A Q&A guide to data protection in the UK.
This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.
This article is part of the PLC multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.
Directive 95/46/EC on data protection (Data Protection Directive) was implemented in the UK on 1 March 2000 through the Data Protection Act 1998 (DPA). The DPA is the primary legislation regulating the collection and use of personal data in the UK.
Subsequent secondary legislation has been introduced to address specific issues involving personal data, such as the:
Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which regulate, among other things, the requirements for use of personal data for direct marketing, location tracking and itemized billing purposes and individuals' rights in those circumstances.
Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (PECR Amendments), which regulate the use of technologies for storing information and accessing information stored on a user's equipment, such as their computer or mobile device (see Question 18).
In January 2012, the European Commission released its proposal for a new European data protection Regulation, which would take direct effect in the UK (see Question 25).
The DPA creates a framework within which all "processing" of "personal data" must be carried out. The scope of these defined terms is such that any UK-established entity or individual obtaining personal information is likely to have to operate within the DPA framework.
The DPA applies to "data controllers". Holding the position of data controller can be a consequence of a party's chosen role or imposed by legislation. A data controller is the person who either alone or jointly or in common with other persons, determines the purposes for, and the manner in, which any personal data is or is to be processed (section 1, DPA). In effect, the data controller is the party that decides what to do with personal data and how that activity is to be carried out. These decisions can be made with, or at the same time as, another data controller in respect of the same personal data.
If personal data is processed according to the processing requirements of any enactment, the person that must process the data under that enactment is a data controller (section 1(4), DPA).
Data controllers do not need to hold the personal data or process it. It is sufficient to instruct a third party how to process the personal data to be deemed a data controller. This is commonly the case when considering outsourced business models.
Information is "data" if it fulfils any of the following criteria (section 1(1), DPA):
It is processed automatically by equipment.
It is recorded for the purpose of automatic equipment processing.
It forms part of a relevant filing system.
It does not fall into the first three bullets but either amounts to an accessible record or is processed as recorded information held by a public authority.
The Information Commissioner's Office (ICO) has issued technical guidance to assist those assessing whether information falls in any of these categories of data.
Only data which is "personal data" is regulated by the DPA. Data is personal data if:
It relates to a living individual.
The individual to which the data relates can be identified:
from that data; or
from that data and other information which is in, or is likely to come into, the possession of the data controller.
Personal data can include:
Names and dates of birth.
Contact details such as addresses, e-mail addresses and telephone numbers.
Expressions of opinions on living individuals.
Indications of intentions in respect of living individuals.
The DPA does not safeguard personal information about deceased people, although this may be protected as confidential at common law. Information need not be of a confidential nature to be personal data. The holding of "anonymised" data is not regulated by the DPA if the data holder has no other information enabling it to identify living individuals from such data. The ICO has issued a code of practice on managing the risks related to anonymisation of data.
Identification of personal data is a question of fact in each particular case. In Durant v Financial Services Authority EWCA Civ 1746, the Court of Appeal held that information relates to an individual if it affects that individual's privacy. In assessing the effect on privacy, the Court suggested that key considerations are whether the information is biographical and has the individual as its focus.
Following this case, the ICO published guidance to assist in identifying personal data in the form of a series of questions:
Can a living individual be identified from the data, or, from the data and other information in the possession of, or likely to come into the possession of, the data controller?
Does the data relate to the identifiable living individual, whether in personal or family life, business or profession?
Is the data obviously about a particular individual?
Is the data linked to an individual so that it provides particular information about that individual?
Is the data used, or to be used, to inform or influence actions or decisions affecting an identifiable individual?
Does the data have any biographical significance in relation to the individual?
Does the data focus on the individual as its central theme rather than on some other person, or some object, transaction or event?
Does the data impact or have the potential to impact on an individual, whether in a personal, family, business or professional capacity?
Answering yes to the first and any subsequent question is very likely to mean that data is personal data.
"Processing" of personal data is regulated under the DPA. This covers obtaining, recording, holding, storing, organising, retrieving, disclosing in any way, aligning, destroying or deleting personal information. There is also a catch-all provision of "carrying out any operation" on personal data (section 1(1), DPA).
