|Act of Parliament|
|Long title||An Act to make new provision for the regulation of the processing of information relating to individuals, including the obtaining, holding, use or disclosure of such information.|
|Citation||1998 c. 29|
|Territorial extent||United Kingdom of Great Britain and Northern Ireland|
|Royal assent||16 July 1998|
|Repeals||Data Protection Act 1984|
|Repealed by||Data Protection Act 2018|
|Text of statute as originally enacted|
The Data Protection Act 1998 (c. 29) was a United Kingdom Act of Parliament designed to protect personal data stored on computers or in an organised paper filing system. It enacted the EU Data Protection Directive 1995's provisions on the protection, processing and movement of data.
Under the 1998 DPA, individuals had legal rights to control information about themselves. Most of the Act did not apply to domestic use, for example keeping a personal address book. Anyone holding personal data for other purposes was legally obliged to comply with this Act, subject to some exemptions. The Act defined eight data protection principles to ensure that information was processed lawfully.
It was superseded by the Data Protection Act 2018 (DPA 2018) on 23 May 2018. The DPA 2018 supplements the EU General Data Protection Regulation (GDPR), which came into effect on 25 May 2018. The GDPR regulates the collection, storage, and use of personal data significantly more strictly.
The 1998 Act replaced the Data Protection Act of 1984 and the Access to Personal Files Act of 1987. Additionally, the 1998 ACT implemented the EU Data Protection Directive 1995.
The Privacy and Electronic Communications (EC Directive) Regulations 2003 altered the consent requirement for most electronic marketing to "positive consent" such as an opt-in box. Exemptions remain for the marketing of "similar products and services" to existing customers and enquirers, which can still be given permission on an opt-out basis.
The Jersey data protection law was modelled on the United Kingdom's law.
Section 1 defined "personal data" as any data that could have been used to identify a living individual. Anonymised or aggregated data was less regulated by the Act, provided the anonymisation or aggregation had not been done in a reversible way. Individuals could have been identified by various means including name and address, telephone number, or email address. The Act applied only to data which was held, or was intended to be held, on computers ('equipment operating automatically in response to instructions given for that purpose'), or held in a 'relevant filing system'.
In some cases paper records could have been classified as a 'relevant filing system', such as an address book or a salesperson's diary used to support commercial activities.
The Freedom of Information Act 2000 modified the act for public bodies and authorities, and the Durant case modified the interpretation of the act by providing case law and precedent.
A person who had their data processed had the following rights:
Schedule 1 listed eight "data protection principles":
Personal data should only be processed fairly and lawfully. In order for data to be classed as 'fairly processed', at least one of these six conditions must be applicable to that data (Schedule 2).
Except under the exceptions mentioned below, the individual would have had to consent to the collection of their personal information  and its use in the purpose(s) in question. The European Data Protection Directive defined consent as “…any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed", meaning the individual could have signified agreement other than in writing. However, non-communication should not have been interpreted as consent.
Additionally, consent should have been appropriate to the age and capacity of the individual and other circumstances of the case. E.g., if an organisation "intends to continue to hold or use personal data after the relationship with the individual ends, then the consent should cover this." And even when consent was given, it should not have been assumed to last forever. Although, in most cases, consent lasted for as long as the personal data needed to be processed, individuals may have been able to withdraw their consent, depending on the nature of the consent and the circumstances in which the personal information was collected and used.
The Data Protection Act also specified that sensitive personal data must have been processed according to a stricter set of conditions, in particular any consent must have been explicit.
The Act was structured such that all processing of personal data was covered by the act, while providing a number of exceptions in Part IV. Notable exceptions were:
The Act granted or acknowledged various police and court powers.
The Act detailed a number of civil and criminal offences for which data controllers may have been liable if a data controller failed to gain appropriate consent from a data subject. However, 'consent' wass not specifically defined in the Act and so was a common law matter.
The UK Data Protection Act was a large Act that had a reputation for complexity. While the basic principles were honored for protecting privacy, interpreting the act was not always simple. Many companies, organisations, and individuals seemed very unsure of the aims, content, and principles of the Act. Some refused to provide even very basic, publicly available material, quoting the Act as a restriction. The Act also impacted the way in which organisations conducted business in terms of who should have been contacted for marketing purposes, not only by telephone and direct mail, but also electronically. This has led to the development of permission-based marketing strategies.
The definition of personal data was data relating to a living individual who can be identified
Sensitive personal data concerned the subject's race, ethnicity, politics, religion, trade union status, health, sexual history, or criminal record.
The Information Commissioner's Office website stated regarding Subject Access Requests (SARs): "You have the right to find out if an organisation is using or storing your personal data. This is called the right of access. You exercise this right by asking for a copy of the data, which is commonly known as making a 'subject access request."
Before the General Data Protection Regulation (GDPR) came into force on 25 May 2018, organisations could have charged a specified fee for responding to a SAR of up to £10 for most requests. Following GDPR: "A copy of your personal data should be provided free. An organisation may charge for additional copies. It can only charge a fee if it thinks the request is 'manifestly unfounded or excessive'. If so, it may ask for a reasonable fee for administrative costs associated with the request."
Main article: Information Commissioner's Office
Compliance with the Act was regulated and enforced by an independent authority, the Information Commissioner's Office, which maintained guidance relating to the Act.
In January 2017, the Information Commissioner's Office invited public comments on the EU's Article 29 Working Party's proposed changes to data protection law and the anticipated introduction of extensions to the interpretation of the Act, the Guide to the General Data Protection Regulation.
In the case involving Michael Durant he sought information held on him by the Financial Services Authority. The Court of Appeal ruled that just because a document contained his name it was not necessarily defined as personal data. This changed the perception of how wide a definition of personal data could be.