What Is the Data Protection Act 1998? Key Facts Explained
Learn what the Data Protection Act 1998 is, what it does, its eight principles, key rights, and how it compares to the UK GDPR that replaced it.
If you have ever wondered what is the Data Protection Act 1998, you are asking about the law that shaped how the United Kingdom handled personal data for nearly two decades. The Data Protection Act 1998 (DPA 1998) was the UK's primary privacy legislation from March 2000 until May 2018, and its influence still runs through modern data protection law.
This article is for educational purposes only and does not constitute legal advice. If you need guidance on your specific compliance obligations, consult a qualified solicitor or data protection professional.
What Is the Data Protection Act 1998?
The Data Protection Act 1998 was a UK Act of Parliament that regulated how organisations, businesses, and the government processed personal data relating to living individuals. It replaced the earlier Data Protection Act 1984 and transposed the EU Data Protection Directive 95/46/EC into domestic UK law.
The Act received Royal Assent on 16 July 1998 and came into force on 1 March 2000, with transitional provisions allowing organisations time to adjust. It applied to any "data controller" that determined the purposes and manner of processing personal data, whether the controller was a multinational corporation, a small business, a charity, or a sole trader.
Enforcement sat with the Information Commissioner's Office (ICO), which had the power to issue enforcement notices, conduct audits, and prosecute serious offences. The maximum fine under the DPA 1998 was 500,000 GBP, a figure that the UK GDPR later increased dramatically.
What Does the Data Protection Act 1998 Do?
Understanding what the Data Protection Act 1998 does requires looking at three pillars: obligations on organisations, rights for individuals, and an enforcement framework.
Obligations on organisations:
- Register with the ICO and pay an annual notification fee
- Process personal data only in accordance with eight data protection principles
- Appoint appropriate staff to manage data protection compliance
- Respond to subject access requests within 40 calendar days
- Implement adequate security measures proportionate to the sensitivity of the data
Rights for individuals:
- The right to access personal data held about them (subject access requests under Section 7)
- The right to prevent processing likely to cause damage or distress (Section 10)
- The right to prevent processing for direct marketing purposes (Section 11)
- The right to object to automated decision-making (Section 12)
- The right to seek compensation for damage caused by breaches (Section 13)
Enforcement framework:
- The ICO could issue information notices requiring organisations to provide details about their processing
- Enforcement notices compelled organisations to stop or change processing activities
- Criminal offences included unlawfully obtaining personal data and failing to register with the ICO
The Eight Data Protection Principles of the 1998 Act
The backbone of the DPA 1998 was eight principles set out in Schedule 1 of the Act. Every data controller had to comply with all eight when processing personal data.
1. Fair and Lawful Processing
Personal data had to be processed fairly and lawfully. Controllers needed to meet at least one condition from Schedule 2 (such as consent, contractual necessity, or legitimate interest) and, for sensitive personal data, an additional condition from Schedule 3. Sensitive data included information about racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, and criminal records.
2. Purpose Limitation
Data could only be obtained for one or more specified and lawful purposes. Further processing incompatible with those stated purposes was prohibited. Organisations declared their purposes when registering with the ICO.
3. Adequacy and Relevance
Personal data had to be adequate, relevant, and not excessive for the purpose for which it was collected. Gathering more information than necessary for a stated purpose breached this principle.
4. Accuracy
Data had to be accurate and, where necessary, kept up to date. Controllers were expected to take reasonable steps to verify accuracy and to correct or erase inaccurate data when notified.
5. Retention Limitation
Personal data could not be kept longer than necessary for its original purpose. The Act did not prescribe specific retention periods, leaving organisations to determine appropriate timelines based on their purposes and any other legal requirements.
6. Individual Rights
Data had to be processed in accordance with the rights of data subjects under the Act, including the rights of access, objection, and prevention of direct marketing.
