Principles of Data Protection Act: A Detailed Analysis Assignment Sample


Task: Write a detailed description of the data protection act's guiding principles.


This study focuses on the Data Protection Act of 1988 to communicate the key steps taken to preserve sensitive and important data. The provisions of the Data Protection Act of 1988 apply to everyone or any corporate entity handling any kind of information or data pertaining to the general public. The principles of the Data Protection Act have an impact starting with the gathering of the necessary data and ending with the deletion of the gathered data. The scope and gravity of data processing are particularly large in the information technology-related sectors. The rules of this law apply to the acts of such companies, such as data alteration, implications, retrieval, transmission, and deletion.


The United Kingdom's parliament approved the Data Protection Act bill in 1998 in order to address the inconsistencies in the Data Protection Act of 1984. The guiding principles of this statute became effective in 1999. Information about the public is handled in accordance with the requirements of the Data Protection Act (Iversen et al., 2006). Individuals' privacy rights would be violated if the underlying principles were broken. Therefore, the affiliated bodies are required to abide by the relevant legislation. The law guarantees that each individual has ownership and control over their unique personal data (Jay & Hamilton, 1999).

The Principles of Data Preservation Act primarily addresses the protection of privacy rights and promotes openness regarding how a secondary entity handles personal information. The communication media businesses would develop their marketing plans by adhering to the framework outlined in the Principles of Data Protection Act. The domestic level of information management, such as keeping a personal address book, is not covered by the law. However, the provisions of the Data Protection Act must be adhered to if the same data is used for a business or other purpose. Under this statute, the data regulating authority and the related computer bureau are held accountable for any breaches of personal data.


In order to establish greater protection for the public's data, the UK's legislative assembly established its first data protection act in the year 1984. The European Parliament adopted its guiding principles after careful consideration and study. By basing it on the topic of data transfer, the European Parliament gave the legislation a new meaning. The provisions of this act prevented emerging information technology businesses and large corporations from manipulating data. Only one defined purpose may be served by the parties involved in the data transmission, and any violation of this restriction would result in legal repercussions. Before disclosing the pertinent information to a third party, the individual's permission should be obtained. The length of time that businesses might retain specified, private information on the public was set down in the law. The jurisdiction of this law extends implacably to both manual and electronic information transfer (Carey, 2018). The definitions of Personal Data and Processing are set forth in the Principles of Data Protection Act.

The government established a special entity known as the Data Protection Registrar, which served as a regular body to oversee the application of the provisions of the Data Protection Act. The same regulation was later changed to include references to particular European Union Directives 95/46/EC in the Data Protection Act of 1998 (Peto, 2004). The Data Protection Commissioner is now known as the Data Protection Registrar, per the regulations outlined in the amended statute. The amended law put a strong emphasis on educating the populace about practical ways to stop the invasion of private rights. Richard Thomas is the current Data Protection Commissioner, who directly answers to the parliament. The New Principles of Data Protection Act of 1998 introduced the latest norms and best practices in the modern IT business. When requested, the general public may also get the services of a commissioner. The commissioner offers the option of legal service to the data controllers as needed. This report on the principles of the Data Protection Act includes a section below that lists some of the pertinent sets of documents pertaining to this service (Romanosky & Acquisti, 2009).

Code of Practice for Directory Information and Fair Processing in Telecommunications.

Code of Conduct for Users of CCTV

Code of Practices on Employment Practices

Principles of Data Protection Act

• Under no circumstances should a citizen's personal information be sent outside of the European Economic Area. Only when the data is given the necessary level of security and protection may the transfer take place. An individual's right to freedom should never be violated. While processing private information, the correct legal guidelines must be scrupulously observed.

• Data processing should only start if all legal requirements have been met.

• The most up-to-date and appropriate technology should be used to prevent the improper processing of personal information. After the intended usage, the personal data should be erased, and any unintentional loss or theft should be punished legally.

• The collecting body must have a legitimate justification for collecting the personal information, and it must not have any particular authorization to use the information for any other purpose than that for which it was originally collected (Koops, 2014).

The Primary Section of The Principles of Data Protection Act

The fundamental tenet of the data protection act states that the population's personal information should only be handled in accordance with the legal framework. Only the following situations should be regarded as an exception:

• When the data acquired falls under Schedule 3's division of sensitive data.

