Guide to Data Protection Act for Data Controllers
- Change log
- Introduction
- How to use this guidance
- Key definitions
- Who does the DPA apply to?
- What is processing of personal data?
- What is a data controller?
- What is a data processor?
- What information does the DPA apply to?
- Data Protection Principles
- First Data Protection Principle - Fair and lawful processing
- Second Data Protection Principle - Purpose limitation
- Third Data Protection Principle - Data minimization
- Fourth Data Protection Principle – Data accuracy
- Fifth Data Protection Principle - Storage limitation
- Sixth Data Protection Principle – Respect for the individual’s rights
- Seventh Data Protection Principle - Security – integrity and confidentiality
- Eighth Data Protection Principle - International transfers
- Legal basis for processing
- Sensitive personal data
- Individual rights
- Personal data breaches
- Exemptions
- National Security
- Crime, government fees and duties
- Health
- Education
- Social Work
- Monitoring, inspection or regulatory function
- Journalism, literature or art
- Research, history or statistics
- Information available to public by or under enactments
- Disclosures required by law or made in connection with legal proceedings
- Personal, family or household affairs
- Honours
- Corporate finance
- Negotiations
- Legal professional privilege and trusts
- Contracts between data controllers and data processors
- Questions or comments?
What is processing of personal data?
The DPA defines processing very broadly, covering any conceivable use of data. In fact, any activity which affects personal data in any way constitutes processing; mere storage or retention will constitute processing as well.
In relation to personal data, “processing” is:
obtaining, recording or holding data, or carrying out any operation or set of operations on personal data, including -
(a) organising, adapting or altering the personal data;
(b) retrieving, consulting or using the personal data;
(c) disclosing the personal data by transmission, dissemination or otherwise making it available; or
(d) aligning, combining, blocking, erasing or destroying the personal data;
Previous Next