The Data Protection Act 1998 The Eight Principles

Background The data protection act of 1998 brings together access rights, previously dealt with under separate legislation, such as the individual’s right to access their own health and education records, and to obtain a copy of their credit reference file. The act also contains a direct requirement to comply with the protection principles (which I will be concentrating on in my presentation), and places stricter conditions on the processing of sensitive data. Under the act individuals have greater rights to object to processing likely to cause substantial damage or distress, and have a new express right to prevent their data being used for direct marketing.

The Principles The data protection act reads that users should comply with these eight data protection principles Data must be fairly and lawfully processed Data must be processed for limited purposes Data must be adequate, relevant and not excessive Data should be accurate Data must not be kept longer than necessary Data must be processed in accordance with the data subject’s rights Data must be secure Data must not be transferred to countries without adequate protection

Principle Definition Principle 1: Personal data must be processed fairly and lawfully and must not be processed unless at least one of the following conditions has been met – (a) The data subject has consented to the processing (b) The processing is necessary for the performance of a contract to which the data subject is a party (c) The processing is necessary for compliance with any legal obligation (d) The processing is necessary to protect the subject’s vital interests (e) The processing is necessary for the administration of justice (f) The processing is necessary for the purposes of legitimate interests pursued by the data controller or third parties to whom the data is disclosed

Principle Definition Principle 2: Personal data must be obtained only for one or more specified and lawful purpose(s) and must not be further processed in a way that is incompatible with such purpose(s).

Principle Definition Principle 3: Personal data must be adequate, relevant and not excessive in relation to the purpose(s) for which processed

Principle Definition Principle 4: Personal data must be accurate and, where necessary, kept up to date.

Principle Definition Principle 5: Personal data processed for any purpose(s) must be kept for longer than is necessary for the purpose(s)

Principle Definition Principle 6: Personal data must be processed in accordance with a data subject’s rights under the Act.

Principle Definition Principle 7: Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to personal data.

Principle Definition Principle 8: Subject to schedule 4, personal data must not be transferred to country outside of the European economic area (EEA) unless that country ensures an adequate level of protection for the rights and freedoms of data subjects so far as the processing of personal data is concerned.

Conclusion Thanks to the introduction of the data protection Act 1998 illegal data exposure has dropped by over 70% although there are still people out there who can find ways around security measures created by professionals and infringe the law dramatically. The data protection act has definitely helped data protection a lot but more still needs to be done if there is to be a 100% block on illegal data exposure.