Guide to Data Protection Act for Data Controllers
How to use this guidance
This guidance is addressed to data controllers, i.e. the organisation, business or public authority that controls how the personal data is used. Separate guidance specifically for individuals (data subjects) may be found here.
This guidance aims to explain how the Office of the Ombudsman will likely interpret certain provisions of the DPA, and is not binding.
Typically, each section of the guide includes the following parts:
- At a glance: provides a summary of the contents of the section;
- Checklist: provides a handhold to help you check your high-level compliance with requirements and best practices under the DPA;
- In brief: provides an overview of the individual topics the section addresses;
- Further guidance: refers to guidance from other jurisdictions that may be helpful, although it is important that differences between applicable laws are considered; and
- Relevant provisions: states the relevant sections of the Data Protection Act.
Please contact us at