Tell us whether you accept cookies

We use necessary cookies to make our website work. We also use cookies to collect information about how you use so we can improve our services.

Beta This is a new way of showing guidance - your feedback will help us improve it.

Data protection

1. The Data Protection Act 1998  (“DPA”)1 regulates the processing and use of personal data2. The DPA is wide ranging and covers data kept in both manual and electronic form3.  It lists eight “data protection principles”, and any “processing” of personal data must be done in accordance with them. “Processing” includes obtaining, recording, holding, adapting, or disclosing the data4. These principles are designed to ensure that:

2. The DPA specifies conditions which must be met before processing of personal data 5 and "sensitive" personal data 6 can be undertaken.

3. The DPA provides certain rights of access by data subjects to the data held on them 7 but is also subject to a number of exceptions for a range of governmental (including law enforcement and regulatory) activities 8.

4. It also prevents access by third parties to the personal data of others 9 but this prohibition is again subject to various exceptions 10.


  1. c.29 The Data Protection Act 1998 gives effect to European Directive 95/46/EC (OJ No L281/31) (23.11.95)
  2. For detailed guidance on Data Protection Act 1998 see GAP 37.
  3. DPA 1998 Section 1
  4. DPA 1998 Sections 1, 4 and Schedule 1
  5. DPA 1998 Section 1 and Schedule 2
  6. DPA 1998 Section 2 and Schedule 3
  7. DPA 1998 Section 7-8
  8. Part IV of Act, sections 27-39. For example, there are exemptions to the right of subject access for the purpose of safeguarding national security (section 28); where disclosure would be likely to prejudice the prevention or detection of crime or the apprehension or prosecution of offenders (section 29(1)); and where disclosure would be likely to prejudice the proper discharge of certain functions including those designed to secure the health, safety and welfare of persons at work, or to protect persons other than persons at work against risks to health or safety or safety arising out of or in connection with the actions of persons at work (section 31(1)(2)(e) and (f)).
  9. Sections 7(4) and 27(3).
  10. For example, personal data is exempt from what are called "the non-disclosure provisions" in any case in which the disclosure is necessary for the purpose of the prevention or detection of crime or the apprehension or prosecution of offenders and non-disclosure would be likely to prejudice those purposes (section 29(3)). Personal data is also exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by order of the Court (section 35(1)) or where the disclosure is "necessary" for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings), or for the purpose of obtaining legal advice, or is otherwise necessary for the purpose of establishing, exercising or defending legal rights (section 35(2)(a) and (b)).
Updated 2009-07-07