DATA PROTECTION ACT 1998
THE EIGHT DATA PROTECTION PRINCIPLES
OG 58 B4 - 14 March 2012
Purpose: This guidance sets out in full the eight Data Protection Principles. A summary of the Data Protection Principles can be found in OG 58 A3.
1. The First Principle
2. The Second Principle
3. The Third Principle
4. The Fourth Principle
5. The Fifth Principle
6. The Sixth Principle
7. The Seventh Principle
8. The Eighth Principle
Meaning of expressions - list of Glossary terms used in this Guidance
Index to further related information
The 'fair processing code' is divided into (a) fair obtaining of personal data and (b) providing information to data subjects about the processing. To ensure that data can be said to have been 'fairly obtained', data controllers must not mislead or deceive data subjects as to the purpose or purposes of the processing. Personal data will be treated as having been fairly obtained if they have been obtained from a person who is either authorised or required under any enactment or international obligation (for example, the Charities Act 2011) to supply such data.
Unless it would involve a disproportionate effort or unless the recording or disclosing of data is necessary for compliance with a legal (as opposed to contractual) obligation, data controllers must inform data subjects of their identity (or the identity of their representative), the purpose(s) for which the data are intended to be processed and any further information, having regard to the specific circumstances in which the data are to be processed, to enable the processing to be fair. As guidance in this latter respect, data controllers are advised to consider the extent to which the use of personal data by them is or is not reasonably foreseeable by the data subjects. To the extent that it would not be reasonably foreseeable, data controllers should ensure that they provide such further information as may be necessary.
All this information should be 'readily available' to data subjects, either by providing it at the time the data are requested, at the time they are received (if they have been supplied by a third party), or when the data subject requests it.
One of the conditions for processing is that it is carried on with the consent of the data subject. In some cases implied consent may be sufficient. In others nothing less than clear written consent will suffice. A blanket consent to the processing of personal data is unlikely to be sufficient as a basis on which to process personal data, particularly sensitive data. The more ambiguous the consent being relied upon by data controllers the more likely there are to be questions about its existence or validity.
'Consent' is not defined in the 1998 Act but is defined in the EC Directive as ". . . any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed." The fact that the data subject must "signify" their agreement means that there must be some active communication between the parties. Consent cannot be inferred from non-response to a communication (e.g. failure to return a notice of objection to the processing), nor is it valid where it has been obtained under duress or on the basis of misleading information. Passive consent can be inferred from a failure to tick an "opt-out" box on a form or other communication (inviting the individual to tick if they object to receiving future mailings of a specified type, for example). Even where consent has been given it will not necessarily endure forever. In most cases consent will endure for as long as the processing to which it relates continues (or longer if that is appropriate in the circumstances), provided the individual has not withdrawn their consent.
In the case of processing sensitive personal data the consent of the data subject must be 'explicit', i.e. it should be absolutely clear.
OG 58 C5 sets out a decision tree showing some of the main things to consider when processing personal data, in particular when determining whether that processing is fair and lawful.
A data controller may specify the purpose(s) for which the personal data are obtained:
A notice to a data subject should state why the personal data are being processed and provide an indication of the likely recipients of the data. Where personal data are disclosed to other persons, consideration should be given to the purpose(s) for which they are intended to be processed by that other person. For example, companies which sell on customer lists to other companies should notify data subjects of this fact and explain the intentions of the purchasers of the lists, who will usually wish to market to some or all of the customers on the lists. Regard should also be had to section 11 of the 1998 Act which allows data subjects the right to prevent processing for the purposes of direct marketing.
Data controllers should ensure they do not obtain more data than they need and discard any irrelevant data. It may be that certain information is required in relation to some data subjects but not others. Where that is the case, care should be exercised to ensure that the same level of information is not obtained from all data subjects.
Data are inaccurate if they are incorrect or misleading as to any matter of fact. It is not enough for data controllers to rely on the fact that the personal data were provided by the data subject or third party as evidence of their accuracy. Data controllers should take reasonable steps to ensure the accuracy of the data which they process and, if the data subject believes the data are inaccurate, the data should indicate that fact.
When deciding what action to take regarding ensuring the accuracy of data, data controllers are advised to consider:
Data controllers need only keep data up to date 'where necessary'. For example, if the purpose of the data processing is to establish an historical record it would defeat that purpose to update it. In most cases, however, it will be in the interests of the data controller to keep data up to date. It is therefore advisable to carry out regular reviews of that data and keep a record of the date of the last review. Particular care should be taken if the fact that data are out of date may cause damage or distress to the data subject.
Data should be reviewed regularly and what is no longer required should be discarded. In some cases data may be legitimately retained for many years, such as where it could relate to a potential legal claim (in which case the data should be retained until the time limit for bringing action has expired).
"Personal data shall be processed in accordance with the rights of data subjects under this Act."
A person will contravene this Principle if, and only if, they:
"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."
Data controllers need to take "appropriate" security measures (both technical and organisational) to ensure personal data they hold are protected, having regard to:
Technical measures might include:
Organisational measures might include:
"Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data."
Personal data are transferred to a country or territory outside the EEA whenever the data are disclosed or made readily available in such a place. This means that if an organisation places personal data on its website, because that information can be accessed from anywhere in the world, the organisation may be in breach of this principle. If the level of data protection in the country or territory of destination is "adequate" there is no breach of this principle. However, this does not apply to a public register which is exempt from this Principle.
The following words and phrases are defined in the Glossary of Terms:
sensitive personal data
© 2012 Crown Copyright