Organisations processing personal data must comply with the principles below:
- Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
Amongst the key conditions in Schedule 2 are that either the data controller has the consent of the data subject or the processing is necessary to fulfil a contract with the data subject or to comply with other legal obligations.
Special conditions apply to sensitive personal data, which is defined as information relating to race or ethnic origin, political opinions, religious beliefs, physical/mental health, trade union membership, sexual life or criminal activities. These data cannot be processed in most circumstances unless the data subject has given explicit consent to the processing, or the processing is necessary for strictly limited purposes which are defined (e.g. the administration of justice).
Personal data shall be obtained for one or more lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
It is important to be aware of the discipline that this implies. Material in a file may in the normal course of events be used for a number of purposes. It is now clear that use must adhere strictly to the purposes to which the attention of the data subject has been drawn.
Thus in future information obtained for the purpose of student records cannot be used for the purpose of, e.g., fund raising, unless the student has given prior consent.
Personal data shall be adequate, relevant and not excessive for the purpose or purposes for which they are processed.
This implies not only that compiling too much information should be avoided, but also that sufficient information should be obtained for the proper performance of the operation.
Personal data shall be accurate and, where necessary, kept up to date.
This principle requires that the data controller take reasonable steps to ensure the accuracy of data or, where the data subject has expressed a view that the data is inaccurate, that the data records that view.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under this act.
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Thus data must be kept secure. It is the responsibility of the data controller to take reasonable steps to ensure the reliability of any employees who have access to personal data. In addition, if the data controller is using a third party processor then he must ensure that there is a contract in place with that data processor which provides for appropriate security measures.
Central administration, departments and faculties should consider the way in which manual as well as electronic data are held, to ensure that they comply with the requirements as to security.
Personal data shall not be transferred to a country or territory outside the European Economic Area (the 15 EU member states together with Norway, Iceland and Liechtenstein) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to processing of personal data. This principle does not apply where the data subject has given consent to the transfer or where the transfer is necessary for a contract with the data subject.
Personal data published on the web is available to any country in the world, including those outside the European Economic Area. To avoid breaching the 8th principle, and to ensure that the processing is ‘fair’, as required by the 1st principle, personal data should not be placed on the web without the consent of the individual concerned.
Transfers of personal data to the United States were permitted under a ‘Safe Harbor’ agreement between the EU and the Unites States. However, in October 2015, the European Court of Justice ruled that the Safe Harbor agreement was no longer valid. For those wishing to transfer personal data to the United States, the main alternatives are the adoption of contractual provisions that conform to ‘model clauses’ approved by the European Commission or transfers that are made with the consent of the individual.