TopicFullPage Secretariat:
home>Skip Navigation LinksSecretariat > Privacy Notices > Data Protection Principles

The Eight Data Protection Principles

The Data Protection Act (DPA) sets out 8 principles governing the use of personal information with which everyone handling data in the University must comply unless an exemption applies.

These principles are a code of good practice for processing personal data.


1st principle

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the following conditions from Schedule 2 of the DPA is met:

·     The data subject has given his consent to the processing;

·     The processing is necessary for the performance of a contract to which the data subject is a party;

·     The processing is necessary for compliance with any legal obligation to which the University is subject, other than an obligation imposed by contract.

·     The processing is necessary in order to protect the vital interests of the data subject.

·     The processing is necessary for the purposes of legitimate interests pursued by the University, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject

In the case of sensitive personal data, one of the processing conditions from Schedule 3 of the DPA must also be met. Further information on these conditions for processing can be found on the ICO's website here.

2nd principle

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.


3rd principle

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.


4th principle

Personal data shall be accurate and, where necessary, kept up to date.


5th principle

Personal data processed for any purpose shall not be kept for longer than is necessary for that purpose.


6th principle

Personal data shall be processed in accordance with the rights of data subjects under this Act.


7th principle

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.


8th principle

Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

This page was last edited on: 10/5/2011 10:47 AM