The centrepiece of UK data protection law is the Data Protection Act 1998 (the “DPA”). This legislation was enacted pursuant to a European Directive. Data protection law governs the “processing” of “personal data”.
“Processing” is defined in the Act to mean: “… obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including – (a) organisation, adaptation or alteration of the information or data, (b) retrieval, consultation or use of the information or data, (c) disclosure of the information or data by transmission, dissemination or otherwise making available, or (d) alignment, combination, blocking, erasure or destruction of the information or data.”
In other words, almost anything you do with data will constitute “processing”.
“Personal data” is broadly defined to mean: “… data which relate to a living individual who can be identified – (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.”
So, for example, a list of names and addresses of customers will be personal data, as will an email address containing a person’s name.
Most of the key obligations in the DPA are placed upon “data controllers”. A data controller is defined as: “… a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.” In respect of personal data collected and processed through your website, you (or the company or other person who operates the website) will be the data controller.
The main consequences of this status are as follows. First, the DPA requires “notification” from data controllers, unless an exemption is available. You can find out more about notification (which costs £35 per year) on the Information Commissioner’s website. Second, individuals have certain rights under the DPA in relation to their personal data – for example, the well-known subject access right – with which data controllers must comply. Third, in the processing of personal data, data controllers must comply with the data protection principles.
In practice, a large number of UK websites operate in breach of data protection laws. Nonetheless, it is important that data protection compliance issues be addressed. Breaches of data protection legislation can lead to criminal as well as civil liability.