The Eight Data Protection Principles

Anyone processing personal data must comply with the eight enforceable principles of good practice. Here is a checklist.

Data must be:

  • fairly and lawfully processed;
  • processed for limited purposes;
  • adequate, relevant and not excessive;
  • accurate;
  • not kept longer than necessary;
  • processed in accordance with the data subject's rights;
  • secure; and
  • not transferred to countries without adequate protection.

Personal data covers both facts and opinions about the individual. It also includes information regarding the intentions of the ‘data controller’ towards the individual, although in some limited circumstances exemptions will apply. Where personal data is concerned, the definition of ‘processing’ becomes very wide. For example, it incorporates the concepts of ‘obtaining, holding and disclosing’ data.

The Office of the Information Commissioner has now published a consolidated version of the guidance on data protection issues in employment. This brings together the four existing guides on recruitment and selection, employee records, monitoring at work and medical information and is intended to provide employers with a complete manual on data protection in the workplace.