The Data Protection Act 1998

12/5/03. By Deirdre Janson-Smith

Protecting people from the wrongful use of their personal information by others.

The Act, which translates the European Data Protection Directive into UK law, covers a wide range of personal data and specifically identifies certain categories of data as 'sensitive' - such as physical and mental health, racial or ethnic origin, sexual orientation and political beliefs.

It imposes restrictions on the holders of personal information as to what they may do with it and whom they may share it with. And it requires data controllers to seek explicit consent from individuals before collecting, processing or passing on 'sensitive' information about them.

The Act enshrines eight Principles, which state that all data must be fairly and lawfully processed (processing includes collection). In the case of sensitive personal data, further conditions must be met – the data must be:

processed for limited purposes
adequate, relevant and not excessive
accurate and up to date
not kept longer than necessary
processed in accordance with the data subject's rights
secure
not transferred to countries outside the EEA that do not have adequate protection.

(This final provision has major implications for scientific research as an international enterprise – the USA, for example, is deemed not to have adequate data protection provision.)

The Act is overseen by The Information Commissioner, who also oversees the Freedom of Information Act 2000. The Commissioner is an independent authority reporting directly to the UK Parliament and works both nationally and internationally. The Commissioner's duties include enforcing the Act, promoting best practice and encouraging the development of codes of practice.

Medical research

The Data Protection Act has huge implications for medical research. First, medical research de facto deals with sensitive data, which faces more stringent requirements for its collection, processing, storage and security. Biomedical research has some exemption under the Act, but it is only partial and concerns have been expressed that the Act prevents some research in genetics, epidemiology, therapeutic evaluation and drug safety, communicable disease and so on. The use of much key data for vital studies on the epidemiology of cancer, such as that contained in the Cancer Registries, which was collected without explicit consent, would have been impossible.

Regulations under Section 60 of the Health and Social Care Act 2001 addressed this problem. They gave the Secretary of State for Health limited discretion over the use and disclosure of data held by the NHS. Identified research can now be exempted from the consent requirements, following a recommendation from the Patient Information Advisory Group to the Secretary of State.

Learning from Experience, a 2002 report by Dr William Lowrance for the Nuffield Trust, usefully critiques the issues surrounding privacy and research on existing data, and surveys the ways we all benefit from this research. "Secondary studies of data can make substantial contributions to health... Health research is avidly feeding into and analysing these collections and streams of data... Ethics, policy, and law are being severely challenged to keep up."

Latest articles from genetics and regulations

Human genetics review sets out opportunities and challenges for the next decade

EU plan to share DNA and fingerprint data

US proposal for genetic discrimination legislation

Review of Human Fertilisation and Embyology Act

AMS report on personal medical data

Share |

Icon representing the Key legislation section.

Review of Human Fertilisation and Embyology Act

Consultation on HFE Act 1990

Human Tissue Bill published

HFEA Act review

White Paper on Genetics

Home > Genetics and society > Genetics and regulations > Background > Data Protection Act 1998