Data Protection Act 1998

Data Protection Act 1984
Data Protection Act 1984
Act of Parliament
	Parliament of the United Kingdom
Long title	An Act to regulate the use of automatically processed information relating to individuals and the provision of services in respect of such information.
Citation	1984 c. 35
Dates
Royal assent	12 July 1984
Repealed	1 March 2000
Other legislation
Repealed by	Data Protection Act 1998
Status: Repealed
Text of statute as originally enacted

Data Protection Act 1998
Act of Parliament
	Parliament of the United Kingdom
Long title	An Act to make new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.
Citation	1998 c. 29
Territorial extent	England and Wales; Scotland; Northern Ireland;
Dates
Royal assent	16 July 1998
Other legislation
Repeals/revokes	Data Protection Act 1984
Repealed by	Data Protection Act 2018
Status: Repealed
Text of statute as originally enacted

Last updated January 26, 2024

The Data Protection Act 1998 (c. 29) (DPA) was an Act of Parliament of the United Kingdom designed to protect personal data stored on computers or in an organised paper filing system. It enacted provisions from the European Union (EU) Data Protection Directive 1995 on the protection, processing, and movement of data.

Under the 1998 DPA, individuals had legal rights to control information about themselves. Most of the Act did not apply to domestic use,^[1] such as keeping a personal address book. Anyone holding personal data for other purposes was legally obliged to comply with this Act, subject to some exemptions. The Act defined eight data protection principles to ensure that information was processed lawfully.

It was superseded by the Data Protection Act 2018 (DPA 2018) on 23 May 2018. The DPA 2018 supplements the EU General Data Protection Regulation (GDPR), which came into effect on 25 May 2018. The GDPR regulates the collection, storage, and use of personal data significantly more strictly.^[2]

Background

The 1998 Act replaced the Data Protection Act of 1984 and the Access to Personal Files Act of 1987. Additionally, the 1998 Act implemented the EU Data Protection Directive 1995.

The Privacy and Electronic Communications (EC Directive) Regulations 2003 altered the consent requirement for most electronic marketing to "positive consent" such as an opt-in box. Exemptions remain for the marketing of "similar products and services" to existing customers and enquirers, which can still be permitted on an opt-out basis.

The Jersey data protection law was modelled on the United Kingdom's law.^[3]

Section 1 of DPA 1998 defined "personal data" as any data that could have been used to identify a living individual. Anonymised or aggregated data was less regulated by the Act, provided the anonymisation or aggregation had not been done reversibly. Individuals could have been identified by various means including name and address, telephone number, or email address. The Act applied only to data which was held, or was intended to be held, on computers ("equipment operating automatically in response to instructions given for that purpose"), or held in a "relevant filing system".^[4]

In some cases, paper records could have been classified as a relevant filing system, such as an address book or a salesperson's diary used to support commercial activities.^[5]

The Freedom of Information Act 2000 modified the act for public bodies and authorities, and the Durant case modified the interpretation of the act by providing case law and precedent.^[6]

A person who had their data processed had the following rights:^[7]^[8]

under section 7, to view the data on them held by an organisation for a reasonable fee: the maximum fee was £2 for requests to credit reference agencies, £50 for health and educational request, and £10 per individual otherwise,^[9]
under section 14, to request that incorrect information be corrected. If the company ignored the request, a court could have ordered the data to be corrected or destroyed, and in some cases compensation could have been awarded.^[10]
under section 10, to require that their data was not used in any way that potentially could have caused damage or distress.^[11]
under section 11, to require that their data was not used for direct marketing.^[12]

Data protection principles

Schedule 1 listed eight "data protection principles":

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
1. at least one of the conditions in Schedule 2 is met, and
2. in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
Personal data shall be accurate and, where necessary, kept up to date.
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
About the rights of individuals e.g.^[13] personal data shall be processed in accordance with the rights of data subjects (individuals).
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Broadly speaking, these eight principles were similar to the six principles set out in the GDPR of 2016.^[14]

Conditions relevant to the first principle

Personal data should only be processed fairly and lawfully. In order for data to be classed as 'fairly processed', at least one of these six conditions had to be applicable to that data (Schedule 2).