• If any of the characteristics of the data collected match those of the points listed in Schedule 2.

In the main body of this section, it is stated that the personal data obtained shall only be handled and processed in accordance with the requirements of the relevant law. Fair processing prohibits the government from mishandling the information in any way. When handling personal information about people, there should be no fraud of any kind. The first section of this regulation makes special reference to the gathering and organisation of personal data (Rumbold & Pierscionek, 2017). Before the government authorities, the data collector must defend the legitimate justification for the data collection. The way such data is handled shouldn't have a negative impact on people.

The idea of legitimate processing requires that when relevant personal data is acquired, the owner of the data be informed. The person should be extremely transparent about the purpose behind data collection and the processing procedure. The Fair Processing Notice would include all pertinent details pertaining to this issue. The following portion of this report on the fundamentals of the Data Protection Act contains the majority of the information given in the Fair Processing Notice (Hornung & Schnabel, 2009).

• The agencies that are part of government departments should receive priority when receiving the acquired personal data.

• The specific information about the data controller assigned to handle the gathered personal data.

• The primary purpose for gathering and processing personal information;

• The right procedures used when processing personal information to give the public as much clarity as possible.

The major parameters which satisfy the existence of fair processing.

To guarantee the existence of fair processing, a number of requirements must be followed. The conventions relating to fair processing are outlined in Schedule 2 of the Data Protection Act. There are six requirements to be met in accordance with the norms listed in schedule 2 for the presence of fair processing (Gutwirth et al., 2009). In the event that any of the conditions listed below are not satisfied, the collecting agency is not authorised to process the data.

Parameters mentioned under schedule 2

• The data controller must adhere to the guidelines outlined by the legislation.

• The intended contract should be the only purpose for which the data is used.

• The desired action should fall under the heading of carrying out official government business, adhering to legal obligations, administering justice, acting in the public interest, etc.

• The act is done to protect the individual's critical interests.

• In addition to the constraints outlined in the contract, the data controller may also abide by legal requirements.

• If the data acquired is sensitive personal data, the standards outlined in schedules 2 and 3 must be followed.

Parameters listed under Schedule 3

• The information is gathered to determine if the equality of opportunity parameter is met.

• The unit has received the explicit consent of the data subject.

• Gathered for medical needs.

• The information is gathered to meet a specific person's essential needs.

• Acquired in order to give a specific person a job.

• A non-profit organisation for social welfare activities completes the work by carrying out the responsibilities of judicial bodies and carrying out the government's proposed policies.

• Information is gathered for legal purposes, such as defending citizens' fundamental legal rights.

Secondary principle of data protection act

The second principle of the data protection legislation mentions the important idea that the collecting of personal information should only be started to fulfil one or more legally specified purposes and that further synthesis on unrelated grounds should be absolutely forbidden. The section would highlight the aspect of the purpose for gathering a certain set of data (Cate, 1994). The specific report and the reason for why particular pieces of personal data were acquired should be provided to the ICO. Every step taken to process the information should be disclosed to the office of the information commissioner.

The data processor could notify the owner in a timely and suitable manner to provide further clarification regarding the treatment of the information. The appropriate individuals should be informed about the data collection at that time. Before gathering sensitive information, the authorities must have the consent of the relevant parties.

The Third Principle of The Data Protection Act

The Data Protection Act's provisions grant the data controller three specific liabilities. The particular extent to which the data controller may disclose the information further is specified, and the limit shall never be crossed. While handling the material, the criteria of relevance, sufficiency, and accuracy should be maintained. When combining the data, prejudice and interest are completely irrelevant.

To process the intended information, just the necessary information should be extracted and identified from the accessible dataset. The information might only be processed further under certain extraordinary circumstances specified by the legal laws. The circumstance could be comparable to one where a surgeon is faced with a difficult medical condition and the gathering of personal data is crucial for the diagnosis and treatment. The surgeon would need to know the patient's family history, medical past, and other details in order to treat the patient effectively.

Similar to this, the practices used by the human resource management departments of many firms are significantly tailored, and hiring workers is only done after carefully examining a number of personal traits. Most of the time, the authority immediately requests the information for the IT Thesis. When compared to the first principle of the data protection act, it can be shown that the third principle has a far stronger relationship. While the first principle of the data protection legislation demands perfect impartiality and justice, the third principle of the act places a strong emphasis on the criteria of sufficiency, relevance, and exceeding the limit.

