This course provides an overview of the Data Protection Act, the complementary legislation to the
GDPR in the UK.
The Data Protection Act controls how your personal data (or information) is used by organisations,
businesses or the government. Everyone responsible for using data has to follow strict rules called
‘data protection principles’.
This module will provide an overview of the key areas of the Data Protection Act and the UK ICO
(Information Commissioner’s Office).
The UK ICO defines personal data - or Personally Identifiable Information (PII) - as data which relates to
a living individual who can be identified:
(b) from those data and other information which is in the possession of, or is likely to come into the
possession of, the data controller, and includes any expression of opinion about the individual and
any indication of the intentions of the data controller or any other person in respect of the individual.
The UK ICO defines sensitive personal data - or Sensitive Personal Information (SPI) - as personal data
consisting of information as to:
(d) whether they are a member of a trade union (within the meaning of the Trade Union and Labour
Relations (Consolidation) Act 1992)
(h) any proceedings for any offence committed or alleged to have been committed by them, the
disposal of such proceedings or the sentence of any court in such proceedings
The Act regulates the “processing” of personal data. Processing, in relation to information or data,
means obtaining, recording or holding that information or data, or carrying out any operation or set
of operations on it, including:
This is the first data protection principle. In practice, it means that you must:
Have legitimate grounds for collecting and using the personal data
Not use the data in ways that have unjustified adverse effects on the individuals concerned
Be transparent about how you intend to use the data, and give individuals appropriate privacy
notices when collecting their personal data
Handle people’s personal data only in ways they would reasonably expect
Principle 2 – Purposes
Be clear from the outset about why you are collecting personal data and what you intend to do with
it
Comply with the Act’s fair processing requirements – including the duty to give privacy notices to
individuals when collecting their personal data
Comply with what the Act says about notifying the ICO
Ensure that, if you wish to use or disclose the personal data for any purpose that is additional to, or
different from the originally specified purpose, the new use or disclosure is fair
Principle 3 – Adequacy
This is the third data protection principle. In practice, it means you should ensure that:
Any personal data held is adequate and relevant to the purpose for which it was processed
Principle 4 – Accuracy
This is the fourth data protection principle. In practice, it means you should:
Take reasonable steps to ensure the accuracy of any personal data you obtain
Principle 5 – Retention
This is the fifth data protection principle. In practice, it means that you will need to:
Review the length of time you keep personal data
Consider the purpose or purposes you hold the information for in deciding whether, and for how
long, to retain it
Securely delete information that is no longer needed for this purpose or these purposes
Principle 6 – Rights
This is the sixth data protection principle, and the rights of individuals that it refers to are:
A right, in certain circumstances, to have inaccurate personal data rectified, blocked, erased or
destroyed
Principle 7 – Security
This is the seventh data protection principle. In practice, it means you must have appropriate security
to prevent the personal data you hold being accidentally or deliberately compromised. In particular,
you will need to:
Design and organise your security to fit the nature of the personal data you hold, and the harm that
may result from a security breach
Be clear about who in your organisation is responsible for ensuring information security
Make sure you have the right physical and technical security, backed up by robust policies and
procedures, and reliable, well-trained staff
Personal data shall not be transferred to a country or territory outside the EEA unless that country or
territory ensures an adequate level of protection for the rights and freedoms of data subjects in
relation to the processing of personal data.