The data subject (the person whose data is stored) has consented ("given their permission") to the processing;
Processing is necessary for the performance of, or commencing, a contract;
Processing is required under a legal obligation (other than one stated in the contract);
Processing is necessary to protect the vital interests of the data subject;
Processing is necessary to carry out any public functions;
Processing is necessary in order to pursue the legitimate interests of the "data controller" or "third parties" (unless it could unjustifiably prejudice the interests of the data subject).^[15]

Consent

Except under the exceptions mentioned below, the individual had to consent to the collection of their personal information ^[16] and its use in the purpose(s) in question. The European Data Protection Directive defined consent as “…any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed", meaning the individual could have signified agreement other than in writing.^{[ citation needed ]} However, non-communication should not have been interpreted as consent.

Additionally, consent should have been appropriate to the age and capacity of the individual and other circumstances of the case. If an organisation "intends to continue to hold or use personal data after the relationship with the individual ends, then the consent should cover this." When consent was given, it was not assumed to last forever, though in most cases, consent lasted for as long as the personal data needed to be processed, and individuals may have been able to withdraw their consent, depending on the nature of the consent and the circumstances in which the personal information was collected and used.^[17]

The Data Protection Act also specified that sensitive personal data must have been processed according to a stricter set of conditions, in particular, any consent must have been explicit.^[17]

Exceptions

The Act was structured such that all processing of personal data was covered by the act while providing a number of exceptions in Part IV.^[1] Notable exceptions were:

Section 28 – National security. Any processing for the purpose of safeguarding national security is exempt from all the data protection principles, as well as Part II (subject access rights), Part III (notification), Part V (enforcement), and Section 55 (Unlawful obtaining of personal data).
Section 29 – Crime and taxation. Data processed for the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of taxes are exempt from the first data protection principle.
Section 36 – Domestic purposes. Processing by an individual only for the purposes of that individual's personal, family or household affairs is exempt from all the data protection principles, as well as Part II (subject access rights) and Part III (notification).

Police and court powers

The Act granted or acknowledged various police and court powers.

Section 29 – Consent of the data subject was not required when processing personal data to prevent or detect crime, apprehend or prosecute offenders, the assessment and collection of taxes and duties and discharge a statutory function.^[18]
Section 35 – Disclosures required by law or made in connection with legal proceedings. This included obeying court orders and other laws, and were part of legal proceedings.^[19]

Offences

The Act detailed a number of civil and criminal offences for which data controllers may have been liable if a data controller failed to gain appropriate consent from a data subject. However, consent was not specifically defined in the Act and so was a common law matter.

Section 21(1) made it an offence to process personal information without registration.^[20]
Section 21(2) made it an offence to fail to comply with the notification regulations made by the Secretary of State^[20] (proposed by the Information Commissioner under section 25 of the Act).^[21]
Section 55 made the acquisition of personal data unlawful, and made the acquisition of unauthorised access to personal data an offence for people (other parties), such as hackers and impersonators, outside the organisation.^[22]
Section 56 made it a criminal offence to require an individual to make a Subject Access Request relating to cautions or convictions for the purposes of recruitment, continued employment, or the provision of services.^[23] This section was enforced on 10 March 2015.^[24]

Complexity

The UK Data Protection Act was a large Act that had a reputation for complexity.^[25] While the basic principles were honored for protecting privacy, interpreting the act was not always simple. Many companies, organisations, and individuals seemed very unsure of the aims, content, and principles of the Act. Some refused to provide even very basic, publicly available material, quoting the Act as a restriction.^[26] The Act also impacted the way in which organisations conducted business in terms of who should have been contacted for marketing purposes, not only by telephone and direct mail, but also electronically. This has led to the development of permission-based marketing strategies.^[27]

Definition of personal data

The definition of personal data was data relating to a living individual who can be identified

from that data; or
from that data plus other information that was in the possession, or likely to come into the possession, of the data controller.

Sensitive personal data concerned the subject's race, ethnicity, politics, religion, trade union status, health, sexual history, or criminal record.^[28]

Subject access requests

The Information Commissioner's Office website stated regarding subject access requests:^[29] "You have the right to find out if an organisation is using or storing your personal data. This is called the right of access. You exercise this right by asking for a copy of the data, which is commonly known as making a 'subject access request.'"

