Responsibilities of data controllers: The Eight Principles
All data controllers must keep to the Eight Principles of Data Protection. A data controller is a company or an individual that collects and stores data about people.
When you read about these, you may find them called "The Data Protection Principles". You may be asked about these in the exam.
Remember: the data controller is the organisation (or individual) that decides how and why personal data is processed. Before processing personal data, a data controller must notify the Information Commissioner, who keeps a public register of controllers and the purposes each one has declared.
The Eight Principles of Data Protection
For the personal data that controllers store and process:
- It must be collected and used fairly and inside the law.
- It must only be held and used for the reasons given to the Information Commissioner (the official responsible for enforcing the Data Protection Act).
- It can only be used for those registered purposes and only be disclosed to those people mentioned in the register entry. You cannot give it away or sell it unless you said you would to begin with.
- The information held must be adequate, relevant and not excessive when compared with the purpose stated in the register. So you must have enough detail, but not too much, for the job that you are doing with the data. (Data is information without context; information is data with context or meaning. For example, a list of students with numbers beside their names is data; once it is made clear that those numbers are their placings in a 100 metre race, the data becomes information.)
- It must be accurate and be kept up to date. There is a duty to keep it up to date, for example to change an address when people move.
- It must not be kept longer than is necessary for the registered purpose. It is alright to keep information for a certain length of time, but not indefinitely. The Act does not set a fixed period: how long is "necessary" depends on the purpose, so a controller should decide a retention period for each kind of record and delete the data once it has passed. Keeping details of past customers with no remaining reason to hold them would break this principle.
- The information must be kept safe and secure. The Act requires appropriate technical and organisational measures against unauthorised or unlawful processing and against accidental loss, destruction or damage. In practice this means keeping the information backed up, controlling who can access it, and not leaving personal data open to be viewed by just anyone.
- The files may not be transferred outside of the European Economic Area (the EU plus Iceland, Liechtenstein and Norway) unless the country that the data is being sent to provides an adequate level of protection for personal data, for example through a suitable data protection law. This part of the Data Protection Act 1998 (DPA), the legislation passed by parliament that governs the protection of personal data in the UK, has led some countries to pass similar laws so that computer data centres can be located in their territory.