What is the Data Protection Act about?

dpa 1998The Data Protection Act 1998 (DPA 1998) governs the processing of your personal data. This includes obtaining, holding, using or disclosing such information. It places a duty on your employer and any other organisation that processes personal data (known as data controllers) to comply with eight data protection principles, and gives you rights in relation to information held about you.

Almost all employers will be data controllers of personal data about employees. All such data processed electronically and manually is personal data under the DPA 1998. The DPA 1998 is important when you need to have information about you from your employer, this includes during any disciplinary action or negotiation. It gives you rights about your information and not anyone else’s.


Terms used in the DPA 1998

Sections 1 and 2 of the DPA 1998 contain definitions for the key terms used in the Act and the Information Commissioners Codes of practice and guidance.

Data Data means information which;

  • is being processed by means of equipment operating automatically in response to instructions given for that purpose
  • is recorded with the intention that it should be processed by means of such equipment, or
  • is recorded as part of relevant filing system or with the intention that it should form part of a relevant filing system

S68 DPA 1998

Information not already included in the above categories is also data if;

  • it forms part of an accessible record, which includes certain health, educational and public records
  • is recorded information held by a public authority

Personal Data

Personal data means data which relates to an individual who can be identified;

  • From those data.
  • From those data and other information which is in the possession of, or is likely to come into the possession of, the data controller (for example names addresses, NI numbers and CCTV images).
  • Includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

The Court of Appeal considered the meaning of personal data in the case of Durant v Financial Services Authority [2003]. The Court said that merely mentioning a person’s name does   not make the data personal data for the purposes of the DPA 1998. Information which affects an individual’s privacy, whether in his personal or family life, business or professional capacity is personal data.

Where there is uncertainty as to whether it is personal data, the following considerations should be taken into account;

  • Does the information go beyond the recording of the individual’s involvement in a matter or an event that has no personal connotations, such as a life event in respect of which his privacy could not be said to be compromised?
  • Is the information focussed on the individual rather than on some other person with whom he may have been involved or some transaction or event in which he may have had an interest?

To apply this to the workplace, minutes from a disciplinary hearing, and documents in a personnel file, including name and salary is personal data.

See ICO on Determining what is Personal Data

ICO: The Employment Practices Code 


Sensitive Personal Data

Sensitive personal data is the following personal data about the data subject;

  • racial or ethnic origin
  • political opinions
  • religious beliefs or other beliefs of a similar nature
  • membership of a trade union
  • physical or mental health or condition
  • sexual life
  • any offence actually or allegedly committed and any resulting proceedings

Data Subject

You are the data subject as the individual who the information is about. This includes;

  • Job applicants
  • Former Job Applicants
  • Employees – previous and current
  • Agency staff – previous and current
  • Casual staff – previous and current
  • Contract staff – previous and current
  • Volunteers and work experience placements – previous and current

Data Controller

Your employer is the data controller. A data controller is the person who (either alone or jointly in common with other persons) determines the purposes and manner for which personal data is processed.


Data Processor

A data processor is any person who processes data on behalf of your employer.  This includes companies that carry out services like IT or payroll for your employer.The DPA 1998 applies only to data controllers and not to data processors. Where your employer uses a data processor, the duty to comply with the DPA 1998 remains with your employer. Some data processors are data controllers in their own right due to the type of data processing activities they carry out.

See ICO on Data controllers and data processors: what the difference is and what the governance implications are



Processing data means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including;

  • organisation, adaptation or alteration of the information or data
  • retrieval, consultation or use of the information or data
  • disclosure of the information or data by transmission, dissemination or otherwise making available
  • alignment, combination, blocking, erasure or destruction of the information or data

See ICO on The Conditions for processing 

ICO: Outsourcing 


Relevant Filing System

In Durant v Financial Services Authority [2003] the Court of Appeal said that a relevant filing system is any manual or electronic set of information that is structured by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible.

See ICO: The Employment Practices Code (Pages 7-8)

Case Study

The possibility of losing your job whether through dismissal, redundancy or sickness is something that doesn't bear thinking about for…The Disciplinary Hearing: Understanding the Process, and Surviving it
Business, Finance & Law