This guide is based on UK law. It was last updated in March 2008.
The law relating to data protection is designed to regulate organisations known as data controllers, who collect and process information relating to living and identifiable individuals, and to give those individuals rights in relation to such data. In the UK the position is currently governed by the Data Protection Act 1998 ("the Act"), which implements a European Union Directive on Data Protection intended to harmonise the differing data protection laws of the Member States.

Personal data are information about a living individual who can be identified from that information, either on its own or together with other information which is in, or is likely to come into, the data controller's possession. The data can be minimal: a name, an address, an e-mail address or even a phone number. Certain data (e.g. political opinions, religious beliefs, ethnic origin, health information, sexual life, criminal convictions or membership of a trade union) are classified as sensitive personal data, and a data controller must have special reasons for processing data of this type.

The Act applies whenever personal data are processed. Processing covers anything done to personal data, for example using, disclosing, storing, collecting, amending or deleting it. Once personal data have been irretrievably deleted they can no longer be processed and the Act ceases to apply. The Act covers data processed automatically by computers and also data processed manually, where the data are stored in a structured set organised by reference to an individual so that specific information about that individual is readily accessible.
The Data Protection Principles
For personal data to be lawfully processed in the UK, a data controller has to ensure that all processing activities with respect to personal data comply with the eight Data Protection Principles. The Principles comprise a broad code of good processing practice which balances the legitimate need of organisations to process personal data in order to deliver goods and services against the privacy of the individuals to whom such data relate. Schedule 1 of the Act sets out eight Data Protection Principles which require personal data to be:

1. processed fairly and lawfully, and processed only under certain specified conditions;
2. processed only for specified lawful purposes and not processed in any way incompatible with those purposes;
3. adequate, relevant and not excessive in relation to the purpose (or purposes) for which the personal data are processed;
4. accurate and, where necessary, kept up to date;
5. kept for no longer than is necessary for the purpose or purposes;
6. processed in accordance with the rights of the data subject, e.g. so that a copy can be made available to the individual concerned;
7. protected by appropriate technical and organisational measures; and
8. not transferred to any country outside the European Economic Area unless that country ensures an "adequate level of protection" for the rights and freedoms of data subjects in relation to the processing of personal data, as accepted by the EU.
Security and Data Processors
The seventh principle requires all data controllers to put in place appropriate technical and organisational measures to safeguard personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage. The interpretation provisions for this principle take the requirement one step further by imposing additional obligations on all data controllers who use data processors. Data processors are defined in the Act as any person (other than an employee of the data controller) who processes personal data on behalf of the data controller. This is a very broad definition, made broader still by the wide meaning of "processing", which covers...