
Principles Of Data Protection Act: A Detailed Analysis


Task: Write down a comprehensive account of the principles of data protection act.


This report focuses on the Data Protection Act of 1988 and the major actions it sets out for the protection of crucial and vulnerable data. Individuals and corporate units operating with any sort of information or data regarding the public are bound by the provisions of the Data Protection Act 1988. The influence of the principles of data protection act starts from the collection of the required data and extends to the last stage, the deletion of the collected information. The scope and seriousness of data processing are very high in the industries related to Information Technology. The activities of such companies, like data alteration, implication, retrieval, transmission, and deletion, are considered under the guidelines of this law.

The parliament of the United Kingdom passed the bill of the Data Protection Act in 1998 to cover the discrepancies in the Data Protection Act of 1984. The principles of this act came into force from the year 1999. The public's information is handled by following the principles of data protection act (Iversen et al., 2006). A violation of the underlying principles would lead to a breach of the privacy rights of individuals. Hence the associated bodies are required to follow the related laws. The act ensures that individuals themselves have ownership and control over their respective personal data (Jay & Hamilton, 1999).

The protection of privacy rights is largely covered under the principles of data protection act, which provide transparency over how personal information is dealt with by a secondary body. Communication media companies devise their marketing strategies by following the framework laid down by the principles of data protection act. The scope of the law doesn’t cover the domestic level of managing information, like keeping a personal address book. If the same data is used for some business or other intention, however, then the principles of data protection act must be followed in that context. It is the data controlling authority and the associated computer bureau that are held liable for the breach of private information under this act.

The UK's legislative assembly passed its first data protection act in the year 1984 to lay down additional protection of the public's data. After detailed analysis and contemplation, its principles were adopted by the European parliament. The European parliament provided a new dimension to the act by applying it to the aspect of data transfer. This act's provisions checked data manipulation by large entities and the emerging information technology companies. The parties engaged in a data transfer could only utilize the customer data for a specific purpose, and any breach of this restriction would bring legal liabilities. The consent of the person should be taken before transferring the related information to a third party. The law stated the time limit for which companies could hold the public's specific private data. This law's jurisdiction is applicable to both the manual and online transfer of information (Carey, 2018). The principles of data protection act have laid down the definition for the terms Personal Data and Processing.

The government organized a special body, the Data Protection Registrar, which acted as a regular body that supervised the implementation of the principles of data protection act. The same law was later amended as the Data Protection Act of 1998, which referred to the specific European Union Directive 95/46/EC (Peto, 2004). The guidelines under the updated law have changed the name of the Data Protection Registrar to Data Protection Commissioner. The updated law focused on spreading awareness among the public regarding effective measures to prevent the breach of privacy rights. The Data Protection Commissioner directly reports to the parliament, and Richard Thomas currently holds the office. The updated guidelines and the good practices in the modern IT sector were put forward by the new principles of data protection act in 1998. Members of the public could also be provided with the service of the commissioner on application. The data controllers are provided with the facility of legal service by the commissioner when required. Some of the relevant documents regarding this service are listed in the section below (Romanosky & Acquisti, 2009).

  • Code of Practice in Telecommunications Directory Information and Fair Processing
  • Code of Practice for CCTV users
  • Code of Practices on Employment Practices

Principles of Data Protection Act

  • Under no condition should the personal data of citizens leave the jurisdiction of the European Economic Area. The transfer could only be done when the required security and protection level is provided to the data. In no way should the right of freedom of an individual be breached. The proper principles laid down by the legislation should be strictly followed while processing private information.
  • The processing of data should only be commenced after legally following the framework.
  • The unlawful processing of personal information should be checked by applying the most modern and proper technologies. The personal data should be deleted after the intended use, and any accidental loss or misappropriation should be legally punished.
  • There should be a legal reason behind collecting the personal data, and the collecting body would not have any authority to process the data further for any other purpose.
  • The collecting body has no specific authority to retain the personal data beyond the mentioned time limit (Koops, 2014).

The primary section of the principles of data protection act
The data protection act's primary concept is that the personal data of the population should be treated only per the lawful framework. Only the circumstances listed below should be treated as the exception:

  • When the collected data comes under the division of sensitive data as mentioned under Schedule 3.
  • If the collected data has any of the characteristics matching with that of the points mentioned under Schedule 2.

The primary part of this section states that collected personal data should only be treated and processed as per the guidelines of the respective law. The concept of fair processing restricts the authorities from processing the information misleadingly. There should be no form of deception while dealing with the information of individuals. The initial section of this law deals specifically with the collection and arrangement of personal data (Rumbold & Pierscionek, 2017). The data collector should justify the proper reason for collecting the data before the government authorities. The handling of such data should not adversely affect individuals.