The combination of personal data and any activity with that data is likely to be regulated as processing. Whether these acts are done by the data controller itself or, on its instructions, by a data processor, they all amount to processing.
The DPA applies to the following when they are "established" in the UK and if they process data as data controllers in the context of that establishment (section 5, DPA):
Individuals ordinarily resident in the UK.
UK-formed partnerships or other unincorporated associations.
Persons with a UK office, branch or agency.
Data controllers established outside the European Economic Area (EEA) who process data using equipment located in the UK are also subject to the DPA.
The main exemptions to the DPA's requirements are based on public policy considerations, where the public interest is deemed to require disclosure of personal data that would otherwise be in breach of the DPA. The exemptions include disclosures for:
Purposes of national security (section 28, DPA).
Prevention or detection of crime and the apprehension or prosecution of offenders (section 29, DPA).
Assessment or collection of any tax or duty or of any imposition of a similar nature (section 29, DPA).
Health, education, social work and regulatory purposes (sections 30 and 31, DPA).
Compliance with legislation or otherwise required by law (sections 34 and 35, DPA).
Processing personal data can also be exempt from most of the DPA (including the rights of data subjects), for artistic, literary or journalistic purposes. Again, the justification for such processing is founded on the public interest (section 32, DPA).
In addition, the processing of personal data by individuals for their domestic purposes is specifically exempted (section 36, DPA).
Further specific exemptions from the DPA provisions permitting data subjects to access their personal data (see Question 13) apply to disclosures of (Schedule 7, DPA):
Confidential references given by the data controller.
Information prejudicial to the combat effectiveness of the armed forces.
Information relating to crown employment and crown, ministerial or judicial appointments and honours.
Management forecasts, corporate finance and negotiations.
Examination marks and examination scripts.
Legal professional privilege.
A prospective data controller must notify the ICO of its intention to process personal data before starting any processing (section 18, DPA). Details notified are then recorded by the ICO on the register of data controllers. This register is available to the public for inspection (www.ico.gov.uk/ESDWebPages/search.asp).
Failure to notify the ICO is a criminal offence, and failure to notify does not release a data controller from the ongoing obligation to comply with all other requirements of the DPA.
Notification can be made in one of the following ways:
Online, at the ICO's website: www.ico.gov.uk/for_organisations/data_protection/notification.aspx.
By telephone, on the notification helpline (+44 1625 545 745).
By completing a notification form in hard copy.
Notifications must be renewed annually. A notification fee of GB£500 applies to data controllers with:
A turnover of GB£25.9 million and 250 or more members of staff.
250 or more members of staff, with no turnover requirement if they are a public authority.
All other data controllers fall into the lower-tier category and pay GB£35 each year.
Exceptions to the notification requirements exist for processing where the purpose is:
The maintenance of a public register (section 17(4), DPA).
Staff administration, advertising, marketing and public relations, accounts and record keeping.
Operations carried out by non-profit making organisations.
Data controllers relying on an exception from the obligation to notify the ICO must still comply with the other obligations of the DPA at all times in order to process personal data lawfully.
The main obligations imposed on data controllers by the DPA are set out in the eight data protection principles (Principles) (Part I, Schedule 1, DPA). Guidance on the Principles is also provided in the DPA (Part II, Schedule 1, DPA).
Unless expressly exempt, the Principles apply to all personal data processing and require that personal data must:
Be processed fairly and lawfully.
Be obtained only for specified, lawful purposes and not be subject to further processing in a manner incompatible with those purposes. Data controllers cannot collect data without first deciding what they are going to do with it.
Be adequate, relevant and not excessive to the purposes for which it is processed. Data controllers cannot process vast sets of personal data if they do not need that data for their defined purposes.
Be accurate and, where necessary, kept up-to-date. If recurrent processing is envisaged, data controllers require regular database overhauls.
Not be kept for longer than is necessary for the purposes for which it is processed. Data controllers must focus on what they have collected personal data for and if that task is completed, the data must be erased.
Be processed in accordance with the rights of data subjects under the DPA (see Questions 12 to 14).
