The Data Protection Act 1998 (DPA) gives individuals the right to know what information is held about them, and provides a framework to ensure that personal information is handled properly.

In summary, personal information means data that relates to a living individual who can be identified (a) from that data, or (b) from that data and other information which is in the possession of, or is likely to come into the possession of, a ‘data controller’.

The DPA covers personal data held on computer and in manual files. All organisations that collect personal data must comply with the 8 data protection principles. This means that personal information must:

  1. Be fairly and lawfully processed;
  2. Be processed for limited purposes;
  3. Be adequate, relevant and not excessive;
  4. Be accurate and up to date;
  5. Not be kept for longer than is necessary;
  6. Be processed in line with the rights of individuals;
  7. Be kept securely; and
  8. Not be transferred to other countries without adequate protection.

The Information Commissioner’s Office (‘ICO’) is the UK’s independent authority set up to promote access to official information and to protect personal information. Every organisation that processes (i.e. holds and uses) personal information must be registered with the ICO, unless they are exempt.

Other relevant legislation

Privacy and Electronic Communications Regulations (PECR)

The PECR implement European Directive 2002/58/EC (also known as ‘the e-privacy Directive’) and complement the DPA to give people more privacy in relation to electronic communications. The PECR cover several areas including:

  • Marketing by electronic means, including telephone calls, texts, emails and faxes
  • The use of cookies that track information about people accessing a website or other electronic service
  • The privacy of customers using communications networks or services* as regards traffic and location data, itemised billing, line identification services (e.g. caller ID and call return), and directory listings

NB: The PECR only apply to unsolicited marketing messages and do not restrict solicited marketing.

Environmental Information Regulations

The Environmental Information Regulations 2004 (‘the EIR’) provide public access to environmental information held by public authorities. The Regulations do this in two ways:

  • Public authorities must make environmental information available proactively
  • Members of the public are entitled to request environmental information from public authorities

The EIR cover any recorded information held by public authorities in England, Wales and Northern Ireland. Public authorities include government departments, local authorities, the NHS, police forces and universities. The EIR also cover some other bodies that do public work that affects the environment. Anyone can make a request for information under the EIR.

Computer Misuse Act 1990 (CMA)

The CMA is designed to protect computer users against wilful attacks and theft of information. Offences under the CMA include:

  • Hacking
  • Unauthorised access to computer systems and purposefully spreading malicious and damaging software (malware), such as viruses
  • Unauthorised modification of computer material
  • Accessing, or even attempting to access, a computer system without the appropriate authorisation (therefore, even if a hacker tries to get into a system but is unsuccessful, they can be prosecuted)
  • Accessing a computer system using another person’s user name (including e-mail, chat and other services)
  • Making, supplying or obtaining articles for use in computer misuse offences

In practice, the CMA makes it an offence to:

  • Erase or amend data or programs without authority;
  • Obtain unauthorised access to a computer;
  • “Eavesdrop” on a computer;
  • Make unauthorised use of computer time or facilities;
  • Maliciously corrupt or erase data or programs;
  • Deny access to authorised users.

Regulation of Investigatory Powers Act 2000 (RIPA)

RIPA aims to ensure that, when public authorities conduct investigations that intrude on people’s private lives, those investigations take place in accordance with the law (with particular emphasis on compliance with the Human Rights Act). This means that the use of CCTV by local authorities (and other public bodies) is regulated by RIPA.