5 Personal data processed for any purpose or pur-
poses shall not be kept for longer than is necessary for
that purpose or purposes.Once the specific purpose for
which the data was collected has been achieved, the data
should be destroyed.
6 Personal data shall be processed in accordance with
the rights of data subjects under this Act. A data con-
troller will contravene this principle if he or she fails to
supply information following a subject access request or
fails to comply with certain other notices under the DPA
1998.
7 Appropriate technical and organisational measures
shall be taken against unauthorised or unlawful pro-
cessing of personal data and against accidental loss or
destruction of, or damage to, personal data.Data con-
trollers and data processors must take steps to secure the
personal data they hold. The level of security will depend
on the nature of the personal data and the damage likely
to be caused by a breach of the principle and the meas-
ures necessary to ensure security.
8 Personal data shall not be transferred to a country
or territory outside the European Economic Area,
unless that country or territory ensures an adequate
level of protection for the rights and freedoms of data
subjects in relation to the processing of personal data.
This principle will not apply in certain circumstances, for
example where the data subject consents to the transfer
or the transfer is necessary for reasons of public interest
or in connection with legal proceedings.
Notification
The 1984 Act established a Data Protection Register, which
was open to public inspection. The DPA 1998 introduces
a new simpler notification system. A data controller will
be required to provide the following information:
■the data controller’s name and address;
■the name and address of any representative;
■a description of the personal data being processed
and the category of data subject to which they relate;
■a description of the purpose(s) for which the data are
being processed;
■a description of any recipients of the data;
■a name or description of countries outside the European
Economic Area to which the data may be transferred;
■a statement that the personal data are exempt and
notification does not extend to that data;
■a general description of security measures to protect
the data (this information will not appear on the
register).
The notification requirements do not apply to man-
ual data contained within a relevant filing system or data
within non-automated accessible records.
The period of notification lasts for one year and the
fee (in 2008) is £35.
It is an offence to process personal data without noti-
fication, unless it can be shown that a person exercised
all due diligence to comply with the requirements. Offences
are triable either by magistrates or in the Crown Court.
If convicted, the offender is liable to a fine of £5,000 in
the magistrates’ court or an unlimited fine in the Crown
Court.
Business organisations should decide who will take
responsibility for ensuring that the organisation complies
with the requirements of the DPA 1998. The duties of
such a data protection officer must be defined and lines
of responsibility established. The data protection officer
should ensure that the notification requirements are com-
plied with and the entry in the register kept up to date.
This includes devising a system to monitor any changes
taking place so that they can be recorded on the register.Information Commissioner
In addition to maintaining the Register, the Commis-
sioner is charged with promoting good practice by data
controllers and in particular promoting observance of
the data protection principles. The Commissioner is under
a duty to make an assessment of whether processing of
personal data is being carried out in compliance with the
DPA 1998, if so requested.
The Commissioner has the power to issue the follow-
ing notices:
1 An enforcement noticerequires a data controller to
observe the data protection principles.
2 An information noticerequires a data controller to
provide information relating to a request for assessment
or to compliance with the data protection principles
within a specified time.
3 A special information noticemay be served to ascer-
tain whether personal data are being processed only for
special purposes or with a view to the publication of any
journalistic, literary or artistic material not previously
published by the data controller.Part 4Business resources