Cybersecurity Statistics

Data Protection Act

The Data Protection Act 2018 controls how your personal information is used by organisations, businesses or the government.

The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR).

Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. They must make sure the information is:

  • used fairly, lawfully and transparently
  • used for specified, explicit purposes
  • used in a way that is adequate, relevant and limited to only what is necessary
  • accurate and, where necessary, kept up to date
  • kept for no longer than is necessary
  • handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage

There is stronger legal protection for more sensitive information, such as:

  • race
  • ethnic background
  • political opinions
  • religious beliefs
  • trade union membership
  • genetics
  • biometrics (where used for identification)
  • health
  • sex life or orientation

There are separate safeguards for personal data relating to criminal convictions and offences.

Your rights

Under the Data Protection Act 2018, you have the right to find out what information the government and other organisations store about you. Your rights include the right to:

  • be informed about how your data is being used
  • access personal data
  • have incorrect data updated
  • have data erased
  • stop or restrict the processing of your data
  • data portability (allowing you to get and reuse your data for different services)
  • object to how your data is processed in certain circumstances

You also have rights when an organisation is using your personal data for:

  • automated decision-making processes (without human involvement)
  • profiling, for example to predict your behaviour or interests

Requesting Access to Your Personal Data

To obtain a copy of the personal data that an organization holds about you, simply send them a written request.

For public organizations, direct your inquiry to their Data Protection Officer (DPO), whose contact details can typically be found in the organization’s privacy notice.

If there is no designated DPO or if you are unsure whom to contact, address your correspondence to the company secretary.

Response Timeframe

The organization is obligated to provide you with the data they hold about you promptly, and no later than one month from the date of your request.

In certain cases, such as requests that are particularly complex or involve multiple data types, the organization may extend the deadline by an additional two months. If an extension is necessary, the organization must inform you within one month of your request, explaining the reasons for the delay.

Exceptions to Disclosure

There are specific circumstances where organizations are permitted to withhold information. These include situations related to:

  • Crime prevention, detection, or investigation
  • National security or military matters
  • Tax assessment or collection
  • Judicial or ministerial roles

Organizations are not required to disclose the reasons for withholding this information.

Fees for Requests

Accessing your personal data is generally free. However, organizations may charge an administrative fee under certain conditions, such as:

  • Requests for extensive amounts of data
  • Requests that require significant time and effort to fulfill

Filing a Complaint

If you believe that your data has been mishandled or that the organization responsible for safeguarding it has failed to do so, you should immediately notify the organization of your concerns.
