Data Protection Act's Eight Principles

(And Why are There Now Only Seven?)

Having governed data protection within the UK for twenty years, the Data Protection Act (DPA) 1998 was updated in 2018 to incorporate a Europe-wide standard, whilst also address the many changes, developments and revolutions that had taken place in the world of personal data.

Though personal data was of course an important asset in 1998, by 2018, the landscape of data collection, handling and implications had radically altered and the many questions regarding individual data rights had firmly arrived into the mainstream.

With so many high-profile data breaches, many of which affecting millions of individuals, governments around the world have been forced to address the existing holes within legislation, whilst strengthening and extending the control consumers have over their own information, and approaching the subject of data protection in a more holistic manner.

Now, after the introduction of the General Data Protection Regulation and the DPA 2018, those asking: ‘what are the eight principles of the Data Protection Act? may have a little catching up to do. Luckily, as security awareness training company we’re here to help fill you in.

How Has DPA Changed?

Under the UK’s DPA 1998, eight data protection principles existed at the centre of this regulation. By 2018 these principles were developed further by the European Union’s GDPR and made a part of UK law within the Data Protection Act 2018.

With a great deal of cross-over between the DPA 1998 and 2018, much of the current regulation regarding data protection is greatly similar to the previous laws. Below we can see how these previous eight principles of data protection have been incorporated and developed by the GDPR, and what, if any, their equivalents and differences are.

What are the Eight Principles of the Data Protection Act?

Though there is a great amount of similarity between both the DPA 1998 and the incorporation of the GDPR into UK law, to best understand where companies and organisation stand within the British context, and to a lesser extend the Europe as a whole, it’s worth taking a closer look at the current seven principles.

Seven Principles of Data Protection

Having looked at the changes from the DPA 1998 to the 2018 legislation, it’s worth noting that these following seven principles are designed to be the foundation upon which organisation should build all their data protection practices. Now, it is vital that all organisations dealing with personal data, understand and abide by these increasingly universal data protection principles.

1. Lawfulness, fairness and transparency

As well as continuing the Data Protection standard/principle of lawfulness and fairness, this new standard also seeks to ensure that users can understand what it is there are signing up to when they hand over personal data. This principle requires that organisations use language that is ‘clear, plain and accurate’ as to what a data subject is consenting to, thus helping to ensure the data rights and legal protections.

2. Purpose limitation

This principle stipulates that personal data, which is collected for a specific, previously stated and understood purpose, must not then be used for other applications. Though the GDPR states that this principle of purpose limitation is not incompatible with processing under grounds of public interest, scientific or statistical purposes or for historical research, it limits the extent to which organisations can ‘multi-purpose’ personal data.

3. Data minimisation

Ensuring that the extent or amount of data collected and/or processed is adequate, relevant and limited to the intended purpose, the principle of data minimisation is to curtail any organisation seeking to effectively hoard data without a clear rationale.

4. Accuracy

Not exactly representing a significant step forward in data protection, and present within the DPA 1998, this principle makes organisation responsible for either updating inaccurate information or getting rid of it.

5. Storage limitation

Like the preceding ‘retention’ principle, storage limitation restricts organisations from keeping hold of data for indefinite periods of time, or beyond that of its intended purpose. Again, purposes of public interest, archiving, scientific or historical research or statistics may act as reasons for an organisation retaining personal data, but these reasons must be justifiable and documented.

6. Integrity and confidentiality

Previously known as the ‘security’ principle, integrity and confidentiality of personal data must be upheld with the appropriate security measures. As with many of the other principles, there is an inherent responsibility to implement both physical and technological controls to ensure compliance.

7. Accountability

With no previous principle within the DPA 1998, the accountability principle requires organisations to take responsibility for the personal data being handled and their compliance with the other six principles. Appropriate measures and records are also required to be in place as to demonstrate compliance.

International Transfer of Data (Principle 8 of the DPA 1998)

Previously included as a principle of the DPA 1998, within the GDPR and the DPA 2018 the stipulations regarding the international transfer of data are not included as a key ‘principle’. Detailed within Chapter 5 of the GDPR, the transfer of personal data to countries or organisations outside of the direct jurisdiction of the GDPR are sufficiently compliant with the standards laid forth by the legislation.

“All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.”

More information relating to how Chapter 5 of the GDPR has been incorporated into the UK’s Data Protection Act is provided by the Information Commissioner’s Office.

Individual Rights

As well as developing and advancing the principles surrounding data protection, both the GDPR and DPA 2018 forward the individual rights of citizens and their respective personal data.

The GDPR provides the following corresponding rights for individuals:

1. The right to be informed

Both data processors and controllers are now obliged to provide information to data subjects about the personal data being collected, how it is going to be used, who it will be shared with, for how long it will be kept and the purpose of its processing.

2. The right of access

With request, individual data subjects are entitled to confirmation that their data is being processed, access to that data as well as further information regarding any automated decision making, or the envisioned period of retention.

3. The right to rectification

With its corresponding principle in ‘accuracy’, data subjects hold the right to have personal data rectified should it be either inaccurate or incomplete.

4. The right to erasure

Also known as ‘the right to be forgotten’, this right allows data subjects to request the removal or deletion of data in the eventuality there is no compelling reason for its continued processing or availability. This right may in some circumstances also obligate, for instance, a search engine company to remove certain results, or limit their discoverability.

5. The right to restrict processing

Processing is any operation performed on personal data. This includes using, viewing, altering or deleting the data. Individuals may block or suppress processing of personal data for the following reasons: Inaccurate data, the unlawful processing of that data or a pending objection to processing the data by the data subject

6. The right to data portability

Allowing individuals to obtain and reuse their personal data across different services, this right means an individual’s data should be available in a commonly used machine-readable format, in a way which allows data not to be constantly resubmitted.

7. The right to object

Allowing individual to object (for certain reasons) to the processing of their personal data, as well as obliging organisations to inform individuals of this right at the time of first communication.

8. Rights in relation to automated decision making and profiling.

One of the more detailed and technical rights afforded under the GDPR, among other things, entitles individuals either opt out of automated decision-making processes, challenge decisions, and/or have automated decisions reviewed by a human.