The 8 Principles of the Data Protection Act 1998
The 8 Data Protection Act principles outline the requirements of the legislation, now in force.
Personal data must be:
- Processed fairly and lawfully.
- Processed only for one or more specified and lawful purposes.
- Adequate, relevant and not excessive for those purposes.
- Accurate and kept up to date - data subjects have the right to have personal data corrected or destroyed if it is inaccurate as to any matter of fact.
- Kept for no longer than is necessary for the purposes for which it is being processed.
- Processed in line with the rights of individuals - this includes the right to be informed of all the information held about them, to prevent processing of their personal information for marketing purposes, and to compensation if they can prove they have been damaged by a data controller's non-compliance with the Act.
- Secured against accidental loss, destruction or damage and against unauthorised or unlawful processing - this applies to you even if your business uses a third party to process personal information on your behalf.
- Not transferred to countries outside the European Economic Area - the EU plus Norway, Iceland and Liechtenstein - that do not have adequate protection for individuals' personal information, unless a condition from Schedule four of the Act can be met.
Source: Business Link - Practical advice for businesses
Compliance checklist - Data Protection Act 1998