The principles of data protection
The Data Protection legislation states that anyone processing personal data must comply with seven principles. These principles are legally enforceable.
The principles require that personal information:
1. Shall be processed lawfully, fairly and transparently;
The council will:
- ensure that personal data is only processed where a lawful basis applies, and where processing is otherwise lawful,
- only process personal data fairly, and will ensure that data subjects are not misled about the purposes of any processing, and
- ensure that data subjects receive full privacy information so that any processing of personal data is transparent.
2. Shall be processed specifically, explicitly and legitimately;
The council will:
- only collect personal data for specified, explicit and legitimate purposes, and we will inform data subjects what those purposes are in a privacy notice, and
- not use personal data for purposes that are incompatible with the purposes for which it was collected. If we do use personal data for a new purpose that is compatible, we will inform the data subject first.
3. Shall be adequate, relevant and not excessive;
The council will only collect the minimum personal data that we need for the purpose for which it is collected. We will ensure that the data we collect is adequate and relevant.
4. Shall be accurate and kept up to date;
The council will ensure that personal data is accurate, and kept up to date where necessary. We will take particular care to do this where our use of the personal data has a significant impact on individuals.
5. Shall be kept for no longer than is necessary;
The council will only keep personal data in identifiable form as long as is necessary for the purposes for which it is collected, or where we have a legal obligation to do so. Once we no longer need personal data it shall be deleted or rendered permanently anonymous.
6. Shall be processed in a manner that ensures appropriate security, and;
The council will ensure that there are appropriate organisational and technical measures in place to protect personal data.
7. The council shall be able to demonstrate compliance with the above.
The council will:
- ensure that records are kept of all personal data processing activities, and that these are provided to the Information Commissioner on request,
- carry out a Data Protection Impact Assessment (DPIA) for any high risk personal data processing, and consult the Information Commissioner if appropriate,
- ensure that a Data Protection Officer (DPO) is appointed to provide independent advice and monitoring of the council’s personal data handling, and that this person has access to report to the highest management level of the council, and
- have in place internal processes to ensure that personal data is only collected, used or handled in a way that is compliant with data protection law.
The Data Protection legislation provides conditions for the processing of any personal data that must be met. It also makes a distinction between personal data, “special category” (sensitive) personal data and criminal conviction personal data. Special category personal data requires stricter conditions for processing.