Before the General Data Protection Regulation (GDPR) came into force on 25 May 2018, organisations could have charged a specified fee for responding to a SAR of up to £10 for most requests. Following GDPR: "A copy of your personal data should be provided free. An organisation may charge for additional copies. It can only charge a fee if it thinks the request is 'manifestly unfounded or excessive'. If so, it may ask for a reasonable fee for administrative costs associated with the request."^[29]

Information Commissioner

Compliance with the Act was regulated and enforced by an independent authority, the Information Commissioner's Office, which maintained guidance relating to the Act.^[30]^[31]

EU’s Article 29 Working Party

In January 2017, the Information Commissioner's Office invited public comments on the EU's Article 29 Working Party's proposed changes to data protection law and the anticipated introduction of extensions to the interpretation of the Act, the Guide to the General Data Protection Regulation.^[32]

Related Research Articles

Information privacy is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, contextual information norms, and the legal and political issues surrounding them. It is also known as data privacy or data protection.

The Data Protection Directive, officially Directive 95/46/EC, enacted in October 1995, was a European Union directive which regulated the processing of personal data within the European Union (EU) and the free movement of such data. The Data Protection Directive was an important component of EU privacy and human rights law.

The Information Commissioner's Office (ICO) is a non-departmental public body which reports directly to the Parliament of the United Kingdom and is sponsored by the Department for Science, Innovation and Technology. It is the independent regulatory office dealing with the Data Protection Act 2018 and the General Data Protection Regulation, the Privacy and Electronic Communications Regulations 2003 across the UK; and the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 in England, Wales and Northern Ireland and, to a limited extent, in Scotland. When they audit an organisation they use Symbiant's audit software.

A privacy policy is a statement or legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. Personal information can be anything that can be used to identify an individual, not limited to the person's name, address, date of birth, marital status, contact information, ID issue, and expiry date, financial records, credit information, medical history, where one travels, and intentions to acquire goods and services. In the case of a business, it is often a statement that declares a party's policy on how it collects, stores, and releases personal information it collects. It informs the client what specific information is collected, and whether it is kept confidential, shared with partners, or sold to other firms or enterprises. Privacy policies typically represent a broader, more generalized treatment, as opposed to data use statements, which tend to be more detailed and specific.

Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person.

Information privacy, data privacy or data protection laws provide a legal framework on how to obtain, use and store data of natural persons. The various laws around the world describe the rights of natural persons to control who is using its data. This includes usually the right to get details on which data is stored, for what purpose and to request the deletion in case the purpose is not given anymore.

Privacy law is the body of law that deals with the regulating, storing, and using of personally identifiable information, personal healthcare information, and financial information of individuals, which can be collected by governments, public or private organisations, or other individuals. It also applies in the commercial sector to things like trade secrets and the liability that directors, officers, and employees have when handling sensitive information.

Privacy and Electronic Communications Directive2002/58/EC on Privacy and Electronic Communications, otherwise known as ePrivacy Directive (ePD), is an EU directive on data protection and privacy in the digital age. It presents a continuation of earlier efforts, most directly the Data Protection Directive. It deals with the regulation of a number of important issues such as confidentiality of information, treatment of traffic data, spam and cookies. This Directive has been amended by Directive 2009/136, which introduces several changes, especially in what concerns cookies, that are now subject to prior consent.

The United States Commission's fair information practice principles (FIPPs) are guidelines that represent widely accepted concepts concerning fair information practice in an electronic marketplace.

The Register of data controllers was a United Kingdom database under the control of the UK Information Commissioner's Office mandated by section 19 of the Data Protection Act 1998.

The German Bundesdatenschutzgesetz (BDSG) is a federal data protection act, that together with the data protection acts of the German federated states and other area-specific regulations, governs the exposure of personal data, which are manually processed or stored in IT systems.

The Data Protection (Jersey) Law 2018 is an information privacy law in the Crown Dependency of the Bailiwick of Jersey, one of the Channel Islands. The latest version is 2018, updating the previous law from 2005 to mirror the General Data Protection Regulation (GDPR). It was adopted on 25 May 2018.

The General Data Protection Regulation is a European Union regulation on information privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also governs the transfer of personal data outside the EU and EEA. The GDPR's goals are to enhance individuals' control and rights over their personal information and to simplify the regulations for international business. It supersedes the Data Protection Directive 95/46/EC and, among other things, simplifies the terminology.

The Data Protection Act, 2012 is legislation enacted by the Parliament of the Republic of Ghana to protect the privacy and personal data of individuals. It regulates the process personal information is acquired, kept, used or disclosed by data controllers and data processors by requiring compliance with certain data protection principles. Non compliance with provisions of the Act may attract either civil liability, or criminal sanctions, or both, depending on the nature of the infraction. The Act also establishes a Data Protection Commission, which is mandated to ensure compliance with its provisions, as well as maintain the Data Protection Register.

