

Data Protection & Information Security - Privacy Law Guide



Our modern day usage of technology has made it easier than ever to store and send personal information to others. Unfortunately, it has also made it easier for that information to be compromised. It is important to understand the responsibilities any organisations have which process personal information held about you, and your rights in obtaining your personal data. Data protection is enforced by an independent body and by law to make sure that your data is less likely to fall into the wrong hands and is only processed when necessary.

Information security is a related concept to data protection. It is more to do with the storage of computer data and relates to our storage of personal information as well as the security that other organisations must follow which hold information about us.

This guide will examine these related concepts and your legal rights in relation to organisations that hold your data. It will also look at common threats to your personal data that you may face at home and what you can do to prevent your own data being compromised.




Data, when relating to data protection, is a term for a set of information that is stored in such a way that a specific individual within that set can be identified. This is quite broadly defined in the Data Protection Act 1998, so that information written down in a filing system and information written down with the intention of being stored on a computer database are both covered.


Organisations that hold personal data on clients or customers must make sure that it is safeguarded from falling into the wrong hands and use it in an appropriate manner. The Data Protection Act 1998 regulates the usage and interpretation of information held about you, or ‘personal data’, the terminology used throughout the Act.

This legislation governs all organisations that may use your data, whether the organisation in question is your bank, building society or your local GP.


  • Definitions

As well as defining what is meant by data and personal data, the Data Protection Act 1998 (the DPA) also defines three key parties involved in data protection.

  • The Information Commissioner

The Data Protection Act 1998 and other related legislation is enforced by an independent body, the Information Commissioner’s Office. It provides advice to members of the public and can investigate organisations that it believes to be in breach of data protection regulations. Its main day-to-day role is to keep a register of all companies that have personal data on file.

  • The Data Controller

The data controller is the organisation or individual that has personal data on file. They must apply in advance to the Information Commissioner’s Office (ICO) before they can hold personal data. In a large organisation, a senior representative would be regarded as the data controller rather than the person who has actually typed the data into a computer. As the ICO summarises in its Guidance, “we take the view that having some discretion about the smaller details of implementing data processing (i.e. the manner of processing) does not make a person a data controller.”

  • The Data Subject

This is the person who has information held about them on file.

The Principles of Data Protection

The DPA also defines eight main principles that any organisations processing data must follow.

  • Principle 1: Personal data must be processed fairly and lawfully

This means that as a data subject, you should be aware that an organisation would be holding data on you. An organisation is statutorily obliged to either tell you or write to you to let you know when they are collecting information. This is known as a “fair processing notice” or a “privacy notice”.

  • Principle 2: Personal data is only held for a specified purpose

This means that data is only held for the reason or reasons given by the organisation holding your data (the Data Controller) to the Information Commissioner. So if they have agreed to use your data only for the purpose of sending you catalogues, they cannot use your data for sending you special offers unless you have expressly agreed this.

The Act says that in interpreting this principle, “regard is to be had by the method by which they are obtained”. So if you are asked over the phone to give personal details, the person you are speaking to should summarise briefly how they will use your information in accordance with the Act. This principle will also take into account whether or not someone is being deliberately misled.

  • Principle 3: Personal data must be relevant to and adequate for the purpose for which it is obtained. However, it must not be excessive.

Say, for example, you sell clothes on the Internet. To update your customers on new offers, you would need their e-mail address and their name for a personalised message to each customer. These details would be seen as both adequate and relevant. You might also have their postal address. However, keeping a record of their National Insurance Number or credit rating would be considered excessive.

  • Principle 4: Data must be accurate and kept up to date if necessary.

Inaccuracy often comes hand in hand with failure to keep personal data up to date. Essentially, any data controller (i.e. any individual or company which holds personal data) is potentially in breach of this Act if they do not have an accurate address or alternative way of contacting someone in accordance with what they need the data for.

  • Principle 5: Data must not be kept for longer than necessary.

If, for example, you apply for a job and are unsuccessful, companies have a finite amount of time to store your details after you have gone through the application process.

  • Principle 6: Data must be processed in accordance with the rights of the data subject

The data subject has rights given to them by the Data Protection Act, which will be discussed in the next part of this guide.

  • Principle 7: Data must be held securely

This principle is mainly to do with information security, which will be covered later on in the guide. Information security could also be defined as Principle 7 of the Data Protection Act 1998.

  • Principle 8: Data must not be transferred to any country outside the European Economic Area

This ring-fences all data within the EEA, or European Economic Area, which includes the EU and a few other states. As a consequence, some organisations have separate rules that allow them to send customer data outside the European Economic Area, provided the destination offers protections similar to those required within the EEA.

Your right to access data

You have a right to access any data that is held on you by a data controller. This is contained in section 7 of the 1998 Act.

The ICO, which publishes guidelines on how to request this information, recommends that you plan ahead. It is a good idea to write to the organisation you want to obtain your personal data from first, to find out which person or team is in charge of that data. If you don’t do this, you may have to wait considerably longer to obtain your data. However, it is a statutory requirement that the organisation gets back to you within forty days. You will be charged a fee by the organisation of up to £10 in order to obtain your data.

Once you have obtained the necessary contact details, you should write to the organisation.