Be protected, through appropriate technical and organisational measures, from unlawful processing, accidental loss, destruction or damage. What is appropriate will depend on the nature of the personal data and the context of its processing.
Not be transferred outside the EEA to any place that does not ensure an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data (see Questions 20 to 23).
While all of the Principles must be complied with when processing personal data, the first Principle, that processing be fair and lawful, underpins the other Principles.
For processing of personal data to be considered fair, one of the fair processing conditions of Schedule 2 of the DPA must be satisfied (see Question 10). Where sensitive personal data is processed, there is an additional requirement that one of the processing conditions of Schedule 3 of the DPA be met (see Question 11).
In addition, the first Principle requires that certain information is given to individuals before their data is processed (see Question 12). If a data subject is deceived or misled about the purpose for which the personal data is to be processed, the processing is not fair.
In published guidance, the ICO says it is of primary importance to consider the consequences of the processing to the individual, then the purposes and nature of the processing when assessing fairness.
What constitutes lawful processing is not clarified in the DPA. Therefore, the data controller must comply with all relevant rules of law when processing personal data, including all statute or common law rules, whether criminal or civil.
If all other obligations are complied with, obtaining consent from data subjects before processing their personal data makes processing fair and lawful. However, consent is not always required, as there are other justifications for processing an individual's personal data (see Question 10).
"Consent" is not defined in the DPA; however, the Data Protection Directive defines consent as an individual's freely given, specific and informed indication signifying agreement to the processing of their personal data.
Signifying agreement requires consent to be an active communication, but this need not be in writing. A common means of signifying consent is to set out the processing which will be undertaken and asking individuals to tick to signify their agreement to it. Consent cannot be obtained through acquiescence on the individual's part nor can it be obtained under duress or by misleading the individual.
Consent provided online is sufficient for DPA purposes if the individual receives all necessary information about the proposed processing, and signifies consent to this processing as personal data is submitted. This consent is commonly captured by ticking an electronic box or clicking an "I agree" or similar icon.
Consent from minors is not covered in the DPA as a special category. The ICO has recommended that it is good practice for parents to be consulted about important decisions affecting their children. However, the ICO also emphasises that the DPA confers rights on the individual, including minors. These rights should only be exercised by another on a minor's behalf if the minor is not capable of exercising them independently. In particular, the ICO supports the view that personal data collated from children directly should only be gathered, transferred or disclosed to third parties with the explicit, verifiable consent of the child's guardian, unless:
The child is more than 11 years old.
Information collected is only that information which is necessary to enable the child to be sent limited e-mail communications.
The child understands the implications of his actions.
In the absence of consent, personal data is processed fairly, as required by the first Principle (see Question 8), if the processing is necessary (Schedule 2, DPA):
To perform a contract with the individual, or to comply with a request by the individual to contract.
To comply with any non-contractual legal obligation of the data controller (for example, video surveillance in certain circumstances).
To protect the life of the individual.
For the administration of justice, to comply with a statute or for exercising functions of a public nature.
For the legitimate interests of the data controller or a third party to whom the data is disclosed, except where it is unwarranted because it is prejudicial to the individual.
Additional criteria apply in relation to sensitive personal data (see Question 11).
Sensitive personal data includes data relating to:
Race or ethnic origin.
Religious and other similar beliefs.
Trade union membership.
Physical and mental health.
Criminal proceedings and criminal records.
Sensitive personal data is only processed fairly and lawfully, under the first Principle (see Question 8) if, in addition to one of the fair processing conditions in Schedule 2 of the DPA (see Question 10), at least one of the following conditions is also satisfied (Schedule 3, DPA):
The individual gives explicit consent to:
the detail of the processing;
the type of data to be processed;
the purposes of the processing; and
any special aspects of the processing, such as disclosures of the data.
The processing is necessary to perform the data controller's employment law obligations.
The processing is necessary to protect the life of the individual where consent cannot be given or cannot reasonably be obtained (or of a third party where the individual to whom the data relates unreasonably withholds consent).
The processing is carried out by certain non-profit organisations.
The individual has made the data public.
The processing is necessary for the purpose of:
obtaining legal advice;
establishing or defending legal rights;
the administration of justice; or
exercising functions of a public nature.
