Summary of Data Protection
The Eight Principles
There are eight data protection principles in the Data Protection Act which we are required to comply with. They are sometimes referred to as the “principles of good information handling”. The principles apply to all personal data processed by us.
Personal data covers both facts and opinions about an individual. It also includes information regarding our intentions towards an individual, although in some limited circumstances exemptions will apply. The Data Protection Act controls all processing, which means anything we do with personal information, including but not limited to collecting, storing, sharing and destroying it.

The information below on the principles is only a brief summary. If you are not sure whether processing would be allowed under the Act, you can ask ISIS for advice.
First principle: data shall be fairly and lawfully processed
Data is only fairly and lawfully processed if we process it with the consent of the data subject or if the processing is necessary. It could be considered necessary to protect the life of the subject or because we are obliged to undertake the processing in order to meet our statutory or legal obligations. Processing is also considered necessary if it is for the prevention or detection of crime. If the data is sensitive within the definitions of the Act, consent must be explicit consent.
For processing to be considered to be fair, the data subjects should be provided with the identity of the data controller (Essex County Council), the purpose(s) for which the data is being processed and any further relevant information, such as our intention to share it with another organisation or how long it will be retained.

Second principle : data shall be processed for limited purposes;
If we collect information for a specific purpose, our use of that information must be limited to that purpose or one very closely linked to the original purpose. An example of this is if we collect information in order to pay school uniform grants in September 2000, we would not be allowed to use that information as a mailing list for a library service. However, we would be allowed to use it to ask whether the applicants would like to apply for the same grant the following year.
Third principle : data shall be adequate, relevant and not excessive;
We must identify the minimum amount of information that is required in order properly to fulfil our purpose. If it is necessary to hold additional information about certain individuals, such information should only be collected and recorded in those cases. It is not acceptable to hold information on the basis that it might possibly be useful in the future without a view of how it will be used.
Changes in circumstances or failure to keep the information up to date may mean that information that was originally adequate becomes inadequate. If information is kept for longer than necessary then it may be both irrelevant and excessive.

Fourth principle : data shall be accurate
Information is inaccurate if it is incorrect or misleading. We do not contravene this principle if we hold inaccurate information that has been provided to us by the data subject or third party if we have taken reasonable steps to ensure the accuracy of the data.

Fifth principle : data shall not be kept longer than necessary
We should review personal data regularly and delete information which is no longer required, although we must take account of statutory and recommended minimum retention periods. Subject to certain conditions, the Act allows us to keep indefinitely personal data processed only for historical, statistical or research purposes. ECC has a retention and destruction schedule that gives guidance in this area.

Sixth principle : data shall be processed in accordance with the data subject's rights
The data subject has certain rights which must be respected, although there are specified limited