Comply With Data Protection Legislation

Data protection laws affect how businesses and other organisations are allowed to make use of personal information. You must follow these rules if your business stores or processes people’s details – i.e. keeps customer or employee records.
This guide explains the requirements of the Data Protection Act 1998 and outlines steps you can take to ensure you meet them. This may involve notifying the Information Commissioner’s Office (ICO) about what personal information your business holds and what it’s used for.

You will find specific guidance on what you should consider when recruiting staff and managing employee records, as well as the rules on monitoring workers. This guide also contains advice on training your staff to ensure they understand the implications of the Act.

What does the Data Protection Act 1998 apply to?

The Data Protection Act 1998 applies to personal information. This is data about living, identified or identifiable individuals and includes information such as names and addresses, bank details, and opinions expressed about an individual.

You can find advice and definitions for personal information for the purposes of data protection on the Information Commissioner’s Office (ICO) website.

What are the main requirements?

The Act regulates how personal information is used, and requires organisations to comply with eight principles – or rules – of good information handling. It also requires some organisations to tell the ICO what they use personal information for. See the page in this guide on the data protection principles.

Personal information can be used by an organisation only where it meets one of six conditions set out in the Act. In most cases, it should not be too difficult to meet one of these conditions – which include having the individual’s consent or having a legitimate interest in using their personal information.

Sensitive personal data

The Act classifies some personal information as ‘sensitive’ and there are stricter rules about this type of data. This is information about:

  • racial or ethnic origin
  • political opinions
  • religious or similar beliefs
  • trade union membership
  • physical or mental health condition
  • sexual life
  • offences or alleged offences committed
  • proceedings relating to those offences or alleged offences

You can only use sensitive personal information where you can meet at least one of a narrower set of conditions – as well as being able to meet one of the six standard conditions – for processing personal information. These narrower conditions make sure that this sensitive information is only used where there is an essential need for an organisation to use it.

You can see a list of the conditions for processing sensitive personal data on the ICO website.