Data Protection Principles
The Data Protection Act controls how personal information is used by organisations, businesses or the government.
Everyone responsible for using data has to follow strict rules called ‘data protection principles’. They must make sure the information is:
- used fairly and lawfully
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- kept for no longer than is absolutely necessary
- handled according to people’s data protection rights
- kept safe and secure
- not transferred outside the European Economic Area without adequate protection
There is stronger legal protection for more sensitive information, such as:
- ethnic background
- political opinions
- religious beliefs
- sexual health
- criminal records
Principle 1 – Processing personal data fairly and lawfully
The Data Protection Act requires you to process personal data fairly and lawfully.
The requirement to process personal data fairly and lawfully is set out in the first data protection principle and is one of eight such principles at the heart of data protection.
The main purpose of these principles is to protect the interests of the individuals whose personal data is being processed. They apply to everything you do with personal data, except where you are entitled to an exemption.
So the key to complying with the Data Protection Act is to follow the eight data protection principles.
To comply with the first data protection principle you must:
- have legitimate grounds for collecting and using the personal data;
- not use the data in ways that have unjustified adverse effects on the individuals concerned;
- be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data;
- handle people’s personal data only in ways they would reasonably expect; and
- make sure you do not do anything unlawful with the data.
Conditions for Processing
The first data protection principle requires, among other things, that you must be able to satisfy one or more “conditions for processing” in relation to your processing of personal data.
Many (but not all) of these conditions relate to the purpose or purposes for which you intend to use the information.
The conditions for processing take account of the nature of the personal data in question. The conditions that need to be met are more exacting when the information being processed is sensitive personal data, such as information about an individual’s health or criminal record.
If you have a legitimate reason for processing personal data, the best approach is to focus on whether what you intend to do is fair. If it is, then you are very likely to identify a condition for processing that fits your purpose.
Being able to satisfy a condition for processing will not on its own guarantee that the processing is fair and lawful – fairness and legality must still be looked at separately.
So it makes sense to ensure that what you want to do with personal data is fair and lawful before worrying about the conditions for processing set out in the Act.
Principle 2 – Processing personal data for specified purposes
The second data protection principle aims to ensure that organisations are open about their reasons for obtaining personal data, and that what they do with the information is in line with the reasonable expectations of the individuals concerned.
There are clear links with other data protection principles – in particular the first principle, which requires personal data to be processed fairly and lawfully. If you obtain personal data for an unlawful purpose, for example, you will be in breach of both the first data protection principle and this one.
However, if you comply with your obligations under the other data protection principles, you are also likely to comply with this principle, or at least you will not do anything that harms individuals.
In practice, the second data protection principle means that you must:
- be clear from the outset about why you are collecting personal data and what you intend to do with it;
- comply with the Act’s fair processing requirements – including the duty to give privacy notices to individuals when collecting their personal data;
- comply with what the Act says about notifying the Information Commissioner; and
- ensure that if you wish to use or disclose the personal data for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair.
Principle 3 – The amount of personal data you may hold
The Data Protection Act requires you to ensure you only collect the personal data you need for the purposes you have specified. You are also required to ensure that the personal data you collect is sufficient for the purpose for which it was collected.
These requirements of data adequacy and data minimisation are covered by principle 3 of the Data Protection Act. It is the first of three principles, along with principles 4 and 5, covering information standards. In practice, it means you should ensure that:
- you hold personal data about an individual that is sufficient for the purpose you are holding it for in relation to that individual; and
- you do not hold more information than you need for that purpose.
So you should identify the minimum amount of personal data you need to properly fulfil your purpose. You should hold that much information, but no more. This is part of the practice known as “data minimisation”.
Principle 4 – Keeping personal data accurate and up to date
The second of the principles covering information standards, principle 4 covers the accuracy of personal data. The Data Protection Act imposes obligations on you to ensure the accuracy of the personal data you process. It must also be kept up to date where necessary.
This requirement is closely linked with the requirement under principle 3 that personal data is adequate. Ensuring the accuracy of personal data will assist you in complying with this requirement as well.
The law recognises that it may not be practical to double-check the accuracy of every item of personal data you receive. So the Act makes special provision about the accuracy of information that individuals provide about themselves, or that is obtained from third parties.
To comply with these provisions you should:
- take reasonable steps to ensure the accuracy of any personal data you obtain;
- ensure that the source of any personal data is clear;
- carefully consider any challenges to the accuracy of information; and
- consider whether it is necessary to update the information.
