Data Protection Act 1998

Published on: 8/17/2014
Topic: Cyber Security Compliance Standards
The Data Protection Act 1998 requires every data controller who is processing personal information in an automated form to notify, unless they are exempt. Failure to notify is a criminal offence. Register entries have to be renewed annually. If you are required to notify but don’t renew your registration, you are committing a criminal offence.

General summary of principles

This section provides a quick overview of what the Key Principles of information-handling practice mean. The Key Principles themselves are discussed below in the context of their definition in law.

- Data may only be used for the specific purposes for which it was collected.

- Data must not be disclosed to other parties without the consent of the individual whom it is about, unless there is legislation or other overriding legitimate reason to share the information (for example, the prevention or detection of crime). It is an offence for Other Parties to obtain this personal data without authorisation.

- Individuals have a right of access to the information held about them, subject to certain exceptions (for example, information held for the prevention or detection of crime).

- Personal information may be kept for no longer than is necessary and must be kept up to date.

- Personal information may not be sent outside the “European Economic Area” unless the individual whom it is about has consented or adequate protection is in place, for example by the use of a prescribed form of contract to govern the transmission of the data.

- Subject to some exceptions for organisations that only do very simple processing, and for domestic use, all entities that process personal information must register with the Information Commissioner’s Office.

- The departments of a company that are holding personal information are required to have adequate security measures in place. Those include technical measures (such as firewalls) and organisational measures (such as staff training).

- Subjects have the right to have factually incorrect information corrected (note: this does not extend to matters of opinion).

Data Protection Principles

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless: (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4. Personal data shall be accurate and, where necessary, kept up to date.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6. About the rights of individuals, e.g. you have the right to have data about you removed.

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

What is considered personal data?

Personal data means data which relate to a living individual who can be identified:

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

It is important to note that, where the ability to identify an individual depends partly on the data held and partly on other information (not necessarily data), the data held will still be “personal data”.

Example: An organisation holds data on microfiche. The microfiche records do not identify individuals by name, but bear unique reference numbers which can be matched to a card index system to identify the individuals concerned. The information held on the microfiche records is personal data.

The definition also specifically includes opinions about the individual, or what is intended for them.

Example: A manager’s assessment or opinion of an employee’s performance during their initial probationary period will, if held as data, be personal data about that individual. Similarly, if a manager notes that an employee must do remedial training, that note will, if held as data, be personal data.

Sensitive personal data means personal data consisting of information as to:

(a) the racial or ethnic origin of the data subject,

(b) his political opinions,

(c) his religious beliefs or other beliefs of a similar nature,

(d) whether he is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),

(e) his physical or mental health or condition,

(f) his sexual life,

(g) the commission or alleged commission by him of any offence, or

(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

The presumption is that, because information about these matters could be used in a discriminatory way, and is likely to be of a private nature, it needs to be treated with greater care than other personal data. In particular, if you are processing sensitive personal data you must satisfy one or more of the “conditions for processing” which apply specifically to such data, as well as one of the general conditions which apply in every case.

Scope of data

The Act covers any data about a living and identifiable individual. Anonymised or aggregated data is not regulated by the Act, provided the anonymisation or aggregation has not been done in a reversible way. Individuals can be identified by various means, including their name and address, telephone number or email address. The Act applies only to data which is held, or intended to be held, on computers (‘equipment operating automatically in response to instructions given for that purpose’), or held in a ‘relevant filing system’.

In some cases even a paper address book can be classified as a ‘relevant filing system’, for example diaries used to support commercial activities such as a salesperson’s diary.

Does the Data Protection Act apply to me?

This might seem an obvious question. However, the Act applies to a particular activity, “processing personal data”, rather than to particular people or organisations. So, if you “process personal data”, then you must comply with the Act and, in particular, you must handle the personal data in accordance with the data protection principles. Broadly, if you collect or hold information about an identifiable living individual, or if you use, disclose, retain or destroy that information, you are likely to be processing personal data. The scope of the Data Protection Act is therefore very wide, as it applies to just about everything you might do with individuals’ personal details.

Exemptions from notification

Most organisations that process personal data must notify the ICO. However, there are some exemptions. By working through questions 1-9 of the online self-assessment, or by downloading the Notification exemptions – self-assessment guide, you will be able to determine whether you need to notify. Data controllers who are exempt from notification must comply with the other provisions of the Act, and may choose to notify voluntarily.

Need to notify under the Data Protection Act

The Information Commissioner’s Office maintains a public register of data controllers. Each register entry includes the name and address of the data controller and details about the types of personal information they process. Individuals can check the register to find out what processing of personal information is being done by a particular data controller. Notification is the process by which a data controller’s details are added to the register.

