The eight principles

The Data Protection Act 1998 sets out eight rules that data controllers must follow for protecting personal information - these are known as the eight principles.

Personal data must be:

1.processed fairly and lawfully

2.processed only for one or more specified and lawful purpose

3.adequate, relevant and not excessive for those purposes

4.accurate and kept up to date - data subjects have the right to have inaccurate personal data corrected or destroyed if the personal information is inaccurate to any matter of fact

5.kept for no longer than is necessary for the purposes it is being processed

6.processed in line with the rights of individuals - this includes the right to be informed of all the information held about them, to prevent processing of their personal information for marketing purposes, and to compensation if they can prove they have been damaged by a data controller's non-compliance with the Act

7.secured against accidental loss, destruction or damage and against unauthorised or unlawful processing - this applies to you even if your business uses a third party to process personal information on your behalf

8.not transferred to countries outside the European Economic Area - the EU plus Norway, Iceland and Liechtenstein - that do not have adequate protection for individual's personal information, unless a condition from Schedule four of the Act can be met

If a data controller's processing of personal information does not comply with the principles, the Information Commissioner can take enforcement action against that data controller.