There are six data principles incorporated under the Data Protection Act of UK in our earlier article (here –https://worldprivacylaw.com/?p=631) we had discussed the privacy principles in general but in today’s article we will discuss the principles as provided under the statute.
1) The first Data Protection Principle (S. 35)
The first Data Protection principles is enshrined under section 35 of DPA 2018 which is “lawful and fair processing” and for that it prescribes some requirements and to achieve that it explicitly mentions that the processing is lawful only when it is based upon law and either data subject has given the consent to the processing for that purpose or the processing is necessary for the performance of a task carried out for that purpose by a competent authority.
This rule slightly differs when there is a question of processing of sensitive information and is allowed only when the controller has an appropriate policy document in place or the processing is strictly necessary for the law enforcement purpose. Sensitive processing includes the personal data revealing racial or ethinic origin, political opinion, biometric data, individual’s sexual life or sexual orientation etc.
2) The Second Data Protection Principle (S 36)
The second Data Protection principle is enshrined under section 36 of DPA 2018, “Processing be specified, explicit and legitimate” and to achieve this the requirements are provided under the said section and says that the law enforcement purposes for which personal data is collected on any occasion must be specified, explicit and legitimate and such collected personal data must not be processed in a manner which is incompatible with the purpose for which it was collected.
Such data collected for law enforcement purposes may be processed for any other law enforcement purpose (whether by the controller that collected the data or by another controller) provided that the controller is authorised by law to process the data for the other purposes and processing is necessary and proportionate to that other purposes.
3) The Third Data Protection Principle (S 37)
The third Data Protection Principle is provided under section 37 of the DPA and the principle is “personal Data be adequate, relevant and not excessive”, this means the data processed has to be adequate, relevant and not excessive in relation to the purpose for which it is processed.
In other words the data to be collected must be so much which is required so it should not be more or less but adequate to fulfil the purpose of processing.
The remaining Three Principles we shall discuss in our next article…………
Picture Credit- http://granthamhive.blogspot.com/