Rights to Correct or Delete Inaccurate Information
The fourth data protection principle requires personal data to be accurate (see Keeping personal data accurate and up to date). Where it is inaccurate, the individual concerned has a right to apply to the court for an order to rectify, block, erase or destroy the inaccurate information. In addition, where an individual has suffered damage in circumstances that would result in compensation being awarded and there is a substantial risk of another breach, then the court may make a similar order in respect of the personal data in question.
Principle 5 – Retaining personal data
The last of the three information standards principles, principle 5 requires you to retain personal data no longer than is necessary for the purpose you obtained it for. This principle has close links with both principles 3 and 4. Ensuring personal data is disposed of when no longer needed will reduce the risk that it will become inaccurate, out of date or irrelevant.
The Act does not set out any specific minimum or maximum periods for retaining personal data. Instead, it says that:
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
This is the fifth data protection principle. In practice, it means that you will need to:
- review the length of time you keep personal data;
- consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;
- securely delete information that is no longer needed for this purpose or these purposes;
- update, archive or securely delete information if it goes out of date.
Principle 6 – The rights of individuals
The Data Protection Act gives rights to individuals in respect of the personal data that organisations hold about them. This is the sixth data protection principle, and the rights of individuals that it refers to are:
- a right of access to a copy of the information comprised in their personal data;
- a right to object to processing that is likely to cause or is causing damage or distress;
- a right to prevent processing for direct marketing;
- a right to object to decisions being taken by automated means;
- a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed;
- a right to claim compensation for damages caused by a breach of the Act.
What are individuals entitled to?
This right, commonly referred to as subject access, is created by section 7 of the Data Protection Act. It is most often used by individuals who want to see a copy of the information an organisation holds about them. However, the right of access goes further than this, and an individual who makes a written request and pays a fee is entitled to be:
- told whether any personal data is being processed;
- given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
- given a copy of the information comprising the data; and
- given details of the source of the data (where this is available).
An individual can also request information about the reasoning behind any automated decisions, such as a computer-generated decision to grant or deny credit, or an assessment of performance at work (except where this information is a trade secret). Other rights relating to these types of decisions are dealt with in more detail in Automated decision taking.
In most cases you must respond to a subject access request promptly and in any event within 40 calendar days of receiving it. However, some types of personal data are exempt from the right of subject access and so cannot be obtained by making a subject access request.
If an individual objects to processing
The Act refers to the “right to prevent processing”. Although this may give the impression that an individual can simply demand that an organisation stops processing personal data about them, or stops processing it in a particular way, the right is often overstated. In practice, it is much more limited. An individual has a right to object to processing only if it causes unwarranted and substantial damage or distress. If it does, they have the right to require an organisation to stop (or not to begin) the processing in question.
The Act does not define what is meant by unwarranted and substantial damage or distress. However, in most cases:
- substantial damage would be financial loss or physical harm; and
- substantial distress would be a level of upset, or emotional or mental pain, that goes beyond annoyance or irritation, strong dislike, or a feeling that the processing is morally abhorrent.
Preventing direct marketing
Individuals have the right to prevent their personal data being processed for direct marketing. An individual can, at any time, give you written notice to stop (or not begin) using their personal data for direct marketing. Any individual can exercise this right, and if you receive a notice you must comply within a reasonable period.
The Act includes some help on what is meant by “direct marketing” in a data protection context. The factors set out below are used to identify direct marketing material.
Directed to particular individuals
Lots of people receive “junk mail” that is not addressed to a particular person but to “the occupier”. This type of marketing is not directed at an individual and so is not direct marketing for the purposes of the Act. This kind of mail, posted through every letterbox on a street, includes leaflets like takeaway menus and information about clothing collections.
Communication by whatever means
The common image of direct marketing is that of mailshots or telemarketing. However, for the purposes of the Act it also includes all other means by which you might contact individuals, such as emails and text messages.
Advertising or marketing material
Direct marketing does not just refer to selling products or services to individuals. It includes promoting particular views or campaigns, such as those of a political party or charity. So, even if you are using personal data to elicit support for a good cause rather than to sell goods, you are still carrying out direct marketing and would have to comply with a written notice to stop.
Automated Decision Taking
The right of subject access allows an individual access to information about the reasoning behind any decisions taken by automated means. The Act complements this provision by including rights that relate to automated decision taking. Consequently:
- an individual can give written notice requiring you not to take any automated decisions using their personal data;
- even if they have not given notice, an individual should be informed when such a decision has been taken; and
- an individual can ask you to reconsider a decision taken by automated means.