7. Security
Appropriate technical and organisational measures were required to prevent unauthorised or unlawful processing and accidental loss, destruction, or damage. The standard of security had to match the potential harm from a breach and the nature of the data being protected.
8. International Transfers
Personal data could not be transferred outside the European Economic Area (EEA) unless the destination country provided an adequate level of protection. Approved transfer mechanisms included adequacy decisions by the European Commission, standard contractual clauses, and binding corporate rules.
Who Did the Data Protection Act 1998 Apply To?
The DPA 1998 applied broadly across the UK economy. Any organisation or individual that acted as a data controller fell within scope. Key terms defined in Section 1 of the Act included:
- Data controller: A person or organisation that determined the purposes and manner of processing personal data
- Data processor: A person or organisation that processed data on behalf of a controller
- Personal data: Information relating to a living individual who could be identified from that data alone or in combination with other information held by the controller
- Sensitive personal data: A subset of personal data covering racial origin, political opinions, religious beliefs, trade union membership, health, sexual life, and criminal proceedings or convictions
- Processing: Any operation performed on data, including obtaining, recording, holding, organising, adapting, retrieving, consulting, using, disclosing, aligning, combining, blocking, erasing, or destroying it
Certain processing activities were exempt from some or all of the Act's provisions. Section 36 exempted personal data processed by an individual only for domestic purposes. Other exemptions applied to national security (Section 28), crime and taxation (Section 29), journalism, literature, and art (Section 32), and research, history, and statistics (Section 33).
Subject Access Requests Under the 1998 Act
One of the most significant practical features of the DPA 1998 was the subject access request (SAR) under Section 7. This gave every individual the right to obtain a copy of any personal data an organisation held about them.
How subject access requests worked:
- The individual submitted a written request to the data controller
- The controller could charge a fee of up to 10 GBP
- The controller had 40 calendar days to respond
- The response had to include a description of the data, the purposes of processing, and the recipients to whom data had been or might be disclosed
- The data had to be provided in an intelligible form with an explanation of any technical terms
Controllers could refuse a SAR only in limited circumstances, such as when complying would reveal information about another identifiable individual (unless that person consented) or when a specific exemption applied. Persistent failure to respond to SARs could result in enforcement action from the ICO or a court order under Section 7(9).
If you process personal data from UK residents today, you still need to handle data subject requests, though now under the UK GDPR with a 30-day deadline and no fee in most cases. A comprehensive privacy policy generator can help you document how individuals can exercise their rights.
How the Data Protection Act 1998 Compares to the UK GDPR
The DPA 1998 was replaced by the Data Protection Act 2018 working alongside the UK GDPR, which took effect on 25 May 2018. While the core principles remained similar, the modern framework introduced substantial changes:
| Area | DPA 1998 | UK GDPR / DPA 2018 |
|---|---|---|
| Maximum fine | 500,000 GBP | 17.5 million GBP or 4% of global turnover |
| SAR response time | 40 days | 30 days (one month) |
| SAR fee | Up to 10 GBP | Free (with exceptions for excessive requests) |
| Breach notification | No mandatory requirement | 72 hours to notify the ICO |
| Data Protection Officer | Not required | Required for certain controllers |
| Right to erasure | Limited | Explicit right under Article 17 |
| Data portability | Not available | Right to receive data in machine-readable format |
| Consent standard | Could be implied | Must be freely given, specific, informed, unambiguous |
| Lawful bases | Schedule 2 conditions | Six lawful bases in Article 6 |
| Accountability | Limited documentation duty | Comprehensive record-keeping and DPIA requirements |
The shift from the DPA 1998 to the UK GDPR represented a move from a registration-based system to an accountability-based model. Organisations can no longer simply register with the ICO and hope for the best. They must actively demonstrate compliance through documented policies, impact assessments, and technical measures.
