Keenan and Riches’ BUSINESS LAW

Chapter 15 Business property

■ alignment, combination, blocking, erasure or destruction of the data.


The data protection principles


As under the 1984 Act, the DPA 1998 sets out eight data
protection principles, which must be complied with by
data controllers, subject to any exemption. The principles
are as follows:


1 Personal data shall be processed fairly and lawfully,
and, in particular, shall not be processed unless –


(a) at least one of the conditions in Sch 2 is met, and

(b) in the case of sensitive personal data, at least one of
the conditions in Sch 3 is also met.


At least one of the following Sch 2 conditions for
processing must be met:


■ the data subject has given his consent to processing;
■ the processing is necessary in relation to a contract to
which the data subject is party;
■ the processing is necessary to comply with a legal
obligation to which the data controller is subject;
■ the processing is necessary to protect the vital interests
of the data subject (i.e. matters of life or death);
■ the processing is necessary for the administration of
justice, for the exercise of any statutory functions, or
any functions of the Crown, ministers or government
departments or other public functions carried out in
the public interest;
■ the processing is necessary for the legitimate interests
of the data controller, except where the processing is
unwarranted because of the prejudice to the rights,
freedoms and legitimate interests of the data subject.


The DPA 1998 introduces special rules prohibiting
the processing of sensitive personal data revealing, for
example, racial or ethnic origin, political opinions,
religious or philosophical beliefs, trade union membership,
criminal proceedings or convictions and data concerning
health or sexual life.

At least one of the Sch 3 conditions relating to processing
sensitive data must be satisfied, in addition to
one of the conditions applying to all personal data. The
conditions include:


■ the data subject has given his explicit consent;
■ the processing is necessary for the purposes of fulfilling
legal obligations in relation to employment;
■ the processing is necessary to protect the vital interests
of the data subject or another person and the data
subject cannot give consent or the data controller
cannot reasonably be expected to gain consent, or the
data subject has unreasonably withheld consent and
the processing is necessary to protect the vital interests
of another person;
■ the processing is carried out by not-for-profit organisations
which exist for political, philosophical, religious
and trade union purposes, subject to certain
requirements;
■ the personal data have been deliberately made public
by the data subject;
■ the processing is necessary in connection with legal
proceedings, obtaining legal advice, or establishing,
exercising or defending legal rights;
■ the processing is necessary for medical purposes;
■ the processing relates to racial or ethnic origins and
the processing is necessary for equal opportunities
monitoring.

As well as fulfilling one of the conditions for processing
personal data, data controllers must also ensure that
the processing is carried out fairly in accordance with
the fair processing code. The code requires that data is
obtained fairly (i.e. the provider of data must not be
misled or deceived) and that certain information is provided
to the data subject.

2 Personal data shall be obtained only for one or
more specified and lawful purposes, and shall not be
further processed in any manner incompatible with
that purpose or those purposes. There are two methods
by which a data controller can specify the purposes for
which the data is obtained. First, by giving notice to the
data subject in accordance with the fair processing code,
and, secondly, by notifying the Information Commissioner
under the notification procedures.

3 Personal data shall be adequate, relevant and not
excessive in relation to the purpose or purposes for
which they are processed. Data users must be selective
about the data held; it must relate directly to the purposes
for which it is obtained.

4 Personal data shall be accurate and, where necessary,
kept up to date. Data controllers should take steps to
check the accuracy of information. Data subjects have
the right to compensation for damage caused by inaccurate
data. Files should be reviewed from time to time to
update the information.
