There are some complete exemptions and some partial exemptions where personal data is not covered by the 1998 Act. These mean that the people storing data (the data controllers) do not need to keep to the rules.
Any personal data that is held for a national security reason is not covered. So MI5 and MI6 don't have to follow the rules if the data requested could harm national security. If challenged, the security services are able to apply for a certificate from the Home Secretary as proof that the exemption is required.
Personal data held by an individual only for the purposes of their personal, family or household affairs. eg a list of your friends' names, birthdays and addresses does not have to keep to the rules.
Some personal data has partial exemption from the rules of the DPA. The main examples of this are:
The taxman or police do not have to disclose information held or processed to prevent crime or taxation fraud. Criminals cannot see their police files. Tax or VAT investigators do not have to show people their files.
A data subject has no right to see information stored about him if it is to do with his/her health. This allows doctors to keep information from patients if they think it is in their best interests.
A school pupil has no right of access to personal files, or to exam results before publication.
A data controller can keep data for any length of time if it is being used for statistical, historical or research purposes.
Some research by journalists and academics is exempt if it is in the public interest or does not identify individuals.
Employment references written by a previous employer are exempt.
Planning information about staff in a company is exempt, as it may damage the business to disclose it.