The Data Protection Principles set out in the Act operate as a mandatory code for processing personal data. (The definition of "processing" is very wide under the Act and covers everything from obtaining and collecting information, through using it, to eventually destroying it.)
The eight principles can be summarised as follows:
- personal data shall be processed fairly and lawfully.
- personal data obtained for one purpose shall not be used in a manner which is incompatible with that original purpose.
- personal data shall be adequate, relevant and not excessive.
- personal data shall be accurate and, where necessary, kept up to date.
- personal data shall not be kept for longer than is necessary.
- personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act 1998.
- appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Subject to certain exceptions, members of the public are entitled to see any personal information held about themselves, to receive a copy of such information, to have it corrected where necessary and, in certain circumstances, to claim compensation for a failure to comply with the Act. The Act specifically states that all subject access requests must be made in writing. Generally speaking, a subject access request must be complied with within 40 days of receipt.