The processing is carried out by a health professional and is necessary for medical purposes.
The data relates to racial or ethnic origin and is processed in the context of equal opportunity monitoring.
The data controller must ensure that the individual is provided with:
The name of the data controller (or its representative).
The purposes for which the data is intended to be processed.
Any other information necessary to ensure that processing is fair (such as the names of recipients of the data).
An individual can request information from a data controller. If the data controller is processing that individual's personal data, when requested, it must:
Inform the individual.
Describe the personal data being processed.
Give the purposes of the processing.
Identify any recipients, if the personal data is shared.
Provide this information in permanent form.
Where a processing decision is made by fully automated means, the individual is entitled to be informed about the logic involved in the process.
If an individual believes that a data controller processing their personal data is causing, or is likely to cause, substantial unnecessary damage or distress, the individual can send a notice to the data controller requiring that it stop the processing, within a reasonable time. However, this right does not apply where any of the conditions in Schedule 2 of the DPA are met (see Question 10).
An individual can also, by written notice, require a data controller to cease, or not to begin, processing his personal data for direct marketing. In addition, PECR generally require opt-in consent from individuals to receive direct marketing (however, see Question 18 for requirements relating to technologies for storing information, and accessing information stored, on a user's equipment).
An individual can, by written notice, require that a data controller ensures that no processing decision significantly affecting him (such as work performance, creditworthiness, reliability or conduct) is based solely on processing his personal data by automatic means. This right does not apply where the decision is made in relation to the entry into, or performance of, a contract with the individual and either:
The effect of the decision is to grant a request of the individual (such as a loan application).
Steps have been taken to safeguard the legitimate interests of the data subject (for example, allowing the individual to make representations).
An individual can apply for a court order requiring a data controller to rectify, block, erase or destroy inaccurate data relating to that individual (including an expression of opinion based on inaccurate data) (section 14, DPA).
Data controllers must take appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, damage or accidental loss or destruction (Schedule 1, Part 1, paragraph 7, DPA).
Neither the DPA nor the ICO provides details of what measures are appropriate, although BS7799, the British Standard for Information Security Management and its international counterpart ISO 27001, are used as reference points, and the ICO has released guidance on practical security steps that small businesses can take to improve their security. The UK Department for Business, Innovation and Skills has also produced guidance on security.
The ICO's view is that what is appropriate depends on the circumstances, particularly the harm that may result from a security breach. This may depend on the nature of the data. The data controller needs to adopt a risk-based approach, taking into account the state of technological development at any time and the associated costs. Management and organisational measures are as important as technical ones.
In addition, the data controller must take reasonable steps to ensure the reliability of any employees who have access to personal data, and is legally responsible for any third parties processing data on its behalf (see Question 17).
There is no general legal obligation under the DPA to notify security breaches to the data subject or the ICO. However, following the PECR Amendments there is a mandatory data breach notification requirement on electronic communications operators and internet service providers. If a personal data breach occurs in one of those service providers’ operations they must, without undue delay, notify that breach to the ICO.
Other sector specific requirements (for example, for financial services) to notify data breaches also apply.
Otherwise, the ICO's guidance states that it expects all other data controllers to bring serious data breaches to the ICO's attention. Seriousness is assessed based on the:
Potential harm to data subjects.
Extent of compromised personal data.
Sensitivity of the compromised personal data.
The processing must be carried out under a written contract requiring the data processor to act only on the data controller's instructions and to comply with the security requirements under the seventh Principle (see Question 8). As processing is widely defined, it is easy for an organisation to fall within the category of a data processor.
This requirement applies to a data processor regardless of whether it is part of the same corporate group structure as the data controller.
The requirements to provide the information and obtain consent do not apply where a cookie or similar device is to be used for one of the following purposes (Regulation 6.4, PECR Amendments):
Solely to carry out or facilitate transmission of a communication over an electronic communications network.
To store and access information only to the extent strictly necessary to provide a service requested by the user.
The ICO has published repeated guidance on the implementation of the amended PECR and how compliance might best be obtained. Updated ICO guidance endorses a more lenient approach to the validity of implied consent than that adopted by the Article 29 Working Party and many other regulators in the EEA.
