Friday, August 22, 2014

BCS/DIP/CORE/DATA Protection Principles

Data Protection Principles

Principle 1: Information must be processed fairly and lawfully
This means that any personal data collected by an organisation must be provided with the consent of the individual. This is commonly evidenced by the written disclaimers in the purchase contracts that customers sign. To be seen as acting fairly, the collecting company must be transparent and ensure that clients are fully informed and understand what will happen to their personal information.
In other words - be honest. You must gain permission to use any collected data and let the individuals know exactly what it will be used for.

Principle 2: Information collected must be processed for limited purposes
This means that collected information must only be held and used for the reasons given to the ICO and the customer. Personal information must not be processed in any manner incompatible with the original purpose(s). If a company wishes to use certain information for purposes outside the original need, it must gain further permission from the individual.
In other words - don’t be cheeky. Only use the data that you have collected for the reasons you promised.

Principle 3: Information collected must be adequate, relevant and not excessive
This means that all data collected must be necessary for the company's stated purpose. An organisation should not ask for or hold any personal data that falls outside that purpose; holding data irrelevant to its purpose is a breach of the Data Protection Act.
In other words - don’t be greedy. Collect only data that you need to know and not additional data that may be useful to you in the future.

Principle 4: Information collected must be accurate and up to date
Data controllers must make every reasonable effort to ensure the information they use is accurate. This is because the information held is often sensitive, and acting on inaccurate data could result in the customer being misrepresented.
In other words – make sure your data is true. If any suspicion exists that the information is inaccurate – check with the individual.

Principle 5: Information must not be held for longer than is necessary
The Data Protection Act states that a company must not hold onto data for any longer than is necessary; keeping credit card details several years after a contract has terminated, for example, would breach this principle. Companies are encouraged to conduct regular reviews of the personal data they hold and to securely destroy any information that is no longer relevant.
In other words - don’t hoard. Only keep hold of old files if really needed or if you are required to by law.

Principle 6: Information must be processed in accordance with the individual’s rights
The individual’s rights that this principle refers to include:
- A right of access to a copy of their information which is held;
- A right to object to processing their data;
- A right to prevent processing for direct marketing;
- A right to have inaccurate personal data rectified, blocked, erased, or destroyed;
- A claim to compensation for damage caused by a breach of the Act.
In other words – give the individual access. It is their data you’re holding, they should have a say in how it is used.

Principle 7: Information must be kept secure
If a company is holding and using data on behalf of a third party, it is its duty to ensure that the data is kept secure. The most common breaches of the Data Protection Act relate to data exposure, where a company or organisation loses a computer device containing personal data. As well as the obvious distress this can cause the individuals involved (who often have to cancel credit cards or other details susceptible to fraud), it can also be a significant black mark on a firm’s reputation. The ICO is also not averse to fining organisations responsible for negligence.
In other words – don’t be careless. You must ensure that measures exist to keep the personal data you are responsible for out of the wrong hands.

Principle 8: Information should not be transferred outside the European Economic Area unless adequate levels of protection exist
This means that any data relating to third parties must not be stored overseas unless adequate safeguards, such as safe harbour arrangements, are in place. For example, if you are planning to store personal information overseas you must inform the individuals concerned, in accordance with principle one (fair and lawful processing). Should a company wish to store personal data overseas, it must receive consent from the individual clients, who should also be given clear and free access to remove that data from storage when desired.
In other words – keep your customers informed. Don’t store their data in grey areas without their specific consent.

Summary

The Data Protection Principles
1. Personal data shall be processed fairly and lawfully and not processed unless certain conditions are met and, in the case of "sensitive" personal data, further conditions are met. [Processing includes collection.]
2. Personal data shall be obtained for one or more specified and lawful purposes and must not be processed in any manner that is incompatible with that purpose or purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data held for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under the 1998 Act. [An individual shall be entitled at reasonable intervals and without undue delay or expense:
* to be informed by any data user whether he holds personal data of which that individual is the subject; and to access to any such data held by a data user;