Data Protection Principles

Eight data protection principles enshrined in the Data Protection Act 1998 make sure that personal information is handled properly.

By law data controllers have to comply with these principles. They state that:

  1. Personal data must be processed fairly and lawfully and, in particular, shall not be processed unless at least one of the relevant conditions of processing is met for normal personal data or specified conditions for sensitive personal data.
  2. Personal data must be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. During the annual Data Protection Notification process, the University must inform the Information Commissioner of the purposes for which we use our personal data. Once we have specified the intended uses for particular data, we must not then use this data for anything else.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. The University must collect only the information necessary to properly fulfil its purpose.
  4. Personal data must be accurate and up to date.
    This is the responsibility of both the University and the data subject.
  5. Personal data must not be kept for longer than is necessary.
    When the data is no longer needed for its purposes, it must be disposed of securely. To learn more about secure disposal and other aspects of Records Management, please see our Records Management section.
  6. Personal data shall be processed in accordance with the rights of the data subjects under this Act. See our Data Protection Rights section on our website for more information.
  7. Personal data must be secure.
    Security of personal data held by the University is crucial. Appropriate measures should be taken by the University to keep the information secure to prevent unlawful and/or unauthorised processing. It should also take adequate steps to ensure that the data is protected against accidental loss and destruction or damage.
  8. Personal data must not be transferred to countries without adequate protection.
    Personal data must not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. The European Economic Area comprises the 25 states in the EU plus Iceland, Liechtenstein and Norway.