Privireal - Privacy in Research, Ethics and Law
"examining the implementation of the Data Protection Directive 95/46/EC
in relation to medical research and the role of ethics committees"

UK - Data Protection

History of Data Protection in the UK

The first legislation in the UK concerning data protection was the Data Protection Act 1984. This followed the principles of the OECD Guidelines of 1980, and the Council of Europe Convention of 1981. The Act only applied to data stored on a computer.

The Conservative government in the UK was unreceptive to the idea of a Data Protection Directive, arguing that there was no need for one. The UK thus had little influence on the final text of the Directive, agreed after protracted negotiations in 1995. However, the Labour government that was elected in 1997 placed Data Protection on its agenda as a part of its wider concerns for human rights.

The Data Protection Act, implementing Directive 95/46/EC, was passed on 16 July 1998. The Act faithfully transposes the provisions of the EC directive into UK law. However, much of the detail was left to secondary legislation; 17 Statutory Instruments were needed before commencement. More have been introduced subsequently. The Act eventually entered into force on 1 March 2000. Minor modifications were made under the Freedom of Information Act 2000.

Summary of Data Protection in the UK

Title of Data Protection Legislation: Data Protection Act 1998
Name of supervisory authority: The Information Commissioner
General Powers of supervisory authority: The Act sets out the functions of the Commissioner in section 51. Section 51(1) states that the Commissioner should promote good practice by data controllers, and promote the observance of the Act. Section 51(2) states that the Commissioner should advise the public about the operation of the Act. Section 51(3) states that the Commissioner should prepare and disseminate codes of practice. The Commissioner also assesses data controllers' observance of the Act, and can order compliance, as detailed on the Commissioner’s website.
Who has standing to notify the supervisory authority of breaches? The data subject
What are the penalties for data controllers if they breach the law? Section 60(2) of the Data Protection Act 1998 states that fines may be imposed on data controllers in breach of the law. In addition, according to section 60(4) “any document or other material used in connection with the processing of personal data and appearing to the court to be connected with the commission of the offence [can] be forfeited, destroyed or erased.”
Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? Schedule 1, Part II, paragraph 4 of the 1998 Act allows the Secretary of State to issue an order specifying when a general identifier may be fairly and lawfully processed.
Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? It is probably sufficient to use alternatives to consent even when it is not impracticable or inappropriate to obtain it. However, the Human Rights Act 1998, interpreted in the light of the ECHR, may give priority to consent.
Does the Data Protection Legislation cover the deceased? No
Who is able to indirectly identify the data subject? Only the data controller. This is a unique position among the countries that have implemented Directive 95/46/EC.