The Fourth Principle of The Data Protection Act

The fourth principle of the Data Protection Act states that the data retrieved must have correct characteristics and must always be kept current. After reviewing the fundamental and secondary principles of the data protection act, the quality of the data handled by the data handler should be guaranteed. The fourth principle of the Data Protection Act primarily consists of two provisions.

In this part, accuracy is the main factor taken into account. To maintain the accuracy of the data, the units must adhere to the necessary procedures set forth by the data controller. Any ambiguity or error could affect the conclusion of the entire process and could lead society to believe incorrect conceptions. Even a minor error in calculation could lead to false conclusions being drawn from precise and accurate data sets. Therefore, the dataset for the study should be chosen by the data collector since it is detailed and has a wider application. If the authorities imply a misleading method of computation, the fundamental tenet of the Data Protection Act will be broken. For the sake of dependability, the controlling body should make sure that the data protection activities are conducted with objectivity and precision (Bennett, 1992).

Only the most recent dataset of personal information should be chosen by the authority to carry out the activities. When the frequently used dataset for a time period is taken into consideration for the study, the criterion should be taken into account. When taking into account this kind of data set, the data controller should use a more thorough approach. In order to draw useful conclusions from the dataset that has been collected, it is important to guarantee that it is highly accurate.

If there is any reason to believe that the data obtained by the data collector is erroneous, the relevant person should confirm it once more to eliminate any differences. The data subject may submit an access request under section 7(12) of the Principles of Data Protection Act. According to this clause, the person has the right to obtain a copy of the data set that the data controller has kept. According to the argument put up by the data subject, the court may require the data controller to delete, block, and verify the information they have acquired. The clause also mandates the payment of damages in the event that the pursued procedure harms the data subject in any way.

Fifth Principles of Data Protection Act

The length of time used to process the collected set of data should not be longer than that specified. The data controller should keep track of how long they plan to keep the information they acquire. The aim of the provisions of the fifth principle of the data protection legislation is to maintain clarity and transparency regarding the purpose behind the information collection. If the person designated as the data controller is unable to provide a compelling cause to keep the information, he or she is required to release it.

After keeping the knowledge for a longer time, it would become outdated. The study would be flawed, and it would seriously mislead society in drawing the incorrect conclusion. After a given amount of time, the authorities would no longer be certain of the data's accuracy. Even if the purpose of the data is fulfilled, the data controller is still responsible for ensuring the security of the information acquired. Eliminating data that is no longer required for a study or procedure is the best practice. It is strongly advised to record the data offline if it may be needed for future references.

The data controller only keeps the personal information after considering the data set's potential future scope. In order to preserve personal information, the data controller must overcome various obstacles, chief among them being dangers, expenses, and other legal obligations.

The Sixth Principle of The Data Protection Act

The sixth principle of the data protection legislation includes the rule that the data controller must never, under any circumstances, violate the human rights of the data subject. In accordance with this section of the Data Protection Act's guiding principles, the power of the data controller is restrained and the rights of the data subject are specifically guaranteed. Under this Article, the data subject is given a number of special rights.

• Control over the personal information

• Right to compensation

• Right to change the information if there are any errors

• Take precautions to prevent the nefarious or upsetting use of personal information.

• Choosing an automated method of decision-making.

• Refraining from being exposed to direct marketing.

The subject of the data has full access to the personal information, per Section 7 of the Data Protection Act (Schwartz, 1994). It permits the data subjects to obtain a copy of the information acquired from the data collector at any time. Our readers should be aware that the individual would only have access to their personal data. If there is any doubt about whether any pertinent data is gathered or processed, the data subject may request legal clarification. Simply submitting a straightforward application to the court could accomplish this. The authority is required to explain why a certain piece of data was gathered for the procedure, and it should be clear if the data was given to a third party.

The laws also give the data subject the option to request a stop to data processing if it is negatively impacting their personal life. The citizen has the right to ask the court to overrule any objections they may have to the acquisition and use of their personal information. Legally speaking, the specific application could be described as an objection to processing. Under the application of objection to processing, the effect produced by the data processing should be explicitly mentioned.

