There are eight key principles under the Data Protection Act 1998 that any person or organisation handling data must comply with. These are:
If your business deals with personal data, it is imperative that you understand these principles, as a breach of the Data Protection Act 1998 can lead to serious consequences.
Let’s examine each principle in more detail.
Any institution, organisation or individual responsible for processing personal data must process it fairly and lawfully and must have a legitimate basis for collecting it. Consent is one such basis, but not the only one: the Act sets out several conditions, at least one of which must be met, and for sensitive personal data a further, stricter condition (for example, the subject's explicit consent) must also be satisfied. The subject should be told who is collecting their data and what it will be used for. Where consent is relied on, care must also be taken to ensure that it has been given by a person authorised to give it, for example a child's parent or, if the subject lacks capacity, someone holding a Deputyship or Power of Attorney.
Personal data can only be obtained for:
The aims of this principle are to ensure that data controllers are transparent about their use of personal data and their reasons for obtaining it, as well as ensuring that personal data is only used in accordance with the reasonable expectations of the data subject.
You should not collect or keep any data that is not necessary for the purpose of your institution or organisation and the records you keep regarding your data collection should be clearly worded, with a full explanation of any abbreviations.
The source of any information you hold about a person should be clearly stated in your written records, and the data must be accurate and, where necessary, kept up to date. If a data subject tells you that they consider a record inaccurate, that fact should be noted alongside the record.
The fifth data protection principle requires that personal data must not be kept for longer than necessary for the purposes of processing. Thus, controllers may retain data only for their specified purposes, and should regularly review it, deleting that which is no longer needed for those purposes. Complying with this principle also helps ensure that personal data held is not inaccurate, out of date or irrelevant, and therefore ties in closely with the third and fourth data protection principles.
To comply with this requirement, data controllers must ensure that they:
The seventh data protection principle requires that data controllers take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data, and against accidental loss or destruction of, or damage to, personal data.
The measures must provide a level of security appropriate to the nature of the data and to the harm that might result from a breach, so more stringent protection is needed for sensitive personal data (for example, health records) and for other data whose compromise would cause serious harm, such as financial details. In deciding what is appropriate, organisations should have regard to the state of technological development and the cost of implementing the measures. They must also ensure that staff with access to personal data are reliable and, where processing is outsourced, choose a processor that gives sufficient security guarantees and bind it by a written contract to act only on the controller's instructions and to meet equivalent security obligations.
You cannot transfer data to a country outside the EEA unless:
To get in touch with an IT law specialist who can assist you with understanding your data protection obligations or represent you if your rights have been breached, search through Solicitors Guru today.