Data Protection Act 1998
The Data Protection Act 1998 became law on 1 March 2000. It sets standards which must be satisfied when obtaining, recording, holding, using or disposing of personal data. It provides living individuals with a right of access to personal information held about them. The right applies to all information held on computers and also covers most manual records.
Data Protection Principles
The Data Protection Act 1998 standards are summarised by eight Data Protection Principles.
Personal data must be:
- Processed fairly and lawfully
- Obtained only for one or more specific and lawful purposes
- Adequate, relevant and not excessive in relation to the purpose(s) for which they are processed
- Accurate and, where necessary, kept up to date
- Not kept for longer than necessary
- Processed in accordance with the rights of data subjects under the Act
- Protected by appropriate security (practical and organisational)
- Not transferred outside the EEA (European Economic Area) without adequate protection
The Oxford BioBank has a Data Protection Policy setting out these principles and the rights and responsibilities of its members.