IHTM09392 - Third Party Information and the Data Protection Act 1998: main provisions of the Data Protection Act 1998

The Data Protection Act 1998 (DPA) was enacted to preserve the confidentiality of personal computer records and (from 24 October 2001) manual records. It applies to all information (‘data’) held by a person (‘data user’) about living individuals (‘data subjects’). It does not apply to information relating to companies, trusts or partnerships. Although most of our information gathering will relate to dead individuals, it is safer to treat all information as coming potentially within the scope of the DPA.

In general, information about living individuals held on computer or manual records may not be given (‘disclosed’) to a third party. The DPA lays down strict rules to ensure that unauthorised disclosure of information is not attempted. These are known as the ‘non-disclosure provisions’.

It is a criminal offence not only to disclose information to another person, but also to ask for (procure) information from a data user, where it is known that disclosure would contravene the DPA. The maximum penalty for contravening the non-disclosure provisions of the DPA is on summary conviction, a fine not exceeding the statutory maximum (currently £5000) or on conviction in indictment, a fine that can be unlimited. (For the offence of procuring disclosure the information would have to be obtained. Asking for non-disclosable information could constitute an attempt to procure, which is also a criminal offence.)