Understanding data protection

Use this page to understand what data protection is and why it matters. This should not be used as legal advice. We link to more detailed advice from the Information Commissioner’s Office (ICO) throughout.

Data protection law aims to make sure that personal data is gathered, stored and used responsibly and transparently. It gives people ownership of information about themselves. It works to limit how organisations use that data and forces them to use it responsibly.

The relevant law in the UK is the Data Protection Act 2018. It was updated in 2019 with the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations. The law and regulations align law in the UK closely to GDPR, the primary European regulation on data protection.

The ICO is the UK’s independent body that is responsible for promoting and regulating data protection. We link to their advice throughout this page.

Use the ICO’s small organisation home page.

The exact nature of personal data is very complicated and varies from situation to situation. The legal definition of personal data in the UK is ‘any information relating to an identified or identifiable natural person’. That means that personal data is information about a person who can be:

• directly identified from the information
• indirectly identified from that information in combination with other information.

For many organisations, personal data is the most obviously identifiable information about a person. Name, age, email address, full postal address or full postcode are all examples of 'personal data'.

Sometimes it’s less obvious that information is personal data. For example, technical information that can identify people, such as their computer’s IP address, is also considered 'personal data'.

You could hold data on a wide range of people – from past volunteers, to people who give you donations, and many others.

It isn’t only information you are directly collecting about people that counts. It could also be information people give you about others.

There are also types of legally defined sensitive personal data. This is called special category data. It includes:

• personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership
• genetic data
• biometric data (where used for identification)
• data about health
• data about a person’s sex life
• data about a person’s sexual orientation.

There are similar rules for data about criminal allegations, proceedings or convictions.

If special category data can be connected to a person there are additional rules to follow.

Find out more about special category data from the ICO.

You need to know and understand what the legal principles of data protection are and what they mean for your organisation. They are as follows.

Lawfulness, fairness and transparency

• Use data legally under a permitted lawful basis.
• Use data fairly, being clear, open and honest with people whose data you hold.

Purpose limitation and data minimisation

• Collect only what you need and use it as you planned and communicated you would.

Accuracy

• Keep your records up to date.

Storage limitation and integrity and confidentiality

• Store data securely and confidentially.

Accountability

• Take responsibility for what you do with data.
• Have records and policies that show what you’re doing with data.

Find the full legal wording of the principles on the ICO’s website

For more on each of these areas see our our steps to improve data protection in your organisation.

The purpose of the data protection principles is to keep people safe and respect their rights.

People have a right to:

• understand what data organisations have about them and how it is being used
• see that information and get their own copy of it to use however they want
• correct the information if it is wrong
• ask for it to be deleted or limit how it is used
• complain if they don’t like things an organisation is doing with their data.

• We all need to comply with data protection to safeguard the people we work with.
• The data protection principles are sound. Following them will help you to be an ethical organisation.
• The reputational risk if someone discovers you are not following the principles is significant.
• There are financial penalties for breaking the rules.
• The ICO wants to make it easy for you. They produce lots of checklists and tools you can use.