The data protection principles

It is important that you are aware of the data protection principles as they set out optimal standards for information handling. If you can ensure that you handle data in a way which accords with the principles, it is very unlikely that you will be liable under the DPA, or indeed any other source of law, for data misuse.

Although technically the data protection principles set out the obligations of data controllers, it is still essential that researchers are aware of these principles, as adhering to them will ensure that you are handling data responsibly. Indeed, in order for a data controller to release their data to researchers to use in their research projects, they will require the researcher to undertake not to use the data in such a way that would breach any of the data protection principles.

The eight data protection principles are set out in schedule 1 of the DPA and guidance on how to interpret the data protection principles can be found in part II of schedule 1.

The first principle

The first principle provides that personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless (a) at least one of the conditions in schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in schedule 3 is met.

Essentially there are three cumulative requirements in the first principle:

  1. The requirement to collect personal data fairly;
  2. The requirement to process personal data lawfully; and
  3. The requirement to satisfy a condition in Schedules 2 and 3.

The requirement to collect personal data fairly

The requirement of ‘fairness’ essentially means that you must be transparent, clear and open about how you are processing personal information. In particular, the data controller must give certain information to data subjects when collecting their information, and regard should be had to the methods by which the data were obtained.

In the context of providing data to use for research purposes, this means that certain information must be provided to the data subject unless a disproportionate effort can be demonstrated. If there are high numbers of individuals involved in the research or if the individuals involved cannot be easily traced, then it is likely that a disproportionate effort will have been demonstrated. However, the requirement to provide information is something that you as a researcher should bear in mind when considering what information to seek to use in your research project.

The requirement to process personal data lawfully

The requirement that personal data must be processed ‘lawfully’ means that both statutory and common law obligations must be satisfied, such as those under the DPA itself, as well as under the Human Rights Act 1998, the Freedom of Information Acts and the common law of confidentiality. The DPA cannot render lawful any processing which would otherwise be unlawful.

The requirement to satisfy a condition in Schedules 2 and 3

Please see the next guidance page on ‘Conditions for processing personal data’ which can be accessed here.

The first principle in practice

According to the ICO, to comply with the first data protection principle in practice you must:

  • Comply with the conditions for processing in schedules 2 and 3;
  • Have legitimate grounds for collecting and using personal data;
  • Not use the data in ways that have unjustified adverse effect on the individuals concerned;
  • Be transparent about how you intend to use the data, and give individuals appropriate privacy notices when collecting their personal data; and
  • Make sure you do not do anything unlawful with the data.

For additional guidance from the ICO on the first principle please click here.


The second principle

The second data protection principle provides that personal data should only be provided for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with these purposes. Essentially this means that you must be clear about your reasons for obtaining the data, and what you are going to do with the data once you have it.

The research exemption

The DPA does provide for some exceptions to the second principle. Most important for you as a researcher is the ‘research exemption’ in s33 of the Act. Essentially the exemption means that for the purposes of the second data protection principle, the further processing of personal data for research purposes in compliance with the relevant conditions is not to be regarded as incompatible with the purposes for which the data was obtained.

The exemption applies where data is processed for research purposes (which includes statistical and historical purposes) and where the following conditions are met:

  • The data are not processed to support measures or decisions relating to particular individuals; and
  • The data are not processed in such a way that substantial damage or substantial distress is, or is likely to be, caused to any data subject.

More information on the research exemption can be found here.

The second principle in practice

According to the ICO, to comply with the second data protection principle in practice you must:

  • Be clear from the outset about why you are collecting personal data;
  • Be clear about what you intend to do with the personal data;
  • Comply with the requirements of the first data protection principle;
  • Comply with what the DPA says in part III about notifying the Information Commissioner; and
  • Ensure that if you wish to use or disclose the personal data for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair.

For additional guidance from the ICO on the second principle please click here.


