Legal Information - Access to our archive of legal documentsLegal ToolkitsFast FAQsLiberate OnlineHR SmartRoomSurvival Guide DivorceMuckle Employment Protection Insurance

Do we need to bother about the data protection legislation? What impact could it have on us?

Broadly speaking, the Data Protection Act 1998 is designed to prevent individuals and organisations from 'processing' information about any living individual who can be identified from that information, unless:
  • they have a legally acceptable reason (or reasons) for doing so; and
  • they can prove that they treat the information properly.
'Processing' covers practically anything that can be done with information - obtaining it, collecting it, sorting it, analysing it, discussing it, destroying it or even just filing it.

The individuals to whom the information relates may be people (for instance, customers, or suppliers, or employees) with whom you have dealings now, with whom you hope to have dealings in the future, or with whom you have had dealings in the past.

Most businesses cannot function without taking account of the Act's provisions: even defunct businesses might still be 'processing' (for example, holding) information. However, you are unlikely to fall foul of the Act unless:
  • You hold information unlawfully - ie without a good reason. The more sensitive the information is, the better the reason you will need. Information held for 'standard business purposes' (staff administration, advertising, marketing and PR, and accounts and records) is usually exempt, though you will still need to comply with the principles of data protection (that information must be held lawfully and processed fairly; that it must not be collected for one purpose and then used for another; that it must not be excessive, inaccurate etc - see below). Anything relating to anyone's race, politics, religion, trade union membership, physical or mental health, sexual activities, or the commission of offences is high risk, and can only be justified if you hold it for one of a list of specified reasons.
  • You process information unfairly - for example, without letting the individual know that you have it and what you are going to do with it.
  • You collect information for one purpose, and then use it for another.
  • You collect too much information - if you are trying to sell people egg-timers, you do not need to know their shoe size;
  • you fail to ensure that information is accurate and up-to-date.
  • You hold on to information for longer than you need it.
  • You fail to let individuals know what you have on them when they ask to see it (unless one of the statutory exemptions applies).
  • You fail to keep information secure.
  • You send information outside Europe for processing, except to a limited list of countries with adequate data protection laws of their own.
Resources Icon

Related Resources

in the Legal Information Centre