Data Protection Act

1998
Freedom of Information
Act 2000

Computer Misuse Act

1990
1. Lawfulness, fairness, and transparency
2. Purpose limitation
3. Data minimization
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
7. Accountability
 1. Lawfulness, fairness, and transparency
• Lawfulness means that any processing of personal data carried out by a controller
must have a legal basis, be otherwise compliant with the requirements), and not
involve any otherwise unlawful processing or use of personal data.
• Fairness is also a relatively broad principle, which requires that any processing of
personal data must be fair towards the individual whose personal data are
concerned, and avoid being unduly detrimental, unexpected, misleading, or
deceptive.
• Transparency is a particularly important principle of data protection, with various
related rights and obligations seeking to ensure that processing of personal data is
clear and transparent to individuals and regulators. Controllers must provide
individuals with information regarding the processing of their personal data in a
format that is concise, easily accessible, easy to understand, and in clear and plain
language. This should be done before personal data are collected and subsequently
whenever changes to the processing operation are made.
 2. Purpose limitation
• Personal data must be collected for specified, explicit and legitimate
purposes, which are determined at the time of the collection of the
personal data, and not be further processed in a manner that is
incompatible with those purposes. However, data controllers may
undertake further processing for archiving purposes in the public interest,
scientific or historical research purposes, or statistical purposes, as they
are not considered to be incompatible with the initial purposes, where
there are sufficient safeguards in place. The 2018 Act also contains
further rules detailing where controllers make undertake further
processing for purposes in the public interest.
• Further processing is only appropriate where the new purpose for
processing is not incompatible with the original purpose. Whether any
subsequent processing could be Version Last Updated: October 2019 3
compatible with the original purpose will depend on any link with the
original purpose, the context in which the personal data has been
collected, the nature of the personal data, the possible consequences of
the intended further processing for individuals, and the existence of
appropriate safeguards. The purpose of this principle is to ensure
controllers are clear and open from the outset about proposed processing
of personal data and to ensure that the purposes are in line with
individuals’ reasonable expectations. Careful consideration of and robust
compliance with this principle also assists data controllers with the
principles of data minimisation and accountability.
 3. Data Minimization
• This principle requires that controllers only collect and process
personal data that are adequate, relevant, and limited to what is
necessary for the purposes for which they are processed. This
essentially means that data controllers should collect the minimum
amount of data they require for their intended processing operation;
they should never collect unnecessary personal data. This principle
complements, in particular, the principle of purpose limitation, but
also supports compliance with the range of data protection principles.
• Implementing data minimization supports data protection by design
and by default, limits the amount of personal data which could be lost
or stolen in the event of a personal data breach, assisting with
ensuring the integrity and confidentiality of personal data, and it
makes it easier for organizations to ensure that the personal data they
hold are accurate and up to date, supporting compliance with the
principles of accuracy. The GDPR does not define what amount of
personal data is ‘adequate, relevant and limited’. This will have to be
assessed by controllers depending on the circumstances of their
intended processing operations. Controllers should also periodically
review the amount and nature of personal data which they process,
ensuring it remains adequate, relevant, and necessary, including by
deleting data which no longer fulfil these criteria.
 4. Accuracy
• This principle requires that controllers ensure personal data are accurate and,
where necessary, kept up-to-date. Controllers should take every reasonable
step to ensure that personal data which are inaccurate are erased or rectified
without delay, having regard to the purposes for which they are processed.
This is a straightforward requirement that all personal data collected, stored,
or otherwise processed by a controller must be accurate and up to date. All
reasonable steps must be taken to correct any inaccuracies promptly,
including considering Version Last Updated: October 2019 4 whether it is
necessary to periodically update any personal data a controller holds. As
such, controllers that collect personal data should have clear procedures for
correcting or erasing any inaccurate personal data as part of their data
management activities.
• In general, the reasonable steps controllers are required to take to
ensure the accuracy of personal data will depend on the
circumstances and in particular on the nature of the personal data
and of the processing. Controllers need to also keep in mind their
obligations in relation to data subjects’ right to rectification – to have
inaccurate personal data rectified, or completed if it is incomplete.
 5. Storage Limitation
• Controllers must hold personal data, in a form which permits the
identification of individuals, for no longer than is necessary for the
purposes for which the personal data are processed. Personal data
may be stored for longer periods where the personal data will be
processed solely for archiving purposes in the public interest,
scientific or historical research purposes, or statistical purposes in
accordance with the GDPR, and as long as there are appropriate
technical and organisational measures to safeguard the rights and
freedoms of the individual.
• Controllers should therefore, in general, delete personal data as soon as it ceases
to be necessary for the purposes for which it was originally collected. To this end,
the GDPR recommends that time limits should be established by the controller for
