
Data protection and privacy

Make sure you know your rights and responsibilities regarding personal data


Data protection and privacy FAQs

  • How to protect data and privacy rights

    In the UK, the main legislation governing the collection, processing and distribution of personal data is the Data Protection Act 2018 (the DPA), which is enforced by the Information Commissioner's Office (ICO). The DPA is the legislation that implements the UK General Data Protection Regulation (the GDPR).

  • What is personal data?

    Personal data is information relating to individuals who can be personally identified from that data (on its own or with other data held). Personal data can be held electronically or physically and includes names, addresses (including email addresses), dates of birth and online identifiers (eg IP addresses).

    There is a further 'special category' of personal data which is subject to more restrictions. Special categories of personal data include information about racial or ethnic origin, sexual life and physical or mental health or condition.

    For more information, read Data protection.

  • What rights do you have in relation to your data?

    You have certain rights relating to data held about you, including:

    • the right to access your data and be informed about how your data is being processed

    • the right to have your data rectified if it's inaccurate or incomplete

    • the right to object to the processing

    • the right to have your data erased in certain circumstances

    For more information, read Data protection requests.

  • How can I access data held on me by businesses?

    Under section 45 of the DPA, individuals can make subject access requests (also known as ‘SARs’ or ‘data protection requests’) to businesses and other organisations that hold their personal data. A SAR is a written request to a company or organisation asking for access to the personal information it holds on you and can be made to find out a variety of things, including:

    • details of the personal data that is being processed (ie a copy of the data)

    • the reasons why this data is being processed

    • how this data was sourced (if available)

    • which other organisations or individuals have access to the data

    For more information, read Making data subject access requests.

  • How can I ask for my data to be corrected?

    Under article 16 of the GDPR, individuals have the ‘right to rectification’, allowing them to request that any inaccurate personal data held by businesses or other organisations about them is corrected. If the data is incomplete, individuals can also request that organisations add more information.

    A request for data rectification can be made verbally or in writing. It should clearly state that the accuracy of the data is being challenged and that it should be corrected and, where possible, provide evidence of the inaccuracy.

    For more information, read Data rectification requests.

  • How can I object to the processing of my data?

    Under article 21 of the GDPR, individuals have the right to object to organisations processing their personal data. This effectively means that organisations can be stopped or prevented from using an individual’s data.

    The right to object depends on the organisation’s purpose and lawful grounds for processing and an objection can typically only be made if data is used for:

    • direct marketing purposes

    • statistical purposes or scientific or historical research

    • tasks carried out that are in the public interest

    • the exercise of official authority

    • the organisation’s legitimate interest

    For more information, read Objecting to the use of personal data.

  • How can I request that my data be deleted?

    Under article 17 of the GDPR, individuals have the ‘right to erasure’, allowing them to have their personal data deleted from businesses or other organisations. The right to erasure only applies in certain circumstances (eg an individual initially consented to their data being used but has now withdrawn that consent, or where it is no longer necessary for the organisation to keep the data for its original purpose).

    For more information, read Making data deletion requests.

  • Who needs to comply with data protection laws?

    Generally, anyone who processes personal data needs to comply with data protection laws. 'Processing' is any use of personal data (other than for personal reasons) and includes obtaining, storing and retrieving personal data. Read Processing personal data for more information.

    This means that businesses and private individuals alike will need to comply with data protection laws where they process personal data belonging to ‘data subjects’ (ie natural persons from whom or about whom they collect information). For example, an online business may collect personal data about its customers (ie the people buying its products) and its staff. On the other hand, a private individual may collect personal data where they run a blog (eg by collecting users’ names and email addresses through a blog contact form).

  • Can my employer process personal data relating to my health (eg vaccination status)?

    Health data (ie any information relating to your health, including, for example, Coronavirus (COVID-19) vaccination status) is special category personal data that is afforded greater protection than other forms of personal data (eg names and contact details).

    The processing of personal health data is generally not permitted unless the use of the data is fair, relevant and necessary for a specific purpose. For example, your employer may be able to process your personal health data in order to comply with employment law, the employer’s health and safety duties and for reasons of the public interest in health.

    Where your employer processes health data (eg checking or recording your Coronavirus (COVID-19) vaccination status), their reasons for doing so must be clear and transparent. This generally means that employers need a specific reason for processing your health data and cannot record it ‘just in case’.

    For more information on employers processing your health data in relation to your Coronavirus (COVID-19) vaccination status, read How to record the Coronavirus (COVID-19) vaccination status of staff.

  • What documents do I need if I run a blog?

    Even when you run a personal blog, you still need to make sure that you comply with data protection laws. To do this, it is recommended that you have a variety of documents available on your website for visitors to view, including:

    • a Privacy policy (if you are collecting personal data from website users). This document should let your website users know who you are, why you are collecting their data, what you are doing with their data and how long it will be stored

    • a privacy notice (if you are holding and using people’s personal data). This document explains who the data controller (ie the party determining the purposes and means of processing personal data) is, who the Data Protection Officer (ie the individual responsible for ensuring data protection compliance within the business) is, and describes the purpose of collecting, using, disclosing and storing a person's personal data

    • a Cookie policy (if your blog uses cookies - small text files placed on a user’s computer or smartphone, commonly used to collect personal data). This should let your website users know about the website’s use of cookies. You can also have an integrated cookie policy in your Privacy policy (as is the case with Rocket Lawyer's template)

    • Website terms and conditions - this document governs the use of your website and sets out the legal rights and obligations between you and your users

    For more information, read How to set up your blog.


Legal guides

  1. Freedom of information requests
  2. Making subject access requests
  3. Data protection requests
  4. Making data deletion requests
  5. Data rectification requests
  6. Objecting to the use of personal data
  7. How to set up your blog
  8. Processing personal data
  9. Data privacy and cookies
  10. Consent for GDPR
  11. Data protection for private landlords
  12. How to record the Coronavirus (COVID-19) vaccination status of staff
  13. Data protection for Test and Trace and Coronavirus (COVID-19) mitigation
