
What is the Data Protection Act 1998?

30th August 2017 by Ben Piper in Virtual College. Last updated on 24th April 2018.


Designed to ensure that companies use and store the personal data associated with their customers in a responsible manner, the Data Protection Act is a piece of legislation that sets forth a number of specific rules governing the way that any organisation can gather, process and disseminate information that could be used to identify a specific individual. Because of its scope, the Data Protection Act affects the overwhelming majority of public-facing organisations. Unfortunately, it is also widely regarded as one of the most complicated and opaque parliamentary acts in the UK, and, as a result of its wording, is often misinterpreted by organisations and consumers alike.

Before the Data Protection Act was introduced in 1998, the rules governing the way that companies had to protect sensitive information pertaining to their customers were much less defined. This meant that an individual’s details could be stored in an unsafe manner, sold on to third-party companies for profit, or withheld from the individual in question - unless company-defined data processing surcharges were paid.

Now, however, everything is regulated: permission from the involved party is needed before data is taken, and organisations have a responsibility to protect the data that they store from theft and accidental loss. Certain pre-defined rights pertaining to the individual whose data is being stored have to be fully respected, and a number of offences have been defined to ensure that companies who do not comply with the Act can be fined.

If you’re working for a customer-facing organisation, or an organisation that stores personal information, you’ll need to stay abreast of the specifics, and take steps to ensure that you remain compliant with the Data Protection Act 1998.

You can find more information on compliance with the Act by taking the Virtual College Data Protection at Work course.

The Scope of the Data Protection Act

The Data Protection Act covers any and all information that could be used to identify an individual, whether these are records that contain a name and an address, an email address, or any information that includes personal details that could be used to identify someone, such as information about medical conditions, details of employment or details of marriage.

For most businesses, this means their customer data, gathered every time somebody places an order or signs up for a service. However, the Data Protection Act 1998 also covers data obtained from a third-party source, or data gathered via email signup forms. Unfortunately, a great many organisations do not fully understand the scope of the Act, and don’t always know what information they should be protecting, which means that they struggle to comply with the stricter parts of the legislation, and often unwittingly violate its rules and regulations.

The Principles and Responsibilities of Data Protection

Information that’s covered by the Data Protection Act has to be stored, processed and disseminated according to eight clearly defined principles:

  • Firstly, data that’s stored and processed by an organisation has to be handled in a lawful fashion, and used only for its intended purpose
  • Secondly, data should only be gathered and stored if it’s for a specific, clearly defined purpose, and should not be kept ‘just in case’
  • Thirdly, any data that is stored for a specific purpose should only be adequate for that intended purpose, and should not include excessive or unneeded details
  • Data should also be accurate, and should be kept up to date where possible to prevent old addresses or phone numbers from being associated with the wrong individual
  • Data should not be kept for longer than it is needed
  • Sensitive information of any kind should be handled with the rights of its subject in mind
  • Any data covered by the Act should be protected from unlawful use, accidental loss or destruction
  • Data covered by the Act should not be transferred outside of any European territory

The Data Protection Act also demands that companies and organisations that seek to obtain sensitive information always get permission from the subject. This means that you, as a business or organisation seeking to collect records covered by the Act, have a responsibility to inform your customers that data is being collected, and also to allow them to opt out of this process.

If you’d like to know more about the specific requirements of the Data Protection Act, you might be interested in taking the Virtual College Data Protection at Work course.


Author: Ben Piper

Ben is a member of the Virtual College marketing team. He has a degree in economics and writes about business and education issues. In his spare time he loves food, drink and films.
