The First Principle
Personal data shall be processed fairly and lawfully.
This means that information obtained from and about you must have been obtained honestly, without deception or misleading means. It also means you should have been informed truthfully and in writing about the purposes for which your information were obtained and processed. You should also be supplied with any other relevant information to make the processing fair.
Your consent is not necessary for your information to be processed fairly and lawfully if the purpose
- is for the prevention and detection of crime;
- is to comply with a duty of care to you; or
- if the data controller needs to process your information to pursue its legitimate interest. However, processing to pursue a legitimate interest should not infringe your rights and legitimate interests, such as your right of respect for a private life given by Article 8 of the Human Rights Act, unless there is a compelling reason.
If your consent is obtained to process your personal data then your consent must be informed and freely given. Signing a consent form may not provide valid consent if the purposes listed on the consent form are untruthful or if you are unaware of what you are consenting to. If your consent is obtained under pressure from the data controller such that you will suffer detriment if you do not give consent, then this too will not be valid consent as it will not have been freely given.
Sensitive data about you, such as information about your sex life/orientation, your physical or mental health or condition, your religious and political views and any information about past criminal convictions can be processed without your consent if
- the processing is in connection with legal proceedings/advice;
- or the processing is in the substantial public interest. It is unlikely that a substantial public interest will exist to justify processing your sensitive data without your consent.
Otherwise your sensitive data can only be processed if your written and detailed consent is obtained.
The Second Principle
Personal data processed for one purpose shall not be used for another purpose.
Information processed about you cannot be used for a purpose other than is specified in a notice supplied to you that sets out the purposes for which your data are being processed. This notice must be truthful about the purposes for which your data are being processed.
The Third Principle
Personal data shall be adequate, relevant and not excessive for the purpose for which they are processed.
Information held about you must be minimal but should not deliberately omit relevant details that may cause you harm or distress. Personal data must be relevant to the stated purposes for which they are processed.
The Fourth Principle
Personal data shall be accurate and, where necessary, kept up to date.
The Fifth Principle
Personal data shall not be processed for longer than is necessary for the stated purpose(s).
Once a service has been supplied to you, any personal information obtained from you should be destroyed unless there are good reasons for keeping it.
The Sixth Principle
Personal data shall be processed in accordance with your rights.
This means you have a right of inspection and to a copy of the personal data being processed about you.
The Seventh Principle
Personal data shall be safeguarded against fire, flood, theft and other damage and against unauthorised disclosure to third parties.
The Eight Principle
Personal data shall not be transeferred to other countries unless adequate data protection exists in those countries.