UK Data Privacy Law

UK data privacy law is governed by the Data Protection Act (1998), and its application is overseen by the Information Commissioner’s Office (ICO). Like the laws of other European Union member states, the Act is based on Directive 95/46 of the European Union (Directive 95/46/EC), which relates to the protection of individuals from the misuse of data. There is also the Freedom of Information Act (2000), which allows a person to obtain information held on them by public authorities unless “there are good reasons to keep it confidential” (Freedom of Information Act 2000).

Areas of privacy included in the laws are CCTV, credit ratings, criminal records, education records, medical health records, housing, marketing calls, social networking, and unsolicited and junk email. Therefore, any person or organisation that is recording private data must register as a “Data Controller” with the ICO and adhere to these acts.

The Data Protection Act 1998 lists eight key principles which, in simplified, rephrased terms, are that you must have a legitimate reason for collecting personal data; you must be open about how you intend to use it and not use it to any negative effect on the person in question; and it must be stored securely and not used illegally. The data in question must also be kept up to date, not kept for any longer than necessary, and must not be sent to any country outside the EU unless privacy laws of an equal standard are in place.

One of the most important developments of these laws over the past decade has been to give the government bodies overseeing the implementation of privacy laws the power to audit and prosecute, under criminal law if necessary, people or organisations that are in breach of the rules.

In the UK in particular, it is interesting to read the recent list of enforcements under these acts (available at ) to see the type of organisations that have been found guilty of breach of privacy laws. Some, such as medical and education establishments, have a great duty of trust with their private data and you would expect that these organisations would be at the forefront of privacy protection. Seemingly not.

