BBC Home
Explore the BBC
BBC News
Launch consoleBBC NEWS CHANNEL
Last Updated: Tuesday, 23 December, 2003, 15:46 GMT
Q&A: Data Protection Act
Recent news stories have suggested there is confusion about how to interpret and apply the Data Protection Act.

BBC News Online looks at the principles, history and problems of the legislation.

Q: Why is the Data Protection Act in the news?

Confusion about how to apply the Act has been highlighted by a number of news stories.

After Ian Huntley was convicted of the murders of Holly Wells and Jessica Chapman, it was revealed that Humberside police had deleted records about him.

Ian Huntley
Information about Ian Huntley was wiped from police computers

The force had wiped details of sexual allegations against Huntley because it thought it was in accordance with the Act.

On Monday it emerged that British Gas had failed to inform social services it had cut off the gas supply to an elderly couple, who were later found dead in their home.

The supplier said it had tried to comply with the Act.

And on Tuesday, Metropolitan Police Commissioner Sir John Stevens said the Act required "urgent clarification".

He pointed to long-term, widespread problems among police bodies interpreting the Act.

Sir John said confusion around the Act had hampered attempts by police to build psychological profiles of offenders and suspects.

Q: What is the purpose of the Act and what are its powers?

The main aim of the Act is to protect individuals' rights to privacy and to ensure they have access to information held about them and can correct it.

It also protects against excessive and unreasonable retention of data.

The Act has eight central principles that aim to ensure that personal information is handled properly.

Data handlers must ensure that data is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate
  • Not kept for longer than is necessary
  • Processed in line with individuals' rights
  • Secure
  • Not transferred to countries without adequate protection

    The Information Commissioner is empowered to serve enforcement notices on companies found to be violating these principles.

    But very rarely do such infringements become criminal matters.

    Q: What is the history of the Data Protection Act?

    The increasing use of computers in the 1970s first prompted concerns about the risks they posed to privacy.

    In 1981 the Council of Europe Convention established standards among member countries, to ensure the free flow of information among them without infringing personal privacy.

    Three years later the UK's first Data Protection Act was introduced.

    It required public and private organisations with access to computer-held personal data to register with a Data Protection Registrar, who also enforced the Act.

    It did not, however, explicitly recognise the individual's right to privacy.

    That changed with the Data Protection Act 1998, which built on an EC directive of 1995 and was introduced with the explicit aim of protecting the right to privacy.

    It specified conditions for the processing of data, tightened restrictions on the use of particularly sensitive information and broadened the definition of data to include some details held on paper.

    It separated the functions of registration and enforcement and increased the powers of what is now known as the Information Commissioner.

    Q: What problems are associated with the Act?

    It aims to enshrine worthy principles about the protection of the individual, but is often vague on the specifics.

    The government's inquiry into apparent failures in the detection of Soham murderer Ian Huntley will extend to looking at police difficulties interpreting the Act

    For example, the law simply states that information should be kept "no longer than necessary" without giving any precise guidelines, says Ruth Boardman, the co-author of Data Protection Strategy: Implementing Data Protection Compliance.

    The data user, she says, is required to interpret the law and may often choose to err on the side of caution, meaning records may be deleted too hastily.

    The law as it stands also applies to almost every organisation - even those which may hold innocuous information.

    Some of the problems associated with the Act are bound up in its history.

    The 1998 Act takes its cue from the 1995 EC directive.

    But the directive itself is described by a University College London guide as an "unhappy mixture of broad general principles and detailed prescriptive measures, many of which reflect the domestic interests of particular member states".

    This can make it genuinely difficult to interpret.

    Q: How could the Act be improved?

    Some relatively straightforward changes could be made, say experts.

    This could include restricting the types of information the Act applies to, stripping some of its bureaucracy away and perhaps restructuring parts of the legislation.

    Other suggestions include encouraging industry bodies, including the police, to develop specific guidance.

    The complexities of the law could then be translated into specific codes of practice for different industries and services.

    Phil Jones, assistant commissioner at the Information Commission, says he encourages such initiatives.

    Q: What lies ahead?

    The government's inquiry into apparent failures in the detection of Soham murderer Ian Huntley will extend to looking at police difficulties interpreting the Act.

    The Information Commissioner also says it will consider how to improve interpretation of the law.


    The BBC is not responsible for the content of external internet sites


    News Front Page | World | UK | England | Northern Ireland | Scotland | Wales | Politics
    Business | Entertainment | Science/Nature | Technology | Health | Education
    Have Your Say | Magazine | In Pictures | Week at a Glance | Country Profiles | In Depth | Programmes
    Americas Africa Europe Middle East South Asia Asia Pacific