The National Pupil Database (NPD) is a database controlled by the Department for Education in England, based on multiple data collections from individuals age 2-21 in state funded education and higher education. Data are matched using pupil names, dates of birth and other personal and school characteristics, including special educational needs, disability, and indicators for free school meals, a child in care, and families in the armed forces. Personal details are linked to pupils' attainment and exam results over a lifetime school attendance.

A data protection officer (DPO) ensures, in an independent manner, that an organization applies the laws protecting individuals' personal data. The designation, position and tasks of a DPO within an organization are described in Articles 37, 38 and 39 of the European Union (EU) General Data Protection Regulation (GDPR). Many other countries require the appointment of a DPO, and it is becoming more prevalent in privacy legislation.

The Data Protection Act 2018 is a United Kingdom Act of Parliament which updates data protection laws in the UK. It is a national law which complements the European Union's General Data Protection Regulation (GDPR) and replaces the Data Protection Act 1998.

The right of access, also referred to as right to access and (data) subject access, is one of the most fundamental rights in data protection laws around the world. For instance, the United States, Singapore, Brazil, and countries in Europe have all developed laws that regulate access to personal data as privacy protection. The European Union states that: "The right of access occupies a central role in EU data protection law's arsenal of data subject empowerment measures." This right is often implemented as a Subject Access Request (SAR) or Data Subject Access Request (DSAR).

The Personal Information Protection Law of the People's Republic of China referred to as the Personal Information Protection Law or ("PIPL") protecting personal information rights and interests, standardize personal information handling activities, and promote the rational use of personal information. It also addresses the transfer of personal data outside of China.

The Age appropriate design code, also known as the Children's Code, is a British internet safety and privacy code of practice created by the Information Commissioner's Office (ICO). The draft Code was published in April 2019, as instructed by the Data Protection Act 2018 (DPA). The final regulations were published on 27 January 2020 and took effect 2 September 2020, with a one-year grace period before the beginning of enforcement. The Children's Code is written to be consistent with GDPR and the DPA, meaning that compliance with the Code is enforceable under the latter.