Why the Data Protection Act 1998 Still Matters
Although the DPA 1998 has been repealed, it remains relevant for several reasons:
- Historical claims: Enforcement actions for breaches that occurred before May 2018 may still reference the 1998 Act
- Legal precedent: Court decisions interpreting DPA 1998 provisions continue to influence how courts apply the UK GDPR
- Foundation of current law: The eight principles of the DPA 1998 map closely to the six principles in Article 5 of the UK GDPR, so understanding the 1998 framework provides context for current obligations
- Contractual references: Older contracts, data processing agreements, and privacy policies may still reference the DPA 1998 and need updating
For businesses operating in the UK today, the practical question is not whether the 1998 Act applies (it does not) but whether your current data protection practices meet the higher standards of the UK GDPR. A privacy policy generator can help ensure your documentation reflects your current obligations rather than outdated references to repealed legislation.
Penalties and Enforcement Under the 1998 Act
The ICO's enforcement powers under the DPA 1998 were more limited than those available today, but they were still consequential:
- Monetary penalties: The ICO could issue fines of up to 500,000 GBP for serious breaches (this power was added by the Criminal Justice and Immigration Act 2008, effective from April 2010)
- Enforcement notices: Formal orders requiring organisations to take or cease specific processing activities, with criminal liability for non-compliance
- Information notices: Orders requiring organisations to provide the ICO with specified information
- Criminal prosecution: Offences included unlawfully obtaining or disclosing personal data (Section 55), failing to notify the ICO of processing (Section 17), and obstructing the Commissioner (Section 47)
Notable enforcement actions under the DPA 1998 included the ICO's 325,000 GBP fine against Brighton and Sussex University Hospitals NHS Trust in 2012 for failing to securely dispose of hard drives containing sensitive patient data.
How to Ensure Compliance with Current UK Data Protection Law
The DPA 1998 laid the groundwork, but today's obligations under the UK GDPR and DPA 2018 are more demanding. If you operate a website that collects personal data from UK residents, these steps will help you meet your obligations:
- Identify your lawful basis for each type of processing under Article 6 of the UK GDPR
- Publish a clear privacy policy that explains what data you collect, why, how long you keep it, and how individuals can exercise their rights
- Implement a cookie consent mechanism that obtains informed consent before setting non-essential cookies, in line with the Privacy and Electronic Communications Regulations 2003
- Respond to data subject requests within one calendar month
- Conduct Data Protection Impact Assessments for high-risk processing activities
- Report breaches to the ICO within 72 hours where there is a risk to individuals' rights and freedoms
- Keep records of processing activities as required by Article 30 of the UK GDPR
Tools like TermsBox can simplify several of these steps by scanning your website for cookies and trackers, generating compliant legal documents, and providing a cookie consent banner that meets regulatory requirements.
Frequently Asked Questions
What is the Data Protection Act 1998 in simple terms?
The Data Protection Act 1998 was a UK law that controlled how organisations and the government collected, stored, and used people's personal information. It gave individuals the right to access their data and required organisations to follow eight data protection principles when handling personal information.
Is the Data Protection Act 1998 still in effect?
No. The Data Protection Act 1998 was repealed on 25 May 2018 and replaced by the Data Protection Act 2018, which sits alongside the UK GDPR. However, understanding the 1998 Act remains important because its core principles carried forward into current law.
What does the Data Protection Act 1998 do to protect individuals?
The Act protected individuals by requiring organisations to process personal data fairly and lawfully, keep it accurate and secure, and not retain it longer than necessary. It also gave people the right to see what data was held about them, request corrections, and object to processing that caused damage or distress.
What is the difference between the Data Protection Act 1998 and the GDPR?
The UK GDPR introduced stronger individual rights including data portability and the right to erasure, mandatory 72-hour breach notification, significantly higher fines of up to 17.5 million GBP or 4% of global turnover compared to the 1998 Act's maximum of 500,000 GBP, and stricter rules around consent requiring clear affirmative action rather than implied agreement.