• Contact
  • Accountants: +44 (0) 1753 551111
  • Solicitors: +44 (0) 20 7067 4300

Date of publication: November 2016

In the UK, the Data Protection Act 1998 (the “Act”) regulates the use of personal data.

The Act applies to the “processing” of “personal data”, and as such affects most business operating in the UK which holds information about individuals (such as employees or customers).

It is important that businesses comply with the Act, as a failure to do so can result in both criminal and civil liability.

The Act is complex and imposes a large number of obligations on those who process personal data. This publication highlights the key issues, role and responsibilities under the Act.


Key Concepts

Personal data” is information which relates to living individuals (“data subjects”) who can be identified from that data. Examples of personal data include information relating to an individual’s name, address, telephone number and other similar details.

A “data controller” is defined as the person/s who determines the purposes and manner in which any personal data is processed. This includes individuals, organisations and other corporate and unincorporated bodies.

A “data processor” means any person (other than an employee of the data controller) who processes data on behalf of a data controller but does not make any independent determination of the purposes or manner in which personal data is, or will be, processed. 

The Act broadly defines “processing” data as obtaining, recording, holding, using, disclosing or erasing data which in practice encompasses almost any activity relating to the use of data, including storing on remote servers for cloud computing purposes.

There are more restrictive conditions relating to the treatment of “sensitive personal data”. Sensitive personal data includes, but is not limited to, information relating to an individual’s race, health, sexual history, religious beliefs, salary details, political opinions, criminal records and other information of a “sensitive” nature.


Before any data can be processed, the data controller (as opposed to a data processor) must notify the Information Commissioner’s Office (ICO) of certain information, unless they are exempt. The ICO is the primary regulator in the UK and the information is publically available on an online register via the ICO website www.ico.gov.uk. The failure for a data controller to notify is a criminal offence.

Before any data can be processed, the data controller (not the data processor) must notify the UK regulator, the Information Commissioner’s Office (ICO) of certain information, unless they are exempt. Information provided to the ICO during registration is publically accessible on an online register via the ICO website www.ico.gov.uk. The failure for a data controller to notify is a criminal offence.

The Data Protection Act Principles

There are 8 principles under the Data Protection Act 1998 as follows:

  • Data must be fairly and lawfully processed.
  • Data must not be used in a manner which is incompatible with the purpose for which it was obtained.
  • The data must be adequate, relevant and not excessive in relation to the purpose for which it was obtained.
  • Personal data must be kept up to date and accurate.
  • Data must not be kept for longer than is necessary.
  • Data must be processed in accordance with data subjects’ rights.
  • Appropriate measures will be taken against unauthorised or unlawful processing of data and accidental loss, damage or destruction of personal data.
  • Data must not be transferred to Countries outside the European Economic Area (EEA) without adequate protection.

Below is a short examination of some of the key principles that data controllers must observe at all times:

Principle 1. Fairly and lawfully processed

The processing of data will not be fair where the data subject has been pressured into giving personal data, or misled/misinformed about the use of their data.  Data controllers therefore need to either obtain the consent of the data subject before processing the personal data (which is strongly recommended) or demonstrate that:

  • the processing is necessary to enter into/perform a contract with a data subject (e.g. employment contract);
  • the processing is necessary to comply with a legal obligation on the controller; or
  • the processing is essential to protect the individual’s vital interests.

The processing of sensitive personal data must fulfil further criteria under the first principle, which includes:

  • obtaining the individual’s explicit consent to the processing;
  • showing that the processing is necessary for medical purposes; or
  • processing data which relates to racial origin and is used for equal opportunity monitoring.

Principle 5. Not kept longer than necessary

This principle requires data controllers to put procedures in place to ensure that data is destroyed or deleted where it is no longer necessary for the purpose for which it was collected. For example, data which is collected for a specific campaign should be destroyed once the campaign is concluded.

The Act does not provide specific time limits for the retention of data, and thus the responsibility lies with individual organisations to determine what is “necessary” in the circumstances.

