Introduction
Data plays a vital role in every aspect of human interactions. From business operations to national security, data security has been among the core human well-being considerations. With the introduction of digital communication and online businesses, nations have increasingly adopted policies to minimize data misappropriation, setting clear guidelines for individuals and organizations. The Data Protection Act (DPA) is applied to organizations or individuals in the EU or the UK who utilizes or retains personal details on persons. (Daśko, 2017). From its origins, applied principles, objectives, and an analysis of its effectiveness, the DPA 2018 is shown to have facilitated data security and accountability, although it needs some improvements.
The Origin of DPA
The history of data security in the United Kingdom dates back to the 1970s. Several initiatives by private groups to introduce a bill in the 1960s were fruitless, but the Younger Report on Privacy, followed by the Lindop Report on Data Protection, was published in the 1970s (Carey, 2018). Both papers looked at the threats to privacy created by the increased use of technology to process personal data. Carey (2018) records that Sir Kenneth Younger was the first to develop the underlying data security rules, which now serve as the foundation for all consequent data protection rules. The current Act implements the EU directive’s rules, ensuring that persons’ personal information is kept private, up-to-date, and legitimately used.
The Data Protection Act of 1998 was updated and replaced by the DPA 2018, which took effect on May 25, 2018. Following Brexit, provisions under the European Union Statute 2018 altered the Act in January 2021 to reflect the UK’s status as a non-EU member (Carey, 2018). The DPA, 1998, was enacted in the United Kingdom to protect personal details recorded on systems or in well-organized printing file systems. It superseded the 1984 DPA, which scarcely referenced computers or digital media (Carey, 2018). The DPA 2018 has addressed the limitations observed with the past regulations, encompassing all use and transmission of data for enhanced security at all levels.
Offenses Addressed by the DPA
The primary motivation for the enactment of the DPA 2018 was to cover offenses not addressed in previous regulations and modify existing laws for enhanced data security. Access and disclosure offenses form a vital category of elements, which the DPA 2018 encompasses by building upon the conditions set for DPA 1984. The Act’s Section 170 broadens the Data Protection Act of 1998’s section 55. (Hoofnagle et al., 2019). It makes it a crime to obtain, reveal, or acquire personal information without the consent of the data holder and to trade or offer personal information for sale. The rule was initially used to punish anyone who accessed financial and health records without authorization. The crime of intentionally or negligently retaining private data, even if it was legitimately gathered, is now added without the data controller’s consent.
Section 184 deals with Subject Access Requests (SARs) and extends to section 56 of the DPA 1998. It makes it illegal to demand relevant documents (such as healthcare, convictions or warnings, or statutory responsibilities) as a condition of employment or contract (Hoofnagle et al., 2019). Organizations are supposed to conduct appropriate background investigations without forcing individuals to seek and disclose personal information. This section effectively protects individuals from opening up on parts of their lives about which they would prefer not to speak. It is the preservation of confidentiality and voluntary information disclosure. A group of violations described as niche offenses relates to the disclosure of information by former connections. Section 132 makes it illegal for former or present ICO employees to improperly divulge data gathered during their previous employment terms (Carey, 2018). Under this group of offenses, it is illegal to block the ICO’s assessment of European information systems.
While organizations and statutory bodies are allowed to conduct background investigations, the DPA outlines investigation offenses for which an individual or enterprise can be prosecuted. The submission of misleading statements in reaction to a communications notice (a requirement from the ICO to provide information within a particular date) is made illegal. This falls under section 144, which is similar to section 47 (2) of the DPA 1998 (Hoofnagle et al., 2019). Obstructing a warrant or providing a false comment in response to a warrant request is illegal under DPA 2018, which resembles the regulation under paragraph 15 of Schedule 15 of the DPA 1998 (Hoofnagle et al., 2019). Investigation offenses under this Act ensure that enterprises do not wrongfully acquire data that can be used to investigate individuals nor undertake inquiries in an unlawful manner with regard to personal information.
