Search site

Data Protection

The Data Protection Act 1998 provides the overall framework within which users of personal data can operate. It requires that anybody who processes personal information (i.e. obtains, holds, amends, discloses or destroys data) must keep to eight data protection principles.

These principles are that personal data will be:

  • Be obtained and processed fairly and lawfully
  • Be obtained for a specified and lawful purpose
  • Be adequate, relevant and not excessive for these purposes
  • Be accurate and kept up-to-date
  • Not kept for longer than is necessary
  • Be processed in accordance with the data subject's rights
  • Be kept safe from unauthorised access, accidental loss or destruction
  • Not be transferred to a country outside the EEA (the EU plus Norway, Iceland and Liechtenstein), unless that country has adequate levels of protection for personal data.  

More information is available on the website of the UK Information Commssioner.

The Act also gives individuals the right to access personal information held about them.  This is called a subject access request.