The Data Protection Act or DPA was drafted and released to public use in 1984 and then updated in 1998.
DPA is the act, under the legislation of the United Kingdom (UK), that establishes how businesses may legally use and handle personal information from users.
It covers individuals' safety since it protects them against misuse or abuse of their personal information.
If you're based in the UK and you collect, use and store information about users or employees, then you definitely have to comply with DPA.
How to comply with DPA 1998
In order to comply with the DPA Act, determine if you're required to comply with the act first: do you collect, use, store personal information from users?
The act doesn't apply if you collect, use or store anonymised or aggregated data. However, it's important to make sure that combining your anonymised or aggregated data with a different type of data can't identify an individual as the result of this combination is personal data.
"Personal information," as defined by the Act, includes anything that can identify an individual, including but not limited to:
- Email addresses
- First and last names. This can include billing or shipping addresses
- Social security number
- Date of birth
- Details on a user's bank account
- And so on
If the answer is Yes, you may need to comply with DPA.
The 8 principles
The DPA Act has 8 principles that define how you, as a business, can collect and use personal data from users. It also includes what rights the users have on the collected personal data you have on them.
Principle #1: Process personal data fairly and lawfully
The Data Protection Act requires you to process any kind of personal data fairly and lawfully.
This means that you need to:
- Have legitimate reasons for collecting and using data from users
- You shouldn't use the collected data in ways that can have an adverse effect on your users
- You should be transparent on how you plan to use the data.Give users proper notice about your procedures regarding user data.Do this through a Privacy Policy.
- Don't do anything illegal with the collected data.
Principle #2: Process personal data only for the specified purposes
If your Privacy Policy mentions that you collect personal data from users to improve your website, do so.
It's against DPA's Principle #2 to inform users that you're collecting data only to improve the website, but you're using the collected data to run remarketing campaigns or send commercial messages to users (without a proper notification through the Privacy Policy agreement).
This means that you need to:
- Be very clear in your agreement why you're collecting the data from your users
- Inform users through the legal agreement what you're going to do with the collected data
- Make sure users receive proper notification about this, i.e. they can access your Privacy Policy easily
Principle #3: Collect only personal data you need and ensure that it's sufficient
Principle #3 of the DPA act says:
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
"Adequate, relevant and not excessive" is not defined by the act, but consider the Principle #3 in the context of the entire act:
- Don't hold personal data more than you need
- Don't process (collect, use and store) personal data that is not relevant, i.e. sufficient for your purposes
Principle #4: Keep collected personal data accurate and up-to-date
The Principle #4 of the DPA act is clear:
Personal data shall be accurate and, where necessary, kept up to date.
You need to make sure you've taken all steps to ensure that whatever collected data you have on users is accurate.
This may include prompting users to update the information the have with you.
Principle #5: Don't retain collected personal data longer than it is necessary
The retention requirement of the Data Protection Act doesn't state a specific period for how long or how little you can store user data.
However, you may need to review how long you keep the user data and if it's necessary to keep it for that long in the context of your stated purposes.
If the collected data doesn't need to be stored for a very long period, delete it. Consider to update or archive the data if it's out of date.
Principle #6: Individuals have rights
The DPA Act gives individuals rights in regards to the what personal data you have collected from on/from them:
- The right to access a copy of their collected personal data
- The right to object if your way of processing data might cause them damage or distress
- The right to prevent you from processing their data for direct marketing purposes
- The right to object to decisions being taken by automated means
- The right to - in certain cases - have their collected personal data either updated or deleted
- The right to claim compensation for damages if caused by a breach of the Act
Principle #7: Manage the security of the collected personal data
The main points of Principle #7 of DPA mean that you're responsible for safely keeping user data.
For example, if you're an ecommerce store it's recommended to use SSL certificates as it can increase the level of security when you process user data.
Principle #8: Don't transfer collected personal data outside the European Economic Area unless...
Here's what DPA says on where you can transfer collected personal data, usually referenced to as "International Data Transfer":
Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
You can transfer the collected data, either you or through the third-parties that you use, as long as the country you're transferring data to has an adequate level of protection of protecting the privacy of individuals data.
Safe Harbor, a program between the EU and US, is an example of this.