The concept of lawful processing mandates that the owner of the data should be notified when the related personal data is collected. The person should have high transparency over the reason for collecting the data and the methodology by which it is processed. All the related information on this aspect would be provided in the Fair Processing Notice. The major items of information listed in the Fair Processing Notice are given below (Hornung & Schnabel, 2009).

  • The major authority to whom the collected personal data should be handed over would be the agencies under government departments.
  • The individual details of the data controller who is assigned to deal with the collected personal data.
  • The major reason for collecting and processing personal information.
  • The proper steps followed while processing personal information to provide much clarity to the public.

The major parameters which satisfy the existence of fair processing
There are certain parameters to be satisfied to ensure the existence of fair processing. The conventions regarding fair processing are set out in schedule 2 of the data protection act. As per the conventions under schedule 2, there are six conditions to be ensured to satisfy the existence of fair processing (Gutwirth et al., 2009). The collecting agency has no authority to process the data if any of the below-mentioned parameters are not met.

Parameters mentioned under schedule 2

  • The data controller should follow the framework mentioned in the law.
  • The data should only be used to enter into the intended contract.
  • The intended act should come under the category of implementing government activities, executing the conventions under any legal obligation, judicial administration, the activities that demand the public interest, etc.
  • The act is to satisfy the vital interest of the respective person.
  • Apart from just restrictions mentioned under the contract, the data controller can also follow the legal obligations.
  • The conventions mentioned under schedule 2 and 3 should be satisfied if the collected data is of sensitive personal data.

Parameters mentioned under schedule 3

  • The data is collected to check whether the parameter of equality of opportunity is satisfied.
  • The data subject has provided the unit with explicit consent.
  • Collected for medical purposes.
  • The data is collected to satisfy the vital requirement of the particular person.
  • Acquired to provide employment for a particular person.
  • Executing the duties of judicial bodies and executing the policies put forward by the government.
  • The task is done by a non-profit organization for social welfare activities.
  • The collection of the information is done for legal activities like defending the citizens' basic legal rights.

Secondary principle of data protection act
The second principle of the data protection act states that the collection of personal information should be commenced only to satisfy one or more purposes listed under the law, and that further synthesis on other grounds should be strictly prohibited. The section highlights the intention behind collecting a specific set of information (Cate, 1994). A specific report and justification of why certain personal information was collected should be submitted to the ICO. The information commissioner's office should be aware of every process undertaken to process the information.

To bring more clarity to the information's handling process, the data processor could provide the owner with appropriate and timely notifications. The respective people should be notified at the moment the data is collected. The authorities must obtain the consent of the respective individuals before collecting sensitive information.

The third principle of the data protection act
The data controller is endowed with three particular liabilities under the provision of the Data Protection Act. The specific limit to which the data controller could further carry out processing of the information is mentioned, and the boundary should not be breached under any circumstance. The parameters of relevancy, adequacy, and preciseness should be sustained while dealing with the information. Interest and bias are totally irrelevant while synthesizing the information.

Only the required information should be identified and deduced from the available dataset so that the intended information could be processed. Only in some of the exceptional cases mentioned under the legal provisions could the information be processed to further limits. The instance could be compared to the situation when a surgeon is presented with a challenging medical condition, and the collection of private information is extremely important for the diagnosis and treatment. The family history, the medical past, etc. would be crucial for the surgeon to conduct effective treatment for the patient.

In the same manner, the conventions followed by the Human resource management department of various organizations are customized heavily, and the recruitment of staff is only done after checking various personal attributes thoroughly. In most cases, the information is required by the authority directly for the analysis. It could be observed that the third principle of the data protection act is quite strongly linked to the first principle of the data protection act. Whereas the first principle demands complete impartiality and fairness, the third principle concentrates on the parameters of adequacy, relevance, and breach of the limit.

The fourth principle of the data protection act
The fourth principle of the data protection act states that the retrieved data should be accurate and should be kept up to date at every instance. The data handler should ensure the quality of the data after checking the primary and secondary principles of data protection act. There are two major provisions under the fourth principle of the data protection act.

The factor of accuracy is considered first in this section. The units should follow the required process under the data controller to sustain the accuracy of the data. Any sort of ambiguity or mistake would mislead the outcome of the whole process and has the potential to mislead society towards false conceptions. Even a small miscalculation would generate misleading conclusions from accurate and exact data sets. Hence, the study's data collector should select the dataset which is detailed and has a more comprehensive application. The primary principle of the data protection act will be violated if a false approach to calculation is applied by the authorities. While conducting the processes of data protection, the managing body should ensure impartiality and accuracy for the sake of reliability (Bennett, 1992).

