Key Principles of the Data Protection Act
The Data Protection Act is made up of eight essential principles that all data-handling businesses must follow. The data protection principles exist to protect the individuals whose personal data is being processed, and they apply to everything that you do with people’s personal data.
The Data Protection Act Key Principles:
- Personal data shall be processed fairly and lawfully – the data subject must give their consent and remain fully informed. You must have a legitimate reason for the processing and only use it for the reason identified.
- Personal data shall be obtained only for one or more specified and lawful purposes – this purpose must be registered with the ICO and data subjects must be made aware of the purpose for data collection from the outset. This is often done using a notification clause which makes the individual aware of how their personal data will be used and that it will be treated confidentially, plus an option to opt out.
- Personal data shall be adequate, relevant and not excessive – personal data should only be kept for the duration of time and in the quantity needed to complete the intended purpose and then destroyed.
- Personal data shall be accurate and, where necessary, kept up to date – whilst in use, data must be monitored for accuracy and updated where necessary.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes – after the intended purpose is complete, personal data must be securely deleted or destroyed.
- Personal data must be processed in accordance with the rights of the individual – data subjects have a ‘right to subject access’ and are entitled to obtain a copy of their personal data that you hold. You can charge a maximum of £10 for subject access.
- Personal data must be kept secure in order to prevent loss or unauthorised disclosure – the level of security should reflect the potential harm that could result from misuse or loss of the data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area – you may only send personal data to a country or territory outside the EEA if that country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to the processing of personal data.