
Data Protection Principles

The Data Protection Act 1996 sets out eight Data Protection Principles. If you process personal information, you must comply with all of them unless a specific exemption applies.

First Principle

“Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:

  • at the very least one of the conditions in Schedule two is satisfied, and
  • at the very least one of the conditions of Schedule three is met, when considering personal data.”

The First Principle requires that personal data must not be processed unless at least one of the conditions in Schedule two of the DPA is satisfied, and, where sensitive personal data is being processed, at least one of the conditions in Schedule three must also be satisfied.

The first condition in Schedule 2 is that the data controller has obtained your permission. Permission is, however, only one of the conditions, and processing your personal data without your permission may still be fair and lawful, provided the data controller can show that one of the other conditions is satisfied.

For example, processing will be fair and lawful if it is needed to perform a contract or to meet other legal obligations. Additional conditions apply to the processing of sensitive personal data, meaning information relating to race or ethnic origin, political views, religion, health, trade union membership, sexual matters or criminality.

In most situations this sort of information cannot be processed unless you have given your permission to the processing, or the processing is needed for a small number of narrowly defined purposes.

Second Principle

“Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.”

This means that the data controller must have a good and reasonable purpose for holding your personal data and must tell you what that purpose is. Data collected for one purpose must not be used for any other purpose. If they want to hold your data for an unspecified purpose, they need your permission.

Third Principle

“Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.”

Put another way, only the data actually needed for the stated purpose should be collected. It is unacceptable for a data controller to retain information simply because it might be useful later, without knowing how it will be used.

When the data controller does not keep information up to date, information that was originally “adequate” may cease to be.

In many situations data controllers will be able to remedy potential violations of this Principle by deleting data, or by adding to it, so that it is no longer inadequate or irrelevant.

Fourth Principle

“Personal data shall be accurate and, where necessary, kept up to date.”

The Fourth Principle means that obsolete and incorrect information must be deleted or brought up to date. The DPA says that data is inaccurate if it is incorrect or misleading. Opinions are not covered by this Principle.

This Principle will not be violated if:

  • the data controller has noted and recorded that the data subject considers the data to be wrong, and
  • the data controller has taken reasonable steps to ensure that the data is accurate.

The data subject may be entitled to compensation if they suffer damage because the data is inaccurate.

Fifth Principle

“Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”

Data controllers are required to review the personal data they hold regularly and to destroy information that is no longer needed for the purposes for which it was collected. Holding on to data once it is no longer required is not permitted.

Particular statutes, such as the Police and Criminal Evidence Act 1984 and the Companies Act 1985, set time limits for the retention of specific types of data.

Sixth Principle

“Personal data shall be processed in accordance with the rights of data subjects under this Act.”

This means that the data controller must comply with the provisions of the Data Protection Act on individuals’ rights, such as the right of subject access and the right to have inaccurate information corrected. This ensures that personal data is not concealed from the people to whom it relates.

Seventh Principle

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

This obliges the data controller to make a proper effort to ensure security. What is required is only what is reasonable in the circumstances, taking into account the type of information held, the harm that could be caused to individuals if its security were breached, the cost of implementing security measures, and the current state of technological development. In this way, the rights of data subjects are balanced against what can reasonably be expected of the data controller.

Data controllers should also be aware of the Financial Conduct Authority’s Principles for Businesses, which require firms to take reasonable care to control their affairs responsibly and effectively.

Eighth Principle

“Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data.”

The European Economic Area comprises the twenty-seven EU Member States together with Iceland, Norway and Liechtenstein, and personal data may move freely between these countries.

The Eighth Principle requires that, if personal data is to be moved outside the EEA, the country to which it is transferred must provide an adequate level of protection. Whether a transfer is allowed depends on the law of that country, the type of data and the country’s international obligations. The “Safe Harbour” Privacy Principles allow personal information to be transferred to the US where the receiving company has satisfied certain conditions.

Schedule four of the DPA sets out the situations in which the Eighth Principle does not apply to a transfer of personal data. These include where the data subject has consented to the transfer and where the transfer is necessary for the performance of a contract; in such cases the data may be transferred.
