
Principle 2

Tell people what you will do with their data, do nothing more

What the Act says

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

What this means

This second principle is pretty simple and complements the first principle. It says:

  1. You have to inform the Data Subject what you’re going to do with their data
  2. You can’t then process that data in any way that is incompatible with what you told them

1. How to inform the Data Subject

There are two ways that you can inform the Data Subject of the purpose of the processing – and we’ve already discussed them.

  1. It could be included as part of your registration / notification.
  2. It could be part of the fair processing notice you gave to the Data Subject to fulfil your Principle 1 requirements.

2. Is the processing incompatible?

The exact bit of processing you do has to be compatible with one of the purposes you gave to the Data Subject. For example, if you said you were going to use personal data to keep a membership database, but the processing you were about to do was to export the data and send it to a marketing company, then this would be incompatible. The best way I have of explaining this is to ask yourself, based on the purposes you defined, whether the Data Subject would expect you to be doing this with their data or whether they would find it surprising.

How to test

Remember, to comply with the Act you should test every bit of processing of each bit of data against all eight principles.

The two tests that the second principle gives are:

  1. Is this processing included in the fair processing notice you gave to the Data Subject or in your registration / notification with the Information Commissioner?
  2. Assuming the Data Subject read it, would they expect you to be doing this with their personal data?

Disclaimer: This is general information only and I’ve tried to simplify the major parts of the Act to make it easy (I hope) to understand. This isn’t legal advice and it isn’t specific advice for you. If you’re looking for help with DPA and Information Security compliance then please contact me.