The Data Protection Act 1998

The Data Protection Act (DPA) gives individuals the right to know what information is held about them, and provides a framework to ensure that personal information is handled properly.

The Act came into force on 1 March 2000 and covers personal data held on computer and in manual files. It also imposes restrictions on the transfer of data outside the European Economic Area, which has particular implications for placing material on the web. The University must comply with eight data protection principles, which make sure that personal information is:

1. fairly and lawfully processed;

2. processed for limited purposes;

3. adequate, relevant and not excessive;

4. accurate and up to date;

5. not kept for longer than is necessary;

6. processed in line with the rights of individuals;

7. secure; and

8. not transferred to other countries without adequate protection.


Anyone holding information relating to individuals in the course of their work must therefore consider:

  • whether the information they hold is subject to the provisions of the new Act;
  • whether the arrangements they have in place satisfy the requirements of the Act, for example in relation to security of the data concerned; and
  • whilst data access requests are handled centrally by the University's Data Protection Officer, what procedures are in place to facilitate a prompt response to requests for data.

The Information Commissioner's Office is the UK's independent authority set up to promote access to official information and to protect personal information. Every organisation that processes (i.e. holds and uses) personal information must be registered with the Information Commissioner's Office (ICO), unless they are exempt. The University's registration number is Z575783X.

For more detailed guidance

The legislation is complex and more detailed guidance is available on this website, from the University's Data Protection team and on the Information Commissioner's website.