So, the key to complying with the Data Protection Act is to follow the eight data protection principles. It is essential for you to understand and follow these when conducting RSG business.
Principle 1 – Fair & Lawful
In practice, this principle means that you must:
- Have legitimate grounds for collecting and using the personal data.
- Not use the data in ways that have unjustified adverse effects on the individuals concerned.
- Be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data.
- Handle people’s personal data only in ways they would reasonably expect.
- Make sure you do not do anything unlawful with the data.
Principle 2 – Purposes
The Data Protection Act says that personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
This means you should:
- Comply with what the Act says about notifying the Information Commissioner.
- Ensure that if you wish to use or disclose the personal data for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair.
Principle 3 – Adequacy
The Act says that personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
In practice, this means you should ensure that you:
- Hold personal data about an individual that is sufficient for the purpose you are holding it for in relation to that individual.
- Do not hold more information than you need for that purpose.
So, you should identify the minimum amount of personal data you need to properly fulfil your purpose. You should hold that much information, but no more. This is part of the practice known as “data minimisation”.
Principle 4 – Accuracy
The Act says that personal data shall be accurate and, where necessary, kept up to date.
To comply with these provisions you should:
- Take reasonable steps to ensure the accuracy of any personal data you obtain.
- Ensure that the source of any personal data is clear.
- Carefully consider any challenges to the accuracy of information.
- Consider whether it is necessary to update the information.
Principle 5 – Retention
The Act does not set out any specific minimum or maximum periods for retaining personal data. Instead, it says that personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
In practice, this means that you will need to:
- Review the length of time you keep personal data.
- Consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it.
- Securely delete information that is no longer needed for this purpose or these purposes.
- Update, archive or securely delete information if it goes out of date.
Principle 6 – Rights
The Act says that personal data shall be processed in accordance with the rights of data subjects under this Act.
The rights it refers to are a right:
- of access to a copy of the information comprised in their personal data;
- to object to processing that is likely to cause or is causing damage or distress;
- to prevent processing for direct marketing;
- to object to decisions being taken by automated means;
- (in certain circumstances) to have inaccurate personal data rectified, blocked, erased or destroyed;
- to claim compensation for damages caused by a breach of the Act.
Principle 7 – Security
The Act says that appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
This means that you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised.
In particular, you will need to:
- design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
- be clear about who in your organisation is responsible for ensuring information security;
- make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and
- be ready to respond to any breach of security swiftly and effectively.
Principle 8 – Location
The Act says that personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
This means you should check where you are sending our data!