The authority should select only the most recently updated dataset of personal information for conducting the processes. This criterion should be taken into account when a dataset used frequently over a period is considered for the study. The data controller should take a deeper approach when considering this type of data set. This is to ensure a high level of accuracy in the collected dataset so that a good conclusion is derived from it.

If a suspicion remains that the information collected by the data collector is inaccurate, the respective individual should confirm it again to remove the discrepancies. It is under section 7 (12) of the principles of data protection act that the access request could be filed by the data subject. As per this provision, the individual is entitled to get a copy of the data set retained by the data controller. The court could order the data controller to delete, block, and verify the collected information as per the plea submitted by the data subject. The provision also demands the payment of compensation if any damage is caused to the data subject by the pursued process.

Fifth principles of data protection act
The time period for processing the collected set of data should not exceed the stated period. The data controller should keep in check how long the collected information is retained. The provisions of the fifth principles of data protection act exist to sustain clarity and transparency over the intent behind collecting the information. The official appointed as the data controller is bound to dispense with the information if he or she is unable to present an adequate reason to retain it.

The information would become obsolete after being retained for a longer period. It would cause errors in the study and highly mislead society towards the wrong conclusion. After a certain period, the authorities would lose certainty over whether the data is accurate or not. The security of the collected data should be ensured by the data controller, even if the purpose of the data is complete. It is the best practice to get rid of data which is no longer needed for the study or process. If the data is required for future reference, it is highly recommended that it is recorded offline.

The data controller should retain personal information further only after reviewing the future scope of the data set. The data controller has to face many challenges in retaining personal information, chiefly the risks, cost, and other legal liabilities.

The sixth principle of the Data protection act
The provision that the human rights of the data subject should never be breached by the data controller under any circumstances is mentioned under the sixth principle of the data protection act. The authority of the data controller is kept under check, and a particular guarantee to the rights of the data subject is practised under this provision of principles of data protection act. Several specific rights for the data subject are listed down under this provision.

  • Right to compensation
  • Control over the personal information
  • Right to amend the information if there exists any irregularity
  • Secure themselves from any malicious or distressing use of personal information.
  • Opting for the automated way of the decision-making process.
  • Abstain from the exposure for direct marketing

As per section 7 of the Data Protection Act, the data subject has total access to the personal information (Schwartz, 1994). It enables the data subjects to gather the facsimile of the collected information from the data collector on demand. However, it should be noted by our readers that the person would have access to only his or her personal information. The data subject could seek legal clarification on whether any related data is collected or processed. It could be done just by submitting a simple application to the court. The authority is liable to give the justification on why the particular data was collected for the process, and it should be made transparent whether the data is handed over to a third party.

The provisions also enable the data subject to ask for the termination of processing the data if it is affecting and damaging the personal life. The citizen is allowed to submit an application before the court to clear the objection regarding the collection and processing of personal data. The particular application could be stated as an Objection to processing in legal terms. The impact created by the data processing should be clearly stated under the application of objection to processing.

Let us take an instance where a particular candidate is rejected for a post in an organization because another agency or third party revealed that the person is a trade union activist and is quite unsuitable for the post. The third party is one of the agencies which holds the list of candidates who are blacklisted from employment in any industry or agency. The particular person has the right to ask the data controller to remove his name from the data of the blacklist. It would be on the ground of ongoing damage and distress that the data subject would demand the deletion of the name. The data controller should respond to the demand of the data subject within the period of 21 days.

The data subject has every right to prevent their personal information from being disclosed for the purpose of Direct Marketing. If the information is being processed for the purpose of direct marketing, the individual could immediately file an objection to processing against the authority. The issuance of junk mail forwarded on a mass basis is considered to be the major tool of Direct Marketing. The scope of direct marketing doesn't limit itself to just the sales of a particular product but also covers the campaigns and promotion of particular ideologies and personalities. The respective individuals have every right to demand the deletion of personal data from the data set. It would be highly recommended to the common public to suppress their personal information wherever possible. The institutions should only acquire the required information, which would provide extreme security to the customers and the respective set of sensitive data.

The authority to restrict the data controller from making any sort of automated decision is vested in the data subject. The data subject could ask the authority to reconsider the conclusion they have arrived at by reviewing the personal information. It is the duty of the data controller to report the existence of any misappropriation of the information. Such decisions are mostly made in an automated manner, and hence there is no human intervention engaged in them. Let us take an example in which a request to transfer money from one account to another is declined by the authority. The cause is an inconsistency between the information entered by the data subject and the pre-existing data set in the automated system. In such cases, the individuals are forced to select the manual way of proceeding with the process.

