Anyone processing personal data must comply with the eight enforceable principles of good practice.

The data must be:

  • fairly and lawfully processed;
  • processed for limited purposes;
  • adequate, relevant and not excessive;
  • accurate;
  • not kept longer than necessary;
  • processed in accordance with the data subject’s rights;
  • secure;
  • not transferred to countries without adequate protection.

Personal data covers both facts and opinions about the individual. It also includes information regarding the intentions of the data controller towards the individual, although in some limited circumstances exemptions will apply.

With processing, the definition is far wider than before. For example, it, incorporates the concepts of ‘obtaining’, holding’ and ‘disclosing’.