Principle 1
Be fair when you get, use and share data
What the Act says
Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless —
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
What this means
Whenever you process (and remember this basically means “each time you use”) data you have to make sure:
- Processing is fair to the data subject
- The processing doesn’t break any laws
- You have a valid reason for doing what you’re doing. For all personal data this means one of the conditions in Schedule 2; for sensitive personal data you need a Schedule 3 condition as well. The schedules (which are like appendices) to the Act set these out.
I’ll look at each of these three separately:
1. What is fair?
The Act is mainly concerned with whether you were fair when you obtained the data you’re processing.
The ICO considers it fair if, when the person (remember that’s the Data Subject) gave you the data, you told them who you are and what you will do with it (or, if you got the data from somewhere else, you tell the Data Subject as soon as is practically possible). Above all, you must not deceive or mislead anyone about what you plan to do with their data.
It is this principle that created the ‘fair processing notice’ you might have heard people talk about. When you collect data directly from a Data Subject you must tell them:
- Who you are (your legal identity – so the full name of your company or organisation)
- Why you have obtained their data and what you plan on doing with it
It is wise to have your fair processing notice checked by a lawyer.
If you get personal data from somewhere else (e.g. from another Data Controller) then you must provide the fair processing information to the people whose data you’ve obtained when you start doing things with their data. (There are some exemptions and time limits for this rule, but they’re outside the scope of this general overview.)
2. What is Lawful?
Obviously you need to comply with the Data Protection Act itself for processing to be lawful, and so this seems a bit of a circular requirement. There are two key things to pay attention to:
- That your use of the data doesn’t breach any other law (if it does, you’ll also be breaking the DPA, doubling your problem). Other laws to consider include a common-law duty of confidence to the people whose data you’re processing and any industry-specific legislation. For example, if you sell insurance and are required to be licensed by the FSA but aren’t, then any personal data you process in connection with an insurance sale is processed unlawfully under the DPA (though this will be the least of your worries).
- That you have one of the lawful reasons for processing the data set out in the next section.
3. Reasons for Lawful Processing
For each piece of personal data you process, you must have one of these valid reasons (known as Schedule 2 conditions):
- You have the Data Subject’s consent
- It is necessary to carry out a contract you have with the Data Subject
- You have to do the processing to fulfil another legal obligation you have
- It is in the vital interest of the Data Subject (and this is taken to be matters of life and death)
- To carry out public functions (i.e. you are a public body, doing public things with the data)
- Necessary for your legitimate interests – although this needs to be balanced against the interests of the Data Subject.
Also, if any of the pieces of data about the Data Subject falls into one of these categories:
- Racial or ethnic origins
- Political views
- Religious beliefs
- Trade Union membership
- Physical or mental health
- Sexual life
- Details of alleged offences or legal proceedings
(these are known as Sensitive Personal Data) then you also need to make sure you have one of these reasons (these are called Schedule 3 conditions):
- You have the Data Subject’s explicit consent
- To comply with employment law
- It is in the vital interest of the Data Subject or another person
- You are a not for profit political, philosophical or religious organisation or a trade-union and the processing is carried out as an integral part of what you do
- The Data Subject has deliberately made the data you are using public
- To give legal advice or to prepare and present legal matters or defending legal rights
- Public functions
- For medical purposes undertaken by health professionals
- For monitoring equal rights, but only if the data relates to the racial or ethnic origin
- Prevention and detection of crime
- Prevention of fraud or dishonesty
- The investigation of crime, fraud or dishonesty by journalists
- In providing counselling or advice
- Provision or management of insurance where the Data Subject is a specific relative of the insured person
- Monitoring religious or health-based equal opportunities
- You are a registered political party
- For generalised research purposes
- You are a police constable
If you process any sensitive personal data and the valid reason you’re going to rely on is anything other than the Data Subject’s explicit consent, then I recommend that you check the exact wording of the relevant condition in the Act to make sure that you comply. If you are relying on explicit consent then make sure you keep a record of it somewhere safe, and be aware that explicit consent means the Data Subject has to give you a signature or must tick a box on a web site: it has to be opt-in. A box that is already ticked when the form is shown, or consent inferred from silence, is not explicit consent.
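The two practical requirements in that paragraph, that consent must be an affirmative opt-in and that you must keep evidence of it, are shown below in an added Python example (not code from the original post). It assumes a web form whose checkbox field is called consent_health, a hypothetical notice text and version, and that the caller knows whether the box was rendered pre-ticked; the form submissions are constructed for the example. Consent is only accepted when the subject actually ticked the box, a pre-ticked box is rejected, and the record ties the consent to a hash of the exact notice wording the subject saw, so it can be produced later as evidence.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample fair-processing notice; the wording and version are
# hypothetical, not taken from any real organisation.
NOTICE_TEXT = ("Example Ltd will use the health details you give us to "
               "assess your insurance application.")
NOTICE_VERSION = "v1"


class ConsentError(ValueError):
    """The submission does not carry explicit, opt-in consent."""


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    purpose: str
    notice_version: str
    notice_sha256: str   # hash of the exact notice wording the subject saw
    given_at: str        # ISO 8601 timestamp, UTC


def notice_hash(text: str) -> str:
    """Hash the notice so a stored record can later be tied to its wording."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def explicit_consent_given(form: dict, field: str,
                           rendered_checked: bool = False) -> bool:
    """True only if the subject affirmatively ticked the consent box.

    An absent field, an empty value, 'off' or 'false' all mean no consent: a
    browser sends nothing at all for an unticked checkbox. A box that was
    rendered already ticked is rejected outright, because a default the
    subject merely failed to clear is not opt-in consent.
    """
    if rendered_checked:
        raise ConsentError("consent box was pre-ticked; not explicit consent")
    value = str(form.get(field, "")).strip().lower()
    return value in {"on", "true", "yes", "1"}


def record_consent(subject_id: str, form: dict, purpose: str,
                   field: str = "consent_health",
                   rendered_checked: bool = False) -> ConsentRecord:
    """Validate the opt-in and return the evidence record to keep.

    Raises ConsentError rather than silently storing a record without
    consent, so later processing cannot be justified by a record that
    never really existed.
    """
    if not explicit_consent_given(form, field, rendered_checked):
        raise ConsentError(f"no explicit consent in field {field!r}")
    return ConsentRecord(
        subject_id=subject_id,
        purpose=purpose,
        notice_version=NOTICE_VERSION,
        notice_sha256=notice_hash(NOTICE_TEXT),
        given_at=datetime.now(timezone.utc).isoformat(),
    )


if __name__ == "__main__":
    # Constructed form submissions standing in for a web form POST.
    ticked = {"name": "A. Subject", "consent_health": "on"}
    unticked = {"name": "A. Subject"}
    print(record_consent("subject-42", ticked, "insurance assessment"))
    try:
        record_consent("subject-42", unticked, "insurance assessment")
    except ConsentError as exc:
        print("rejected:", exc)
```

Store the returned record alongside the notice text for that version (not just the hash), and change the version whenever the wording changes: a consent record is only evidence for the purposes the subject was actually told about at the time.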
How to test
Remember, to comply with the Act you should test every bit of processing of each bit of data against all eight principles.
The two tests the first principle gives are:
- Did you get each bit of data fairly?
- Do you have a lawful reason for processing?
Disclaimer: This is general information only and I’ve tried to simplify the major parts of the Act to make it easy (I hope) to understand. This isn’t legal advice and it isn’t specific advice for you. If you’re looking for help with DPA and Information Security compliance then please contact me.