Privacy notices under the DPA 1998 [Archived]
Privacy notices under the DPA 1998 [Archived]

The following Information Law guidance note provides comprehensive and up to date legal information covering:

  • Privacy notices under the DPA 1998 [Archived]
  • Processing personal data fairly and lawfully
  • Code of practice—privacy notices, transparency and control
  • How to prepare
  • What to include in a privacy notice
  • Using a privacy notice to gain consent for data processing
  • Format and style
  • Implementing the privacy notice
  • Privacy notices under the GDPR

ARCHIVED: This archived Practice Note provides information on the data protection regime before 25 May 2018 and reflects the position under the Data Protection Act 1998. This Practice Note is for background information only and is not maintained.

STOP PRESS: The General Data Protection Regulation, Regulation (EU) 2016/679 (the GDPR) (applicable from 25 May 2018) introduces substantial amendments to EU and UK data protection law and replaces the Data Protection Act 1998 (DPA 1998) and Directive 95/46/EC (the Data Protection Directive) from that date.

This Practice Note will be updated to reflect the changes to data protection law as a result of the GDPR regime in due course. In the meantime for further information, see Practice Note: The General Data Protection Regulation (GDPR) and the main section of this Practice Note: Privacy notices under the GDPR below.

For a comprehensive introduction to the GDPR, collating key practical guidance, see: GDPR toolkit.

Processing personal data fairly and lawfully

The first data protection principle set out in Schedule 1, Part I to the Data Protection Act 1998 (DPA 1998) requires data controllers to:

  1. process personal data fairly and lawfully

  2. meet at least one of the conditions for processing in DPA 1998, Sch 2, and

  3. in the case of sensitive personal data, meet at least one of the conditions for processing in DPA 1998,