Another crucial category of offenses falls under the re-identification of de-identified personal data. Section 171 criminalizes the re-identification of personal details that have been de-identified. Daśko (2017) defines de-identification as a procedure – such as redactions – to delete private data. This was implemented after a suggestion by Dame Fiona Caldicott, the National Data Guardian for Health and Care (Hoofnagle et al., 2019). Section 173 pertains to the execution of requests for private information from persons, and makes it illegal for organizations to change, deface, obstruct, erase, damage, or conceal information in order to avoid disclosure (Hoofnagle et al., 2019). This offense is based on a violation of the Freedom of Information Act of 2000, introducing new perspectives on personal data identification and processing. These offenses are addressed by the DPA’s eight principles addressed below.
DPA Principles
The first principle encompasses the fair and lawful gathering of data and its application. Companies must be entirely open about how they plan to use data and make sure it is only used in manners that clients would expect (Hoofnagle et al., 2019). This important requirement has granted data owners more control over their personal details. If clients understand exactly what their data would be used for, they can make an informed decision on whether or not to divulge particular pieces of information to corporate bodies.
The second principle is the specificity of use, which requires organizations to be transparent in their data-gathering methods. According to Hoofnagle et al. (2019), corporations should be open about why they are gathering and analyzing data and how they plan to go through it. They shall only use the personal information for the purposes for which it was gathered. Therefore, business organizations should refrain from using individual customers’ data for advertising purposes without the data owners’ consent. Adequacy is satisfied in the third principle, which states that organizations should keep sufficient data on their clients for the specific purposes intended, meaning that the amount of data should not exceed the requirements.
The fourth requirement entails accuracy, whereby it is required to make reasonable attempts to keep the information updated and, if needed, to rectify it if it is incorrect. When a customer changes their data with a firm, the organization is no longer permitted to approach them using the previously provided information. (Carey, 2018). The fifth principle holds that data should not be kept for longer than needed. Individual users’ rights should be taken into consideration under the sixth law, and the security of the gathered data should be maintained as detailed in the seventh principle. Lastly, the eighth requirement maintains that data should only be transferred within nations with the same data protection levels.
Key Objectives of the DPA
The Act amends the General Data Protection Regulation (EU) 2016/679 (GDPR), incorporates the EU Law Enforcement Directive (LED), and broadens the scope of data protection requirements to sectors not covered by the GDPR or the LED. The Act is essential for executing a wide range of data protection requirements in the UK. The Act provides four distinct data protection regimes in UK data protection law. Each regime specializes in regulating individual information processing for a given type or class of data. The categories cover processing carried out under the GDPR and outside it, the same procedures done by relevant agencies for legal purposes, and data usage by intelligence services (Carey, 2018). These four dimensions, it encompasses a comprehensive set of tools for safeguarding personal information.
Prosecutors can bring charges against individuals, corporations, and their associates under the Act’s Section 198, which is designed to have similar implications as section 61 DPA 1998. It states that both parties are subject to criminal prosecution when a body or an enterprise commits an offense with the knowledge and approval of an official (an individual purporting to serve in that position) (Carey, 2018). This requirement implies that the Act does not show partiality since all violators are prosecuted fairly.
The DPA 2018 aims to facilitate safe information transfer within the European Union. This can be viewed as the central purpose around which all other objectives are formulated. Its goal is to keep people and organizations from having and utilizing inaccurate information about them, which includes both personal and professional information (Carey, 2018). In terms of the general public, the Act attempts to instill confidence in enterprises’ use of personal information. Similarly, it allows data subjects the fundamental right to see the information organizations have on them and request that the data controller remove it. It essentially gives data subjects more control over how data controllers utilize their data.
Furthermore, it emphasizes accountability by requiring enterprises to have policies in place that outline how they manage data safely. The Act has made it a legal duty for enterprises to retain people’s privacy and security after they have obtained it (Carey, 2018). It is the obligation of data controllers to ensure that personal information is not misused. Finally, it is intended to make registration with the Directorate of the Information Commissioner mandatory for data owners or controllers.
