UK Data Protection Act report

This report displays Data Protection Act issues found on your site. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered violations of the regulation.

Why it matters

The Data Protection Act of 1998 governs the processing of personal data in the UK. The United Kingdom's Data Protection Act of 1984 was revised in 1998 and brought into effect on March 1, 2000. The new Act changes the original definitions and meanings of personal data, and broadens the scope of the original act by differentiating between personal data and sensitive personal data. The Act now incorporates the concepts of 'obtaining', 'holding' and 'disclosing'.

The Data Protection Act contains eight Data Protection Principles:

  1. Personal data shall be processed fairly and lawfully.
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or region outside the European Economic Area unless that country or region ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

By law, businesses must adhere to these principles, and must notify the Information Commissioner if they collect personal data. Under the Act, the UK's Information Commissioner can serve an enforcement notice to any business that contravenes any of the Data Protection principles while processing personal information. When asked to do so by a member of the public, businesses must stop processing personal information about the individual.

Website operators established outside the UK that use a computer hosted inside the UK to collect personal information, or where the operator places a cookie on the computer of a UK Internet user, are also subject to the Act.

Best practices for complying with the Data Protection Act

Website operators who collect personal information from individuals must:

  • Ensure web collection forms comply with 'fair processing' principles that identify the organization to users, explain why the site is collecting the data, and name the third parties the data will be passed to (both internally and externally).
  • Inform users when they intend to use "cookies" or web bugs (beacons) and provide the opportunity to refuse the cookie. Ensure the security of the data collection process.
  • Post a privacy policy and provide links to it at every point of information collection.
  • Provide an "opt-out" mechanism for receiving direct marketing email.
  • Ensure a valid email address is used for direct marketing purposes.
  • Ensure that if information is collected from children under 12, they understand how their information is being collected and used. Parental consent must be obtained for those under the age of 12, and there must be a way to verify that the consent has been given.