All organisations that hold or process personal data must obey certain rules to ensure information is collected lawfully, is relevant, accurate and kept secure.
What the law says
All organisations that hold or process personal data must obey the Data Protection Act 1998, and follow the General Data Protection Regulation (GDPR).
The Act has eight principles, which state that data must be:
- Obtained fairly and lawfully;
- Held only for specific and lawful purposes;
- Relevant, adequate and not excessive;
- Accurate and, where necessary, kept up to date;
- Not kept for longer than necessary;
- Processed in accordance with the individual’s rights (as defined);
- Kept secure; and
- Transferred only to countries that offer adequate data protection.
The Information Commissioner administers and enforces the Act and keeps a public register of data controllers. The Act requires every data controller who is processing personal data to notify the Commissioner.
Individuals may seek compensation through the courts if they have suffered damage because the Act has been broken.