Data Protection Act 1998

In the UK the principles of data protection, the responsibilities of data controllers, and the rights of data subjects are now governed by the Data Protection Act 1998, which came into force on 1 March 2000. As compared to the Data Protection Act 1984, the 1998 Act extends the operation of protection beyond computer storage, replaces the system of registration with one of notification, and requires a level of description from data controllers that is more general than the detailed coding system previously required. Under the 1998 Act, the eight principles of data protection are:

(1) The information to be contained in personal data shall be obtained, and personal data shall be processed, fairly and lawfully.

(2) Personal data shall be held only for specified and lawful purposes and shall not be used or disclosed in any manner incompatible with those purposes.

(3) Personal data held for any purpose shall be relevant to that purpose and not excessive in relation to the purpose(s) for which it is used.

(4) Personal data shall be accurate and, where necessary, kept up to date.

(5) Personal data held for any purpose shall not be kept longer than necessary for that purpose.

(6) Personal data shall be processed in accordance with the rights of data subjects.

(7) Appropriate technical and organizational measures shall be taken against unauthorized and unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

(8) Personal data shall not be transferred to a country or territory outside the European Union unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Data controllers must now notify their processing of data (unless they are exempt) to the Information Commissioner by completing and returning a notification form (this can now be done online). Notification is renewable annually; a data controller who fails to notify his or her processing of data, or any changes that have been made since notification, commits a criminal offence.
