Legislation overview

The main legislation governing data protection is the Data Protection Act 1998 (DPA) which came into force on 1 March 2000.

The DPA implements an EU Directive (the Data Protection Directive 95/46/EC) and both the Act and the Directive aim to give individuals rights in connection with the processing of manual and computerised personal data and on the movement of such data.

Other important statutory provisions concerning data protection include the following:

  • Police Act 1997
  • Human Rights Act 1998
  • Freedom of Information Act 2000 (FOI Act) (only applicable to public authorities)
  • Regulation of Investigatory Powers Act 2000 (RIPA)
  • The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699)
  • The Data Protection (Processing of Sensitive Personal Data) Order 2000 (SI 2000/2905)
  • The Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426)
  • The Environmental Information Regulations 2004 (SI 2004/3391)
  • The Data Protection (Processing of Sensitive Personal Data) Order 2006 (SI 2006/2068)
  • Criminal Justice and Immigration Act 2008
  • The Data Protection (Notification and Notification Fees) (Amendment) Regulations 2009 (SI 2009/1677)
  • The Data Protection (Processing of Sensitive Personal Data) Order 2009 (SI 2009/1811)
  • The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 (SI 2010/31)
  • The Data Protection (Monetary Penalties) Order 2010 (SI 2010/910)
  • The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208)
  • Protection of Freedoms Act 2012

Information and guidance are available from the Information Commissioner's Office (ICO) website - see the related Q&A Where can guidance and assistance on interpretation of the Data Protection Act be found?

In December 2015, after months of negotiations, the EU Commission, Parliament and Council of Ministers reached agreement on the General Data Protection Regulation.

Significant changes are proposed which will affect how all employers (and other institutions) throughout the EU deal with personal data. For more information see the related Q&A What changes are likely to result to data protection from the EU General Data Protection Regulation?

Q: What is the Information Commissioner's Office?

Q: Where can guidance and assistance on interpretation of the Data Protection Act be found?

Q: What is data protection and what are the eight data protection principles?

Q: Who are data controllers?

Q: Does the Data Protection Act only apply to data processed in relation to employees?

Q: What data does the Data Protection Act apply to? Are videos, CCTV and emails covered?

Q: Are manual personnel and other manual files likely to be covered by the Data Protection Act?

Q: If an individual is entitled to request to view their personnel file from an employer (subject access request), what is the procedure?

Q: Can employers require people to use their subject access rights to provide certain records, such as police records, as a condition of employment?

Q: If an employer contracts out payroll services what are the obligations as regards the supply of data to this third party?

Q: What is the definition of 'sensitive personal data' and what additional measures must an employer take when processing this type of data?

Q: Do employers need to seek explicit consent from employees before processing data relating to the reasons for sickness absence?

Q: Is there any guidance on the length of time personnel records or individual items of data should be retained?

Q: How do the requirements of the Data Protection Act apply to the provision of references?

Q: What can an employee do if they believe that an employer has breached their rights under the Data Protection Act?

Q: Can an employer video employees, monitor and or intercept or monitor telephone calls, emails or use of the Internet?

Q: What should an employer do to manage employees’ use of social networking sites such as Facebook?

Q: What are the potential liabilities and risks for an employer if employees misuse the email system and the Internet?

Q: What are the issues arising for an employer if employees are supplied with their own smart phones or use their own devices at work?

Q: What is the Freedom of Information Act and to whom does it apply?

Q: What changes are likely to come into force under the General Data Protection Regulation?

Q: Are there any future developments expected in the area of data protection, surveillance and privacy at work?