S.1 of the Data Protection Act 1998 defines data as information which
- is being processed by means of equipment operating automatically in response to instructions,
- is recorded with the intention that it should be processed,
- is recorded as part of a relevant filing system (structured data referring individuals).
Persons handling personal information must comply with s4(4) of the Data Protection Act 1998 which sets out the data protection principles.
S.4(1) states – ‘references in this Act to the data protection principles are to the principles set out in Part I of Schedule 1’.
Part I of Schedule 1 states
The eight principles of good practice:
- Personal data shall be processed fairly should not be unlawfully processed.
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data shall not be kept for longer than is necessary.
- Personal data shall be processed in accordance with individual rights under this Act.
- Appropriate measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection.
The six conditions for fair processing and the obligation to register.
These six conditions are listed in schedule 2 of the Data Protection Act 1998. At least one of these conditions must be met for personal information to be considered to have been processed fairly.
- The individual has given his consent to the processing.
- The processing is necessary for the performance of a contract or for the taking of steps at the request of the data subject with a view to entering into a contract.
- The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.
- The processing is necessary in order to protect the vital interests of the data subject.
- The processing is necessary for the administration of justice, for the exercise of any functions of either of the Houses of Parliament or the Crown, a Minister of the Crown or a government department or the exercise of any other functions of a public nature exercised in the public interest by any person.
- The processing is necessary to pursue the legitimate interests of the data controller or third parties unless it prejudices the interests of the individual.
In Johnson V Medical Defence Union 2007 it was suggested that the 1998 act is aimed at highly automated processing and retrieval schemes.