3. The Eight Principles

Data Controllers must ensure that their organisation follows the eight principles of the Data Protection Act when dealing with personal data.

 

 

Principle (official version)
Principle (simplified)
Meaning

Personal data shall be processed fairly and lawfully

 

Personal data should be obtained and processed fairly and lawfully

This means that you should be told about data which is being collected about you and should be asked for your permission to collect it.

You should also be made aware of the reason why the data is to be collected and for what it will be used.

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes

Personal data can be held only for specified and lawful purposes

The Data Controller has to state why they want to collect and store information when they apply for permission to be able to do so. If they use the data they have collected for other purposes, they are breaking the law.

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed

Personal data should be adequate, relevant and not excessive for the required purpose

Organisations should only collect the data that they need and no more. Your school needs to know your parents' phone number in case they need to contact them in an emergency. However, they do not need to know what your grandmother's name is, nor do they need to know your eye colour. They should not ask for, nor should they store, such details since this would be excessive and would not be required to help with your education.

Personal data shall be accurate and, where necessary, kept up-to-date

Personal data should be accurate and kept up-to-date

Companies should do their best to make sure that they do not record the wrong facts about a data subject. Your school probably asks your parents to check a form once a year to make sure that the phone number and address on the school system are still correct. If a person asks for the information to be changed, the company should comply if it can be proved that the information is indeed incorrect.

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or purposes

Personal data should not be kept for longer than is necessary

Organisations should only keep personal data for a reasonable length of time. Hospitals might need to keep patient records for 25 years or more; that is acceptable since they may need that information to treat an illness later on. However, there is no need for a personnel department to keep the application forms of unsuccessful job applicants.

Personal data shall be processed in accordance with the rights of data subjects under this Act

Data must be processed in accordance with the rights of the data subject

People have the right to inspect the information held on them (except in certain circumstances - see later). If the data being held on them is incorrect, they have the right to have it changed.

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data

Appropriate security measures must be taken against unauthorised access

This means information has to be kept safe from hackers and employees who don't have rights to see it. Data must also be safeguarded against accidental loss.

Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data

Personal data cannot be transferred to countries outside the E.U. unless the country has similar legislation to the D.P.A.

This means that if a company wishes to share data with an organisation in a different country, that country must have similar laws to our Data Protection Act in place.

 

Challenge: see if you can find out one extra fact on this topic that we haven't already told you.
