Data Protection Act 1998

The Data Protection Act 1998 is an Act of Parliament that sets out UK law regarding the processing and use of personal information about individuals by organisations. The Data Protection Act 1998 came in to force on the1st March 2000 and replaced the Data Protection Act 1984. The Act refers to data regarding living, identified or identifiable individuals such as names, addresses, bank details and opinions about individuals.

If an orgnaisation stores an individuals’ personal details then they must comply with the Data Protection Act. The Act allows individuals right of access to personal data held by organisations about themselves within England and Wales. The Act gives individuals power to lawfully control information that is held about themselves and ensures organisations collect and use individuals personal data legitimately.

The legislation itself is complex and in places difficult to understand. The Act regulates how personal information is used and requires organisations to comply with eight simple data protection principles. Personal information can be used by an organisation only where it meets one of six conditions set out in the Act.

This includes having the individuals’ consent or having a legitimate interest in using individuals personal information. For the large part, the Act does not apply to domestic use such as keeping a personal address book. Anyone holding personal data for purposes other than domestic use is legally obliged to comply with the Data Protection Act subject to a few exemptions.

The Act classifies some personal information as sensitive and there are strict rules regarding sensitivity. This information includes ethnic origin, sexual orientation, political opinions, religious beliefs, trade union membership, physical or mental health conditions, criminal offences or alleged criminal offences committed and proceedings relating to those criminal or alleged criminal offences.

Organisations can only use sensitive information where they can meet at least one of a narrower set of conditions as well as being able to meet one of the six standard conditions for processing personal information. These narrower conditions make sure that this sensitive information is only used by an organisation where there is an essential need to use it.


The eight data protection principles are:

1. Personal data shall be processed fairly and lawfully.
2. Personal data should be obtained for only one or more specified and lawful purposes and should not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data should be adequate, relevant and not excessive in relation to the purposes for which they are processed.
4. Personal data shall be accurate and kept up to date.
5. Personal data processed for any purpose should not be kept for longer than is necessary for any purpose.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate security or technical and organisational measures should be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to personal data.
8. Personal data should not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.


Information Commissioner’s Office (ICO)

The Information Commissioner’s Office or the ‘ICO’ is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The ICO enforces and regulates the Data Protection Act, the Freedom of Information Act, the Environmental Information Regulations and the Privacy and Electronic Communications Regulations.

It’s main functions is to educate, promote good practice and provide information and advice to organisations and individuals. The ICO resolves complaints from individuals that think their rights may have been breached and enforces legal sanctions against organisations that ignore or refuse to adhere to their legal obligations.

The ICO makes rulings on eligible complaints and takes the appropriate action when organisations are in breach of the law. Any organisation that stores personal information is required to register with the ICO as a registered data controller. The Act requires some organisations to inform the Information Commissioner’s Office (ICO) what they use personal information for.

The data protection powers of the Information Commissioner’s Office are to conduct assessments to check organisations are complying with the Act, serve information notices requiring organisations to provide the Information Commissioner’s Office with specified information within a certain time period, serve enforcement notices and ‘stop now’ orders where there has been a breach of the Act, requiring organisations to take (or refrain from taking) specified steps in order to ensure they comply with the law, prosecute those who commit criminal offences under the Act, conduct audits to assess whether organisations processing of personal data follows good practice and report to Parliament on data protection issues of concern.

Appeals from notices are heard by the Information Tribunal, an independent body set up specifically to hear cases concerning enforcement notices or decision notices issued by the Information Commissioner. The ICO’s new power to issue monetary penalties came into force on 6 April 2010, allowing the ICO to serve notices requiring organisations to pay up to £500,000 for serious breaches of the Data Protection Act.

Looking after individuals rights and ensuring organisations comply with the law is only part of the work undertaken by the ICO. The ICO also commissions research to provide individuals with a greater understanding of data protection and freedom of information and how these issues affect individuals. This research is intended to help the ICO understand the nature and range of matters they may need to address and assists decision making.


Subject Access Request

You have the right to get a copy of the information that is held about you by a charity advertising organisation. This is known as a ‘subject access request’. This right of subject access means that you can make a request under the Data Protection Act to any advertising organisation processing your personal data.

You can ask the organisation to supply you with copies of both paper and computer records and any other related information. Charity advertising organisations are able to request a fee of up to £10 to cover their stationery costs when processing a request.

When making a subject access request, you should include your full name, address, telephone number, account number and details of the specific information and dates you require, copies of sent emails and payments received by the Data Controller.

Give reference to the 40 day legal deadline that applies when dealing with requests to provide personal information and make reference to the Data Protection Act 1998 and subject access requests. Also provide contact details for the Information Commissioner’s Office if they need assistance when processing your request.

Approaching the organisation in this manner should make it very clear to them that they must comply with their legal obligations and that action will be taken by you if they fail to comply with your request.


Your Concerns

If you are concerned that a support publishing firm may be in breach of their legal obligations in regards to personal information they may hold about you or are witholding data they may be holding about you or are collecting and using your or other individuals details illigitimately  then you can contact the ICO on their helpline number on 0303 123 1113 to report your concerns and for advice.

You will be given the option to complete an official complaint form. The ICO is available from 9am to 5pm, Monday to Friday. Please use the link we have provided below to visit the ICO website. Alternatively, if you have instructed TAPA to represent your business and have any concerns about your rights or require any additional support, then you can contact your appointed representative for assistance if you have any concerns regarding personal information held about you by support publishing firms.