5. The Eight Principles
Data controllers must follow the Eight principles of the Act.
These are:
- Personal data should be obtained and processed fairly and lawfully.
- Personal data can be held only for specified and lawful purposes.
- Personal data should be adequate, relevant and not excessive for the required purpose.
- The personal data should be accurate and kept up-to-date.
- The personal data should not be kept for longer than is necessary for the purpose for which it is collected.
- Data must be processed in accordance with the rights of the data subjects. This gives individuals the right to inspect the information held on them.
- Appropriate security measures must be taken against unauthorised access.
- Personal data cannot be transferred to countries outside the European Union unless the country provides an adequate level of protection.

Unlike the 1984 Act, the 1998 Act applies to paper records as well as electronic records, but only from 23 October 2007.
- Personal data should be obtained and processed fairly and lawfully.
A data subject must be informed that data is being collected and what it is to be used for. A data subject will usually have to have given written permission before sensitive personal data can be gathered or processed (see next page).
- Personal data can be held only for specified and lawful purposes.
For example, data on new-born babies that is held by a maternity unit should not be used to generate mail shots advertising baby products.
- Personal data should be adequate, relevant and not excessive for the required purpose.
An organisation's employee records are unlikely to require the marital status and details of an employee's children. A car insurance company does not need to know what financial commitments you have.
- The personal data should be accurate and kept up-to-date.
Companies should do their best to make sure that they do not record the wrong facts about a data subject. If a person asks for the information to be changed, the company should comply if it can be proved that the information is indeed incorrect.
- The personal data should not be kept for longer than is necessary for the purpose for which it is collected.
Hospitals might need to keep patient records for 25 years or more. That is acceptable, since they may need that information to treat an illness later on. However, there is no need for a personnel department to keep the application forms of unsuccessful job applicants.
- Data must be processed in accordance with the rights of the data subjects. This gives individuals the right to inspect the information held on them.
A data subject (e.g. you) has the right to have inaccurate data corrected. For example, it is not unusual for an individual to be refused a credit card because of some inaccuracy in their data record. You can ask to see the data that caused the decision and, if it is incorrect, you can instruct the data source to change their records.
- Appropriate security measures must be taken against unauthorised access.
This means information has to be kept safe from hackers and employees who don't have rights to see it. Data must also be safeguarded against accidental loss.
- Personal data cannot be transferred to countries outside the European Union unless the country provides an adequate level of protection.
This was a new principle in the 1998 Act.
Copyright © 2006 www.teach-ict.com