Principles

Introduction

The Data Protection Act 1998 has eight Data Protection Principles. These set out what is expected of all data controllers and their employees. (Although the 1984 Act also had eight Principles, the new ones are not exactly the same as those in the old Act.)

The Principles are set out in Schedule 1 Part 1 of the 1998 Act. Schedule 1 Part 2 interprets most of the Principles.

The eight Data Protection Principles

  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless it complies with specified sets of conditions.
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

These are explained more fully below.


Principle #1

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:

Conditions for Processing (Schedule 2 of the Act)

At least one of the following conditions must be met in the case of all processing of personal data (except where a relevant exemption applies):

The Information Commissioner considers that reliance on this condition may only be claimed where the processing is necessary for matters of life and death, for example, the disclosure of a data subject's medical history to a hospital Accident & Emergency Department treating the data subject after a serious road accident. (Edge Hill, 1999)

Conditions for Processing Sensitive Data (Schedule 3 of the Act)

The Act introduces categories of sensitive personal data, namely, personal data consisting of information as to:

This sensitive data cannot be processed unless it comes under one of a number of special cases, such as these:


Principle #2

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

Unlike the 1984 Act, there are two means by which a data controller may specify the purpose for which the personal data are obtained, namely:

Case study: In 1998 an employee of the National Westminster Bank was found supplying information about customers to his father, a private investigator. The employee was found guilty; the fines and court costs amounted to over £9000.


Principle #3

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

This is similar to the fourth Principle in the 1984 Act, though the definition of processing used to be narrower.

Case study: When the Poll Tax was introduced several years ago, local authorities had to collect information on every citizen. A few authorities decided that, while they were at it, the questionnaires could ask for other interesting items of information. The DP Registrar forced them to change their questionnaires, at great expense, as this extra data was excessive for the purposes of Poll Tax collection.


Principle #4

Personal data shall be accurate and, where necessary, kept up to date.

Data are inaccurate if they are incorrect or misleading as to any matter of fact.

This Principle is not contravened because of any inaccuracy in personal data which accurately record information obtained from the data subject in a case where the data controller has taken reasonable steps to ensure the accuracy of the data.


Principle #5

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

If you plan to retain personal data for historical analysis, identifying trends or data mining, you must register this in the Data Protection Register. Failure to do this may result in a breach of the fifth Principle.

This is similar to the sixth Principle in the 1984 Act.


Principle #6

Personal data shall be processed in accordance with the rights of data subjects under this Act.

This Principle is contravened if, but only if, the data controller/processor:


Principle #7

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

The Act gives some further guidance on matters which should be taken into account in deciding whether security measures are "appropriate". These are:

Where the data processor is not an employee of the data controller, that data processor must give sufficient written guarantees about the security measures and the data controller must take reasonable steps to ensure compliance.


Principle #8

Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The European Economic Area consists of the EU Member States together with Iceland, Liechtenstein and Norway.

At the time of writing, the United States is not considered to have adequate safeguards in place to give assurance that personal data will be protected adequately. This is of special significance to organisations that have outsourced data to companies that process it on computers in the United States. (See the US Department of Commerce information on "safe harbor".)

It might be sufficient to write into the contract of your outsourcing company that they must comply with the terms of the UK's Data Protection Act 1998 (Classe, 1999 and Phillips, 1999).

This Principle also affects organisations wishing to ship or transmit data to foreign countries, such as India, where it can be processed more cheaply. Companies with head offices outside the EEA will also have to realise that they may no longer be able to satisfy requests to send personal data to head office.

Schedule 4 of the Act does provide some exceptions to this Principle, for example, where each data subject has given consent to the transfer.

The Information Commissioner has provided extensive advice on the issue of transborder flows.


Important notice

What you read here is only a summary to introduce the concepts. You should not rely on it to build a legal case or safeguard your legal position. The University of Glamorgan and its employees cannot be held responsible for any legal or other redress due to errors in the notes. Seek professional legal advice before acting on what you read here.


Comments please to: dwfarthi@glam.ac.uk © 1999, 2001, 2004, University of Glamorgan