In the UK, spam can take the form of any text (including SMS), voice, sound, or image (including video) message sent over a public electronic communications network if the message can be stored in the network or in the recipient's terminal equipment.
The PECR require that no party can transmit or instigate the transmission of unsolicited marketing material to an individual by these electronic means unless:
The individual has previously notified the message sender that he consents to receiving such communications.
The individual's contact details have been obtained directly by the message sender in the course of selling or negotiating with the individual for products or services to that recipient and the message relates to the message sender's similar products and services.
The individual is given a simple means to opt out of the use of his or her contact details for marketing purposes, both when the details are collected and at the time of each subsequent message.
Even if those conditions are satisfied, all messages must:
Clearly identify the party responsible for the message.
Provide a valid address where the receiving individual can send an opt-out request in respect of future similar messages.
These requirements apply whether the message is solicited or unsolicited, and whether the individual receives the message in a personal or corporate capacity.
Service providers must clearly identify all commercial communications and the person on whose behalf the message is sent (Electronic Commerce (EC Directive) Regulations 2002). Where the message is a promotional offer, competition or game, the relevant conditions of the offer must also be clearly and unambiguously stated. Where the message is unsolicited, its nature must also be made clear to the individual as soon as the message is received.
The DPA prohibits the transfer of personal data outside the EEA, unless the destination country ensures an adequate level of protection of the rights of the individual in relation to data processing. There are no special restrictions on the transfer of data within the EEA.
A transfer of data takes place only where some type of processing occurs. Simply passing through a country, for example, through a communications network, does not amount to a transfer.
The European Commission has made findings that the following countries offer an adequate level of protection:
Canada (subject to certain conditions).
Eastern Republic of Uruguay.
Isle of Man.
US (where the US recipient is a signatory to the Safe Harbor scheme, or under the 2007 EU-US Agreement on the transfer of passenger name record information).
In other cases, the data controller must determine whether a country provides an adequate level of protection. The data controller must also take into account that, if the processing of personal data is done by a data processor on the data controller's behalf, it will not comply with the seventh Principle (requiring appropriate technical and organisational security; see Question 8) unless the processing is done according to instructions in a written contract requiring, among other things, the data processor to comply with the seventh Principle (Schedule 1, Part II, paragraph 12, DPA).
Where a destination country does not, or is presumed not to, satisfy the adequacy test, the transfer of data can still be permitted if it is:
Done with the consent of the individual.
Necessary to enter or perform a contract with the individual (such as an employment contract) or is necessary to perform or conclude a contract with another party that is in the interests of the individual.
Necessary for reasons of substantial public interest (such as crime prevention or detection).
Necessary for, or in connection with, any legal proceedings (including prospective legal proceedings) for obtaining legal advice, or otherwise for establishing, exercising or defending legal rights.
Necessary to protect the life of the individual.
Made on terms approved by the ICO as ensuring adequate safeguards for the rights of the individual.
Authorised by the ICO as being made in a way that ensures adequate safeguards for the rights of the individual.
Also, the use of European Commission authorised model clauses or binding corporate rules (BCRs) provides adequate safeguards for the rights of the individual (see Question 21).
The European Commission has approved three sets of model clauses as providing adequate protection to transfer individuals' personal information, covering transfers outside the EEA of data from a data controller to either another data controller or to a data processor and its sub-processors. However, to rely on that approval, the clauses cannot be amended in any way. A separate contract is not required; the terms can be included in any general contract between the parties.
There are some cases where a data controller can reasonably decide that there is adequate protection without carrying out a detailed test (for example, where there is a contract in place requiring the data processor to have adequate security and act only on the data controller's instructions).
Corporate intra-group transfers of personal data from the UK to outside the EEA can be carried out using BCRs approved by the ICO. If a data controller wishes to use BCRs to export data out of the EEA from a number of different European jurisdictions, there is a co-operation procedure through which the data controller can propose a lead authority in one country who liaises with the other relevant authorities to have the BCRs approved by them all. To date, the ICO has approved the BCRs of 17 organisations. A similar process for data processors has been launched by the Article 29 Working Party with effect from 1 January 2013.
