The Data Protection Act

The 8 core Data Protection Act principles are:

  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –
    1. at least one of the conditions in Schedule 2 is met, and
    2. in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.


Data means information which –

    1. is being processed by means of equipment operating automatically in response to instructions given for that purpose,
    2. is recorded with the intention that it should be processed by means of such equipment,
    3. is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,
    4. does not fall within paragraph A, B or C but forms part of an accessible record as defined by section 68 of the Data Protection Act, or
    5. is recorded information held by a public authority and does not fall within any of paragraphs A to D.

Paragraphs A and B make it clear that information that is held on computer, or is intended to be held on computer, is data. So data is also information recorded on paper if you intend to put it on computer.


Personal data means data, which relates to a living individual who can be identified –

  • from those data, or
  • from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the Data Controller or any other person in respect of the individual.


The Data Controller is a person who (either alone, or jointly, or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.


The Data Processor is any person (other than an employee of the Data Controller) who processes data on behalf of the Data Controller.

The Data Processor and the Data Controller must agree to –

  • what data is extracted;
  • the frequency and schedule of data extraction;
  • where the data is extracted to;
  • and what the data will be used for.