The Data Protection Act (DPA) is a fundamental piece of UK law that governs the protection of personal data. The 1998 Act is the most recent iteration of the law, supplanting an earlier statute from 1984. The Act itself does not mention privacy, but was ratified by UK parliament to bring UK law into line with the 1995 European Data Protection Directive, which enshrines European citizens' right to privacy regarding the processing of their personal data.
Although there are some exemptions, any individual or organisation retaining personal data for anything other than domestic (personal) purposes is legally obliged to comply with the Data Protection Act.
The Eight Principles Of The DPA
The Act itself sets down eight data protection principles, which can be read in full, together with compliance examples, on the Information Commissioner's Office (ICO) website: ICO Data Protection Guide.
In layman's terms, the principles are as follows:
Data can only be used for the explicit purpose for which it was gathered.
Data cannot be released to a third party without the consent of the individual it refers to, unless there is a lawful reason to do so - for instance, the prevention or detection of criminal activity.
Citizens have a legal right to access any data held about them in most circumstances. Exclusions might apply if information is held for the prevention or detection of criminal activity.
Personal data cannot be kept for longer than is necessary and must be kept up to date.
All organisations that process personal data must be enrolled onto the Register of Data Controllers database, which is managed by the ICO. Only a few organisations that conduct the simplest forms of processing are exempt from this rule.
If personal data is factually incorrect, the individual to whom that information pertains has a legal right to have it corrected.
Any organisation or individual holding personal data for anything other than domestic purposes is required to have appropriate technical and organisational measures in place. These might include technical security features such as network firewalls and organisational security features such as the provision of relevant staff training.
Personal data cannot be transferred outside the European Economic Area unless the individual it pertains to has given their consent, or unless the country or territory it is being sent to can ensure adequate protections are in place.
Discussion
How the Act applies to customer call recordings
The term 'call recording' is not specifically mentioned anywhere in the DPA, which may suggest that the law is open to interpretation.
That said, the Act does explicitly refer to the 'processing' of information or data as "obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including: a) organisation, adaptation or alteration of the information or data; b) retrieval, consultation or use of the information or data; c) disclosure of the information or data by transmission, dissemination or otherwise making available; or ...