The UK Data Protection Act is implemented by the information Commissioners Office (ICO) in UK to regulate the use of personal data that is made available to commercial and non commercial organizations by individuals for a variety of purposes. The ICO is an independent authority set up to uphold information rights in safeguarding individual privacy and to promote transparency in data use by public bodies.

The terminologies associated with “information” are defined granularly in the act.

  1. Data is defined in the Act to refer to processing of any kind of information automatically or manually. This information may be recorded with an intention to process electronically or may form or may be intended to form, a part of a relevant filing system or may form a part of an accessible record or information held by a public authority for any purpose.
  2. Accessible records can be health records, educational records, or public records that contain personal information in connection with an individual.
  3. Personal data is any data relating to a living individual who can be identified or includes an opinion about the individual or indications of the intentions of the data controller or any other person.
  4. Sensitive personal data is data that contains information about the racial or ethnic origin of the person, political opinions, religious beliefs, membership of trade unions, physical or mental health, sexual life, commission or alleged commission of offenses, or proceedings for offences committed or alleged to have been committed by the individual.

The term “processing” is also defined at some length as the process of “obtaining, recording, holding information or data or carrying out any operation or set of operations on the information or data”. In this context, any effort to organize, adapt, alert, retrieve, disclose or align information is considered “processing” of data. Data subjects are individuals to whom the information pertains and data controllers are entities who have collected and processed the data. Recipients are people or entities to whom data disclosures have been made.

Failure to ensure “fair processing” and identify “third party” to data processing can attract penal provisions under the act. Fair processing includes installation of all security systems for the protection of the data.

The fact that a number of penalties have been levied in 2010 under the Data Protection Act by the ICO is an indication that the act is beginning to show teeth and is clamping down heavily on entities that violated the provisions of the act during the year. It is a clear signal to the entities that collect information that compliance to the provisions is mandatory.