Data Protection Act (1998)

It is the main piece of legislation that governs the protection of personal data in the UK.

It was enacted to bring UK law into line with European Directive of 1995. In practice it provides a way for individuals to control information about themselves. It required member status to protect people’s fundamental rights and freedoms and in particular the right to privacy with respect to processing of personal data

As security professionals, we need to be aware that this legislation exists and, particularly, of section 7

Appropriate technical and organisation measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8 Principles

Personal data shall be processed fairly and lawfully
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
Personal data shall be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are processed.
Personal data shall be accurate and, where necessary, kept up to date.
Personal data shall be processed in accordance with the rights of data subjects under this Act.
Personal data shall be processed in accordance with the rights of data subjects under this Act.
Appropriate tecknical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to , personal data.
Personal data shall not be transferred to a country or territory outside the EEA, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.