It is the parameter of accuracy, which is highlighted in the fourth principle of the data protection act. The data subject is empowered to approach the court if there is any sort of discrepancy in the collected information, and the jury could take appropriate action from erasing, revising, and even deleting the data set. The data subject would be entitled to the right to demand compensation if the data processing has caused any sort of damage or distress.

Seventh principles of data protection act
It is the security of the sensitive data that is highlighted in the seventh principle of the data protection act. It is mandated by this legal provision that the proper technical measures should be taken by the data controller so that any illegality in the process should be avoided. It helps in avoiding instances of damage or loss of sensitive information. Because of this ideology, the fifth principle of the data protection act is hence stated as the security principle. There should be no compromise to the security of sensitive data when the data controller is handling them. The security measures should be considered by the data controller to avoid the below-listed challenges.

  • Unintentional loss or deletion of the sensitive data
  • The illegal treatment of personal information
  • The misuse of the data by a third party.

The term security here refers to the appropriate use of strong passwords, other advanced measures such as encryption, and the implementation of antivirus software to detect malware. To sustain security, the data controller should apply the most modern technology in data processing. It could only be applied by personnel with the physical and technical ability. The characteristics of the security system applied by the data controller should be reported to the Information Commissioner.

Eighth principles of data protection act
As per the conventions stated under the eighth principles of data protection act, the data controller is restricted from transferring the personal information of data subjects outside the EEA territory. This provision secures the fundamental rights of the data subjects and hence provides a guarantee against the related disaster or distress. The government should check whether the required output could be achieved by the authority even if the process of data collection is not done. The transfer of sensitive information to a third party should not be done without asking the consent of legal offices and the data subject itself. However, this condition would not be applicable if the identity of the person is not revealed from the dataset (Bygrave, 2010).

A transfer is deemed to have happened when the personal information is placed in another country. A similar instance will happen if the data controller decides to post personal information on a public website. The information could be easily downloaded by a third party situated in a foreign country. The present legal provision does not restrict the flow of information among the countries which come under the jurisdiction of EEA territory (Lynskey, 2015). Though the transfer is allowed on certain grounds, the below-listed parameters should be considered while commencing the transfer.

  • The respective legalities and security measures are followed by the local legislations.
  • The characteristics of sensitive personal data
  • The origin of the personal data and the location to which it is transferred
  • The period after which the targeted information is transferred to a third party

The principles of data protection act of 1998 are vividly mentioned in the above-described report. We have made a special effort to touch every aspect which is related to the topic of principles of data protection act. The parameter of legality and impartiality should be strictly ensured by the data controllers while treating personal information. There would be no justification for the careless treatment of sensitive information by the concerned bodies. With the advancement of information technologies, a higher level of threat is being posed to personal data. Hence, there need to be further amendments to the principles of data protection act to sustain its relevance in the modern cyber world. It is recommended for all the organizations to strictly follow the conventions under the principles of data protection act.

Iversen, A., Liddell, K., Fear, N., Hotopf, M., & Wessely, S. (2006). Consent, confidentiality, and data protection act. BMJ, 332(7534), 165-169.

Jay, R., & Hamilton, A. (1999). Data protection. Law and Practice, 2.

Carey, P. (2018). Data protection: a practical guide to UK and EU law. Oxford University Press, Inc.

Peto, J., Fletcher, O., & Gilham, C. (2004). Data protection, informed consent, and research.

Romanosky, S., & Acquisti, A. (2009). Privacy costs and personal data protection: Economic and legal perspectives. Berkeley Tech. LJ, 24, 1061.

Koops, B. J. (2014). The trouble with European data protection law. International data privacy law, 4(4), 250-261.

Rumbold, J. M. M., & Pierscionek, B. (2017). The effect of the general data protection regulation on medical research. Journal of medical Internet research, 19(2), e47.

Hornung, G., & Schnabel, C. (2009). Data protection in USA I: The population census decision and the right to informational self-determination. Computer Law & Security Review, 25(1), 84-88.

Gutwirth, S., Poullet, Y., De Hert, P., De Terwangne, C., & Nouwt, S. (Eds.). (2009). Reinventing data protection?. Springer Science & Business Media.

Cate, F. H. (1994). The EU data protection directive, information privacy, and the public interest. Iowa L. Rev., 80, 431.

Schwartz, P. M. (1994). European data protection law and restrictions on international data flows. Iowa L. Rev., 80, 471.

Bennett, C. J. (1992). Regulating privacy: Data protection and public policy in Europe and the United States. Cornell University Press.

Bygrave, L. A. (2010). Privacy and data protection in an international perspective. Scandinavian studies in law, 56(8), 165-200.

Lynskey, O. (2015). The foundations of EU data protection law. Oxford University Press.

