Data Protection Basics: The 7 data protection principles
Understanding the key principles of data protection
Let’s get back to basics. There are seven core principles which form the foundation of data protection law. Understanding and applying these principles is the cornerstone for good practice and key to complying with UK / EU GDPR.
Here’s our quick guide to the data protection principles.
1. Lawfulness, fairness and transparency
This principle covers 3 key areas.
a) Lawfulness – We must identify an appropriate ‘lawful basis’ for collecting and using personal data. In fact, we need to decide on a lawful basis for each task we use personal data for, and make sure we fulfil the specific conditions for that lawful basis. There are 6 lawful bases to choose from.
We need to take special care and look to meet additional requirements when using what’s termed ‘special category’ data or data which relates to minors or vulnerable people.
We should also be sure not do anything which is likely to contravene any other laws.
b) Fairness – We must only use people’s data only in ways that are fair. Don’t process data in a way which might be unexpected, discriminatory or misleading. This means evaluating any adverse affects on individuals.
c) Transparency – We must be clear, open and honest with people about how we use their personal information. Tell people what we’re going to do with their personal information. Routinely this is achieved by providing relevant privacy information at the point data is collected, and by publishing a complete and up to date privacy notice and making this easy to find. Transparency requirements apply right from the start, when we collect or receive people’s data.
2. Purpose limitation
This is all about only using personal details in the ways we told people they’d be used for. We must be clear about what our purposes for processing are and specify them in the privacy information we provide to individuals.
Sometimes we might want to use personal data for a new purpose. We may have a clear legal obligation to do it, but if not we should check the new purpose is compatible with the original purpose(s) we had for that data. If not, then we may need to secure the individual’s consent before going ahead.
Remember, if we surprise people, they ‘ll be more likely to complain.
3. Data minimisation
We must make sure the personal data we collect and use is:
- Adequate – necessary for our stated purposes. Only collect the data we really need. Don’t collect and keep certain personal information ‘just in case’ it might be useful in future.
- Relevant – relevant to that purpose; and
- Limited to what is necessary – don’t use more data than we need for each specific purpose.
We should take ‘all reasonable steps’ to make sure the personal data we gather and hold is accurate, up-to-date and not misleading.
It’s good practice to use data validation tools when data is captured or re-used. For example, validate email addresses are in the right format, or verify postal addresses when these are captured online.
If we identify any of the personal information we hold is incorrect or misleading, we should take steps to correct or delete it promptly.
Data accuracy can decline over time. For example, people change their email address, move house, get married or divorced, their needs and interests change. And of course some people on your database may pass away. So we need to consider ways to keep our data updated and cleansed.
Perhaps find ways to give people the opportunity to check and update their personal details?
5. Storage limitation
Don’t be a hoarder! We must not keep personal data longer than necessary for the purposes we have specified.
Certain records need to be kept for a statutory length of time, such as employment data. But not all data processing has a statutory period. Where the retention period is not set by law, the organisation must set an appropriate data retention period for each purpose, which it can justify.
The ICO would expect us to have a data retention policy in place, with a schedule which states the standard retention period for each processing task. This is key step to making sure you can comply with this principle.
When the data is no longer necessary, we must destroy or anonymise it, unless there’s a compelling reason for us to keep it for longer. For example, when legal hold applies. For more information see our Data Retention Guidance.
This is the ‘integrity and confidentiality’ principle of the GDPR – often known as the security principle. This requires organisations to make sure we have appropriate security measures in place to protect the personal data we hold.
UK / EU GDPR talks about ‘appropriate technical and organisational measures’ (known as TOMs). These includes things like physical and technical security measures, conducting information security risk analyses, having information security policies & standards in place to guide our staff.
Our approach to security should be proportionate to the risks involves. The ICO advises us to consider available technology and the costs of implementation when deciding what measures to take.
Some of the basics include transferring data securely, storing it securely, restricting access to only those who need it and authenticating approved data users.
Cyber Essentials or Cyber Plus can be helpful as an assurance framework to carry out a review of your data security arrangements.
Controllers should consider information security standards when appointing and managing relationships with processors, i.e. service providers handling personal data on your behalf to provide their services. Are your processors securely handling their processing of the data you control? Carry out appropriate due diligence to make sure.
The accountability principle makes organisations responsible for complying with the UK / EU GDPR and says they must be able to evidence how they comply with the above principles.
This requires data governance across the organisation. Think of accountability as a collective responsibility, flowing from the Executive team and down through to the teams that process personal data.
To demonstrate how we comply, we need to have records in place. For many organisations this will include a Record of Processing Activities (RoPA).
The ICO provides a useful ‘Accountability Framework’ we can use to benchmark performance against their expectations.
In summary, identify the lawful bases you’re relying on and be fair and be open about what you do. Minimise the data you collect and make sure it remains accurate over time. Always keep it secure and don’t keep it for longer than you need it. Take care if you want to use personal data for a new purpose. Keep records and be ready to justify your approach. The ICO has published more detailed guidance on the seven principles.