- This Chapter sets out the six data protection principles as follows—
- section 86 sets out the first data protection principle (requirement that processing be lawful, fair and transparent);
- section 87 sets out the second data protection principle (requirement that the purposes of processing be specified, explicit and legitimate);
- section 88 sets out the third data protection principle (requirement that personal data be adequate, relevant and not excessive);
- section 89 sets out the fourth data protection principle (requirement that personal data be accurate and kept up to date);
- section 90 sets out the fifth data protection principle (requirement that personal data be kept for no longer than is necessary);
- section 91 sets out the sixth data protection principle (requirement that personal data be processed in a secure manner).
- Each of sections 86, 87 and 91 makes provision to supplement the principle to which it relates.
The data protection principles
The first data protection principle
- The first data protection principle is that the processing of personal data must be—
- lawful, and
- fair and transparent.
- The processing of personal data is lawful only if and to the extent that—
- at least one of the conditions in Schedule 9 is met, and
- in the case of sensitive processing, at least one of the conditions in Schedule 10 is also met.
- The Secretary of State may by regulations amend Schedule 10—
- by adding conditions;
- by omitting conditions added by regulations under paragraph (a).
- Regulations under subsection (3) are subject to the affirmative resolution procedure.
- In determining whether the processing of personal data is fair and transparent, regard is to be had to the method by which it is obtained.
- For the purposes of subsection (5), data is to be treated as obtained fairly and transparently if it consists of information obtained from a person who—
- is authorised by an enactment to supply it, or
- is required to supply it by an enactment or by an international obligation of the United Kingdom.
- In this section, “sensitive processing” means—
- the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;
- the processing of genetic data for the purpose of uniquely identifying an individual;
- the processing of biometric data for the purpose of uniquely identifying an individual;
- the processing of data concerning health;
- the processing of data concerning an individual’s sex life or sexual orientation;
- the processing of personal data as to—
- the commission or alleged commission of an offence by an individual, or
- proceedings for an offence committed or alleged to have been committed by an individual, the disposal of such proceedings or the sentence of a court in such proceedings.
The second data protection principle
- The second data protection principle is that—
- the purpose for which personal data is collected on any occasion must be specified, explicit and legitimate, and
- personal data so collected must not be processed in a manner that is incompatible with the purpose for which it is collected.
- Paragraph (b) of the second data protection principle is subject to subsections (3) and (4).
- Personal data collected by a controller for one purpose may be processed for any other purpose of the controller that collected the data or any purpose of another controller provided that—
- the controller is authorised by law to process the data for that purpose, and
- the processing is necessary and proportionate to that other purpose.
- Processing of personal data is to be regarded as compatible with the purpose for which it is collected if the processing—
- consists of—
- processing for archiving purposes in the public interest,
- processing for the purposes of scientific or historical research, or
- processing for statistical purposes, and
- is subject to appropriate safeguards for the rights and freedoms of the data subject.
- consists of—
The third data protection principle
The third data protection principle is that personal data must be adequate, relevant and not excessive in relation to the purpose for which it is processed.
The fourth data protection principle
The fourth data protection principle is that personal data undergoing processing must be accurate and, where necessary, kept up to date.
The fifth data protection principle
The fifth data protection principle is that personal data must be kept for no longer than is necessary for the purpose for which it is processed.
The sixth data protection principle
- The sixth data protection principle is that personal data must be processed in a manner that includes taking appropriate security measures as regards risks that arise from processing personal data.
- The risks referred to in subsection (1) include (but are not limited to) accidental or unauthorised access to, or destruction, loss, use, modification or disclosure of, personal data.