What are the data protection principles?
Organisations need to comply with the data protection principles whenever they process (eg obtain or record) personal data (eg names, addresses and information about racial/ethnic origin). These principles are set out in the UK GDPR and include:
-
the accountability principle - the organisation processing the data is responsible for and must be able to demonstrate compliance with the law on data protection
-
lawfulness, fairness and transparency - any personal data collected must be processed fairly, lawfully and in a transparent manner
-
purpose limitation - personal data should only be collected for specified, explicit and legitimate purposes
-
data minimisation - personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
-
accuracy - any personal data must be accurate and kept up to date
-
storage limitation - personal data must not be kept for longer than necessary
-
integrity and confidentiality (security) - personal data must be processed in a way that ensures the appropriate security of the data
For more information, read Data protection.
Why are the principles important?
These data protection principles are the fundamental building blocks of the UK GDPR - compliance with the principles is important as it helps to ensure good data protection practice. Failure to comply with the principles can leave an organisation open to fines of up to £17.5 million, or 4% of its total worldwide annual turnover, whichever is higher.
How to comply with data protection principles
Anyone processing personal data should ensure compliance with the principles and make sure they have appropriate safeguards (eg clear policies) in place.
This is especially important where an Appropriate policy document (APD) is being completed. This document outlines an organisation’s compliance measures for special category 'sensitive' personal data (eg information about racial/ethnic origin, physical/mental health, sexual life and biometrics) and criminal offence data (eg criminal convictions and offences or related security measures). Read Appropriate policy documents for more information. An APD sets out the organisation's procedures for ensuring compliance with the data protection principles: it lists each principle and explains how the organisation complies with it.
Accountability principle
The accountability principle requires organisations to take responsibility for what they do with personal data and how they comply with the other data protection principles. This involves having appropriate measures and records in place to be able to demonstrate compliance. Such measures include:
-
appointing a data protection officer (DPO), where one is required or appropriate - a person responsible for ensuring data protection compliance in your business
-
keeping a record of data processing activities - including why the data is processed, how long data will be retained for and who data will be shared with
-
having relevant policies in place - including data retention policies, information security policies and privacy notices
-
documenting when data will be shared with third parties - for example, using a data processing agreement
-
carrying out data protection impact assessments (DPIAs) for any processing that is likely to result in a high risk to individuals
Lawfulness, fairness and transparency
Organisations need to ensure that personal data is processed fairly, lawfully and in a transparent manner.
Lawfulness
Processing personal data ‘lawfully’ involves identifying a specific lawful ground for the processing. Examples of lawful grounds for processing include the organisation having a legitimate interest in the processing and the data subject (ie the individual the data relates to) consenting to the processing. For more information on this, read Processing personal data. Where special category 'sensitive' personal data and/or criminal offence data is processed, further conditions for processing also need to be identified. Read Compliance for DPIAs for more information.
Fairness
Processing personal data ‘fairly’ generally involves the personal data being processed in a way that people would reasonably expect and that the data use will not have an unjustified adverse effect on them. Organisations will need to consider:
-
how personal data is obtained - if people are deceived or misled when the personal data is obtained, this is likely to be unfair
-
how the data processing affects the interests of the people concerned (individually and as a group) - if data is obtained and used fairly in relation to most data subjects but unfairly in relation to one, there may still be a breach of this principle
-
whether any negative effects are justified - personal data may at times be used in a way that negatively affects an individual without this necessarily being unfair, provided that such a detriment is justified
Transparency
Processing data in a transparent manner involves an organisation making ‘appropriate privacy information’ available. This involves, but is not limited to, the organisation being clear, open and honest with people about:
-
who the organisation is and how it can be contacted
-
the contact details of a DPO, where one exists
-
how and why the personal data is being processed
-
the lawful basis for the processing
-
the legitimate interests in the processing, where appropriate
-
who else the personal data is shared with
-
how long personal data will be kept for
-
the rights available to data subjects in respect of the processing (eg the right to have inaccurate data corrected, to have data erased and the right to object to the use of data)
-
where applicable, how data subjects can withdraw consent for the processing
-
how data subjects can complain to a supervisory authority (like the Information Commissioner’s Office (ICO))
Transparency is particularly important where an organisation does not have a direct relationship with data subjects and instead obtains data from another source (eg a third-party service provider collecting data via a mobile app). In some cases, data subjects may not know that their data is being collected and used in this way (known as ‘invisible processing’), which affects their ability to assert their rights over their data.
Organisations should ensure that they inform data subjects about any processing in an easily accessible and understandable way, using clear and plain language (eg by making a privacy notice available). If data subjects know from the start what their data will be used for, they will be able to make an informed decision about entering into a relationship. A Website privacy policy can be created to set out an organisation’s practices in relation to the collection, storage and use of personal data gathered.
Purpose limitation
Personal data should only be collected for specified, explicit and legitimate purposes and should not be further processed in a manner that is incompatible with these purposes. In practice this involves organisations:
-
being clear from the start as to why personal data is being collected and what will be done with this data
-
complying with obligations to specify and record the purposes for processing
-
complying with transparency obligations to inform data subjects about the purposes for processing (eg by setting this out in an easily accessible and understandable privacy notice)
-
ensuring that, if data is to be processed for a different purpose than originally specified, this new use is fair, lawful and transparent
Where an organisation's purpose for processing changes over time or an organisation wishes to process data for a new purpose which it did not originally anticipate, the data can only be processed if:
-
the new purpose is compatible with the originally specified purpose
-
the organisation obtains the data subject’s specific consent for the new purpose, or
-
the organisation can identify and point to a clear legal provision requiring or allowing the new processing in the public interest (eg a new function for a public authority)
Under the UK GDPR, processing for archiving purposes in the public interest, scientific or historical research purposes and statistical purposes is always considered a compatible purpose. In other situations, to determine whether a new purpose is compatible, organisations will need to consider:
-
any connections between the original purpose and the new purpose
-
the context in which the personal data was originally collected (especially the relationship between the organisation and data subject and what they would reasonably expect)
-
the nature of the personal data (eg if it is particularly sensitive)
-
the potential consequences of the new processing for the data subject
-
if appropriate safeguards (eg encryption or pseudonymisation) exist
Generally speaking, if a new purpose is very different from the original purpose, unexpected or would have an unjustified impact on the data subject, it is likely incompatible with the original purpose.
Where the new purpose is compatible, a new lawful basis for processing is not needed. However, organisations should bear in mind that if they originally collected the data on the basis of consent, they will typically have to gain the data subjects’ consent again to ensure the new processing is fair and lawful. Organisations should also make sure that their privacy information is updated, to ensure that the processing remains transparent.
Data minimisation
Organisations should ensure that the personal data they process is adequate (ie sufficient to properly fulfil the specified purpose), relevant (ie has a rational link to the specified purpose) and limited to what is necessary for the purposes for which it is processed. In other words, organisations should identify the minimum amount of personal data they need to fulfil their purpose and hold no more than that amount. This is particularly important where special category 'sensitive' personal data and/or criminal offence data is being processed. Moreover, organisations should make sure not to process personal data that is insufficient and, therefore, inadequate for their intended purposes.
To determine the necessary amount of personal data, organisations should clearly consider their specified purpose and the data subjects in question. Depending on the situation, individual data subjects may need to be considered separately or groups of data subjects sharing relevant characteristics may be considered together.
The personal data should be sufficient to help organisations achieve their intended purpose, but should not be more than strictly necessary to do this. Similarly, personal data will only be relevant and adequate if it actually helps organisations achieve their purpose. If this is not the case, the data is likely inadequate.
Organisations should also remember to periodically review their processing, to ensure that the personal data they hold is still relevant and adequate for their purposes. Any data that is no longer needed should be deleted.
Accuracy
Organisations must make sure that personal data is not inaccurate and that it is kept up to date. The Data Protection Act 2018 (DPA 2018) sets out that personal data is ‘inaccurate’ if it is ‘incorrect or misleading as to any matter of fact’. This means that organisations must be clear about what they intend the personal data record to show, bearing in mind that the purpose of the processing may affect whether the data is accurate or not. For example, a historical record is not inaccurate simply because the personal data in question has since changed; however, the record must clearly indicate that it is a historical record.
To ensure personal data is not inaccurate or misleading, organisations should:
-
accurately record the information provided
-
accurately record the source of the information
-
take reasonable steps in the circumstances to ensure the accuracy of the information
-
carefully consider any challenges to the accuracy of the information
In practice, organisations should:
-
take reasonable steps to ensure the accuracy of personal data
-
ensure that the source and status of personal data is clear
-
carefully consider any challenges to the accuracy of the personal data
-
consider if it is necessary to periodically update the personal data (and if so, how a process to review and update personal data can be put in place and maintained)
Mistakes
Data processed by an organisation may at times include mistakes. While individuals may not want their records reflecting inaccurate information (eg a penalty that was later refunded), organisations may need their records to accurately reflect the order of events (eg that a penalty was imposed but later refunded). Keeping a record of the mistake and its correction might also be in the individual’s best interests. When records about mistakes are kept, care must be taken to ensure these records are not misleading about the facts - for example, by adding a clear note that a mistake was made. Organisations should have a clear policy (or procedure) in place, outlining how mistakes are handled.
Opinions
A record of an opinion is not necessarily inaccurate personal data simply because an individual disagrees with it (or it is later proved to be wrong). When recording opinions, an organisation’s record must clearly indicate that it is an opinion and, where appropriate, whose opinion it is. If it later becomes clear that the opinion was based on inaccurate data, this should be recorded to ensure that the records are not misleading. If the accuracy of an opinion is challenged, it’s considered good practice to make a note about the challenge and the reason for it. Organisations should have a clear policy (or procedure) in place, outlining how opinions are recorded and handled.
Challenges to data accuracy
Individuals have the right to challenge the accuracy of personal data held on them and ask for it to be corrected (known as ‘data rectification requests’). If an organisation receives such a request, it should consider if the information is accurate and, if it is not, it should delete or correct it.
While individuals don’t have the right to have data erased simply because it is inaccurate, organisations are required to take all reasonable steps to erase or rectify inaccurate data without delay. In some cases, it may be reasonable to delete data. If an individual asks for inaccurate data to be deleted it is, therefore, good practice to consider this request.
Storage limitation
Organisations must ensure that personal data is not kept for longer than necessary. Both the personal data processed and the purpose for processing need to be carefully considered when deciding on a reasonable data retention period. Generally, personal data can be kept for as long as there is a purpose for processing; however, personal data should not be kept indefinitely ‘just in case’, or if there is only a small chance that it will be used. Data retention periods should be clearly set out in a data retention policy. Ask a lawyer if you require a data retention policy.
Organisations should bear in mind that certain personal data can be retained indefinitely, provided that it is being held for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes. However, this must be the organisation's only purpose for retaining the data indefinitely (ie the personal data cannot later be used for another purpose). Where data is retained indefinitely, organisations must have appropriate safeguards (eg data pseudonymisation) in place to protect data subjects.
For more information on these purposes, read the ICO’s guidance on Archiving in the public interest and Research and statistics.
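The passage above names pseudonymisation as a safeguard for data retained for research or statistics, and the compatible-purpose discussion earlier mentions it alongside encryption. The following is an added example, not code from the original article or from any guidance body, showing the difference between keyed pseudonymisation and a plain hash, and how destroying the key at the end of a retention period ends the organisation's ability to link new identifiers to the retained records. The field names, the sample records and the `PseudonymKey` class are all constructed for illustration.

```python
"""Added example (not from the original article): keyed pseudonymisation as a
safeguard for personal data retained for research or statistical purposes.
Field names, sample records and class names are constructed for illustration."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Direct identifiers to replace. Quasi-identifiers (postcode area, dates,
# rare outcomes) are left in place here, which is why this is pseudonymised,
# not anonymised, data and still falls under the data protection principles.
DIRECT_IDENTIFIERS = ("name", "email")


class PseudonymKey:
    """Holds the pseudonymisation key separately from the data set.

    Destroying the key (eg at the end of the retention period) removes the
    ability to compute new tokens or to confirm which individual a token
    belongs to; the retained records stay internally linkable for statistics.
    """

    def __init__(self, key: Optional[bytes] = None):
        self._key: Optional[bytes] = key if key is not None else secrets.token_bytes(32)

    def token(self, field: str, value: str) -> str:
        if self._key is None:
            raise RuntimeError("key destroyed; tokens can no longer be computed")
        # Field name is bound into the message so the same value in two
        # different fields does not yield the same token.
        msg = f"{field}:{value}".encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def matches(self, field: str, candidate: str, token: str) -> bool:
        """Re-identification check: does this candidate identifier produce
        this token? Only possible while the key exists."""
        return hmac.compare_digest(self.token(field, candidate), token)

    def destroy(self) -> None:
        self._key = None


def pseudonymise(record: Dict[str, object], key: PseudonymKey,
                 fields: Iterable[str] = DIRECT_IDENTIFIERS) -> Dict[str, object]:
    """Return a copy of the record with direct identifiers replaced by tokens."""
    out = dict(record)
    for f in fields:
        if out.get(f) is not None:
            out[f] = key.token(f, str(out[f]))
    return out


def unkeyed_pseudonym(value: str) -> str:
    """The weak alternative: a plain hash. Anyone holding a list of known
    emails can hash them and match records, so on its own this is not an
    appropriate safeguard for predictable identifiers."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def attacker_can_match(known_emails: Iterable[str], records: List[Dict[str, object]]) -> bool:
    """Dictionary attack: an outsider without the key hashes identifiers it
    already knows and looks for them in the retained data set."""
    guesses = {unkeyed_pseudonym(e) for e in known_emails}
    return any(r.get("email") in guesses for r in records)


# Constructed sample data set (fictional people).
SAMPLE: List[Dict[str, object]] = [
    {"name": "A. Example", "email": "a@example.org", "postcode_area": "SW1", "outcome": "discharged"},
    {"name": "B. Example", "email": "b@example.org", "postcode_area": "M1", "outcome": "admitted"},
]


def demo() -> Dict[str, object]:
    key = PseudonymKey()
    research_set = [pseudonymise(r, key) for r in SAMPLE]
    # Same person, same token: records remain linkable across the data set.
    linkable = research_set[0]["email"] == key.token("email", "a@example.org")
    # Keyed tokens cannot be matched by hashing a known email...
    keyed_match = attacker_can_match(["a@example.org"], research_set)
    # ...but unkeyed hashes of the same emails can.
    weak_set = [dict(r, email=unkeyed_pseudonym(str(r["email"]))) for r in SAMPLE]
    weak_match = attacker_can_match(["a@example.org"], weak_set)
    # End of retention period for the link: destroy the key, keep the statistics.
    key.destroy()
    return {
        "records": research_set,
        "linkable": linkable,
        "keyed_match_without_key": keyed_match,
        "unkeyed_match": weak_match,
    }


if __name__ == "__main__":
    result = demo()
    for k, v in result.items():
        print(k, v)
```

The point a practitioner should take from this: an HMAC with a key that is stored apart from the data set, with access to that key controlled and its destruction recorded, is a defensible "appropriate safeguard"; a bare SHA-256 of an email address or NHS number is not, because the input space is small enough to enumerate. Removing direct identifiers also leaves quasi-identifiers in place, so the retained set is still personal data and still subject to the other principles.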
Integrity and confidentiality (security)
Organisations must make sure that personal data is processed in a way that ensures appropriate security of the data (including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage) using appropriate technical or organisational measures. In other words, organisations must have appropriate security in place to prevent personal data from being accidentally or deliberately compromised. What is appropriate will depend on the risks presented by the processing and should be considered in relation to the state of the art and costs of implementation and the nature, scope, context and purpose of the processing.
This means that organisations need to assess their information risk by reviewing the personal data they hold and how they use it, in order to assess how valuable, sensitive or confidential it is, and what damage or distress may be caused if the data was compromised. To do this, organisations should consider:
-
the nature and extent of their premises and computer systems
-
the number of staff they have and how much access they have to the personal data
-
any personal data held or used by a data processor (ie a party acting on behalf of, and only on the instructions of, the organisation)
Organisational measures
There are a variety of organisational measures organisations can consider taking, including carrying out information risk assessments. However, the most important thing is that security awareness exists within an organisation, for example, by having an employee with day-to-day responsibility for information security.
Organisations can also consider having in place (and regularly reviewing) an information security policy, outlining security and other related matters (eg access to equipment given to anyone outside the organisation and business continuity arrangements identifying how any personal data will be protected and recovered). This can help demonstrate how they are taking steps to comply with the security principle. Ask a lawyer if you require an information security policy.
Technical measures
This includes physical and computer/IT security (also known as ‘cybersecurity’). For physical security measures, organisations should consider things like:
-
the quality of doors and locks, and the protection of their premises (eg by alarms, security lighting or CCTV)
-
how access to the premises is controlled, and how visitors are supervised
-
how any paper and electronic waste is disposed of
-
how any IT equipment, particularly mobile devices, is kept secure
For cybersecurity measures, organisations should consider things like:
-
system security (ie the security of the organisation’s network and information systems, including those which process personal data)
-
data security (ie the security of data held within the organisation’s systems - eg having appropriate access controls in place and holding the data securely)
-
online security (eg the security of the organisation’s website and any other online service or application that it uses)
-
device security (including policies on ‘bringing-your-own-device’ to work)
Organisations should also bear in mind:
-
that their cybersecurity measures must be appropriate to the size and use of their network and information systems
-
the state of technological development and the costs of implementation
-
that their security must be appropriate to their business practices (eg if staff can work remotely, measures must be put in place so that security is not compromised)
-
that any measures implemented must be appropriate to the nature of the personal data held and the harm that might result from any compromise
A good starting point for organisations is to comply with Cyber Essentials, a government-backed scheme setting out basic technical controls in five areas: firewalls, secure configuration, user access control, malware protection and security update management.
Where an organisation operates in an industry that has specific security requirements or requires adherence to certain frameworks or standards, any relevant technical measures in place should be set out in the APD. While following such requirements will not necessarily mean that the organisation is complying with the security principle, the ICO will consider any measures implemented carefully. It may be the case that any technical measures required by the organisation’s industry contribute to its overall security.
For more information on the different data protection principles, read the ICO’s guidance.
If you have any questions or require assistance, Ask a lawyer.