Protecting Your Client’s Data – The Eight Key Principles

There are eight key principles under the Data Protection Act 1998 that any person or organisation handling data must comply with. These are:


  1. Personal data must be processed fairly and lawfully
  2. Personal data must be obtained only for specified and lawful purposes
  3. Personal data must be adequate, relevant and not excessive
  4. Personal data must be accurate and kept up to date
  5. Personal data must not be kept for longer than necessary
  6. Personal data must be processed in accordance with the rights of data subjects
  7. Appropriate steps should be taken against unauthorised or unlawful processing of personal data
  8. There must be adequate protection for personal data transferred outside the EEA

If your business deals with personal data, it is imperative that you understand these principles, as a breach of the Data Protection Act 1998 can lead to serious consequences.

Let’s examine each principle in more detail.

Personal data must be processed fairly and lawfully

Any institution, organisation or individual responsible for processing personal data must have a legitimate basis for collecting it. Additionally, the subject must be aware that their data is being used and their consent obtained, especially if it is of a sensitive nature.  Care must also be taken to ensure that consent has been obtained from a person authorised to give it, for example, a child’s parent or, if the subject is incapacitated, someone who has Deputyship or Power of Attorney.

Personal data must be obtained only for specified and lawful purposes

Personal data can only be obtained for:

  • one or more specified and lawful purposes; and
  • must not be further processed in a way incompatible with those purposes

The aims of this principle are to ensure that data controllers are transparent about their use of personal data and their reasons for obtaining it, as well as ensuring that personal data is only used in accordance with the reasonable expectations of the data subject.

Personal data must be adequate, relevant, and not excessive

You should not collect or keep any data that is not necessary for the purpose of your institution or organisation and the records you keep regarding your data collection should be clearly worded, with a full explanation of any abbreviations.

Personal data must be accurate and kept up to date

The source of any information you have about a person should be clearly stated in your written records and all data must be 100% accurate.

Personal data must not be kept for longer than necessary

The fifth data protection principle requires that personal data must not be kept for longer than necessary for the purposes of processing. Thus, controllers may retain data only for their specified purposes, and should regularly review it, deleting that which is no longer needed for those purposes. Complying with this principle also helps ensure that personal data held is not inaccurate, out of date or irrelevant, and therefore ties in closely with the third and fourth data protection principles.

Personal data must be processed in accordance with the rights of data subjects

To comply with this requirement, data controllers must ensure that they:

  • provide information in response to a subject access request
  • prevent processing likely to cause unwarranted damage or distress to the data subject or other person
  • comply with a notice to prevent processing for the purposes of direct marketing, and
  • comply with a notice objecting to the taking of automated decisions

There must be measures against unauthorised or unlawful processing of personal data

The seventh data protection principle requires that data controllers take appropriate technical and organisational measures against unauthorised or unlawful processing of, and accidental loss of or damage to personal data.

More stringent measures will be required for sensitive personal data, e.g. financial or medical information and organisations should have regard to technological development and the cost of implementing any such developments.

There must be adequate protection for personal data transferred outside the EEA

You cannot transfer data to a country outside the EEA unless:

  • you have express consent from the subject
  • the data has been made anonymous
  • the country it is being transferred to has adequate levels of data protection
  • there is a contract in place with the data recipients that details the necessary protection precautions

To get in touch with an IT law specialist who can assist you with understanding your data protection obligations or represent you if your rights have been breached, search through Solicitors Guru today.

More articles on It Law


Google+ Twitter Facebook
Thanks for your feedback!
We will review it shortly.