References

1 2 Data Protection Act 1998, Part IV (Exemptions), Section 36 Archived 24 August 2007 at the Wayback Machine , Office of Public Sector Information, accessed 6 September 2007
↑ Ford, Michael (March 1999). "Recent legislation. The Data Protection Act 1998". Industrial Law Journal. 28: 57–60. doi:10.1093/ilj/28.1.57.
↑ Jersey: Data Protection In Jersey And Other Offshore Jurisdictions Archived 27 October 2012 at the Wayback Machine 23 July 2008 Article by Wendy Benjamin, mondaq.com,
↑ "Data Protection Act 1998, Basic interpretative provisions". Office of Public Sector Information. Archived from the original on 1 March 2014. Retrieved 14 March 2014.
↑ "Determining what information is 'data' for the purposes of the DPA" (PDF). Information Commissioner's Office. 16 March 2012. Archived (PDF) from the original on 22 July 2016. Retrieved 2 March 2018.
↑ "What is personal data? Information Commissioner updates guidance". Pinsent Masons. 30 August 2007. Archived from the original on 20 October 2011. Retrieved 20 August 2012. In the case involving Michael Durant he sought information held on him by the Financial Services Authority. The Court of Appeal ruled that just because a document contained his name it was not necessarily defined as personal data. This changed the perception of how wide a definition of personal data could be.
↑ Your rights ^{[ permanent dead link ]}, ICO, accessed 6 September 2007
↑ "The rights of individuals (Principle 6) Archived 18 November 2016 at the Wayback Machine ", ICO, accessed 7 December 2016
↑ "FAQs". Information Commissioner's Office. Archived from the original on 30 May 2013. Retrieved 19 January 2014.
↑ "Claiming compensation". Information Commissioner's Office. Archived from the original on 21 June 2017. Retrieved 24 November 2017.
↑ Data Protection Act 1998, Part II (Rights of data subjects and others), Section 10 Archived 5 September 2011 at the Wayback Machine , Office of Public Sector Information, accessed 6 September 2007
↑ Data Protection Act 1998, Part II (Rights of data subjects and others), Section 11 Archived 4 September 2011 at the Wayback Machine , Office of Public Sector Information, accessed 6 September 2007
↑ The rights of individuals (Principle 6), ICO.org.uk, accessed 14 April 2011
↑ Maxwell, F., Six Principles of GDPR, Quality Compliance Systems Ltd., published 3 February 2020, accessed 3 January 2024
↑ OPSI.gov.uk Archived 16 April 2009 at the Wayback Machine Data Protection Act 1998 Schedule 2
↑ Sarah, Featherstone (28 May 2021). "How to Comply with GDPR". Archived from the original on 29 May 2021.
1 2 "Conditions for Processing – Guide to Data Protection – ICO". Information Commissioner's Office. Archived from the original on 6 January 2015. Retrieved 8 February 2013.
↑ Data Protection Act 1998, Part IV (Exceptions – Crime and taxation), Section 29 Archived 1 June 2017 at the Wayback Machine
↑ Data Protection Act 1998, Part IV (Exemptions – Disclosures required by law or made in connection with legal proceedings etc.), Section 35 Archived 23 May 2017 at the Wayback Machine
1 2 Data Protection Act 1998, Part III (Notification by Data Controllers), Section 21 Archived 7 December 2009 at the Wayback Machine , Office of Public Sector Information)
↑ Data Protection Act 1998, Part III (Notification by Data Controllers), Section 25 Archived 4 February 2013 at the Wayback Machine
↑ Data Protection Act 1998, Part VI (Miscellaneous and General), Section 55 Archived 24 August 2007 at the Wayback Machine , Office of Public Sector Information, accessed 14 September 2007
↑ Data Protection Act 1998, Part VI (Miscellaneous and General), Section 56 Archived 24 August 2007 at the Wayback Machine , Office of Public Sector Information, accessed 14 September 2007
↑ "Forced data subject access requests are now a criminal offence". Lewis Silkin. Archived from the original on 19 March 2015. Retrieved 10 March 2015.
↑ Bainbridge, D: "Introduction to Computer Law – Fifth Edition", p. 430. Pearson Education Limited, 2005
↑ Data Protection myths and realities , Information Commissioner's Office, accessed 30 August 2008
↑ Iversen, Amy; Liddell, Kathleen; Fear, Nicola; Hotopf, Matthew; Wessely, Simon (19 January 2006). "Consent, confidentiality, and the Data Protection Act". BMJ. 332 (7534): 165–169. doi:10.1136/bmj.332.7534.165. ISSN 0959-8138. PMC 1336771 . PMID 16424496.
↑ "Data Protection Act 1998". UK Statute Law Database . Archived from the original on 20 August 2012. Retrieved 20 August 2012.
1 2 "Your right of access". Information Commissioner's Office. Archived from the original on 26 May 2018. Retrieved 25 May 2018.
↑ "The Guide to Data Protection". Information Commissioner's Office . Retrieved 6 January 2015.
↑ Guidance – The Data Protection Act, Page of Assorted Guidance ^{[ permanent dead link ]}, Information Commissioner's Office, accessed 20 October 2007
↑ "Guide to the General Data Protection Regulation (GDPR)". ico.org.uk. 22 December 2017. Archived from the original on 7 January 2018. Retrieved 6 January 2018.

External links

Information Commissioner's Office
The Department for Constitutional Affairs
Council of Europe – ETS no. 108 – Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (1981) – basis for Data Protection Act 1984
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data – basis for Data Protection Act 1998

UK legislation

Text of the Data Protection Act 1998 as in force today (including any amendments) within the United Kingdom, from legislation.gov.uk .

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[exemptions-1] 1 2 Data Protection Act 1998, Part IV (Exemptions), Section 36 Archived 24 August 2007 at the Wayback Machine , Office of Public Sector Information, accessed 6 September 2007

[2] Ford, Michael (March 1999). "Recent legislation. The Data Protection Act 1998". Industrial Law Journal. 28: 57–60. doi:10.1093/ilj/28.1.57.

[3] Jersey: Data Protection In Jersey And Other Offshore Jurisdictions Archived 27 October 2012 at the Wayback Machine 23 July 2008 Article by Wendy Benjamin, mondaq.com,

[4] "Data Protection Act 1998, Basic interpretative provisions". Office of Public Sector Information. Archived from the original on 1 March 2014. Retrieved 14 March 2014.

[5] "Determining what information is 'data' for the purposes of the DPA" (PDF). Information Commissioner's Office. 16 March 2012. Archived (PDF) from the original on 22 July 2016. Retrieved 2 March 2018.

