The eight principles of data protection state that:
- Personal data must be processed fairly and lawfully. Data subjects must be informed about the processing, and you need a lawful basis for it, such as the individual's consent or another legitimate reason; you must not use the information unlawfully.
- You should only use information for the specific purpose for which you obtained it, and not process it further in a way incompatible with that purpose. You must be explicit to the individual, from the outset, about why you are obtaining their personal data and what you are going to do with it. Individuals must also be able to opt out of receiving direct marketing.
- Personal data must be adequate, relevant and not excessive: you should hold only as much personal data as you need for the intended purpose, and no more.
- Personal data must be accurate and, where necessary, kept up to date for as long as it is held for the agreed purpose; this means checking it for accuracy rather than assuming it is still correct.
- Personal data must not be kept for longer than is necessary for the purpose it was obtained for. The Act does not set a specific minimum or maximum retention period; once the purpose is completed, however, the data must be securely deleted or destroyed.
- Personal data must be processed in accordance with the rights of data subjects. In particular, individuals have a right to obtain a copy of the personal data you hold on them. This is called 'subject access' and means that, on request, you must tell them what personal data you hold, why you are processing it and who it may be disclosed to, and supply a copy of the data itself.
- Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage. In practice this means having the right people, technology, policies and procedures in place to deal with data security.
- You may transfer personal data to countries within the EEA on the same basis as you may transfer it within the UK. Personal data must not be transferred outside the EEA unless the destination country or organisation ensures an adequate level of protection for the rights of data subjects, so you must check that adequate protection is in place before transferring.