What is illegal under the Data Protection Act?

Asked by: Filomena Breitenberg II  |  Last update: June 7, 2026

Under a Data Protection Act (like the UK's DPA 2018 or similar US laws), it's illegal to misuse personal data, including collecting it unfairly, failing to secure it, processing it without a lawful basis (like consent), not respecting data subject rights (access, deletion), losing data, making misleading privacy claims, or obstructing data protection authorities. Key illegal actions involve unauthorized access, processing sensitive data incorrectly, and hindering investigations.

What is not covered by data protection law?

Domestic purposes – personal data processed in the course of a purely personal or household activity, with no connection to a professional or commercial activity, is outside the UK GDPR's scope.

What are the 8 rules of the Data Protection Act?

  • Lawfulness, fairness, and transparency;
  • Purpose limitation;
  • Data minimisation;
  • Accuracy;
  • Storage limitation;
  • Integrity and confidentiality; and
  • Accountability.

These principles are found right at the outset of the GDPR, and inform and permeate all other provisions of that legislation.

What is covered under the Data Protection Act?

The Act works in two ways: it provides individuals with rights, including the right to know what information is held about them and the right to access that information; and it states that anyone who processes personal information must comply with the principles in the Act.

What are the three rights under the Privacy Act?

The three primary rights under the U.S. Privacy Act of 1974 are the right to access your federal agency records, the right to amend inaccurate or incomplete records, and the right to seek legal action if the government violates your privacy rights, with broader principles also protecting against unwarranted disclosures and mandating agency accountability. 

What is a violation of the Privacy Act?

What Is a Violation of Privacy? The unauthorized disclosure, collection, or handling of an individual's personal identifiable information (PII) in a manner that violates laws relating to the protection of consumer information is considered a violation of privacy.

What is exempt from the Data Protection Act?

(1) Personal data are exempt from the non-disclosure provisions where the disclosure is required by or under any enactment, by any rule of law or by the order of a court. (b) For the purpose of obtaining legal advice, or is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

What rights do I have under the DPA?

What individual rights are provided by Part 3 of the DPA 2018: law enforcement processing?

  • the right to be informed;
  • the right of access;
  • the right to rectification;
  • the right to erasure or to restrict processing; and
  • the right not to be subject to automated decision-making.

What are examples of sensitive personal data?

Definition of Sensitive Personal Information

  • Racial or ethnic origin.
  • Political opinions.
  • Religious or philosophical beliefs.
  • Trade union membership.
  • Genetic data.
  • Biometric data.
  • Health data.
  • Sexual orientation or sex life.

What are the golden rules of data protection?

This module introduces the six fundamental principles of personal data protection: purpose, accuracy, transparency, minimization, security and retention period.

What happens if you violate GDPR?

Art. 83(4) GDPR sets forth fines of up to 10 million euros or, in the case of an undertaking, up to 2% of its entire global turnover of the preceding fiscal year, whichever is higher. Especially important here is that the term “undertaking” is equivalent to that used in Art.

What are the exemptions under DPA 1998?

Exemptions under the DPA 1998 were pivotal in balancing individual data rights against other competing interests. One significant exemption pertained to national security, where data processing activities carried out for safeguarding national security were not bound by certain restrictions of the DPA 1998.

What are the three types of personal data breach?

There are three kinds of personal data breaches:

  • Confidentiality breach. Unauthorised or accidental disclosure of, or access to, personal data.
  • Integrity breach. Unauthorised or accidental alteration of personal data.
  • Availability breach. Accidental or unauthorised loss of access to, or destruction of personal data.

What is not a form of personal data?

Information concerning a 'legal' rather than a 'natural' person is not personal data. Consequently, information about a limited company or another legal entity, which might have a legal personality separate from its owners or directors, does not constitute personal data and does not fall within the scope of the UK GDPR.

What are examples of non-personal data?

Non-personal data can further be classified as: (i) Public non-personal data: data collected or generated by the government in the course of publicly funded works. For example, anonymised data of land records or vehicle registration can be considered public non-personal data.

What are the five rights of individuals?

The human rights that are covered by the Act

  • Article 2: Right to life.
  • Article 3: Freedom from torture and inhuman or degrading treatment.
  • Article 4: Freedom from slavery and forced labour.
  • Article 5: Right to liberty and security.

What constitutes a DPA breach?

What is a personal data breach? A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.

Can I ask a company to delete my personal data?

The right to get your data deleted is also known as the 'right to erasure'. You can ask an organisation that holds data about you to delete that data. In some circumstances, they must then do so. You may sometimes hear this called the 'right to be forgotten'.

What are the three rules of the Data Protection Act?

Data Protection Act 1998 principles

  • Principle 1 – Fair and Lawful.
  • Principle 2 – Purposes.
  • Principle 3 – Adequacy.

What is prohibited data?

Prohibited Data means data that would allow the identification of a specific natural person (rather than their device), such as telephone number, email address, government issued identification number, name, or postal address.

Which type of information is exempt?

  • Exemption 1: Information that is classified to protect national security.
  • Exemption 2: Information related solely to the internal personnel rules and practices of an agency.
  • Exemption 3: Information that is prohibited from disclosure by another federal law.

Does the DPA apply to all organizations?

Any business that collects personal data and uses third-party services to process that information needs a data protection agreement (DPA).

What is Article 5 of the DPA?

Art. 5 GDPR: Principles relating to processing of personal data. Personal data shall be: processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency');

What are the 4 A's of data security?

The adoption of the 4A Data Security Governance framework—comprising Access, Authorization, Authentication, and Audit—serves as a cornerstone in enabling secure, scalable, and role-based access to enterprise data assets.