Effectiveness of the DPA
The DPA 2018 has effectively addressed previous challenges in personal data acquisition and application and has contributed to innovative solutions in Pandemics. In the age of technological advancement and digital transformation, the DPA, in line with the GDPR, has facilitated a better understanding of data security, minimizing the data misappropriation witnessed before. Tikkinen-Piri et al. (2018) record that since its formulation, the Act has significantly transformed individual interactions, shaped business operations, and altered human-computer interactions. Through the provisions of the Act, individuals have become increasingly aware of their rights in regard to data privacy and processing. Technological applications have been designed to comply with the DPA and GDPR rules by having functionalities such as end-to-end encryption, which prevents data from leaking to third parties. Organizations such as Google that depend on user data for content suggestions have had to implement consent forms and clearly document their privacy policies. Data misappropriation is minimized as users read and consent to privacy policies (Tikkinen-Piri et al., 2018). Therefore, DPA is a vital and adaptable tool for ensuring that new technologies are developed in line with fundamental rights.
The application of the Act’s key principles is significant for data-intensive operations. The Regulation’s risk-based and technology-neutral methodology offers a degree of data protection suitable for the risk of processing by developing technologies. During the COVID-19 epidemic, the DPA and GDPR’s technological neutrality and future-proof strategy were put to the test and proved to be successful (Bradford et al., 2020). Its principles-based regulations aided in the development of instruments to battle and track the virus’s progress. Contact-tracing apps in line with data protection regimes were influential in establishing COVID-19 patients, thereby reducing the spread of the virus. The Act has proved vital for global initiatives whereby its future-proofing and risk-based strategy will be used in the future EU Artificial Intelligence (AI) framework as well as the execution of the European Data Strategy. These applications reveal that the DPA has solved global data issues, proving effective in the past and applicable for any future challenges that require information processing.
Conclusion and Recommendations
DPA grants individuals the liberty to decide how organizations collect, use, and dispose of their data. The Act’s provisions have contributed to a number of challenges for organizations that rely on personal data collection. One of the challenges is that enterprises must require individual data owners’ consent by fully specifying the data to be collected and its application. Although data custodians and that processing may publish the requirements, some people may fail to understand some of the terms used, thereby consenting wrongly (Daśko, 2017). In addition, organizations have to train their employees in data protection, which is costly. It is recommended that data analysts develop new techniques for collecting personal data legally by ensuring that every user is well-informed about the policy. In addition, there should be ways to limit the probability of individuals failing to read the policy document.
A significant difficulty confronting cloud data scientists is data erasure, which involves overwriting old data to avoid leakage or theft. It is possible that the cloned information is not destroyed from the hard disk during data erasure, which could lead to the theft of people’s personal information (Tikkinen-Piri et al., 2018). It is critical that cloud data analysts concentrate on things when using the data erasure technique, as this can aid in the proper use of the technology and ensure that copied personal information is completely removed from the hard drive. As a result, it is essential for cloud data analysts to set specific rules for implementing data erasure that must depend on the organization’s demands. This will verify that the data erasure procedure is implemented correctly.
Reference List
Bradford, L., Aboy, M. and Liddell, K. (2020). COVID-19 contact tracing apps: A stress test for privacy, the GDPR, and data protection regimes. Journal of Law and the Biosciences, 7(1), pp. 34-35.
Carey, P. (2018). Data protection: a practical guide to UK and EU law. Oxford University Press, Inc.
Daśko, N. (2017). ‘General data protection regulation (GDPR)–Revolution is coming to European data protection laws in 2018. What’s new for ordinary citizens? Comparative Law Review, 23(1), pp.123-138.
Hoofnagle, C.J., van der Sloot, B., and Borgesius, F.Z. (2019). The European Union general data protection regulation: What it is and what it means. Information & Communications Technology Law, 28(1), pp.65-98.
Tikkinen-Piri, C., Rohunen, A. and Markkula, J. (2018). EU General Data Protection Regulation: Changes and implications for personal data collecting companies. Computer Law & Security Review, 34(1), pp.134-153.