The Seven Principles of the DPA

How Does the Data Protection Act Protect your Rights? Updating the Data Protection Act (DPA) 1998, the 2018 legislation of the same name incorporated the Europe-wide standards laid forth by the General Data Protection Regulation (GDPR). Designed to address two decades of development in technology, commerce and many of the ways in which people now think about personal data, the GDPR has undoubtedly elevated the importance of strong data protection practise.

Not only imposing certain obligations upon organisations and reinforcing many of the existing principles of UK data protection, the GDPR and the DPA 2018 also sought to further establish and extend the individual rights afforded to citizens across the UK and Europe. To understand how does the Data Protection Act protect your rights, it’s worth understanding a little about the context and aims.

Advancing the Data Protection Act

Contained within the DPA 1998, were eight principles which have since been reviewed and reimagined within the GDPR and subsequent DPA 2018 as seven, largely similar but further refined principles.

As explained by the UK’s Information Commissioner’s Office, it is upon these seven data protection principles which organisations across the UK and EU are required to build their personal data practices. The ‘accountability’ principle, as the new addition to the set of principles, as well as differentiating the two pieces of legislation, is thought of as a key advancement in this area.

Individual Rights

The right to be informed

Both processors and controllers of data are obliged to provide information to data subjects regarding how the personal data is going to be used, collected, with whom it will be shared, for how long it will be retained, and the purpose of its processing.

The right of access

Upon request, data subjects are entitled to confirmation that their data is being processed, as well as ensuring access to that data, further information regarding any automated decision making or the envisioned period of retention. Access requests must also be either complied with, or (in cases of exemption) responded to within 30 days of a request being received.

The right to rectification

With its corresponding principle in ‘accuracy’, data subjects are afforded the right to have stored personal data rectified in the event of it being either inaccurate or incomplete. Again, requests must be fulfilled within the same timely manner as access requests, and without undue delay.

The right to erasure

Colloquially known as ‘the right to be forgotten’, the right to erasure allows individuals to request the deletion or removal of data in the eventuality of no compelling reason for its continued processing.

The right to restrict processing

Defined as the viewing, altering or deletion of data, processing may be blocked or suppressed at the request of a data subject for the following reasons: unlawful processing, inaccurate data, or a pending objection to processing the data by the data subject.

The right to data portability

Allowing individuals to obtain their personal data from an organisation or organisations, this right also ensures an individual’s data should be available in a commonly used machine-readable format. Allowing a data subject to reuse data across different services in a way which does not require constant resubmission.

The right to object

This right allows an individual to object (for reasons and not others) to the processing of their personal data, as well as obliging organisations to inform individuals of this right at the time of first communication. To comply with this request, an organisation is required to cease processing, or be in violation of the principle.

Rights in relation to automated decision making and profiling.

One of the more technically defined rights afforded, among other things, this allows individuals to opt out of automated decision-making processes, challenge automated decisions, and/or have automated decisions reviewed by a human. Further information regarding this right can be found here.

Key Definitions in Data Protection

Data Subject – A core concept in data protection, a data subject is the individual to which personal data relates. In other words, the subject of the given personal data.

Personal Data – In its technical data protection definition, personal data is any piece of information pertaining to an identified, or potentially identifiable individual. Purposefully defined in a rather broad sense, personal data can range from name and address, to unique online browsing data which could be combined to pinpoint a specific individual.

Data Processor – ‘Processing’ is any set of operations performed on personal data or data sets. Operations can be performed manually or with an automated system, including the transmission, viewing, use, collection, deletion or altering of the data or data set. The processor being the party responsible for these operations.

Data Controller – As the corresponding party to the data processor, the data controller is the ‘competent authority’ or party who alone or jointly determines the purpose and means of the processing. Though these are separate roles, a single organisation could fulfil the role of both controller and processor, or these responsibilities may be shared.

Data BreachReferring not only to the exfiltration of data, the term also encompasses the accidental or unlawful destruction, loss, unauthorised disclosure, alteration of, or access to, personal data.

How Does the Data Protection Act Protect your Rights?

The Data Protection Act not only establishes individual rights, but also lays out the below listed seven principles to which organisations must adhere. Failure to comply can now result in fines, handed out by the Information Commissioner, of up to 4% of annual global turnover or 20 million Euros, whichever is greater.

Fine such as this can now be handed down for the violation of any element of the data protection act, and far surpass the previous amount (under the DPA 1998) of a mere £500,000. This pre-GDPR amount being recently levied against Facebook, a sum which, if the incident in question had occurred post-GDPR, may have cost the company around £1.7 billion.

The Seven Principles of the Data Protection Act

Lawfulness, fairness and transparency

Data must be processed lawfully, transparently and fairly, as well as communicating details, regarding data collection and processing, to individuals in plain and clear language, and easily understandable by data subjects giving consent.

Purpose limitation

Not only must data be collected in a transparent manner, but the purposes stated at the point of collection must not be extended in practice. A data subject should be privy to the purpose of their data being processed, though it should be noted that processing for public interest, scientific or historical research or for statistical purposes is not necessarily considered ‘incompatible’ with this right.

Data minimisation

This principle obliges organisations to limit their collection of data to the minimum needed for the intended purpose. Rather than just hoarding enormous loads of information, a company is required to hold only what is adequate, relevant and necessary.

Accuracy

Personal data being held must be kept up to date, as well as reasonable measures being taken to ensure data is accurate. Should it be known that personal data is not accurate and cannot reasonably be corrected or rectified, then data must be erased and deleted.

Storage limitation

This principle of storage limitation obliges organisations to keep personal data no longer that necessary for the intended and previously stated reason. Though, again there are provisions allowing prolonged retention for some purposes (scientific, statistical etc.), information must not be simply kept indefinitely.

Integrity and confidentiality

Organisations must take appropriate measures to ensure the security of personal data and protect against the possibility of a data breach. Not only taking the form of technical measures (encryption, anonymisation etc.), suitable organisational measures must also be taken.

Accountability

Finally, without an equivalent within the DPA 1998, the accountability principle lays the responsibility of data protection squarely at the feet of organisations handling personal data. Not only are organisations responsible for compliance, but also for the documentation of said compliance.