Data Protection Principles

What are the principles?

Data Protection law sets out seven key principles governing the processing of personal data.  These are:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

Why are they important?

The principles inform all provisions of Data Protection law and are a fundamental part of data protection compliance.  It is important when undertaking any data processing activity at the University to comply with the data protection principles.

There are no hard and fast rules when it comes to complying with the principles, especially as processing activities may differ project to project, but there are some commonly accepted practices that the University can take to ensure compliance.

Example: to comply with the integrity and confidentiality principle, appropriate technical and organisational measures must be in place to protect personal data.  This could include password protection, encryption, pseudonymisation, electronic and physical access controls, backup and recovery mechanisms, or regular monitoring and auditing of systems and information to identify and address any issues.

The principles

Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in any manner incompatible with those purposes. Further processing for archiving, scientific or historical research or statistical purposes is permissible (‘purpose limitation’);

(c) adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed (‘data minimisation’);

(d) accurate and where necessary kept up to date (‘accuracy’);

(e) not kept for longer than is necessary for that purpose (‘storage limitation’);

(f) processed in a manner that ensures appropriate security including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

In addition, the accountability principle as set out in Article 5(2) requires that:

“the controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability').”