[pinsent-durant-6] "What is personal data? Information Commissioner updates guidance". Pinsent Masons. 30 August 2007. Archived from the original on 20 October 2011. Retrieved 20 August 2012. In the case involving Michael Durant he sought information held on him by the Financial Services Authority. The Court of Appeal ruled that just because a document contained his name it was not necessarily defined as personal data. This changed the perception of how wide a definition of personal data could be.

[7] Your rights ^{[ permanent dead link ]}, ICO, accessed 6 September 2007

[8] "The rights of individuals (Principle 6) Archived 18 November 2016 at the Wayback Machine ", ICO, accessed 7 December 2016

[9] "FAQs". Information Commissioner's Office. Archived from the original on 30 May 2013. Retrieved 19 January 2014.

[10] "Claiming compensation". Information Commissioner's Office. Archived from the original on 21 June 2017. Retrieved 24 November 2017.

[11] Data Protection Act 1998, Part II (Rights of data subjects and others), Section 10 Archived 5 September 2011 at the Wayback Machine , Office of Public Sector Information, accessed 6 September 2007

[12] Data Protection Act 1998, Part II (Rights of data subjects and others), Section 11 Archived 4 September 2011 at the Wayback Machine , Office of Public Sector Information, accessed 6 September 2007

[13] The rights of individuals (Principle 6), ICO.org.uk, accessed 14 April 2011

[14] Maxwell, F., Six Principles of GDPR, Quality Compliance Systems Ltd., published 3 February 2020, accessed 3 January 2024

[15] OPSI.gov.uk Archived 16 April 2009 at the Wayback Machine Data Protection Act 1998 Schedule 2

[16] Sarah, Featherstone (28 May 2021). "How to Comply with GDPR". Archived from the original on 29 May 2021.

[conditions-17] 1 2 "Conditions for Processing – Guide to Data Protection – ICO". Information Commissioner's Office. Archived from the original on 6 January 2015. Retrieved 8 February 2013.

[18] Data Protection Act 1998, Part IV (Exceptions – Crime and taxation), Section 29 Archived 1 June 2017 at the Wayback Machine

[19] Data Protection Act 1998, Part IV (Exemptions – Disclosures required by law or made in connection with legal proceedings etc.), Section 35 Archived 23 May 2017 at the Wayback Machine

[opsi-20] 1 2 Data Protection Act 1998, Part III (Notification by Data Controllers), Section 21 Archived 7 December 2009 at the Wayback Machine , Office of Public Sector Information)

[21] Data Protection Act 1998, Part III (Notification by Data Controllers), Section 25 Archived 4 February 2013 at the Wayback Machine

[22] Data Protection Act 1998, Part VI (Miscellaneous and General), Section 55 Archived 24 August 2007 at the Wayback Machine , Office of Public Sector Information, accessed 14 September 2007

[23] Data Protection Act 1998, Part VI (Miscellaneous and General), Section 56 Archived 24 August 2007 at the Wayback Machine , Office of Public Sector Information, accessed 14 September 2007

[24] "Forced data subject access requests are now a criminal offence". Lewis Silkin. Archived from the original on 19 March 2015. Retrieved 10 March 2015.

[25] Bainbridge, D: "Introduction to Computer Law – Fifth Edition", p. 430. Pearson Education Limited, 2005

[26] Data Protection myths and realities , Information Commissioner's Office, accessed 30 August 2008

[27] Iversen, Amy; Liddell, Kathleen; Fear, Nicola; Hotopf, Matthew; Wessely, Simon (19 January 2006). "Consent, confidentiality, and the Data Protection Act". BMJ. 332 (7534): 165–169. doi:10.1136/bmj.332.7534.165. ISSN 0959-8138. PMC 1336771 . PMID 16424496.

[28] "Data Protection Act 1998". UK Statute Law Database . Archived from the original on 20 August 2012. Retrieved 20 August 2012.

[SAR-29] 1 2 "Your right of access". Information Commissioner's Office. Archived from the original on 26 May 2018. Retrieved 25 May 2018.

[30] "The Guide to Data Protection". Information Commissioner's Office . Retrieved 6 January 2015.

[31] Guidance – The Data Protection Act, Page of Assorted Guidance ^{[ permanent dead link ]}, Information Commissioner's Office, accessed 20 October 2007

[32] "Guide to the General Data Protection Regulation (GDPR)". ico.org.uk. 22 December 2017. Archived from the original on 7 January 2018. Retrieved 6 January 2018.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]

[22]

[23]

[24]

[25]

[26]

[27]

[28]

[29]

[30]

[31]

[32]