Principles of data protection legislation
To ensure your compliance with the data protection legislation, it is important to follow the data protection principles. These principles lie at the heart of the data protection legislation and should form part of the building blocks of your business’s compliance. These principles also form the basis of the proposed No. 2 Bill. There are seven principles, which are:
- Lawfulness, fairness and transparency – this means that you must have a good reason for processing the data and identify a lawful basis or bases for the processing of the personal data. You must also be fair: don’t mishandle or misuse the data you collect and don’t withhold what you are doing with the data. You should also be clear, open and honest with data subjects (your customers and patients) about who you are, and why and how you’re processing their personal data.
- Purpose limitation – personal data should only be collected for specified, explicit and legitimate purposes. If, at any point, you want to use the data you’ve collected for a new purpose that is incompatible with your original purpose, you must ask specifically for consent again to do it, unless you have a clear obligation or function set out in law.
- Data minimisation – only collect the smallest amount of data you’ll need to complete your purposes. Avoid gathering personal data that isn’t directly related to your purpose.
- Accuracy – you should ensure the ongoing accuracy of the data you collect and store.
- Storage limitation – you should keep personal data only for as long as you need to; you must be able to justify the length of time you’re keeping each piece of data you store.
- Integrity and confidentiality (security) – this means that you should maintain the integrity and confidentiality of the data you collect, essentially keeping it secure from internal or external threats. This takes planning and proactive diligence. You must protect data from unauthorised or unlawful processing and from accidental loss, destruction or damage.
- Accountability – you must have appropriate measures and records in place as proof of your compliance with the data processing principles. The ICO can ask for evidence of this at any time.
You must demonstrate that you comply with the principles, and this is your responsibility.
The second module in this series will consider the responsibilities of pharmacies as controllers and processors of patient data, as well as the rights of patients and important data security advice.
More information is available at www.brabners.com/services/commercial/data-protection
Eleanore Beard is a commercial lawyer and data protection practitioner (PC.dp) with Brabners LLP. She specialises in data protection.