Eight principles of Data Protection

Please tell us what you think about our website, we welcome your feedback.

Customer notice

Due to essential maintenance some of our web services will be unavailable between these times 7pm Friday 25 May and 5pm Sunday 27 May 2012.

Personal data must be:

1. fairly and lawfully processed
2. processed for limited purposes
3. adequate, relevant and not excessive
4. accurate
5. not kept for longer than is necessary
6. processed in line with the data subject’s (individual) rights
7. secure
8. not transferred to countries outside of the EU without adequate protection

Principle 1 - Data must be processed fairly and lawfully

• Fair - you must be informed about the reasons why your information is used
• Lawfully - use of your data must not break a law or be used outside our powers e.g. we can only use council tax data for the collection and administration of council tax.

There are certain conditions that need to be met for us to use personal data.

For normal personal data one condition in schedule 2 (see below) of the act needs to be met:

• You have given your consent. (This does not have to be in writing)
• Contracts - the use is necessary:
  • a) to carry  out a contract to which you have signed up
  • b) at your request with a view to entering into a contract
• Legal obligation - the use is necessary to comply with any legal obligation to which we are subject, other than an obligation imposed by contract.
• Vital interests -the use is necessary to protect your vital interests.
• Public functions/legal requirement - the use is necessary
  • a) for the administration of justice
  • b) to carry out functions conferred on any person by or under any enactment
  • c) to carry out any functions of the Crown, a Minister of the Crown or a government department, or
  • d) to carry out any other functions of a public nature carried out in the public interest by any person
• Legitimate interests - the use is necessary for legitimate interests pursued by us or by a third party or parties to whom the data is disclosed, except where the use is unwarranted because of prejudice to your rights and freedoms or legitimate interests. (The Secretary of State may by order specify particular circumstances in which this condition is, or is not, to be taken as being satisfied.)

Many of the services we undertake are required by law therefore it is not always necessary for us to get your consent for the use of your personal data. However, you should always be informed about the reasons your information is being collected and used. If you are not told please do not hesitate to ask. If you have any problems please contact one of the data protection officers.

Some types of information have even more protection, our Terms page lists the information described as sensitive personal information. In order for us to use your sensitive personal data, one condition in schedule 3 of the act (see below) needs to be met as well as one of the above conditions:

Explicit consent - you have given written consent.

Employment law obligations - the use is necessary to perform any right or obligation conferred or imposed by law on us in connection with employment.

• Your vital interests
• a) to protect your vital interests or those of another person, where
  • (i) consent cannot be given by you or on your behalf, or,
  • (ii) we cannot reasonably be expected to obtain your consent
• b) in order to protect the vital interests of another person, where consent by or on behalf of you has been unreasonably withheld.
  
• Not-for-profit organisations existing for political, philosophical, religious or trade union purposes - the use:
• a) is carried out in the course of its legitimate activities by any organisation which
  • (i) is not established or conducted for profit, and
  • (ii) exists for political, philosophical, religious or trade union purposes
• b) is carried out with appropriate safeguards for the rights and freedoms of individuals,
• c) relates only to individuals who either are members of the organisation or have regular contact with it in connection with its purposes, and
• d) does not involve disclosure of the personal data to a third party without the consent of the individual.
  
• Information made public by you - the information contained in the personal data has been made public as a result of steps deliberately taken by you.
  
• Legal rights - the use:
• a) is necessary for any legal proceedings (including prospective legal proceedings),
• b) is necessary to obtain legal advice, or
• c) is necessary for establishing, exercising or defending legal rights.
  
• Public functions/ legal requirement - the use is necessary:
• a) for the administration of justice,
• b) for the exercise of any functions conferred on any person by or under an enactment, or
• c) for the exercise of any functions of the Crown, a Minister of the Crown, or a government department.
  
• Medical purposes - the use is necessary for medical purposes and is undertaken by:
• a) a health professional,
• b) a person who owes a duty of confidentiality equivalent to that of a health professional
  “Medical purposes” includes preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.
  
