(1)This Chapter sets out the six data protection principles as follows—
(a)section 35(1) sets out the first data protection principle (requirement that processing be lawful and fair);
(b)section 36(1) sets out the second data protection principle (requirement that purposes of processing be specified, explicit and legitimate);
(c)section 37 sets out the third data protection principle (requirement that personal data be adequate, relevant and not excessive);
(d)section 38(1) sets out the fourth data protection principle (requirement that personal data be accurate and kept up to date);
(e)section 39(1) sets out the fifth data protection principle (requirement that personal data be kept for no longer than is necessary);
(f)section 40 sets out the sixth data protection principle (requirement that personal data be processed in a secure manner).
(2)In addition—
(a)each of sections 35, 36, 38 and 39 makes provision to supplement the principle to which it relates, and
(b)sections 41 and 42 make provision about the safeguards that apply in relation to certain types of processing.
(3)The controller in relation to personal data is responsible for, and must be able to demonstrate, compliance with this Chapter.