This guide explains the purpose and effect of each of the data protection principles. The Information Commissioner's Office (ICO) is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals. If you have day-to-day responsibility for data protection in your organisation, this guide is written for you. We first set out the key definitions used in the Data Protection Act, then the eight principles, and finally the conditions for processing and the exemptions.
Key Definitions of the Data Protection Act
Whether, and how, the Data Protection Act applies to you depends on the meaning of its defined terms. This section explains only the key ones: data, personal data, sensitive personal data, processing, data subject, data controller, data processor and third party.
Data
Information that is processed by means of equipment operating automatically in response to instructions given for that purpose.
Personal Data
Data relating to a living individual who can be identified from those data, or from those data together with other information that is in, or is likely to come into, the possession of the data controller.
Sensitive Personal Data
Personal data consisting of information about the data subject's racial or ethnic origin, political opinions, religious beliefs, or physical or mental health or condition, among other categories listed in the Act. Sensitive personal data attracts stricter conditions for processing (see Conditions for Processing below).
Processing
In relation to data, processing means obtaining, recording or holding the data, or carrying out any operation or set of operations on it, including retrieval, alteration or adaptation.
Data Subject
The individual who is the subject of personal data. An individual who cannot be identified or distinguished from others is not a data subject under the Act.
Data Controller
The person who determines the purposes for which, and the manner in which, personal data are, or are to be, processed. A data controller may be an individual, an organisation or any other body of persons.
Data Processor
Any person, other than an employee of the data controller, who processes personal data on behalf of the data controller.
Third Party
Any person other than the data subject, the data controller, or a data processor or other person authorised to process data for the data controller or the data processor.
The Data Protection Principles
The Data Protection Act contains eight principles that set out how personal data must be handled. They are:
Principle 1 – Fair and Lawful Processing Of Personal Data
Personal data must be processed fairly and lawfully. The aim of this principle is to protect the interests of the individuals whose personal data are being processed. It applies to everything you do with personal data unless an exemption applies.
The Act specifies that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the conditions for processing is met.
In practice this means you must have legitimate grounds for collecting and using the personal data, must not use it in ways that have unjustified adverse effects on the individuals concerned, and must be transparent about how you intend to use it.
Principle 2 – Processing Personal Data For Specified Purposes
You may only process personal data if you have a specified and lawful purpose for doing so, and any further processing must be compatible with that purpose.
The Act specifies that personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
The aim is to ensure that organisations are open about their reasons for obtaining personal data and that they use it in line with the reasonable expectations of the individuals concerned.
Principle 3 – The Amount of Personal Data You May Hold
Under the Data Protection Act you should obtain only the personal data you actually need for the purpose you have specified. At the same time, you must ensure that the personal data you hold are sufficient for that purpose.
The Act specifies that personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
In practice this means you should not hold more information than you need for your purpose, nor so little that the purpose cannot properly be fulfilled.
Principle 4 – Keep Personal Data Accurate And Up to Date
The Data Protection Act requires you to ensure that the personal data you process are accurate and, where necessary, kept up to date.
The Act specifies that personal data shall be accurate and, where necessary, kept up to date.
This principle sounds straightforward, but double-checking the accuracy of every item of personal data is not always practical, and the Act recognises this. Take reasonable steps to ensure that any personal data you collect are accurate, record the source of the information, and consider whether it needs to be updated before it is used.
Principle 5 – Retaining Personal Data
This principle requires you to dispose of personal data once they are no longer needed for the purpose for which they were obtained. Its aim is to reduce the risk that personal data become inaccurate, irrelevant or out of date.
The Act specifies that personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.
In practice this means you should review how long you keep personal data, and securely delete information that is no longer needed for the purposes for which it was obtained.
Principle 6 – The Rights of Individuals
The Data Protection Act gives individuals a number of rights in respect of the personal data that organisations hold about them.
The Act specifies that personal data shall be processed in accordance with the rights of data subjects under the Act.
The rights referred to by this principle include:
- The right of access to a copy of the information comprised in their personal data
- The right to object to processing that is causing, or is likely to cause, damage or distress
- The right to prevent processing for the purposes of direct marketing
- The right to object to decisions being taken by automated means
- The right to have inaccurate personal data rectified, blocked, erased or destroyed
- The right to claim compensation for damage or distress caused by a breach of the Act
Principle 7 – Information Security
This principle governs how you manage the security of the personal data you hold. There is no one-size-fits-all solution: the measures that are appropriate for an organisation depend on its circumstances. To decide what level of security you need, you should take a risk-based approach.
The Act specifies that appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
In practice this means you should design and organise your security to fit the nature of the personal data you hold and the harm that could result from a security breach, taking into account the state of technology and the cost of the measures.
Principle 8 – Sending Personal Data outside the European Economic Area
This principle concerns organisations that want to transfer personal data outside the EEA (European Economic Area).
The Act specifies that personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
The other principles of the Act continue to apply when you send personal data overseas; this principle is an additional requirement, not a replacement for them.
Conditions for Processing
The conditions for processing take into account the nature of the personal data in question. The best way to establish whether you have a legitimate reason for processing personal data is to be clear about why you want to use it. Once that is clear, you can identify the condition for processing that fits your purpose.
The conditions for processing are set out in Schedules 2 and 3 of the Act. Every time you process personal data you must meet at least one of the Schedule 2 conditions, and for sensitive personal data you must also meet at least one of the Schedule 3 conditions. The Schedule 2 conditions include:
- The data subject has consented to the processing of their personal data
- The processing is necessary in relation to a contract the individual has entered into
- The processing is necessary to comply with a legal obligation that applies to you
- The processing is necessary for the exercise of statutory, governmental or other public functions, or for the administration of justice
- The processing meets the 'legitimate interests' condition
Exemptions
The rights and duties in the Data Protection Act are meant to apply generally. However, the Act contains a number of exemptions to cater for special circumstances.
Depending on the circumstances, an exemption may relieve you of one or more of the following requirements:
- Registering (notifying) with the ICO
- Giving privacy notices
- Granting the data subject access to their personal data
- The non-disclosure provisions, which otherwise restrict disclosure of personal data to third parties
Whether an exemption applies depends on your primary reason for processing the personal data in question, and each exemption must be considered on a case-by-case basis. The exemptions allow you to depart from the general requirements of the Act only to the minimum extent necessary to protect the specific activities or functions they are designed for.