• Records on racial equality - the use:
• a) is of sensitive personal data consisting of information about racial or ethnic origin,
• b) is necessary for the purpose of racial and ethnic equality, with a view to enabling such equality to be promoted or maintained.
• c) is carried out with the appropriate safeguards for the rights and freedoms of individuals.
  
• Unlawful activity detection - the use must be:
• a) in the substantial public interest
• b) necessary for the prevention or detection of any unlawful act or failure to act and
• c) necessarily carried out without your explicit consent being sought so as not to prejudice those purposes.
  
• Protection of the public - the use:
• (a) is in the substantial public interest;
• (b) is necessary for the discharge of any function which is designed for protecting members of the public against-
  • (i) dishonesty, malpractice, or other seriously improper conduct by, or the unfitness or incompetence of, any person, or
  • (ii) mismanagement in the administration of, or failures in services provided by, any body or association; and
• (c) necessarily carried out without your explicit consent being sought so as not to prejudice the discharge of that function.
  
• Public interest disclosure - the disclosure of personal data:
• a) is in the substantial public interest;
• (b) is in connection with -
  • (i) the commission by any person of any unlawful act (whether alleged or established),
  • (ii) dishonesty, malpractice, or other seriously improper conduct by, or the unfitness or incompetence of, any person (whether alleged or established), or
  • (iii) mismanagement in the administration of, or failures in services provided by, any body or association (whether alleged or established);
• (c) is for the special purposes as defined in section 3 of the Act; and
• (d) is made with a view to the publication of those data by any person and we reasonably believe that such publication would be in the public interest.
  
• Confidential counselling - the use must be in the substantial public interest and
• (a) is necessary for the discharge of any function which is designed for the provision of confidential counselling, advice, support or any other service; and
• (b) is carried out without your explicit consent because the use -
  • (i) is necessary in a case where you cannot give consent
  • (ii) is necessary in a case where we cannot reasonably be expected to obtain your explicit consent, or
  • (iii) must necessarily be carried out without your explicit consent being sought so as not to prejudice the provision of that counselling, advice, support or other service
    
• Insurance and pensions - the use:
• (a) is necessary for the purpose of -
  • (i) carrying on insurance business, or
  • (ii) making determinations in connection with eligibility for, and benefits payable under, an occupational pension scheme
• (b) is of sensitive personal data consisting of information falling within section 2(e) of the Act relating to an individual who is the parent, grandparent, great grandparent or sibling of -
  • (i) in the case of paragraph (a)(i), the insured person, or
  • (ii) in the case of paragraph (a)(ii), the member of the scheme;
• (c) is necessary in a case where we cannot reasonably be expected to obtain the explicit consent of that individual and we are not aware of the individual withholding their consent; and
• (d) does not support measures or decisions with respect to that individual.
  
• Insurance and pensions - old processing - the use must be
• (a) of sensitive personal data in relation to any particular individual that is subject to use which was already under way immediately before the coming into force of this Order;
• (b) necessary for the purpose of -
  • (i) carrying on insurance business, as defined in section 95 of the Insurance Companies Act 1982, falling within Classes I, III or IV of Schedule 1 to that Act; or
  • (ii) establishing or administering an occupational pension scheme as defined in section 1 of the Pension Schemes Act 1993; and
• (c) either -
  • (i) is necessary in a case where we cannot reasonably be expected to obtain the explicit consent of the individual and that individual has not informed us that they do not consent, or
  • (ii) must necessarily be carried out even without the explicit consent of the individual so as not to prejudice those purposes.
    
• Religion and health - equality or opportunity - the use of sensitive personal data consisting of information as to your religious beliefs or physical or mental health is permissible so long as it is:
• (a) necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons -
  • (i) holding different beliefs as described in section 2(c) of the Act, or
  • (ii) of different states of physical or mental health or different physical or mental conditions as described in section 2(e) of the Act, with a view to enabling such equality to be promoted or maintained;
• (c) does not support measures or decisions with respect to any particular individual otherwise than with the explicit consent of that individual; and
• (d) does not cause, nor is likely to cause, substantial damage or substantial distress to you or any other person.
  
