Data Protection Principles

The eight data protection principles

Principle 1: Personal information must be fairly and lawfully processed

In practice, it means that you must:

  • Have legitimate grounds for collecting and using the personal data
  • Not use the data in ways that have unjustified adverse effects on the individuals concerned
  • Be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data
  • Handle people's personal data only in ways they would reasonably expect
  • Make sure you do not do anything unlawful with the data

Principle 2: Personal information must be processed for limited purposes

In practice, the second data protection principle means that you must:

  • Be clear from the outset about why you are collecting personal data and what you intend to do with it
  • Comply with the Act's fair processing requirements - including the duty to give privacy notices to individuals when collecting their personal data
  • Comply with what the Act says about notifying the Information Commissioner
  • Ensure that if you wish to use or disclose the personal data for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair

Principle 3: Personal information must be adequate, relevant and not excessive

In practice, it means you should ensure that:

  • You hold personal data about an individual that is sufficient for the purpose you are holding it for in relation to that individual
  • You do not hold more information than you need for that purpose

So you should identify the minimum amount of personal data you need to properly fulfil your purpose. You should hold that much information, but no more. This is part of the practice known as 'data minimisation'.

Principle 4: Personal information must be accurate and up to date

Although this principle sounds straightforward, the law recognises that it may not be practical to double-check the accuracy of every item of personal data you receive. So the Act makes special provision about the accuracy of information that individuals provide about themselves, or that is obtained from third parties.

To comply with these provisions you should:

  • Take reasonable steps to ensure the accuracy of any personal data you obtain
  • Ensure that the source of any personal data is clear
  • Carefully consider any challenges to the accuracy of information
  • Consider whether it is necessary to update the information

Principle 5: Personal information must not be kept for longer than is necessary

In practice, it means that you will need to:

  • Review the length of time you keep personal data
  • Consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it
  • Securely delete information that is no longer needed for this purpose or these purposes
  • Update, archive or securely delete information if it goes out of date

Principle 6: Personal information must be processed in line with the data subjects' rights

The rights of individuals that this principle refers to are:

  • A right of access to a copy of the information comprised in their personal data
  • A right to object to processing that is likely to cause or is causing damage or distress
  • A right to prevent processing for direct marketing
  • A right to object to decisions being taken by automated means
  • A right in certain circumstances to have inaccurate personal data rectified, blocked, erased or destroyed
  • A right to claim compensation for damages caused by a breach of the Act

Principle 7: Personal information must be secure

In practice, it means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. In particular, you will need to:

  • Design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach
  • Be clear about who in your organisation is responsible for ensuring information security
  • Make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff
  • Be ready to respond to any breach of security swiftly and effectively

Principle 8: Personal information must not be transferred to other countries without adequate protection

This is the eighth data protection principle, but other principles of the Act will also usually be relevant to sending personal data overseas. For example, the first principle (relating to fair and lawful processing) will in most cases require you to inform individuals about disclosures of their personal data to third parties overseas. The seventh principle (concerning information security) will also be relevant to how the information is sent and the necessity to have contracts in place when using subcontractors abroad.

The Act also sets out the situations where the eighth principle does not apply. These situations are considered in more detail on the ICO website but you can also contact the data protection officer for further information.

If you are considering sending personal data outside the EEA, there is a checklist to help you decide if the eighth principle applies and, if so, how to comply with it to make a transfer. For further information please contact the data protection officer.

Contact us

For more information or specific enquiries, please contact the Information Office: