Data Protection Act 1998

Everyone responsible for developing systems that store personal data as well as those using and maintaining those systems have to follow strict rules called ‘data protection principles’. They must make sure the information is:

• used fairly, lawfully, and transparently
• used for specified, explicit purposes
• used in a way that is adequate, relevant, and limited to only what is necessary
• accurate and, where necessary, kept up to date
• kept for no longer than is necessary
• handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction, or damage

Under the Data Protection Act 2018, you have the right to find out what information the government and other organisations store about you. These include the right to:

• be informed about how your data is being used
• access personal data
• have incorrect data amended
• have data erased
• stop or restrict the processing of your data
• restrict the portability of data, or sharing with third parties
• object to how your data is processed in certain circumstances

You also have rights when an organisation is using your personal data for:

• automated decision-making processes (without human involvement), e.g. deciding whether to offer you a credit card or loan
• profiling, for example to predict your behaviour or interests (as can be done by cookies)

If you want to see the data that an organisation holds on you, you need to make a written request. If it is a public organisation, write to their data protection officer (DPO). Their details should be on the organisation’s privacy notice. If the organisation has no DPO, or you do not know who to write to, address your letter to the company secretary. The organisation must give you a copy of the data they hold about you as soon as possible, and within one month at most. In certain circumstances, for example particularly complex or multiple requests, the organisation can take a further two months to provide data. In this case, they must tell you:

• within one month of your request
• why there’s a delay

You also have rights when an organisation is using your personal data for:

• the prevention, detection, or investigation of a crime
• national security or the armed forces
• the assessment or collection of tax
• judicial or ministerial appointments

An organisation does not have to say why they’re withholding information. Requests for information are usually free. However, organisations can charge an administrative cost in some circumstances. For example if:

• you’re asking for a large amount of information
• your request will take a lot of time and effort to process

If you think your data has been misused or that the organisation holding it has not kept it secure, you should contact them and tell them. If you’re unhappy with their response or if you need any advice, you should contact the Information Commissioner’s Office (ICO).
There have been some high profile cases of companies being fined for contravening the law. In 2019, British Airways was fined £183m for its poor security arrangements, which saw the unauthorised access of data including customer names, home addresses, travel booking info, and payment card details. Later that year the ICO fined the Marriott hotel chain £99m for failing to protect personal data contained in almost 500 million guest records.
Both incidents were the result of external hacking, whereby third parties managed to gain access to personal data through flaws in each company’s online security. At one time, large companies would try to 'hush up' hacking exploits to protect their reputation. Today, data protection legislation requires them to notify the ICO of any security breaches that compromise personal data.