The Evolution of the Data protection act


Personal data, put simply, is “information about a particular person or individual.” Individuals can include anyone from employees and business contacts to customers and members of the public. Information that is public knowledge or about someone’s professional life can also be considered personal data. The Data Protection Act is therefore an act designed to which controls how personal data can be used and your rights to ask for information about yourself. 

So why do we need the data protection law? Firstly, it’s part of a person’s fundamental right to privacy. Especially with such rapid growth of technology and its role in society in recent years, naturally, there has been an increase in the holding of data banks. Nowadays very few businesses in fact don’t hold or process personal data. With the increase of storing and processing personal data, processing can include almost anything done with data including collecting, recording, analysing, disclosing, deleting (etc), it comes to little surprise that this has brought concerns about privacy and security. Data protection laws are therefore set in place to ensure people can trust businesses to use their data in a fair and responsible way. 

The data protection act 1984 

It was towards the end of the 20th century in which organisations, businesses, employers and society in general begun relying on computer systems to store information about individuals on large databases. As this use and reliance increased, parliament introduced the first legislation governing data protection in the form of the data protection act 1984 which came in to force in 1987. 

The act was also otherwise known as “an act to the use of automatically processed information relating to individuals and the provision of services in respect of such information.”

The Data Protection Act 1984 introduced basic rules of registration for users of data and rights of access to that data for the individuals to which it related. It set out a schedule of data protection principles which are the basis for processing personal information onto a computer.

The data protection act 1998

These rules and rights were revised and superseded by the Data Protection Act 1998 which came into force on 1st March 2000.

The Act applied when personal data was processed or was to be processed by a computer or was recorded or to be recorded in a structured manual filing system. There were other types of system covered by the Act, but these are the most common.

To be covered by the 1998 data protection act the following had to apply:

  • there must have been a set of information relating to individuals,
  • which was structured either by reference to individuals or by criteria relating to individuals,
  • in such a way that specific information relating to particular individuals was readily accessible. If your manual files were to fall within this definition, you would have to comply with the Act.

The act also introduced eight key principles for processing personal data into UK law. These included:

  1.  the personal data must be processed fairly and lawfully
  2. Personal data must be processed for specific lawful purposes 
  3. Personal data must be adequate, relevant and not excessive
  4. Personal data must be accurate and up to date
  5. Personal data must not be kept for longer than necessary
  6. Personal data must be processed in accordance with the rights of individuals 
  7. Personal data must be kept secure 
  8. Personal data must not be transferred outside of the European economic area without adequate protection

Data Protection Act 2018

The Data Protection Act 2018 achieved royal assent on 23 May 2018. The Act has seven parts including: 

  1. This Act makes provision about the processing of personal data. Most processing of personal data is subject to GDPR.
  2. Part 2 supplements the GDPR (see Chapter 2) and applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply (see Chapter 3).
  3. Part 3 makes provision about the processing of personal data by competent authorities for law enforcement purposes and implements the Law Enforcement Directive.
  4. Part 4 makes provision about the processing of personal data by the intelligence services.
  5. Part 5 makes provision about the information commissioner.
  6. Part 6 makes provision about the enforcement of the data protection legislation.
  7. Part 7 makes supplementary provision, including provision about the application of this Act to the Crown and to Parliament.

The Act introduces new offences that include knowingly or recklessly obtaining or disclosing personal data without the consent of the data controller, procuring such disclosure, or retaining the data obtained without consent. Selling, or offering to sell, personal data knowingly or recklessly obtained or disclosed would also be an offence.  

This act being the current UK data protection act introduced clearer individual rights for the processing of personal data. 


  1., , 2020
  2.  Pinset Madison,  30th March 2005
  3. Wikipedia, , 14th august 2020 
  4. Wikipedia, , 14th august 2020
  5. Pauline Jeffree, Sprink link, , 1994
  6. Adam Warren and James Dearnley, Taylor and Francis Online, , 12th April 2011 


Leave a Comment