Data Protection Act

From Higher Computing Science
Jump to: navigation, search

Key points

  • Data processing is all around us. Personal data is used by companies and organisations all the time.
  • When data is personal, it must be handled carefully.
  • Data subjects are people that have data stored in computer systems, online or offline.
  • Data users are people that work for a company that processes data
  • Data controllers are the people in companies who are in control of the processing of data.
  • According to the data protection principles outlined in the Act, all data needs to be processed fairly - this means that data should only be used in the relevant context.
  • All data must be kept up to date and stored securely.


Data protection principles

  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-
    1. at least one of the conditions in Schedule 2 is met, and
    2. in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. About the rights of individuals e.g. personal data shall be processed in accordance with the rights of data subjects (individuals).
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the Wikipedia:European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Conditions relevant to the first principle

Personal data should only be processed fairly and lawfully. In order for data to be classed as 'fairly processed', at least one of these six conditions must be applicable to that data (Schedule 2).

  1. The data subject (the person whose data is stored) has consented ("given their permission") to the processing;
  2. Processing is necessary for the performance of, or commencing, a contract;
  3. Processing is required under a legal obligation (other than one stated in the contract);
  4. Processing is necessary to protect the vital interests of the data subject;
  5. Processing is necessary to carry out any public functions;
  6. Processing is necessary in order to pursue the legitimate interests of the "data controller" or "third parties" (unless it could unjustifiably prejudice the interests of the data subject).


Except under the below mentioned exceptions, the individual needs to consent to the collection of their personal information and its use in the purpose(s) in question. The European Data Protection Directive defines consent as “…any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”, meaning the individual may signify agreement other than in writing. However, non-communication should not be interpreted as consent.

Additionally, consent should be appropriate to the age and capacity of the individual and other circumstances of the case. E.g., if an organisation "intends to continue to hold or use personal data after the relationship with the individual ends, then the consent should cover this." And even when consent is given, it shouldn't be assumed to last forever. Although in most cases consent lasts for as long as the personal data needs to be processed, individuals may be able to withdraw their consent, depending on the nature of the consent and the circumstances in which the personal information is being collected and used.

The Data Protection Act also specifies that sensitive personal data must be processed according to a stricter set of conditions, in particular any consent must be explicit.


Further information

Test yourself

Teaching resources