The Data Protection Act 1998
The Data Protection Act 1998 establishes a framework of rights and duties which are designed to safeguard personal data. This framework balances the legitimate needs of organisations to collect and use personal data for business and other purposes against the right of individuals to respect for the privacy of their personal details.
The legislation itself is complex and, in places, hard to understand. However, it is underpinned by a set of eight straightforward principles.
The Act covers information contained in a ‘relevant filing system’ in a structured format. It is good practice to assume that all manual/paper records of personal data are covered. Manual/paper records must be kept securely.
The Eight Data Protection Principles
The Act requires that the following eight principles should apply to personal data collected, held and stored:
1 Processed fairly
Personal data shall be processed fairly and lawfully.
In practice, this means that you must:
- have legitimate grounds for collecting and using the personal data,
- not use the data in ways that have unjustified adverse effects on the individuals concerned,
- be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data,
- handle people’s personal data only in ways they would reasonably expect,
- make sure you do not do anything unlawful with the data.