erasure or for a periodic review. In line with the principle of transparency,
controllers should also ensure that individuals are aware of retention periods or
the criteria used to calculate them. Controllers storing personal data offline or in
manual form in a filing system, even where digital versions or copies have been
deleted, must still have justifications for retaining this personal data in offline form
and respond to data subject requests.
• Depending on the circumstances, it may also be appropriate for controllers to
anonymise data once it is no longer necessary that the individual be identified or
identifiable. Data are truly anonymous, and therefore no longer ‘personal’ data,
only if the individual is no longer identifiable; however, if data could still be
attributed to an individual by the use of additional information it would be only
‘pseudonymised’ and thus still considered personal data. If the process applied to
supposedly anonymise personal data is not permanent and can be reversed, then
the data has not been anonymised.
 6. Integrity and confidentiality
• Personal data must be processed by controllers only in a manner that
ensures the appropriate level of security and confidentiality for the
personal data, including protection against unauthorized or unlawful
processing and against accidental loss, destruction, or damage. To achieve
this end, controllers must utilize appropriate technical or organizational
measures.
• In other words, controllers must ensure that their security measures
adequately protect against accidental or deliberate harm, loss, or
dissemination of the personal data they process. These security measures
should cover not only cybersecurity but also physical and organisational
security measures. Organisations must also routinely check that their
security measures are up-to-date and effective.
 7. Accountability
• The principle of accountability is a new principle of data protection
law, which specifically sets out that controllers are responsible for,
and must be able to demonstrate compliance with, the other
principles of data protection. This means that controllers need to
ensure they comply with the principles, but also have appropriate
processes and records in place to demonstrate compliance.
• Compliance with the other principles of data protection will itself
assist in accountability, such as by taking a data protection by design
and by default approach, implementing appropriate technical and
organizational measures, having concise accessible transparency
information, and having clear data retention policies. Other measures
to demonstrate compliance with the principles of data protection
include adopting internal policies, following codes of conduct or
certification schemes, recording and, where necessary, reporting
personal data breaches, and implementing appropriate privacy
policies and notices.
Freedom of Information Act 2000
• The main features of the Act are:
• A general right of access to recorded information held by public
authorities, regardless of the age of the record/document
• A duty on every public authority to adopt and maintain a scheme,
which relates to the publication of information by the authority and is
approved by the Information Commissioner.
• General right of access
• The Act confers two rights on the general public:
• the right to be informed whether a public body holds certain
information
• the right to have that information communicated to it
• However, the Act recognises that there can be valid grounds for
withholding information and provides a number of exemptions from
the right to know, some of which are absolute exemptions and some
of which are subject to a public interest test.
• As regards exemptions subject to the public interest test,
organisations must weigh up whether the public interest in
maintaining the exemption in question outweighs the public interest
in disclosure.
• The request for information must:
• be in writing
• state the name of the applicant and an address for correspondence
• describe the information requested
• The applicant can request that information be communicated by:
• a copy in permanent form (or other form acceptable to them, for example
on CD-ROM or audio tape)
• examination of records
• a summary or digest of the information held
• Organisations may charge a fee for reasonably incurred costs to:
• inform the applicant whether it holds the information
• communicate the information to the applicant
• However, they are not obliged to charge a fee, and the Ministry of Justice suggests
that where the costs incurred are minimal, the fee should be waived.
• If a fee is required, this should be notified to the applicant and paid within three
months of receipt of the notice, otherwise the public authority need not comply
with the request.
• A fee may be charged to cover:
• the cost of putting the information into the applicant’s requested format, for
example CD, or audio tape
• photocopying and printing costs (set at no more than 10 pence per page)
• postage or other transmission costs
• In calculating the cost of the above, organisations are not permitted to take
account of employee time required to carry out the work.
• Additionally, organisations may not charge for putting the information into
another format if they are already under a duty to make information accessible
under other legislation, for example the Disability Discrimination Act 1995.
Computer Misuse Act 1990
• The offences are:
• unauthorized access to computer material
• unauthorized access with intent to commit or facilitate commission of
further offences
• unauthorized acts with intent to impair, or with recklessness as to
impairing, operation of computer, etcetera
• The Act also makes it an offence to make, adapt, supply or obtain
articles for use in unlawfully gaining access to computer material or
impairing the operation of a computer.
• Access is defined in the Act as:
• altering or erasing the computer programme or data
• copying or moving the programme or data
• using the programme or data
• outputting the programme or data from the computer in which it is
held (whether by having it displayed or in any other manner)
• Unlawful access is committed if the individual intentionally gains
access; knowing he is not entitled to do so; and aware he does not
have consent to gain access.