Principles, Rights and Personal Data

What is the Purpose of the Data Protection Act? The Data Protection Act (DPA) came into effect in April of 2016 and became enforceable on May 25th two years later. The DPA came as a result of several years of development and stands as the United Kingdom’s adoption of the European Union’s General Data Protection Regulation (GDPR); a Europe-wide piece of legislation addressing two decades of technological development.

What is the Purpose of the Data Protection Act?

There are several purposes of the Data Protection Act, though the legislation is largely designed to protect individuals from having their personal information misused, exploited or mishandled. The DPA does so by, firstly, firmly establishing the rights of individuals, and secondly, placing well defined responsibilities upon organisations handling personal data, and guidelines for practices.

“The legislation requires increased transparency and accountability from organisations, and stronger rules to protect against theft and loss of data with serious sanctions and fines for those that deliberately or negligently misuse data”

CBE Elizabeth Denham, UK Information Commissioner

Before the updated legislation in 2018, the Data Protection Act 1998 contained 8 principles of data protection. Not deviating greatly from the 7 principles that exist as part of the Data Protection Act 2018, the DPA 1998, though reasonable for the time, failed to address the increased necessity for data protection present almost two decades on.

Principle 7 of the Data Protection Act 2018, ‘Accountability’, is perhaps the most significant addition to the holistic approach now taken. With this key principle, the responsibility to handle personal data appropriately and lawfully is placed directly upon organisations, whilst also obliging these entities to be able to demonstrate their continued compliance.

The Information Commissioner’s Office

The Information Commissioner’s Office was founded in 1984 and now acts as the independent official responsible for upholding information rights in the public interest, promoting data privacy for individuals and openness in public bodies.

The UK’s Information Commissioner, Elizabeth Denham stated at the time of its introduction that the Data Protection Act 2018 would make the UK one of the “world’s most progressive data protection regimes”. Adding:

“The previous Data Protection Act, passed a generation ago, failed to account for today’s internet and digital technologies, social media and big data.”

With the introduction of the Data Protection Act and GDPR, the role, scope and prominence of the Information Commissioner has grown significantly, dealing with many high-profile cases and handing out headline news fines to offending organisations.

Important Terms

To better understand what the purpose of the Data Protection Act is, there are some important terms that likely require a little further explanation. Within this legislation and all equivalents across Europe, the following terms are used similarly as to allow convergence and compliance.

Firstly, ‘personal data’, as one of the most frequently used and fundamental terms in data protection legislation refers to ‘any piece of information related to an identified, or potentially identifiable individual’. Secondly, ‘data subject’ defines the individual to which personal data refers. Next, ‘data processor’ refers to the party responsible for performing ‘processing’ (operations) upon personal data or data sets, which can be performed either manually or with an automated system.

The corresponding term to ‘data processor’ is ‘data controller’. As a ‘competent authority’ who alone or jointly determines the means and purpose of the processing. Though there is a controller/processer distinction, a single party can fulfil both roles.

Finally, ‘data breach’ is a vital term to define as its impact, and repercussions can be especially devastating. A data breach is the unlawful or accidental destruction, loss, unauthorised disclosure, alteration of, or access to, personal data.

Case Study: Cathay Pacific Airways Limited

The ICO announced in March of 2020 that they levied a fine of the DPA 1998’s maximum fine of £500,000 against international airline Cathay Pacific for failing to protect the security of its customers’ personal data.

The incidents in question took place between 2014 and 2018, with computer systems lacking appropriate security measures, which resulted in the unauthorised disclosure of 9.4 million customers’ personal data, 111,578 of that amount being UK citizens.

In their investigation, the ICO found a plethora of security failures, finding malware, a lack of password-protection, unpatched servers and inadequate anti-virus protection. The ICO’s Director of Investigation stated that the breach was “particularly concerning given the number of basic security inadequacies across Cathay Pacific’s system…the airline failed to satisfy four out of five of the National Cyber Security Centre’s basic Cyber Essentials guidance.

Enforcement and Fines

Having been previously capped at £500,000 by the DPA 1998, the Information Commissioner’s Office and enforcement authorities across Europe are now, post 2018, capable of levying fines up to 4% of annual global turnover (from the previous year), or 20 million Euros, whichever is larger.

At the time of its royal assent, the Information Commissioner noted, “although the ICO will be able to impose much larger fines – this law is not about fines. It’s about putting the consumer and citizen first.”

Though the consequences for failing to comply with data protection legislation have never been more significant, we are yet to see the ICO using its power to levy these potentially massive fines. Perhaps, in part, because many cases require years of investigation and many pre-GDPR cases/incidents are still being investigated, as such many of the effects of the DPA are perhaps yet to be seen.