principles of data protection.
Processing is guided by
eight principles, and they can be summarised by saying that the data
must be obtained fairly and lawfully, the subject should be told who is
doing the processing, why the information is being processed and to whom
it will be disclosed. Processing must be in accordance with the original
purpose, and the information must be accurate and up to date, but not
kept for longer than is necessary.
The person to whom
the data refers.
The person or
organisation that is responsible for the data.
Personal Data (or
is data from which it is
possible to identify a living individual, either directly from
that information or from additional information that is held by, or
might be held by, anyone processing that data. This includes
- expressions of
opinion about the individual,
- the intentions
of the data controller or any other person in respect of the
There are two kinds of
personal data, normal data and sensitive data. Normal data
are low-level material like name and address, phone number, hair colour
and the like. Sensitive data covers political affiliations, ethnicity,
physical or mental health, sexual life and so on. When it comes to
disclosure, a data controller can sometimes take implicit permission to
disclose normal data if there is a good reason, but sensitive data will
always require explicit permission.
covers almost any conceivable use of data, including obtaining,
recording, holding, organising, adapting, altering, retrieving,
consulting, using, disclosing, blocking, erasing or destroying the
information or data. This means, for example, that simply holding data
constitutes processing for the purposes of the 1998 Act, so keeping
information ‘just in case’, is not acceptable.