What is the primary difference between a Data Controller and a Data Processor?

The Data Controller is the entity that decides the 'why' and 'how' of data processing and holds legal responsibility. The Data Processor is a third party that processes data only as instructed by the Controller.

How does 'Personal Data' differ from 'Sensitive Personal Data' under the 1998 Act?

Personal Data is general identifying info like a name or address. Sensitive Personal Data includes more private details like health, religion, or criminal records, which require much stricter legal conditions to process.

When comparing Principle 2 (Purpose) and Principle 5 (Retention), how do they interact?

Principle 2 dictates that data can only be used for its original stated purpose, while Principle 5 mandates that once that specific purpose is fulfilled, the data must be deleted.

True or False: The Data Protection Act 1998 only applies to data stored on computers.

False. The Act also applies to manual (paper) records if they are stored in a 'relevant filing system' where specific information about individuals is easily accessible.

What is a common misconception regarding the rights of deceased individuals under the DPA 1998?

A common error is assuming the DPA protects the data of the deceased. The Act explicitly defines a Data Subject as a 'living individual,' so it does not apply to those who have passed away.

Does Principle 7 (Security) only refer to digital hacking?

No. Security also includes physical measures (like locked filing cabinets) and organizational measures (like staff training) to prevent accidental loss or unauthorized disclosure.

Define a 'Subject Access Request' (SAR).

A SAR is a formal request made by a data subject to a data controller to receive a copy of all personal data the organization holds about them.

What is the role of the Information Commissioner's Office (ICO)?

The ICO is the UK's independent body set up to uphold information rights, investigate data breaches, and enforce the rules of the Data Protection Act.

What does it mean for data processing to be 'Fair and Lawful'?

It means the organization must be honest about why they want the data (fair) and must have a valid legal reason, such as consent or a contract, to handle it (lawful).

Why is Principle 8 (International Transfer) necessary in a global economy?

It prevents organizations from bypassing UK privacy laws by moving data to countries with weaker protections, ensuring the individual's rights 'follow' their data.

The Data Protection Act 1998 | OCR AS-Level Computer Science

5. Legal, Moral, Cultural & Ethical Issues

The Data Protection Act 1998

Summary

The Data Protection Act 1998 (DPA) is a fundamental piece of UK legislation designed to protect the privacy and rights of individuals regarding their personal data. It establishes a legal framework that balances the needs of organizations to collect and use data with the rights of individuals to have their information handled fairly, securely, and transparently.

1. Definition & Core Concepts

Personal Data: This refers to any information relating to a living individual who can be identified from that data, or from that data and other information in the possession of the data controller. It includes facts, such as an address, as well as opinions expressed about the individual.
Data Subject: The living individual who is the subject of the personal data. The Act is specifically designed to protect these individuals from the misuse of their private information.
Data Controller: The person or organization that determines the purposes for which, and the manner in which, any personal data is processed. They bear the legal responsibility for ensuring compliance with the Act.
Processing: This is a broad term covering almost any action taken with data, including collecting, recording, storing, altering, retrieving, consulting, using, disclosing, or destroying it.

A diagram showing the Data Controller at the center, surrounded by the eight principles of the Data Protection Act 1998.

2. The Eight Data Protection Principles

Principle 1: Fair and Lawful: Data must be processed fairly and lawfully. This means organizations must be transparent about why they are collecting data and must have a legitimate legal reason to do so.
Principle 2: Specific Purpose: Data must be obtained only for one or more specified and lawful purposes. It cannot be used for a different, incompatible purpose later without further consent.
Principle 3: Adequacy and Relevance: Personal data shall be adequate, relevant, and not excessive. Organizations should only collect the minimum amount of data necessary to achieve their stated goal.
Principle 4: Accuracy: Data must be accurate and, where necessary, kept up to date. Inaccurate data should be erased or rectified without delay to prevent harm or misinformation.
Principle 5: Retention Period: Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose. Once the data is no longer needed, it must be securely destroyed.
Principle 6: Individual Rights: Data must be processed in accordance with the rights of data subjects under the Act, such as the right to access their own information.
Principle 7: Security: Appropriate technical and organizational measures must be taken against unauthorized or unlawful processing, and against accidental loss or destruction of data.
Principle 8: International Transfers: Personal data shall not be transferred to a country outside the European Economic Area (EEA) unless that country ensures an adequate level of protection for the rights of data subjects.

3. Rights of Data Subjects

4. Enforcement & Compliance

5. Key Distinctions

6. Exam Strategy & Tips