Overview of data protection principles
One of the main ways in which your rights are protected under the DPA is by imposing a duty on those who handle your personal data to do so in accordance with the Data Protection Principles. There are eight Data Protection Principles, which are set out in Schedule 1 to the DPA. All those responsible for processing personal information (known in the DPA as “data controllers”) must comply with the Principles unless a specific exemption applies.
First Principle
“Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –
- at least one of the conditions in Schedule 2 is met; and
- in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.”
The First Principle introduces the requirement that, in order to be fair and lawful under the DPA, personal data cannot be handled unless at least one of the conditions in Schedule 2 of the DPA is met and, in the case of the processing of sensitive personal data at least one of the conditions in Schedule 3 is also met.
The first condition in Schedule 2 is that the data controller has obtained your consent. However, consent is only one of the conditions, and processing of your personal data without your consent may still be fair and lawful provided that the data controller can show that one of the other conditions is met. For instance, processing will be fair and lawful if it is necessary to perform a contract with you or to comply with a legal obligation (other than a contractual one) to which the data controller is subject.
Special conditions apply to the handling of sensitive personal data, which is defined as information relating to racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health, sexual life, or the commission or alleged commission of a criminal offence (and any related proceedings). In most circumstances this type of information cannot be processed unless you have given your explicit consent to the processing, or the processing is necessary for one of a strictly limited set of purposes (e.g. for the administration of justice).
The conditions required to comply with the First Data Protection Principle are set out more fully in the section Legitimate Processing.
Second Principle
“Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes”.
This means that the data controller must have a valid reason to collect your personal data and must inform you what that reason is. Data collected for one reason cannot be used for any other unrelated purpose. For example, if a company holds your name and address for a particular purpose, it cannot give that information to a mail order company without your permission.
If a data controller wishes to use your data for an unspecified purpose, they must obtain your express consent to do so.
Third Principle
“Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed”.
In other words, only data really necessary for the stated purpose should be collected. It is not acceptable for a data controller to hold information simply because it might possibly be useful in the future, without a clear view of how it will be used.
If a data controller fails to keep their information up to date, information that was originally “adequate” may become inadequate. If they keep data for longer than necessary then the data may well become irrelevant and excessive.
In the case of Community Charge Registration Officer of Runnymede BC v Data Protection Registrar, the Tribunal held that public bodies which had the power to require people to provide personal information were under a particular duty to ensure that the information they requested was always adequate, relevant and not excessive.
In many cases, data controllers will be able to remedy possible breaches of the Principle by erasing data or adding to it, so that the information is no longer excessive, inadequate or irrelevant.
Fourth Principle
“Personal data shall be accurate and, where necessary, kept up to date”.
The Fourth Principle means that obsolete and erroneous information must be removed or updated. The DPA states that data are inaccurate if they are incorrect or misleading as to any matter of fact. A statement of opinion, as opposed to fact, therefore cannot be “inaccurate” in this sense and is not caught by the Principle, although it remains personal data.
Where the data accurately record information obtained from you or from a third party, the Principle will not be breached by an inaccuracy in that information if:
- the data controller has taken reasonable steps to ensure the accuracy of the data, having regard to the purpose for which it was obtained; and
- where you have notified the data controller that you consider the data to be inaccurate, the data record that fact.
Regarding the second part of the Principle, the purpose for which the data are held will be relevant to whether updating is necessary. For example, if the data are intended to be used merely as an historical record, updating would be inappropriate. However, where data are used to decide whether to grant credit or some other benefit it is important that the information is current.
You may be entitled to compensation if you suffer loss or harm due to inaccuracies in your personal records. This is discussed under Rights and Remedies.
Fifth Principle
“Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes”.
To comply with this Principle, data controllers need to review their personal data regularly and delete information which is no longer required for their purposes.
In the 2005 case of The Chief Constables of West Yorkshire, South Yorkshire and North Wales Police v Information Commissioner, the Information Tribunal held that the retention of records of criminal convictions in line with guidance by the Association of Chief Police Officers did not breach the Fifth Principle provided the records were retained for policing purposes. However, the records should be “stepped down” after a certain period of time and should not be disclosed to other parties for use in employment vetting.
This decision was reinforced by the 2008 decision of the Tribunal in The Chief Constables of Humberside, Staffordshire, Northumbria, West Midlands and Greater Manchester Police v Information Commissioner. There the Tribunal found that the Chief Constables should not retain conviction data on the Police National Computer where it was “no longer required for their core purposes”. That decision was, however, overturned by the Court of Appeal in 2009, which accepted that the police could retain conviction records for their own purposes, so the Tribunal’s reasoning should be read with that in mind.
Certain statutes set time limits for the retention of data – for example the Police and Criminal Evidence Act 1984 and the Companies Act 1985. Recommendations as to the retention of data can also be found in Codes of Practice, for example the CCTV Code of Practice published by the Information Commissioner.
Sixth Principle
“Personal data shall be processed in accordance with the rights of data subjects under this Act”.
This means that the data controller must comply with the provisions set out in the DPA as to individuals’ rights, such as the right to subject access and the right to have inaccurate information corrected.
Further information on this is contained in the Rights and Remedies section.
Seventh Principle
“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data”.
This Principle requires the data controller to take appropriate steps to ensure security, bearing in mind what is reasonable in the circumstances in relation to the nature of the information held; the harm that may be caused to individuals if the security of the information was breached; the cost of implementing security measures; and the current state of technological development.
Data controllers in the financial sector also need to be aware of the Financial Services Authority’s Principles for Businesses, which require firms to take reasonable care to organise and control their affairs responsibly and effectively, with adequate risk management systems. In February 2007, the FSA fined Nationwide Building Society £980,000 over a laptop containing customer information that had been stolen in 2006 and could have been used to further financial crime; the failing was as much one of organisational controls (how the incident was handled and how the risk had been assessed) as of technical security.
Eighth Principle
“Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data”.
The European Economic Area (“the EEA”) consists of the EU Member States together with Iceland, Liechtenstein and Norway. Personal data may move freely between these states.
The Eighth Principle requires that in order for data to be transferred outside this area, the country to which the data is to be transferred must provide an adequate level of protection. This will depend on various factors, including the law in force in the country or territory in question, the international obligations of that country or territory and the nature of the data to be transferred.
The “Safe Harbor” Privacy Principles agreed between the European Commission and the US in 2000 meant that personal information could be transferred to a US company which had self-certified its compliance with those Principles. (The Commission’s Safe Harbor decision was later declared invalid by the Court of Justice of the European Union in October 2015, so it can no longer be relied on as a basis for transfers.)
Schedule 4 of the DPA provides for circumstances in which the Eighth Principle does not apply to a transfer. These include where the data subject has given their consent to the transfer; where the transfer is necessary for the completion of a contract; for reasons of “substantial public interest” or for legal proceedings.