The Data Protection Act of 1998
1. Personal data must be fairly and lawfully protected.
This means that personal data must not be collected by misleading the person into providing it and that the personal data collected can only be used lawfully.
2. Personal data must be protected for limited purposes.
This means that personal data must only be used for the purpose for which it was obtained.
For instance, a person's email address collected so that a business can reply to enquiries must not be used, without the person's permission, for any other purpose, such as email marketing.
3. Personal data must be adequate, relevant and not excessive.
This means that personal data that is stored should be just enough for the task to be carried out, should be relevant only to that task, and should not include other data.
For example, a bank would need to hold a customer's name and address, but not any details of their qualifications.
4. Personal data must be accurate and up to date.
This means the person storing the data has a duty to ensure that any data they hold is accurate and free from errors. This is the principle that most people worry about, because inaccurate data stored, for example by their bank, can cause many difficulties. Most people who ask to see the data held about them are concerned that a business holds data that is not accurate and want to get it corrected.
5. Personal data must not be kept for longer than is necessary.
Data should be destroyed or deleted when it is no longer needed. This should be carried out to ensure that others cannot read or access it.
6. Personal data must be processed in line with the individual's rights.
This principle ensures that the person's data is protected so that their rights are respected.
7. Personal data must be kept secure.
Any stored data must be kept secure. The DPA requires businesses that hold data to take precautions against its loss, unauthorised access and damage. The Act does not define the measures that must be taken, but this principle means a business must take proper security measures to protect the data.
For example, a business could set passwords, levels of access and use physical methods of protecting the data.
8. Personal data must not be transferred to other countries outside the European Economic Area that do not have adequate data protection.
Other countries around the world may not have the same level of data protection as the UK, so the Act states that personal data must not be sent to countries with lower levels of data protection than those in the UK.