Some of these cookies are necessary to make the site work. We’d also like to use optional cookies to help improve your experience on the site. You can manage your optional cookie preferences below. Using this tool will set a cookie on your device to remember your preferences. Your preferences can be changed at any time.
For further details, see our Cookie Policy and our Privacy Policy
Essential cookies enable core functionality such as page navigation and access to secure areas. The website cannot function properly without these cookies; they can only be disabled by changing your browser preferences. Third party functions such as Google Search and Analytics will not be enabled.
Performance settings enable you to use the Google Search engine on our website and help us to improve our website by collecting and reporting information on its usage (for example, which of our pages are most frequently visited).
These principles are contained in the 1998 Act and apply to the processing of all personal data.
1. Personal data shall be processed fairly & lawfully and, in particular, shall not be processed unless:
a) at least one of the conditions in Schedule 2 is met;
b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purposes or purposes for which they are processed.
4. Personal data shall be accurate and where necessary kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept longer than is necessary for that purpose or purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
When processing any personal data you must ensure that at least one of the following criteria applies (Schedule 2):
The individual has given consent;
The processing needs to be done for the individual to enter into a contract, or to have a contract set up, or is necessary to comply with any legal obligation other than that imposed by contract;
The processing is necessary in order to protect the vital interests of the data subject;
Processing is necessary for the administration of justice, exercise of functions conferred under an Act of Parliament, exercise of functions of the Crown, or the exercise of other functions of a public nature in the public interest.
Processing is necessary for the legitimate interests of the data controller, except where this may prejudice the rights and freedoms and legitimate interests of the data subject - this purpose may be regulated by specific orders of the Secretary of State.
In addition, certain types of data are considered to be "sensitive", and to process them one or more of these criteria must also be met (Schedule 3):
the data subject has given explicit consent
processing is necessary to comply with the law in connection with employment
processing is necessary to protect the vital interests of the data subject or another person where consent cannot be given by the data subject
processing is carried out for legitimate activities by any body which is not conducted for profit or exists for political, religious or trade union purposes, and carries out appropriate safeguards, relates only to members or regular contacts, and does not involve disclosure without the consent of the data subject
the information has been made public as a result of steps deliberately taken by the data subject
processing is necessary in connection with legal proceedings, obtaining legal advice or defending legal rights
processing is necessary for the administration of justice, exercise of functions conferred by an enactment, exercise of any functions of the Crown
processing is necessary for medical purposes and is undertaken by a health professional, or one with an equivalent duty of confidentiality
processing information as to racial or ethnic origin is necessary for equal opportunity purposes, subject to appropriate safeguards for the rights and freedoms of the data subject
any other purpose specified in an order made by the Secretary of State .
Sensitive Personal Data is defined as one or more of the following pieces of data about the data subject:
Racial or ethnic origin;
Political opinions;
Religious beliefs or beliefs of a similar nature;
Membership of a Trade Union
Physical or mental health or condition;
Sexual life;
Commission or alleged commission of any offence. Proceedings, disposal or court sentence.
Back to Top
How to get here
