Last updated on 18 December 2020 by Sara Pegarella (Law school graduate, B.A. in English/Writing. In-house writer at TermsFeed)
The Data Protection Act or DPA was drafted and released to public use in 1984 and then updated in 1998.
DPA is the act, under the legislation of the United Kingdom (UK), that establishes how businesses may legally use and handle personal information from users.
It covers individuals' safety since it protects them against misuse or abuse of their personal information.
If you're based in the UK and you collect, use and store information about users or employees, then you definitely have to comply with DPA.
In order to comply with the DPA Act, determine if you're required to comply with the act first: do you collect, use, store personal information from users?
The act doesn't apply if you collect, use or store anonymised or aggregated data. However, it's important to make sure that combining your anonymised or aggregated data with a different type of data can't identify an individual as the result of this combination is personal data.
"Personal information," as defined by the Act, includes anything that can identify an individual, including but not limited to:
If the answer is Yes, you may need to comply with DPA.
The DPA Act has 8 principles that define how you, as a business, can collect and use personal data from users. It also includes what rights the users have on the collected personal data you have on them.
The Data Protection Act requires you to process any kind of personal data fairly and lawfully.
This means that you need to:
This means that you need to:
Principle #3 of the DPA act says:
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
"Adequate, relevant and not excessive" is not defined by the act, but consider the Principle #3 in the context of the entire act:
The Principle #4 of the DPA act is clear:
Personal data shall be accurate and, where necessary, kept up to date.
You need to make sure you've taken all steps to ensure that whatever collected data you have on users is accurate.
This may include prompting users to update the information the have with you.
The retention requirement of the Data Protection Act doesn't state a specific period for how long or how little you can store user data.
However, you may need to review how long you keep the user data and if it's necessary to keep it for that long in the context of your stated purposes.
If the collected data doesn't need to be stored for a very long period, delete it. Consider to update or archive the data if it's out of date.
The DPA Act gives individuals rights in regards to the what personal data you have collected from on/from them:
The main points of Principle #7 of DPA mean that you're responsible for safely keeping user data.
For example, if you're an ecommerce store it's recommended to use SSL certificates as it can increase the level of security when you process user data.
Here's what DPA says on where you can transfer collected personal data, usually referenced to as "International Data Transfer":
Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
You can transfer the collected data, either you or through the third-parties that you use, as long as the country you're transferring data to has an adequate level of protection of protecting the privacy of individuals data.
Safe Harbor, a program between the EU and US, is an example of this.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.
18 December 2020