Data Protection Act 1998

The Eight Data Protection Principles

These principles are contained in the 1998 Act and apply to the processing of all personal data.

1. Personal data shall be processed fairly & lawfully and, in particular, shall not be processed unless:

a) at least one of the conditions in Schedule 2 is met;

b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

2. Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or purposes.

3. Personal data shall be adequate, relevant and not excessive in relation to the purposes or purposes for which they are processed.

4. Personal data shall be accurate and where necessary kept up to date.

5. Personal data processed for any purpose or purposes shall not be kept longer than is necessary for that purpose or purposes.

6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

What do schedules 2 and 3 say?

When processing any personal data you must ensure that at least one of the following criteria applies (Schedule 2):

• The individual has given consent;

• The processing needs to be done for the individual to enter into a contract, or to have a contract set up, or is necessary to comply with any legal obligation other than that imposed by contract;

• The processing is necessary in order to protect the vital interests of the data subject;

• Processing is necessary for the administration of justice, exercise of functions conferred under an Act of Parliament, exercise of functions of the Crown, or the exercise of other functions of a public nature in the public interest.

• Processing is necessary for the legitimate interests of the data controller, except where this may prejudice the rights and freedoms and legitimate interests of the data subject - this purpose may be regulated by specific orders of the Secretary of State.

In addition, certain types of data are considered to be "sensitive", and to process them one or more of these criteria must also be met (Schedule 3):

• the data subject has given explicit consent

• processing is necessary to comply with the law in connection with employment

• processing is necessary to protect the vital interests of the data subject or another person where consent cannot be given by the data subject

• processing is carried out for legitimate activities by any body which is not conducted for profit or exists for political, religious or trade union purposes, and carries out appropriate safeguards, relates only to members or regular contacts, and does not involve disclosure without the consent of the data subject

• the information has been made public as a result of steps deliberately taken by the data subject

• processing is necessary in connection with legal proceedings, obtaining legal advice or defending legal rights

• processing is necessary for the administration of justice, exercise of functions conferred by an enactment, exercise of any functions of the Crown

• processing is necessary for medical purposes and is undertaken by a health professional, or one with an equivalent duty of confidentiality

• processing information as to racial or ethnic origin is necessary for equal opportunity purposes, subject to appropriate safeguards for the rights and freedoms of the data subject

• any other purpose specified in an order made by the Secretary of State .

Sensitive Personal Data is defined as one or more of the following pieces of data about the data subject:

• Racial or ethnic origin;

• Political opinions;

• Religious beliefs or beliefs of a similar nature;

• Membership of a Trade Union

• Physical or mental health or condition;

• Sexual life;

• Commission or alleged commission of any offence. Proceedings, disposal or court sentence.