IS&CP, Other documents 4aPage 1 of 4

Summary of Data Protection

The Eight Principles

There are eight data protection principles in the Data Protection Act which we are required to comply with. They are sometimes referred to as the “principles of good information handling”. The principles apply to all personal data processed by us.

Personal data covers both facts and opinions about an individual. It also includes information regarding our intentions towards an individual, although in some limited circumstances exemptions will apply. The Data Protection Act controls all processing, which means anything we do with personal information, including but not limited to collecting, storing, sharing and destroying it.

The information below on the principles is only a brief summary. If you are not sure whether processing would be allowed under the Act, you can ask ISIS for advice.

First principle: data shall be fairly and lawfully processed

Data is only fairly and lawfully processed if we process it with the consent of the data subject or if the processing is necessary. It could be considered necessary to protect the life of the subject or because we are obliged to undertake the processing in order to meet our statutory or legal obligations. Processing is also considered necessary if it is for the prevention or detection of crime. If the data is sensitive within the definitions of the Act, consent must be explicit consent.

For processing to be considered to be fair, the data subjects should be provided with the identity of the data controller (Essex County Council), the purpose(s) for which the data is being processed and any further relevant information, such as our intention to share it with another organisation or how long it will be retained.

Second principle : data shall be processed for limited purposes;

If we collect information for a specific purpose, our use of that information must be limited to that purpose or one very closely linked to the original purpose. An example of this is if we collect information in order to pay school uniform grants in September 2000, we would not be allowed to use that information as a mailing list for a library service. However, we would be allowed to use it to ask whether the applicants would like to apply for the same grant the following year.

Third principle : data shall be adequate, relevant and not excessive;

We must identify the minimum amount of information that is required in order properly to fulfil our purpose. If it is necessary to hold additional information about certain individuals, such information should only be collected and recorded in those cases. It is not acceptable to hold information on the basis that it might possibly be useful in the future without a view of how it will be used.

Changes in circumstances or failure to keep the information up to date may mean that information that was originally adequate becomes inadequate. If information is kept for longer than necessary then it may be both irrelevant and excessive.

Fourth principle : data shall be accurate

Information is inaccurate if it is incorrect or misleading. We do not contravene this principle if we hold inaccurate information that has been provided to us by the data subject or third party if we have taken reasonable steps to ensure the accuracy of the data.

Fifth principle : data shall not be kept longer than necessary

We should review personal data regularly and delete information which is no longer required, although we must take account of statutory and recommended minimum retention periods. Subject to certain conditions, the Act allows us to keep indefinitely personal data processed only for historical, statistical or research purposes. ECC has a retention and destruction schedule that gives guidance in this area.

Sixth principle : data shall be processed in accordance with the data subject's rights

The data subject has certain rights which must be respected, although there are specified limited circumstances when these rights do not apply. In general, we must provide information in response to requests from data subjects to see their data and we must comply if the data subject asks us not to process their information. We must not use information for direct marketing unless the data subject has given their consent.

Seventh principle : data shall be secure

We must ensure a level of security appropriate to the harm that might result from a breach of security; and the nature of the data to be protected. This includes both technological and physical measures and taking reasonable steps to ensure the reliability of staff that access personal data.

Eighth principle : data shall not transferred be to countries without adequate protection

Data is protected in most European countries. Many other countries are not considered to have adequate protection for personal data. Putting personal information on the internet, where it can be accessed by people across the world, may not comply with this principle.

Summary of Data Protection

Checklist of Security Controls

This extract from the Information Commissioner’s legal guidance to the requirements of the Data Protection Act 1998 is not a comprehensive list; it is illustrative only.

  1. Security management
  2. does the data controller have a security policy setting out management commitment to information security within the organisation?
  3. is responsibility for the organisation’s security policy clearly placed on a particular person or department?
  4. are sufficient resources and facilities made available to enable that responsibility to be fulfilled?
  1. Controlling access to information:
  2. is access to the building or room controlled or can anybody walk in?
  3. can casual passers-by read information off screens or documents?
  4. are passwords known only to authorised people and are the passwords changed regularly?
  5. do passwords give access to all levels of the system or only to those personal data with which that employee should be concerned?
  6. is there a procedure for cleaning media (such as tapes and disks) before they are reused or are new data merely written over old? In the latter case is there a possibility of the old data reaching somebody who is not authorised to receive it? (e.g. as a result of the disposal of redundant equipment).
  7. is printed material disposed of securely, for example, by shredding?
  8. is there a procedure for authenticating the identity of a person to whom personal data may be disclosed over the telephone prior to the disclosure of the personal data?
  9. is there a procedure covering the temporary removal of personal data from the data controller’s premises, for example, for staff to work on at home? What security measures are individual members of staff required to take in such circumstances?
  10. are responsibilities for security clearly defined between a data processor and its customers?
  1. Ensuring business continuity:
  2. are the precautions against burglary, fire or natural disaster adequate?
  3. is the system capable of checking that the data are valid and initiating the production of back-up copies? If so, is full use made of these facilities?
  4. are back-up copies of all the data stored separately from the live files?
  5. is there protection against corruption by viruses or other forms of intrusion?
  6. Staff selection and training:
  7. is proper weight given to the discretion and integrity of staff when they are being considered for employment or promotion or for a move to an area where they will have access to personal data?
  8. are the staff aware of their responsibilities? Have they been given adequate training and is their knowledge kept up to date?
  9. do disciplinary rules and procedures take account of the requirements of the Act? Are these rules enforced?
  10. does an employee found to be unreliable have his or her access to personal data withdrawn immediately?
  11. are staff made aware that data should only be accessed for business purposes and not for their own private purposes?
  1. Detecting and dealing with breaches of security:
  2. do systems keep audit trails so that access to personal data is logged and can be attributed to a particular person?
  3. are breaches of security properly investigated and remedied; particularly when damage or distress could be caused to an individual?

If you fail to follow the Information Security and Communication Policy or the supporting standards or procedures, a disciplinary investigation may follow, or we may terminate contracts under which your business provides services to EssexCounty Council. Fraud or deliberate serious breaches of policy, standards or procedures may result in legal proceedings against you.

Version 2.0June 2005