• Political opinions - use of information consisting of the political opinions of the subject is permissible if:
• (a) is carried out by any person or organisation included in the register maintained pursuant to section 1 of the Registration of Political Parties Act 1998[4] in the course of their or its legitimate political activities; and
• (b) of a type which does not cause, nor is likely to cause, substantial damage or substantial distress to the individual or any other person.
  
• Research - the use;
• (a) is in the substantial public interest;
• (b) is necessary for research purposes (which expression shall have the same meaning as in section 33 of the Act);
• (c) does not support measures or decisions with respect to any particular individual otherwise than with their explicit consent; and
• (d) does not cause, nor is likely to cause, substantial damage or substantial distress to the individual or any other person.
  
• Police processing - the use is necessary for the exercise of any functions conferred on a constable by any rule of law.
  
• Elected members - the use;
• (a) is carried out by an elected representative or a person acting with his authority;
• (b) is in connection with the discharge of his functions as such a representative;
• (c) is carried out pursuant to a request made by you to the elected representative to take action on your behalf or on behalf of any other individual; and
• (d) is necessary for the purposes of, or in connection with, the action reasonably taken by the elected representative pursuant to that request.
• (e) is carried out without your explicit consent because the processing -
  • (i) is necessary in a case where your explicit consent cannot be given,
  • (ii) is necessary in a case where the elected representative cannot reasonably be expected to obtain your explicit consent,
  • (iii) must necessarily be carried out without your explicit consent being sought so as not to prejudice the action taken by the elected representative, or
  • (iv) is necessary in the interests of another individual in a case where your explicit consent has been unreasonably withheld.

Principle 2 - Obtained for specific purpose(s)

• Information must not be used in any way incompatible with the purposes it was originally collected for, e.g. information collected for rights of way issues cannot be used for assessing social care needs without gaining your consent.

Principle 3 - Data must be adequate, relevant and not excessive

• We must collect enough information to do the task or provide the service but must ensure that what we collect is needed and that we are not collecting information just in case we might need it in future.

Principle 4 - Information is accurate and up to date

• We must take care of the information we hold and make sure that it is kept accurate.
• We may contact you to make sure your information is correct and that your wishes haven’t changed, last year you may have opted to be included in a database but this year you may not wish to be
• If we hold information on you that is incorrect please contact the team(s) you work with and let them know. On some occasions we may not be able to change the information held but will usually place your comments alongside the original. This is often the case when an opinion of a professional has been recorded that you do not agree with.

Principle 5 - Information is not kept for longer than is necessary

• The length of time that information should be kept is not set out under the Data Protection Act. Legislation and regulations relating to each area of work will provide the majority of minimum periods that information must be kept for.
• When there is no such guidance, the length of time to keep information is set out by us. We look at common practice, other retention periods and appeal and complaints time limits to help us do this.

Principle 6 - Used in line with your rights

You have the right:

• to request information
• to prevent processing that would cause damage and distress
• to prevent automated decision taking
• to prevent processing for direct marketing
• to compensation
• to request an assessment

Please see our page on 'your rights' for further information.

Principle 7 - Security

We have to make sure that there are sufficient organisational and technical measures to protect your personal data. These must prevent:

• Unauthorised and unlawful use
• Accidental loss
• Accidental destruction
• Accidental damage

Principle 8 - Not transferred to countries without adequate data protection

We must not transfer personal information to countries outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects.

By placing data on the Internet it is being transferred to every country in the world. Your personal information will not be placed on the Internet by us without your written consent.

There are circumstances when we are able to transfer your information to such countries, some of which are:

• You have given your consent to the transfer
• Reasons which apply with regard to contracts, public interest and legal proceedings

Last updated: 4 February 2011