Data Protection Principles
First Data Protection Principle - Fair and lawful processing
At a glance
- You must identify valid grounds under the DPA (known as a ‘legal basis’) for handling personal data.
- You must ensure that you do not do anything with the data in breach of any other acts.
- You must handle personal data in a way that is fair. This means you must not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned.
- You must be clear, open and honest with people from the start about why and how you handle their personal data.
Checklist
- Fairness
- Lawfulness
- Transparency
In brief
Fair processing and the right to be informed
Processing must always be fair. In general, this means that you should always handle personal data in ways that people would reasonably expect. You should also not handle personal data in any way that would have an unjustifiable adverse effect on them.
Whether processing is fair will depend on the method by which the personal data was obtained, and especially whether the individual was deceived or misled in regard to the purposes for which the data is being processed.
Individuals should be able to make an informed decision. Fairness depends on whether you have made the data subject aware of:
- The identity of the data controller; and
- The purpose of the data processing.
This information must be communicated to the individual as soon as reasonably practicable. Usually this is done in the form of a privacy notice.
When telling individuals about your processing, always use clear and plain language.
Even if you do not obtain the data directly from the individual, this should not amount to “invisible processing”, and they should be made aware, as would be reasonable under the specific circumstances. In some cases, it will be expected that the individual is directly informed about the processing; in others, a notice on your website may be sufficient.
Fairness will also depend on whether the individual has deliberately made the personal data public, and for which purpose. Simply because personal data has been made public does not mean that any processing of that personal data would be fair. The combination and use of personal data from different sources may produce unexpected effects for the data subject that may be deemed unfair.
Processing is generally considered fair if it is required to be supplied under an enactment, or where a convention or other international instrument imposes a processing obligation.
Legal Processing
Some rights identified in the DPA will not apply depending on the legal basis for processing. You need to identify specific legal grounds for processing personal data. Processing is only legal if you meet one of the conditions for processing listed in Schedule 2 of the DPA (and additionally, one of the conditions in Schedule 3 of the DPA if it is sensitive personal data). If you do not meet these conditions, no lawful basis applies to your processing and your processing will be unlawful and in breach of the first principle of fair and lawful processing.
See more on the legal basis for processing here.
See more on the rights of individuals here.
Relevant provisions
Data Protection Act (2021 Revision)
Schedule 1, part 1, paragraph 1: First data protection principle – Fair and lawful processing
Schedule 1, part 2, paragraphs 1-2: Interpretation of the first data protection principle
Schedule 2: Legal bases (conditions) for processing personal data
Schedule 3: Legal bases (conditions) for processing sensitive personal data