These rights can be seen as safeguards against the risk that a potentially damaging decision is taken without human intervention. We explain below what is meant by automated decision taking and how the rights work in practice.
The number of organisations who take significant decisions about individuals by wholly automated means is relatively small – there is often some human intervention in making the decisions.
However, it is sensible to identify whether any of the operations you perform on personal data constitute “automated decisions”. This will help you decide whether you need to have procedures to deal with the rights of individuals in these cases.
If an individual suffers damage because you have breached the Act, they are entitled to claim compensation from you. This right can only be enforced through the courts. The Act allows you to defend a claim for compensation on the basis that you took all reasonable care in the circumstances to avoid the breach.
Principle 7 – Information security
There is no “one size fits all” solution to information security. The security measures that are appropriate for an organisation will depend on its circumstances, so you should adopt a risk-based approach to deciding what level of security you need.
This is the seventh data protection principle. In practice, it means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to:
- design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
- be clear about who in your organisation is responsible for ensuring information security;
- make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and
- be ready to respond to any breach of security swiftly and effectively.
Principle 8 – Sending personal data outside the European Economic Area (EEA)
The Data Protection Act says that:
Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
This is the eighth data protection principle, but other principles of the Act will also usually be relevant to sending personal data overseas. For example, the first principle (relating to fair and lawful processing) will in most cases require you to inform individuals about disclosures of their personal data to third parties overseas. The seventh principle (concerning information security) will also be relevant to how the information is sent and the necessity to have contracts in place when using sub-contractors abroad.
If you are considering sending personal data outside the EEA, work through the following checklist to help you decide if the eighth principle applies and, if so, how to comply with it to make a transfer.
1. Do you need to transfer personal data abroad?
Can you achieve your objectives without processing personal data at all? For example, could the information be anonymised?
2. Are you transferring the data to a country outside the EEA or will it just be in transit through a non-EEA country?
If data is only in transit through a non-EEA country, there is no transfer outside the EEA. Note that if you add personal data to a website based in the EU that is accessed in a country outside the EEA, there will be a transfer of data outside the EEA.
3. Have you complied with all the other data protection principles?
If you transfer personal data outside the EEA, you are required to comply with all the principles and the Act as a whole, not just the eighth principle relating to international data transfers.
4. Is the transfer to a country outside the EEA?
There are no restrictions on the transfer of personal data to EEA countries.
5. Is the transfer to a country on the EU Commission’s list of countries or territories providing adequate protection for the rights and freedoms of data subjects in connection with the processing of their personal data?
Transfers may be made to any country or territory in respect of which the Commission has made a ‘positive finding of adequacy’.
6. If the transfer is to the United States of America, has the US recipient of the data signed up to the US Department of Commerce Safe Harbor Scheme?
The Safe Harbor scheme is recognised by the European Commission as providing adequate protection for the rights of individuals in connection with the transfer of their personal data to signatories of the scheme in the USA.
7. Is the personal data passenger name record information (PNR)?
The agreement made between the EU and the USA (to legitimise and regulate the transfer of PNR from EU Airlines to the US Department of Homeland Security) is regarded as providing adequate protection for the rights of the data subjects whose personal data (in the form of PNR) is transferred. Arrangements also exist between the European Commission, Canada and Australia.
If you decide you need to transfer personal data outside the EEA, and the recipient is not in a country subject to a Commission ‘positive finding of adequacy’ nor signed up to the Safe Harbor Scheme, you will need to assess whether the proposed transfer will provide an adequate level of protection for the rights of the data subjects in connection with the transfer/processing of their personal data.
8. Can you make an assessment that the level of protection for data subjects’ rights is ‘adequate in all the circumstances of the case’?
9. If not, can you put in place adequate safeguards to protect the rights of the data subjects whose data is to be transferred?
Adequate safeguards may be put in place in a number of ways including using Model Contract Clauses, Binding Corporate Rules or Binding Corporate Rules for Processors (BCRs) or other contractual arrangements. Where “adequate safeguards” are established, the rights of data subjects continue to be protected even after their data has been transferred outside the EEA.
10. Can you rely on another exception from the restriction on international transfers of personal data?
Schedule 4 DPA concerns “Cases where the Eighth Principle does not apply”. It covers BCRs, model contract clauses, and the use of other contractual clauses as well as a number of other exceptions to the restriction on overseas data transfers. If you are able to rely on an exception, the transfer may take place even though there is no other protection for individuals’ rights.