Data Protection

Information about the Data Protection Act and the requirements placed upon organisations when collecting and storing data.

The Data Protection Act 1998, which replaced the 1984 Act, received Royal Assent on 16th July 1998 and came fully into force in 1999.

Responsible Officer Contact Information

For information about the Data Protection Act email:

Telephone: (01354) 654321

Fax: (01354) 606917

As with the 1984 Act, the 1998 Act gives legal rights to individuals (data subjects) in respect of personal data held about them. The Act gives effect in UK law to EC Directive 95/46/EC (the 'Directive').

Purpose of the Act

The Data Protection Act 1998 is designed to cover the collecting, storing, processing and distribution of personal data. It gives rights to individuals about whom information is recorded.

This applies to all individuals whether they are an employee, elected member or a member of the public. Each individual has the right to access personal data, prevent processing likely to cause damage or distress and prevent processing for the purposes of direct marketing.

They also have rights in relation to automated decision taking, to take action for compensation if they suffer damage by any contravention of the Act by the data controller, to rectify, block, erase or destroy inaccurate data and to make a request to the Data Protection Commissioner for an assessment to be made of the data controller if they feel that the Act has been contravened.

The Act places obligations on those who record and use personal data (data controllers). They must be open about the use of such personal data through Notification (see the link to the Information Commissioner's Office above) and they must follow sound and proper practices by applying the Data Protection Principles.


Data protection law changes on 25 May 2018 with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) replacing the Data Protection Act 1998 (Directive 95/46/EC).

The GDPR is a regulation by which the European Union intends to strengthen and unify data protection for all individuals within the European Union (EU). It also covers the export of personal data outside the EU. The UK government has already confirmed that these regulations will be retained after the UK leaves the European Union in 2019.

Each Member State within the EU is required to establish an independent Supervisory Authority. The Supervisory Authority in the United Kingdom is the Information Commissioner's Office (ICO). The ICO is an independent body that ensures businesses, in both the public and private sectors, comply with Data Protection regulations. It is also where members of the public can complain if they believe their data is not being processed in accordance with legislation. The ICO has the power to fine bodies that contravene the regulations.

GDPR is an extension of the existing Data Protection Rules. The regulation aims primarily to give control to citizens over their data through a series of rights and to simplify the regulatory environment.