The UK’s Data Protection Act of 1998

On 23 September 1980, the Organisation for Economic Cooperation and Development (“OECD”) adopted a set of guidelines concerning data protection and transborder dataflows. Following on from those guidelines, the EU enacted the Convention for the Protection of Individuals With Regard to Automatic Processing of Personal Data (the “Convention”) in 1981. The UK, in response to the OECD guidelines and the Convention, introduced The Data Protection Act 1984 (the “1984 Act”) which concentrated mainly on Personal Data which were stored and processed ‘automatically’ (i.e. computerised Personal Data). The EU was aware that not all Member States had imposed similar laws and decided that there was a need to harmonise the laws of Member States throughout the EU with regard to data protection. In 1995, after years of discussion the European Data Protection Directive 95/46 EC (the “Directive”) was eventually adopted. The Data Protection Act 1998 (the “DPA”) implements the Directive in the UK, and came into force on 1 March 2000. It replaces the 1984 Act. The DPA allowed for two periods of transition, the first of which ended on 24 October 2001. The second transitional period ends on 23 October 2007, but only applies in limited circumstances to eligible manual data held immediately prior to 24 October 1998. Most businesses which are Processing data in the UK will now need to comply with all of the provisions of the DPA.