The third principle

The third data protection principle provides that ‘personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.’ Essentially this means that you must identify and only obtain the minimum amount of personal data you need to properly fulfil the purpose for which you need the data. You cannot collect data on a ‘just in case’ basis. In the context of research using patient data, this means that in your research plan you must clearly identify exactly what data you need in order to be able to complete your research project. If you request too much data, this could lead to the data custodian refusing to give you access to the data.

The third principle in practice

According to the ICO, to comply with the third data protection principle in practice you must:

  • Ensure that you hold personal data about an individual that is sufficient for the purpose you are holding it for; and
  • Ensure that you do not hold more information than you need for that purpose.

For additional guidance from the ICO on the third principle please click here.


The fourth principle

The fourth data protection principle provides that ‘personal data shall be accurate and, where necessary, kept up to date.’ The implication is that if data is inaccurate or out of date, it should be rectified or brought up to date.

The fourth principle in practice

According to the ICO, to comply with the fourth data protection principle in practice you must:

  • Take practical steps to check the continuing accuracy of the data you hold;
  • Ensure that the source of any personal data is clear;
  • Carefully consider any challenges to the accuracy of information; and
  • Consider whether it is necessary to update the information.

For additional guidance from the ICO on the fourth principle please click here.


The fifth principle

The fifth principle stipulates that personal data shall not be kept for any longer than is necessary for the purposes for which the data was obtained. It therefore requires the data controller to have regard to what a reasonable period of retention is in the specific circumstances. This period should be one which is objectively justifiable, rather than one which is subjectively desired.

Personal data which is obtained for research purposes may, however, be able to be retained indefinitely under the research exemption in s33. For more information on the research exemption please click here.

Once the specified purposes have been fulfilled, you must ensure that you securely destroy the personal data. As destroying data is ‘processing’ under the DPA, the process of destruction must also comply with the data protection principles.

The fifth principle in practice

According to the ICO, to comply with the fifth data protection principle in practice you must:

  • Review the length of time for which you keep personal data;
  • Consider the purpose for which you hold the data in deciding whether and for how long to retain the data;
  • Securely delete information which is no longer needed; and
  • Update, archive or securely delete information if it goes out of date.

For additional guidance from the ICO on the fifth principle please click here.


The sixth principle

The sixth principle provides that personal data is to be processed in accordance with the rights of the data subject under the Act.

The rights of the data subject under the DPA are:

  1. The right to subject access (sections 7 to 9),
  2. The right to prevent processing likely to cause damage or distress (section 10),
  3. The right to prevent processing for the purposes of direct marketing (section 11),
  4. Rights in relation to automated decision taking (section 12),
  5. The right to take action to rectify, block, erase or destroy inaccurate data (sections 12A, 14 and 62),
  6. The right to compensation (section 13).

Please see the guidance page on the rights of the data subject for more information. And for additional guidance from the ICO on the sixth principle please click here.


The seventh principle

The seventh principle provides that appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Essentially this means that you must have appropriate security measures in place to prevent the personal data you hold being accidentally or deliberately compromised. Please see the guidance page on data security for more information.

If you are using a SHIP Safe Haven then the Safe Haven will be responsible for data security. However, if personal data is transferred directly to you, then the responsibility will be yours.

The seventh principle in practice

According to the ICO, to comply with the seventh data protection principle in practice you must:

  • Design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach;
  • Be clear about who is responsible for ensuring data security;
  • Make sure you have the right physical and technical security, backed by robust policies and procedures and reliable well-trained staff; and
  • Be ready to respond to any breach of security swiftly and effectively.

For additional guidance from the ICO on the seventh principle please click here.


The eighth principle

The eighth data protection principle provides that personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. It should be noted that each of the other principles will also be relevant to the sending of personal data overseas.

It is unlikely that you will be transferring any personal data outside the European Economic Area, and therefore you should not have to worry about the eighth data protection principle. However, if you are concerned please contact your Research Co-ordinator or SHIP for more information and guidance.

For additional guidance from the ICO on the eighth principle, please click here.