Do I need to notify?

The Data Protection Act 1998 requires every data controller who is processing personal information in an automated form to notify, unless they are exempt. Failure to notify is a criminal offence. Register entries have to be renewed annually. If you are required to notify but don’t renew your registration, you are committing a criminal offence.

How do I notify?

There are three ways to notify:

1. On the internet

2. Request for a notification form

3. By telephone

Do I need to renew my register entry?

Yes. The notification period is one year from the day ICO receive your correctly completed notification form. Your entry will expire unless it is renewed. If you are required to notify but fail to renew your registration, you are committing a criminal offence.

How much does it cost and how can I pay?

There is a two-tiered notification fee. The two-tiered structure is based on an organisation’s size and turnover. A data controller will need to assess which tier they fall in and hence the fee they are required to pay. The fee for tier 1 is £35 and the fee for tier 2 is £500.

The period of notification is one year, after which time you will need to renew your notification. A notification fee of £500 applies to data controllers with either:

- a turnover of £25.9M and 250 or more members of staff; or

- if they are a public authority with 250 or more members of staff.

All other data controllers fall into the lower-tier category, paying £35 per annum unless they are exempt.

What does “fair processing” mean?

The first data protection principle requires you to process personal data fairly and lawfully. Ensuring fairness in everything you do with people’s personal details is, in our view, central to complying with your duties under the Data Protection Act. In practice, it means that you must:

- have legitimate reasons for collecting and using the personal data;

- not use the data in ways that have unjustified adverse effects on the individuals concerned;

- be open and honest about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data;

- handle people’s personal data only in ways they would reasonably expect; and

- make sure you do not do anything unlawful with the data.

Fairness generally requires you to be transparent: clear and open with individuals about how their information will be used. Transparency is always important, but especially so in situations where individuals have a choice about whether they wish to enter into a relationship with you. Assessing whether information is being processed fairly depends partly on how it is obtained. In particular, if anyone is deceived or misled when the information is obtained, then this is unlikely to be fair.

What is a privacy notice?

One of the requirements of the Act’s fair processing provisions is that certain information is given to the individuals concerned. The oral or written statement that individuals are given when information about them is collected is often called a “privacy notice” or a “fair processing notice”.

ICO have published a Privacy Notices Code of Practice to help organisations draft clear privacy notices and to ensure they collect information about people fairly and transparently. In general terms, a privacy notice should state:

- your identity and, if you are not based in the UK, the identity of your nominated UK representative;

- the purpose or purposes for which you intend to process the information; and

- any extra information you need to give individuals (in the circumstances) to enable you to process the information fairly.

Subject rights

The Data Protection Act creates rights for those who have their data stored, and responsibilities for those who store, process or The person who has their data processed has the right to:

- View the data an organisation holds on them, for a small fee, known as ‘subject access fee’.

- Request that incorrect information be corrected. If the company ignores the request, a court can order the data to be corrected or destroyed, and in some cases compensation can be awarded.

- Require that data is not used in any way that may potentially cause damage or distress.

- Require that their data is not used for direct marketing.

Personal data which is normally held for under 40 days may be legitimately denied in subject access requests under the Act. This is a consequence of the time limit data controllers must meet in making their response. If the data has been deleted by the normal procedures of the business by the time the data controller responds to a request, that data cannot be supplied.

Conditions relevant to the first principle

Personal data should only be processed fairly and lawfully. In order for data to be classed as ‘fairly processed’, at least one of these six conditions must be applicable to that data (Schedule 2).

1. The data subject (the person whose data is stored) has consented (“given their permission”) to the processing;

2. Processing is necessary for the performance of, or commencing, a contract;

3. Processing is required under a legal obligation (other than one stated in the contract);

4. Processing is necessary to protect the vital interests of the data subject;

5. Processing is necessary to carry out any public functions;

6. Processing is necessary in order to pursue the legitimate interests of the “data controller” or “third parties” (unless it could unjustifiably prejudice the interests of the data subject).[8]


The Act details a number of civil and criminal offences for which data controllers may be liable if a data controller has failed to gain appropriate consent from a data subject. However ‘consent’ is not specifically defined in the Act; consent is therefore a common law matter.

Section 21 – This section makes it an offence to process personal information without registration or to fail to comply with the notification regulations.

Section 55 – Unlawful obtaining of personal data. This section makes it an offence for people (Other Parties), such as hackers and impersonators, outside the organisation to obtain unauthorised access to the personal data.

Section 56 – This section makes it a criminal offence to require an individual to make a Subject Access Request relating to cautions or convictions for the purposes of recruitment, continued employment, or the provision of services.
