
Annex H The Eight Principles of the Data Protection Act 1988

Below you will find a list of and information on the 8 principles of the Data Protection Act 1988. This information and further information on the Data Protection Act can be obtained from the Information Commissioner's Office and is available at www.ico.gov.uk.

Schedule 1 to the Data Protection Act lists the data protection principles in the following terms:

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -
   (a) at least one of the conditions in Schedule 2 is met, and
   (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

1. The Data Protection Act says that:

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

This is the first data protection principle. In practice, it means that you must:

- have legitimate grounds for collecting and using the personal data;
- not use the data in ways that have unjustified adverse effects on the individuals concerned;
- be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data;
- handle people's personal data only in ways they would reasonably expect; and
- make sure you do not do anything unlawful with the data.

2. The Data Protection Act says that:

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

This requirement (the second data protection principle) aims to ensure that organisations are open about their reasons for obtaining personal data, and that what they do with the information is in line with the reasonable expectations of the individuals concerned.

There are clear links with other data protection principles - in particular the first principle, which requires personal data to be processed fairly and lawfully. If you obtain personal data for an unlawful purpose, for example, you will be in breach of both the first data protection principle and this one. However, if you comply with your obligations under the other data protection principles, you are also likely to comply with this principle, or at least you will not do anything that harms individuals.

In practice, the second data protection principle means that you must:

- be clear from the outset about why you are collecting personal data and what you intend to do with it;
- comply with the Act's fair processing requirements - including the duty to give privacy notices to individuals when collecting their personal data;
- comply with what the Act says about notifying the Information Commissioner; and
- ensure that if you wish to use or disclose the personal data for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair.

3. The Act says that:

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

This is the third data protection principle. In practice, it means you should ensure that:

- you hold personal data about an individual that is sufficient for the purpose you are holding it for in relation to that individual; and
- you do not hold more information than you need for that purpose.

4. The Act says that:

Personal data shall be accurate and, where necessary, kept up to date.

This is the fourth data protection principle. Although this principle sounds straightforward, the law recognises that it may not be practical to double-check the accuracy of every item of personal data you receive. So the Act makes special provision about the accuracy of information that individuals provide about themselves, or that is obtained from third parties. To comply with these provisions you should:

- take reasonable steps to ensure the accuracy of any personal data you obtain;
- ensure that the source of any personal data is clear;
- carefully consider any challenges to the accuracy of information; and
- consider whether it is necessary to update the information.

5. The Act does not set out any specific minimum or maximum periods for retaining personal data. Instead, it says that:

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

This is the fifth data protection principle. In practice, it means that you will need to:

- review the length of time you keep personal data;
- consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;
- securely delete information that is no longer needed for this purpose or these purposes; and
- update, archive or securely delete information if it goes out of date.

6. The Data Protection Act gives rights to individuals in respect of the personal data that organisations hold about them. The Act says that:

Personal data shall be processed in accordance with the rights of data subjects under this Act.

This is the sixth data protection principle, and the rights of individuals that it refers to are:

- a right of access to a copy of the information comprised in their personal data;
- a right to object to processing that is likely to cause or is causing damage or distress;
- a right to prevent processing for direct marketing;
- a right to object to decisions being taken by automated means;
- a right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed; and
- a right to claim compensation for damages caused by a breach of the Act.

7. The Data Protection Act says that:

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

This is the seventh data protection principle. In practice, it means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to:

- design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
- be clear about who in your organisation is responsible for ensuring information security;
- make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and
- be ready to respond to any breach of security swiftly and effectively.

8. The Data Protection Act says that:

Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

This is the eighth data protection principle, but other principles of the Act will also usually be relevant to sending personal data overseas. For example, the first principle (relating to fair and lawful processing) will in most cases require you to inform individuals about disclosures of their personal data to third parties overseas. The seventh principle (concerning information security) will also be relevant to how the information is sent and the necessity to have contracts in place when using subcontractors abroad.

The Act also sets out the situations where the eighth principle does not apply, and these situations are also considered in more detail in this section.