Your correspondence should include your name, address and the personal information that you want to see. It should also include some reference to the Data Protection Act and subject access requests. The ICO provides a useful template to aid members of the public in accessing their information.

Sometimes the organisation may not give you the information you seek. This is because it may be deemed as ‘disproportionate effort’. They may also refuse to give you the information if it relates to another person not mentioned in the subject access request.

What are my other rights as a data subject?

The DPA also confers a number of additional rights on someone who has personal data held about them by an organisation.

  • The right to prevent data being processed which may cause damage or distress to the data subject

If the data being processed by an organisation causes unwarranted distress, then the person who is the subject of that data can apply in writing to stop that data being processed. Please note that the distress must be unwarranted – for example, credit agencies are allowed to hold credit scores on individuals under other parts of the DPA, so in such a case, the data subject would not have the right to stop the data being processed.

  • The right to stop direct marketing

This right allows you to stop any ongoing marketing you might receive from the organisation holding your data, such as marketing e-mails and junk mail through the post, also by applying in writing. You can enforce it before you receive any unwanted mail as well as after you have received it.

  • The right to prevent automated decisions being made

This allows the data subject “to ensure that no decision taken by or on behalf of the data controller which significantly affects that individual is based solely on the processing by automatic means of personal data”. For example, imagine that you have decided to apply to a bank for a loan. This right would allow you to require the organisation to review your case individually rather than rely on automated processing of the data it already holds on you.

  • The right to complain to the Information Commissioner’s Office

The DPA allows you to complain to the ICO if you feel that a data controller has contravened any part of the Data Protection Act.

  • The right to compensation

If you have suffered damage or distress as a result of the organisation holding data about you, you have the right to obtain compensation. Your distress or damage must be related to the organisation’s processing of your personal data.

  • The right to correct errors

If you believe an organisation has inaccurate information on you, such as a wrong address, the Act allows you to correct this error. You must write to the organisation and state exactly what you think is inaccurate. This provision only applies to facts and not opinions or points of view, so you could not use this provision if you disagreed with a medical diagnosis you have been given by your GP.

Freedom of Information

Public authorities must provide certain information about their activities. The legal framework for this in England and Wales is the Freedom of Information Act 2000. In Scotland, local authorities are covered by the Freedom of Information (Scotland) Act 2002. The Act grants a reciprocal benefit to members of the public in that they are entitled to request information from public authorities.

Information Security

This concept is best summed up in Principle 7 of the Data Protection Act 1998, which states: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of, or damage to, personal data”.

In broader terms, information security refers to the storage of data and personal information held on computer. It is relevant to us in our everyday lives if we work at an organisation which deals with customer data. However, it is also equally relevant when we are using the Internet at home. We all use passwords for many different websites and use the web for various different personal uses.

Threats to information security

There are various threats to the security of your personal data. The most common are the following:

  • Trojan horses

Trojan horses are pieces of software (script, code) hidden in seemingly reputable products that are designed to harm your computer.

  • Worms

Worms are pieces of software that exploit security loopholes in other software in order to obtain sensitive information and possibly harm your computer.

  • Phishing

This is one of the most common threats to information security. Phishing occurs when someone pretending to be a reputable organisation (e.g. a government organisation or a bank) sends you an unsolicited e-mail trying to get information out of you.

  • Accidental loss or damage

We can also lose data through accidental loss or damage. This is why it is good practice to use file encryption on USB memory sticks. Many organisations have banned the use of portable storage devices altogether because of the risks associated with them.

  • Social engineering

This is when someone befriends you in order to obtain personal information. This kind of attack is generally aimed at someone who works in a place that deals with highly sensitive customer data, such as a bank or a building society.


There are many different ways in which you can prevent or mitigate attacks on your personal information. This list is a starter, but is non-exhaustive.

  • Use a strong password

You should create a password that is a mixture of special characters, numbers and letters. You should also have a separate password for each website you log on to.

  • Make sure your Anti-Virus software is up to date

Anti-Virus software can stop the majority of malware and viruses from affecting your computer.

  • Never open anything that looks suspicious

If you receive any e-mail from an organisation asking for your personal details, you should not open it. Organisations generally never contact you in this way, and there may be signs that things are not what they seem, such as spelling mistakes or generic salutations, such as “Dear Customer” rather than using your name.

Data protection and information security are two related concepts that are more prominent now due to our reliance on technology. This does not mean that we should decrease our vigilance. The Data Protection Act 1998 provides the framework on which we can control our personal data, and we must use appropriate common sense at home to make sure that we do not unwittingly compromise our own personal data over the Internet.

Key Points

    • Data protection can be defined as the obligations that organisations holding data on you have to safeguard it from accidental loss
    • There are several principles surrounding data protection which organisations must adhere to
    • The main statute that protects your information is the Data Protection Act 1998.
    • Local authorities are statutorily obliged to provide certain information about their activities through the Freedom of Information Act 2000 or the Freedom of Information (Scotland) Act 2002 depending on their geographic location.
    • Information security can be defined as safeguarding computer systems that hold personal data
    • There are various different ways that you can put your information at risk at home daily.
    • There are a few ways in which you can mitigate information security threats

Nothing in this guide is intended to constitute legal advice and you are strongly advised to seek independent advice on matters that affect you.




Last Updated

Monday, 20 November 2017