Assuming all the Principles are complied with (see Question 8), a data transfer agreement is sufficient to legitimise transfer of personal data outside the EEA.
Data transfer agreements do not need to be approved on an individual basis. The data controller is responsible for ensuring adequate protection exists when transferring personal data outside the EEA.
If the individual is unable to resolve an issue with the data controller, the individual can make a request for assessment to the ICO. Provided that sufficient information is supplied, the ICO must assess whether the processing complies with the DPA and inform the individual that it has made an assessment. The ICO can serve an information notice on a data controller requesting information.
The ICO's priority is to give the data controller advice and ask it to resolve the problem so that it will handle personal information properly in the future. Therefore, if the organisation has corrected the mistake, it is unlikely that the ICO will take action.
In the most serious cases, the ICO can serve an enforcement notice, which is a legally binding document requiring the data controller to take steps or refrain from processing data. If the data processing relates to journalistic, literary or artistic material, additional requirements may be imposed on the data controller by the ICO through a "special notice". However, in most cases the ICO cannot award compensation for a breach of the DPA although it can issue monetary penalty notices for the most serious breaches.
Failure to comply with an enforcement notice, information notice or a special notice (relating to journalistic, literary or artistic material) is an offence unless the data controller can show that he or she exercised all due diligence to comply with the notice.
The ICO also has powers (subject to a court warrant) of entry, inspection, and seizure of documents.
The ICO has the power to:
Serve information notices requiring organisations to provide the ICO with specified information within a certain time period.
Issue undertakings committing an organisation to a particular course of action to improve its compliance.
Serve enforcement notices and stop now orders where there has been a breach, requiring organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law.
Conduct consensual assessments (audits) to check organisations are complying.
Serve assessment notices to conduct compulsory audits to assess whether an organisation's processing of personal data follows good practice.
Issue monetary penalty notices, requiring organisations to pay up to GB£500,000 for serious breaches of the DPA occurring on or after 6 April 2010 or for serious breaches of PECR.
Prosecute those who commit criminal offences under the DPA.
Report to Parliament on data protection issues of concern.
Most of the offences created by the DPA can be tried in a magistrates' court or the Crown Court (or the Sheriff Court or the High Court of Justiciary in Scotland). Usually, prosecutions under the DPA are brought by the ICO. A person found guilty of an offence is liable, in a magistrates' court, to a fine not exceeding GB£5,000, or in the Crown Court, to an unlimited fine.
In its recent proposal for a new European data protection Regulation, the European Commission has proposed an overall cap on fines for non-compliance (which would be staggered according to seriousness) at 2% of the annual worldwide turnover of the non-compliant business.
Main areas of responsibility. The Information Commissioner's Office (ICO) is the UK's independent public authority set up to uphold information rights. It does this by promoting good practice, ruling on complaints, providing information to individuals and organisations and taking appropriate action when the law is broken.
The ICO enforces and oversees the following legislation:
It is responsible for data protection in England, Scotland, Wales and Northern Ireland; it also has some international duties.
Information Commissioner's Office
Description. Official website of the Information Commissioner's Office, the UK regulator. Maintained by the ICO and up to date.
Description. Official website of Her Majesty’s Stationery Office, part of The National Archives, part of the UK Government. Maintained by the legislation team at The National Archives and up to date to the extent relevant to this note. DPA available at www.legislation.gov.uk/ukpga/1998/29/data.pdf; PECR available at www.legislation.gov.uk/uksi/2003/2426/made/data.pdf.
Professional qualifications. Solicitor, Scotland; Solicitor, England and Wales.
Areas of practice. Advertising, sales and marketing; commercial law; data protection and privacy; digital-commerce; development, licensing and support for software, systems and devices; IT systems and services procurement; BPO and IT outsourcing; travel law and regulation.
Professional associations/memberships. Member of the Society for Computers and Law; ITechLaw and Computer Law Group.
Professional qualifications. Solicitor, England and Wales.
Areas of practice. Cross-sectoral technology service delivery contracts; information management and data protection; professional services, retail and supply-chain commercial and technology contracting; systems and services outsourcings; financial services IT.
Languages. German, Czech.