UKDPA

Data Protection Act

The United Kingdom Data Protection Act

The United Kingdom Data Protection Act of 2019 (DPA) is the UK government's implementation of the General Data Protection Regulation. It is the control architecture behind how data subjects' personal information is allowed to be used by organisations, businesses, or by the government. The UKDPA is an evolutionary regulation based on the earlier, outdated Data Protection Act of 1998, which was "designed to protect personal data stored on computers or in organised paper filing systems. It enacted the European Union Data Protection Directive" 1995's provisions on the protection, processing, and movement of personal data, before the EU updated its data space regulatory framework, which became the General Data Protection Regulation.

Important Data Protection Act Principles

The Data Protection Act is applicable to professional or commercial organizations handling data within the United Kingdom. It is based on eight principles of data subject protection and data security.


Data Act Principles

(Principle 1) Fair and Lawful Use, Transparency

          - Principle 1 details that any business may only collect, process, and hold personal data and information in a fair and transparent way.


(Principle 2) Specific for Intended Purpose

          - Principle 2 details that data controllers and processors must collect data solely for the specific intended use for which the data subject has granted permission.


(Principle 3) Minimum Data Requirement

          - Principle 3 of the 8 principles of the Data Protection Act details that controllers cannot request otherwise irrelevant information. "All held data must be adequate and relevant" according to the legislation.


(Principle 4) Need for Accuracy

          - Principle 4 requires that controllers check periodically to ensure that data being held is up to date and remains accurate. In the United Kingdom, Europe, and the United States a period of time amounting to no more than twelve months is considered 'acceptable'.


(Principle 5) Data Retention Time Limit

          - Principle 5 details the length of time that controllers are allowed to store subjects' data. If no withdrawal of consent is received, then data could be stored in perpetuity under the GDPR, because the regulation states no specific time limit on data storage, provided the controller maintains a 'fair reasoning' as defined by the Information Commissioner's Office (ICO).


(Principle 6) The Right to be Forgotten

          - Under Principle 6 of the DPA, data subjects possess the right to know precisely what personal data is held relating to them and subsequently hold the right to prevent the use of the data.


(Principle 7) Ensuring Data Security

          - Principle 7 stipulates that adequate data protection measures are taken and that the data controller takes responsibility for such action as part of 'good data governance practices'. A secure system and secure network which are 'robust against attack' must be implemented, and the level of security must be appropriate to the business.


(Principle 8) Accountability

          - Principle 8 of the DPA requires businesses and organizations within the United Kingdom that are responsible as data controllers to demonstrate that they are upholding the eight DPA principles and their legal duties. They must also show that they have appropriate security measures in place in the event of a data breach, and must maintain records of their data processing.


Information Commissioner's Office (ICO)

gov.uk/data-protection

Contact the Information Commissioner's Office at ico.org.uk or call 0303 123 1113

Saxon Data is a Tier 1 registered data controller. Our certification on the UK Data Protection Registry is available for public viewing by visiting ico.org.uk and searching for Saxon Data, entering our registration reference ZB755580, or downloading the register.
