HomeRulesLegalCitizenship › Data Protection Act 2018: Your Rights
Data Protection for British Citizens

This guide explains the principles of the Data Protection Act 2018 citation c 12. The UK Act of Parliament protects personal data stored in paper filing systems and on computers.

DPA PRINCIPLES: The guidelines control how your personal information gets stored and used. The government, businesses, and organisations must all follow the rules of the Data Protection Act.

Stronger legal protection applies to the most sensitive information such as an individual’s:

  • Race, ethnic background, and religious beliefs.
  • Biometrics, genetics, and criminal records.
  • Health, and sexual health or orientation.
  • Political opinions and trade union membership.

Note: United Kingdom uses the Data Protection Act 2018 to update and implement the General Data Protection Regulation (GDPR)./p>

Anyone who uses people’s personal data must follow the strict ‘data protection principles‘. That means they have a duty to ensure that the information is:

  1. Obtained and processed ‘fairly‘ and according to the law.
  2. Kept and used for limited and specified stated purposes.
  3. Used and disclosed in a way that is adequate, relevant to the purpose, and not excessive.
  4. Kept safe and secure (and give a copy of the data on request).
  5. Kept accurate, complete, and up-to-date.
  6. Stored and used for no longer than is ‘absolutely‘ necessary.
  7. Handled in a way that ensures an appropriate level of security. That includes a level of protection against unlawful or unauthorised access, damage, destruction, loss, or processing.

Requesting Data Organisations Store about You

The Data Protection Act 2018 gives individuals several rights. One of them allows you to find out what details the government and organisations store about you and use.

Data Protection Act 2018 Your Rights

According to the laws on data protection, you have the right to:

  • Access personal data and be informed on how that data is being used.
  • Data portability (allowing you to access and reuse your own data for different services).
  • Have data erased and have incorrect data updated.
  • Stop or restrict the processing of your data and object to how it is processed in certain circumstances.

Your rights also apply when an organisation uses your personal data for:

  • Automated decision-making processes (i.e. without human involvement).
  • Profiling (e.g. to predict behaviour or interests).

You can write to an organisation and ask them for a copy of the information that they hold about you. Address the letter to the Data Protection Officer (DPO) or company secretary if you are unsure who to send the letter to.

Note: If you request it, the law forces an organisation to give you a copy of the information that they hold about you. As a rule, you should get it without delay and no longer than one (1) month (unless there is a delay).

Data Protection Principles for Citizens Living in the United KingdomWithholding Information ‘Legally’

In some cases, organisations can withhold the information altogether from you. There is no requirement for them to inform you why they withhold it. Examples include situations that involve:

  • Judicial or ministerial appointments.
  • National security or the armed forces.
  • Preventing, detecting, or investigating a crime.
  • The assessment or collection of taxes.

Cost to get Your Data Information

In most cases, organisations will not charge you a fee to provide the data information they store. But, some may make a charge to produce a large amount of information or if it is either:

  • Contained in certain types of filing systems or records (e.g. education or health records).
  • Part of a large number of paper records held in a complex or unstructured way. This is typical of some public authorities.

Personal Data Employers Can Keep About Employees

The personal data that an employer can keep about an employee must be kept safe and up to date. The type of data that employers can keep about their employees (without requiring their permission) includes their:

Employers need permission from their employees to hold certain kinds of ‘sensitive’ data. Typical examples of data that employers need to keep more secure includes:

  • Biometrics (e.g. fingerprints used for identification)
  • Health and medical conditions
  • Inherited characteristics (e.g. genetics)
  • Political membership or opinions
  • Race and ethnicity
  • Religion
  • Sexual history or orientation
  • Trade union membership

Employers must tell employees:

  • What records they are keeping about them (and how they will use the information).
  • The confidentiality of the details in the records.
  • How the records may help with their training and development in the workplace.

Employers have thirty (30) days to provide a copy of the information if an employee makes a request to check what data is kept about them. Personal data should not be kept longer than necessary and all employers must follow UK rules on data protection.

Complain about Data Protection Breaches

What if you believe your data got misused or an organisation holding it failed to keep it secure? In cases such as these you should contact the organisation and inform them.

What if you are not satisfied with their response? Contact the Information Commissioner’s Office if you need any further advice. They also have an ‘ICO live chat‘ facility if you prefer an online conversation.

Information Commissioner’s Office (ICO) Helpline
Wycliffe House Water Lane

Mail: [email protected]
Telephone: 03031231113
Textphone: 01625 545860
Monday to Friday: 9am to 4:30pm
Check call charges to 0303 numbers.


Data Protection for Small Business | How enterprise must respond to the stay within the new GDPR laws.

Your Rights and the Law | A section of parliamentary regulations activated by authorized legal entities.

Note: The ICO can investigate your claim on your behalf. They can also take action against anyone who misuses personal data. The ICO website has further information on how to make a data protection complaint.

Data Protection Principles for Citizens Living in the United Kingdom