Responsibilities of data controllers

All data controllers must comply with the eight data protection principles set out in the Data Protection Act 1998 (DPA).

When you read about these, you may find them called "The Data Protection Principles".

Remember: a data controller is the person or organisation that decides why and how personal data is processed. Under the DPA the controller must notify the Information Commissioner of that processing, and the details are recorded in a public register entry.

The eight principles of data protection

For the personal data that controllers store and process:

  1. It must be collected and used fairly and lawfully.
  2. It must only be obtained and held for the specified purposes notified to the Information Commissioner.
  3. It may only be used for those registered purposes and only be disclosed to the recipients mentioned in the register entry. You cannot give it away or sell it unless you said you would when you registered.
  4. The information held must be adequate, relevant and not excessive when compared with the purpose stated in the register. So you must hold enough detail to do the job you registered for, but no more.
  5. It must be accurate and, where necessary, kept up to date. There is a duty to correct it, for example to change an address when people move.
  6. It must not be kept longer than is necessary for the registered purpose. It is acceptable to keep information for a defined retention period, but not indefinitely. Once the purpose no longer requires it (for example, records of customers you no longer deal with), it should be deleted rather than kept "just in case".
  7. The information must be kept safe and secure. Appropriate technical and organisational measures must be taken against unauthorised or unlawful processing and against accidental loss, destruction or damage. In practice this means access controls so that only authorised staff can read the data, and backups so that it is not lost. It would be wrong to leave personal data where anyone could view it.
  8. The data may not be transferred outside the European Economic Area (the EU plus Iceland, Liechtenstein and Norway) unless the country it is being sent to ensures an adequate level of protection for personal data. This part of the DPA has led some countries to pass similar laws so that data centres serving European customers can be located there.