Currently, the United Kingdom's Data Protection Act governs how personal information is processed and used by organisations and the government. The Data Protection Act is especially relevant to businesses that rely on IT software to store data and information.
Enacted in 1998, the Data Protection Act sought to improve data privacy standards and enable citizens to access and control their personal information. With the exception of national security or criminal concerns, all organisations that store any "identifiable" information, such as names, addresses, or emails, must follow the Data Protection Act and pursue the necessary measures to protect the data and security of users. According to the government's website, there are stronger legal protective measures and repercussions associated with more sensitive information, such as ethnicity, political beliefs, and health.
The Data Protection Act consists of eight "principles" that businesses and organisations must follow:
Personal data must be used "fairly and lawfully"
Whenever an organisation collects personal information, it must obtain the individual's consent. Written disclaimers and other notices must clearly articulate exactly how and for what purposes personal information will be used.
Personal data must be used "for limited, specifically stated purposes"
This principle ensures that organisations use and process data solely for the reasons that were originally agreed upon. If an organisation seeks to use personal information for purposes that were not explicitly stated in the original disclaimer, then it must obtain further approval from the customer.
Personal data must be used in a manner that is "adequate, relevant and not excessive"
Although this principle is worded slightly vaguely, it holds that information collection and processing must be reasonable. According to this principle, organisations should not hold personal information that is not "necessary" for their operations.
Personal data collected must be "accurate"
The fourth principle ensures that information is accurate. The government's concern is that misstatements and misrepresentations can ultimately harm the customer.
Personal data must be kept "for no longer than is absolutely necessary"
Although assessing what is "absolutely necessary" requires normative judgements, the fifth principle prompts companies to hold data only for as long as it is essential for organisational operations. To adhere to the fifth principle, companies should review and destroy information that is no longer necessary for their day-to-day operations.
Personal data use must align with "data protection rights"
Through the Data Protection Act, the UK government established that citizens can control how their information is used and processed. An individual has the right to access a copy of the personal data being held, prevent the processing of their data for direct marketing, and correct any inaccurate personal data.
Personal information must be "safe and secure"
This is perhaps the most relevant principle for IT firms and companies that rely on IT tools to store data. According to the seventh principle, it is the organisation's responsibility to ensure personal data is kept secure. Any data exposure or breach resulting from negligence will likely result in heavy fines.
Personal information must not be transferred outside the European Economic Area without "adequate protection"
Any personal data from the UK should not be stored outside the European Union unless appropriate security measures are pursued. Some foreign countries, such as Canada and Australia, have arranged Safe Harbouring schemes with the European Commission, and they are considered to provide "adequate protection". Recently, through a court decision made in October 2015, the European Commission has "invalidated" the pre-existing Safe Harbouring arrangements with the United States. However, there are reports citing that a new Safe Harbour arrangement between the US and the UK is "within reach".
Please note, though, that the European Commission seeks to reform current data protection standards through the General Data Protection Regulation, which is expected to be adopted in 2017.