Data protection is a legal duty for all organisations in the UK*. The Data Protection Act 1998 is the key piece of legislation setting out the responsibilities of organisations to keep personal data secure and to use it fairly. While every organisation has a duty to comply with the Act, not all organisations have to register with the independent regulator (the Information Commissioner). The Act sets out eight data protection principles to guide organisations in their use of personal data. Broadly speaking, organisations have a duty to:
- Keep personal data secure.
- Obtain personal data fairly and lawfully.
- Process personal data only for the purposes for which it was collected, and to which the person the data is about has agreed.
- Make sure the data is accurate, and store only the data needed to provide services to that person.
- Delete data when it is no longer required and there is no longer any statutory duty to retain it.
- Protect records against accidental or unauthorised deletion, loss or destruction of the personal data they contain.
From 25 May 2018 UK organisations will also be subject to the EU's General Data Protection Regulation (GDPR), which places additional responsibilities on organisations with regard to personal data.
There is separate legislation, the Privacy and Electronic Communications Regulations (PECR), which governs how organisations may use personal data for electronic direct marketing (such as email, SMS and telephone calls) to individuals.
* There are some exemptions from the Act, for example for the security services.