Search Legislation

Data Protection Act 2018

 Help about what version

What Version

 Help about advanced features

Advanced Features

Changes over time for: CHAPTER 2

 Help about opening options

Changes to legislation:

Data Protection Act 2018, CHAPTER 2 is up to date with all changes known to be in force on or before 27 March 2024. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations. Help about Changes to Legislation

Close

Changes to Legislation

Revised legislation carried on this site may not be fully up to date. Changes and effects are recorded by our editorial team in lists which can be found in the ‘Changes to Legislation’ area. Where those effects have yet to be applied to the text of the legislation by the editorial team they are also listed alongside the legislation in the affected provisions. Use the ‘more’ link to open the changes and effects relevant to the provision you are viewing.

View outstanding changes

Changes and effects yet to be applied to the whole Act associated Parts and Chapters:

Whole provisions yet to be inserted into this Act (including any effects on those provisions):

CHAPTER 2U.K.Principles

OverviewU.K.

85OverviewU.K.

(1)This Chapter sets out the six data protection principles as follows—

(a)section 86 sets out the first data protection principle (requirement that processing be lawful, fair and transparent);

(b)section 87 sets out the second data protection principle (requirement that the purposes of processing be specified, explicit and legitimate);

(c)section 88 sets out the third data protection principle (requirement that personal data be adequate, relevant and not excessive);

(d)section 89 sets out the fourth data protection principle (requirement that personal data be accurate and kept up to date);

(e)section 90 sets out the fifth data protection principle (requirement that personal data be kept for no longer than is necessary);

(f)section 91 sets out the sixth data protection principle (requirement that personal data be processed in a secure manner).

(2)Each of sections 86, 87 and 91 makes provision to supplement the principle to which it relates.

The data protection principlesU.K.

86The first data protection principleU.K.

(1)The first data protection principle is that the processing of personal data must be—

(a)lawful, and

(b)fair and transparent.

(2)The processing of personal data is lawful only if and to the extent that—

(a)at least one of the conditions in Schedule 9 is met, and

(b)in the case of sensitive processing, at least one of the conditions in Schedule 10 is also met.

(3)The Secretary of State may by regulations amend Schedule 10—

(a)by adding conditions;

(b)by omitting conditions added by regulations under paragraph (a).

(4)Regulations under subsection (3) are subject to the affirmative resolution procedure.

(5)In determining whether the processing of personal data is fair and transparent, regard is to be had to the method by which it is obtained.

(6)For the purposes of subsection (5), data is to be treated as obtained fairly and transparently if it consists of information obtained from a person who—

(a)is authorised by an enactment to supply it, or

(b)is required to supply it by an enactment or by an international obligation of the United Kingdom.

(7)In this section, “sensitive processing” means—

(a)the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;

(b)the processing of genetic data for the purpose of uniquely identifying an individual;

(c)the processing of biometric data for the purpose of uniquely identifying an individual;

(d)the processing of data concerning health;

(e)the processing of data concerning an individual's sex life or sexual orientation;

(f)the processing of personal data as to—

(i)the commission or alleged commission of an offence by an individual, or

(ii)proceedings for an offence committed or alleged to have been committed by an individual, the disposal of such proceedings or the sentence of a court in such proceedings.

Commencement Information

I1S. 86 in force at Royal Assent for specified purposes, see s. 212(2)(f)

87The second data protection principleU.K.

(1)The second data protection principle is that—

(a)the purpose for which personal data is collected on any occasion must be specified, explicit and legitimate, and

(b)personal data so collected must not be processed in a manner that is incompatible with the purpose for which it is collected.

(2)Paragraph (b) of the second data protection principle is subject to subsections (3) and (4).

(3)Personal data collected by a controller for one purpose may be processed for any other purpose of the controller that collected the data or any purpose of another controller provided that—

(a)the controller is authorised by law to process the data for that purpose, and

(b)the processing is necessary and proportionate to that other purpose.

(4)Processing of personal data is to be regarded as compatible with the purpose for which it is collected if the processing—

(a)consists of—

(i)processing for archiving purposes in the public interest,

(ii)processing for the purposes of scientific or historical research, or

(iii)processing for statistical purposes, and

(b)is subject to appropriate safeguards for the rights and freedoms of the data subject.

88The third data protection principleU.K.

The third data protection principle is that personal data must be adequate, relevant and not excessive in relation to the purpose for which it is processed.

89The fourth data protection principleU.K.

The fourth data protection principle is that personal data undergoing processing must be accurate and, where necessary, kept up to date.

90The fifth data protection principleU.K.

The fifth data protection principle is that personal data must be kept for no longer than is necessary for the purpose for which it is processed.

91The sixth data protection principleU.K.

(1)The sixth data protection principle is that personal data must be processed in a manner that includes taking appropriate security measures as regards risks that arise from processing personal data.

(2)The risks referred to in subsection (1) include (but are not limited to) accidental or unauthorised access to, or destruction, loss, use, modification or disclosure of, personal data.

Back to top

Options/Help

Print Options

You have chosen to open The Whole Act

The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open The Whole Act as a PDF

The Whole Act you have selected contains over 200 provisions and might take some time to download.

Would you like to continue?

You have chosen to open The Whole Act without Schedules

The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open The Whole Act without Schedules as a PDF

The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download.

Would you like to continue?

You have chosen to open the Whole Act

The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open the Whole Act without Schedules

The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

You have chosen to open Schedules only

The Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.

Would you like to continue?

Close

Legislation is available in different versions:

Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.

Original (As Enacted or Made): The original version of the legislation as it stood when it was enacted or made. No changes have been applied to the text.

Close

See additional information alongside the content

Geographical Extent: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.

Show Timeline of Changes: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.

Close

Opening Options

Different options to open legislation in order to view more content on screen at once

Close

Explanatory Notes

Text created by the government department responsible for the subject matter of the Act to explain what the Act sets out to achieve and to make the Act accessible to readers who are not legally qualified. Explanatory Notes were introduced in 1999 and accompany all Public Acts except Appropriation, Consolidated Fund, Finance and Consolidation Acts.

Close

More Resources

Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:

  • the original print PDF of the as enacted version that was used for the print copy
  • lists of changes made by and/or affecting this legislation item
  • confers power and blanket amendment details
  • all formats of all associated documents
  • correction slips
  • links to related legislation and further information resources
Close

Timeline of Changes

This timeline shows the different points in time where a change occurred. The dates will coincide with the earliest date on which the change (e.g an insertion, a repeal or a substitution) that was applied came into force. The first date in the timeline will usually be the earliest date when the provision came into force. In some cases the first date is 01/02/1991 (or for Northern Ireland legislation 01/01/2006). This date is our basedate. No versions before this date are available. For further information see the Editorial Practice Guide and Glossary under Help.

Close

More Resources

Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:

  • the original print PDF of the as enacted version that was used for the print copy
  • correction slips

Click 'View More' or select 'More Resources' tab for additional information including:

  • lists of changes made by and/or affecting this legislation item
  • confers power and blanket amendment details
  • all formats of all associated documents
  • links to related legislation and further information resources