Principle 6. Processed in accordance with data subjects’ rights

The Act confers rights on data subjects, which must be observed by data controllers and processors, the key ones of which are as follows:

  • The right of subject access – individuals have the right to know what personal information about them is being processed, the reason for processing and to whom it may be disclosed to. They are entitled to receive a copy of the data held about them and the sources of such information by making a written Subject Access Request (SAR). Data controllers may charge an administrative fee of up to £10 for this process.
  • The right to prevent direct marketing – individuals are entitled to make a written request that their personal information is not used for direct marketing purposes. This request must be acted upon within a reasonable period of time (in most cases, this is 28 days.)
  • The right to have personal information corrected – Individuals have the right to request that misleading information about them is corrected. Where a valid request is made, it must be addressed by the data controller within a reasonable period of time.
  • The right to prevent automated decisions – Individuals are entitled to request that important decisions about them are not made solely by automated (e.g. computerised) processes.  Where such a request is made, any fully-automated decision should be discounted and replaced by a manually evaluated process.

Principle 7. Security measures to prevent damage

Any personal data that is processed must be protected or encrypted with adequate methods to ensure that the data is secure and safe from damage.  This principle poses particular issues in relation to portable devices which store data and personal information, because they can easily be lost or stolen. The ICO recommends that laptops or other such devices are protected by approved encryption software.

Principle 8. Not transferred abroad without adequate protection

The Act prevents the transfer of data to a country or territory outside of the EEA unless that country or territory ensures a level of protection of the rights of data subjects equivalent to that provided in the UK. 

Putting personal data on a website will often lead to a transfer outside of the EEA occurring, as a transfer will take place each where the website is hosted on an overseas servers.

The European Commission has decided that certain countries outside the EEA have an adequate level of protection for personal data. As at the date of this publication, these countries are Andorra, Argentina, Canada (commercial organisations), Faeroe Islands,

Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay.

If a country has not been approved as adequate by the European Commission, it is still possible to send personal data to that country if in the particular circumstances, the data controller is satisfied that there is an adequate level of protection.

There are various methods of a company satisfying this requirement - they may:

  • use contracts incorporating the European Commission approved Model Contractual Clauses;
  • adopt binding Corporate Rules approved by the Information Commissioner;
  • rely on one of the exceptions from the rule, for example where a data subject has given their explicit consent and understands what they are agreeing to;
  • rely on the exemption that the transfer is necessary for reasons of substantial public interest; or
  • demonstrate that the transfer is necessary in connection with legal proceedings or obtaining legal advice.

In connection only with transfers of personal data to the United States, US organisations may self-certify their compliance to EU standards of data processing within their business activities by signing up to the Privacy Shield program, which was adopted by the European

Commission on 12 July 2016 following the invalidation of the previous Safe Harbor Framework.

A prescribed application process must be undertaken to self-certify under Privacy Shield and there are ongoing compliance obligations and fees payable.

In practice, the ICO has confirmed that it is always preferable to ensure adequate protection of data is in place rather than rely on an exemption where data is being transferred, particularly as data subject consent is unlikely to remain valid for long periods of time. 

Data Protection and Cloud Computing

With the advent of cloud-based computing, infrastructure, platform and software services are often wholly operated using servers in remote data warehouse accessible to users via an internet browser or remote access software. 

Although this provides various positives such as flexibility of access, reduction of costs for IT resources, and environmental benefits, there is a risk that data is split and stored in multiple countries at any given time, including those outside of the EU.

Any businesses which operate using cloud-based remote third party services should consider putting in place controller-processor agreements based upon the Model Contract Clauses to govern the flow of data between the parties and ensure that there are private contractual rights to enforce the observance of EU data protection standards.

What should you be doing now?

The Act imposes various obligations on organisations who hold personal information and affects the vast majority of our clients.

Should you have any questions or require further information about the requirements and obligations under the Act, please contact Ben Robson our Corporate & Commercial Team using the details below.

Disclaimer: This note does not contain a full statement of the law and it does not constitute legal advice. Please seek legal advice if you have any questions about the information set out above.

  • Member of London Partners
  • Member of London of Chamber Commerce and Industry
  • Canada Chamber of Commerce
  • The Association for UK Interactive Entertainment
  • Offical Xero Partner

Copyright © 2013 - Oury Clark.