Data Protection Act's Eight Principles
(And Why are There Now Only Seven?)
Having governed data protection within the UK for twenty years, the Data Protection Act (DPA) 1998 was updated in 2018 to incorporate a Europe-wide standard, whilst also addressing the many changes, developments and revolutions that had taken place in the world of personal data.
Though personal data was of course an important asset in 1998, by 2018, the landscape of data collection, handling and implications had radically altered and the many questions regarding individual data rights had firmly arrived in the mainstream.
With so many high-profile data breaches, many of them affecting millions of individuals, governments around the world have been forced to address the existing holes within legislation, whilst strengthening and extending the control consumers have over their own information, and approaching the subject of data protection in a more holistic manner.
Now, two years on from the introduction of the General Data Protection Regulation and the DPA 2018, those asking ‘what are the eight principles of the Data Protection Act?’ may have a little catching up to do. Luckily, as a security awareness training company, we’re here to help fill you in.
How Has DPA Changed?
Under the UK’s DPA 1998, eight data protection principles existed at the centre of this regulation. By 2018 these principles were developed further by the European Union’s GDPR and made a part of UK law within the Data Protection Act 2018.
With a great deal of cross-over between the DPA 1998 and 2018, much of the current regulation regarding data protection is very similar to the previous laws. Below we can see how the previous eight principles of data protection have been incorporated and developed by the GDPR, and what, if any, their equivalents and differences are.
What are the Eight Principles of the Data Protection Act?
|DPA 1998|GDPR / DPA 2018|
|---|---|
|Principle 1 – fair and lawful|Principle (a) – lawfulness, fairness and transparency|
|Principle 2 – purposes|Principle (b) – purpose limitation|
|Principle 3 – adequacy|Principle (c) – data minimisation|
|Principle 4 – accuracy|Principle (d) – accuracy|
|Principle 5 – retention|Principle (e) – storage limitation|
|Principle 6 – rights|No principle – separate provisions in Chapter III|
|Principle 7 – security|Principle (f) – integrity and confidentiality|
|Principle 8 – international transfers|No principle – separate provisions in Chapter V|
|(no equivalent)|Accountability principle|
Though there is a great amount of similarity between both the DPA 1998 and the incorporation of the GDPR into UK law, to best understand where companies and organisations stand within the British context, and to a lesser extent Europe as a whole, it’s worth taking a closer look at the current seven principles.
Seven Principles of Data Protection
Having looked at the changes from the DPA 1998 to the 2018 legislation, it’s worth noting that the following seven principles are designed to be the foundation upon which organisations should build all their data protection practices. Now in 2020, it is vital that all organisations dealing with personal data understand and abide by these increasingly universal data protection principles.
- Lawfulness, fairness and transparency
As well as continuing the Data Protection principle of lawfulness and fairness, this new standard also seeks to ensure that users can understand what it is they are signing up to when they hand over personal data. This principle requires that organisations use language that is ‘clear, plain and accurate’ as to what a data subject is consenting to, thus helping to ensure their data rights and legal protections.
- Purpose limitation
This principle stipulates that personal data, which is collected for a specific, previously stated and understood purpose, must not then be used for other applications. Though the GDPR states that this principle of purpose limitation is not incompatible with processing under grounds of public interest, scientific or statistical purposes or for historical research, it limits the extent to which organisations can ‘multi-purpose’ personal data.
- Data minimisation
Ensuring that the extent or amount of data collected and/or processed is adequate, relevant and limited to the intended purpose, the principle of data minimisation is intended to curtail any organisation seeking to effectively hoard data without a clear rationale.
- Accuracy
Not exactly representing a significant step forward in data protection, and present within the DPA 1998, this principle makes organisations responsible for either updating inaccurate information or getting rid of it.
- Storage limitation
Like the preceding ‘retention’ principle, storage limitation restricts organisations from keeping hold of data for indefinite periods of time, or beyond that of its intended purpose. Again, purposes of public interest, archiving, scientific or historical research or statistics may act as reasons for an organisation retaining personal data, but these reasons must be justifiable and documented.
- Integrity and confidentiality
Previously known as the ‘security’ principle, integrity and confidentiality of personal data must be upheld with the appropriate security measures. As with many of the other principles, there is an inherent responsibility to implement both physical and technological controls to ensure compliance.
- Accountability
With no previous principle within the DPA 1998, the accountability principle requires organisations to take responsibility for the personal data being handled and their compliance with the other six principles. Appropriate measures and records are also required to be in place so as to demonstrate compliance.
International Transfer of Data (Principle 8 of the DPA 1998)
Previously included as a principle of the DPA 1998, within the GDPR and the DPA 2018 the stipulations regarding the international transfer of data are not included as a key ‘principle’. Detailed within Chapter 5 of the GDPR, the rules require that transfers of personal data to countries or organisations outside of the direct jurisdiction of the GDPR are sufficiently compliant with the standards laid forth by the legislation.
“All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.”
More information relating to how Chapter 5 of the GDPR has been incorporated into the UK’s Data Protection Act is provided by the Information Commissioner’s Office here.
As well as developing and advancing the principles surrounding data protection, both the GDPR and DPA 2018 forward the individual rights of citizens and their respective personal data.
The GDPR provides the following corresponding rights for individuals:
- The right to be informed
Both data processors and controllers are now obliged to provide information to data subjects about the personal data being collected, how it is going to be used, who it will be shared with, for how long it will be kept and the purpose of its processing.
- The right of access
On request, individual data subjects are entitled to confirmation that their data is being processed, access to that data, as well as further information regarding any automated decision making or the envisioned period of retention.
- The right to rectification
With its corresponding principle in ‘accuracy’, data subjects hold the right to have personal data rectified should it be either inaccurate or incomplete.
- The right to erasure
Also known as ‘the right to be forgotten’, this right allows data subjects to request the removal or deletion of data in the eventuality there is no compelling reason for its continued processing or availability. This right may in some circumstances also obligate, for instance, a search engine company to remove certain results, or limit their discoverability.
- The right to restrict processing
Processing is any operation performed on personal data. This includes using, viewing, altering or deleting the data. Individuals may block or suppress processing of personal data for the following reasons: inaccurate data, the unlawful processing of that data, or a pending objection to processing the data by the data subject.
- The right to data portability
Allowing individuals to obtain and reuse their personal data across different services, this right means an individual’s data should be available in a commonly used machine-readable format, in a way which allows data not to be constantly resubmitted.
- The right to object
This right allows individuals to object (for certain reasons) to the processing of their personal data, as well as obliging organisations to inform individuals of this right at the time of first communication.
- Rights in relation to automated decision making and profiling
One of the more detailed and technical rights afforded under the GDPR, this right, among other things, entitles individuals to opt out of automated decision-making processes, challenge decisions, and/or have automated decisions reviewed by a human. More about this right can be found here.