Let's use the example of a candidate who was turned down for a position in an organisation because it was discovered by another organisation or third party that the individual is a trade union activist and is totally unqualified for the position. One of the agencies that retains the list of applicants who have been placed on the back-burner for employment in any sector or organisation is the third party. A person has the right to request that their name be removed from the blacklist by the data controller. The data subject would ask for the name to be removed on the basis of continuous harm and anguish. The data controller is required to respond to the request of the data subject within 21 days.

The data subject has the absolute right to limit the use of their personal information for direct marketing. The person may immediately raise an objection to processing against the authority if the information is being processed with the goal of direct marketing. The most important tool for direct marketing is regarded to be the widespread distribution of junk mail. The realm of direct marketing includes campaigns and the promotion of specific ideologies and individuals as well as the sale of a specific product. Each individual has the right to request that their personal data be removed from the data set. It is strongly advised that the general population keep their personal information private wherever feasible. The institutions should only gather the data necessary to offer the customers and the relevant collection of sensitive data the highest level of security.

The data subject has the power to prevent the data controller from using any kind of automated decision-making. The data subject has the right to request that the authority reevaluate the decision made after looking at the personal data. The data controller has a responsibility to notify anyone who may have had their information misused. Such choices typically involve no human intervention because they are done in an automated fashion. Let's use the situation where the authority rejects a request to transfer money from one account to another as an example. It is the discrepancy between the information provided by the data subject and the system's pre-existing data set. In such circumstances, the people are compelled to choose the manual method of carrying out the operation.

The fourth data protection act premise emphasises the need of accuracy as a parameter. Any difference in the information gathered may be brought to the court's attention by the data subject, and the jury may decide to correct, amend, or even delete the data set as necessary. If the data processing resulted in any harm or suffering, the data subject would have the right to request compensation.

Seventh Principles of Data Protection Act

The eighth principle of the Data Protection Act emphasises the safeguarding of sensitive data. This regulatory requirement requires the data controller to implement the appropriate technical safeguards in order to prevent any process irregularities. It aids in preventing instances of loss or harm to confidential information. This attitude leads to the designation of the security principle as the fifth data protection act principle. When the data controller handles sensitive data, there shouldn't be any risk to their security. To avoid the issues described below, the data controller should take security precautions into account.

• Accidental deletion or loss of sensitive data
• The improper handling of personal data
• A third party misusing the data.

The term "security" refers to the proper use of strong passwords, other cutting-edge encryption techniques, and the deployment of antivirus software to find malware. The data controller should use the most advanced technology when processing the data in order to maintain the security parameter. Only the authority of human resources with technical and physical aptitude may imply it. The Information Commissioner needs to be informed of the security measures the data controller seems to have in place.

Eighth Principles of Data Protection Act

The data controller is prohibited from transferring the personal information of data subjects outside the EEA according to the rules outlined in the ninth principle of the Data Protection Act. This clause protects the data subjects' fundamental rights and so offers protection from any calamity or misery that might be caused by them. The government should determine if the authority can still produce the desired results even if the data collection process is not completed. Sensitive information should never be sent to a third party without first getting approval from legal counsel and the data subject themselves. However, if the person's identity is not exposed from the dataset, this condition would not be relevant (Bygrave, 2010).

The transfer is considered to have occurred when the personal information is stored in a foreign nation. If the data controller chooses to publish personal data on a public website, the situation will be identical. A third party residing in another nation might easily download the material. The current legal framework does not impose any restrictions on the exchange of information between the nations that are subject to EEA territory's jurisdiction (Lynskey, 2015). Even though the transfer is permitted under certain circumstances, the factors indicated below should be taken into account before starting the transfer.

• Local laws adhere to the appropriate legal requirements and security precautions.
• The traits of sensitive personal information
• The point at which the targeted information is transferred to a third party and the location to which it is transferred, as well as the source of the personal data.


The aforementioned paper makes frequent reference to the 1998 Data Protection Act's guiding principles. We have worked very hard to cover every facet of the principles of the Data Protection Act. When handling personal information, data controllers must rigorously adhere to the criteria of legality and fairness. There would be no justification for the affected bodies' negligent handling of sensitive information. The threat to personal data has increased with the development of information technologies. Therefore, additional changes to the principles of the Data Protection Act are required to maintain its applicability in the contemporary online environment. It is advised that all companies strictly abide by the guidelines set forth in the Data Protection Act.


