What principles are employers obliged to follow in order to ensure that personal data is handled correctly?

Employers are obliged under the Data Protection Act 1998 to adhere to eight data protection principles. These state that employers must:

  • process personal data fairly and lawfully (which means that personal information must not be obtained or used unless either the employee has consented or one of a limited range of conditions is met);
  • obtain and process data only for specified and lawful purposes (ie use personal information only for specified agreed purposes);
  • ensure that data is adequate, relevant and not excessive in relation to its stated purpose (ie not store more information than is necessary about a person);
  • ensure that data is accurate and kept up to date;
  • not keep data for longer than is necessary in relation to its purpose;
  • process data in accordance with the rights of individuals;
  • take appropriate measures against unauthorised or unlawful processing and against accidental loss, damage or destruction of the data; and
  • not transfer data to a country outside the European Economic Area, unless that country ensures an adequate level of protection in relation to processing personal data.