This applies to any person or organization that handles personal information about identifiable living people in the United Kingdom for uses other than personal ones.


The DPA is the principal piece of legislation governing the protection of personal data in the United Kingdom. It requires compliance with eight privacy and disclosure principles.


The DPA was passed by Parliament in 1998 to bring UK law into line with the European Directive of 1995, which required member states to protect people’s right to privacy with respect to personal data.


Public notification requirements, civil penalties  of up to £500,000, and criminal prosecution.


The EU Data Protection Directive harmonizes the various data protection laws of EU member states. Meanwhile, each member state has its own requirements, provisions, and penalties. In the United Kingdom, it’s the DPA.

Covered personal information includes names, birthdays, anniversary dates, addresses, telephone numbers, and email addresses. For the most part, it applies only to electronically stored information, but some paper records used for commercial purposes are also covered by it.

The DPA requires compliance with eight privacy and disclosure principles, as follows. Personal data …

  1. shall be processed fairly and lawfully and shall not be processed unless certain other conditions (set forth in the Act) are met.
  2. shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. shall be adequate, relevant, and not excessive in relation to the purpose or purposes for which it is processed.
  4. shall be accurate and, where necessary, kept up-to-date.
  5. processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. shall be processed in accordance with the rights of data subjects under this Act.
  7. shall be protected against unauthorized or unlawful processing, and against accidental loss or destruction or damage, by appropriate technical and organizational measures.
  8. shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.