What Are the Eight Principles of the Data Protection Act?


By Skills for Health | 12 December 2022

The UK Data Protection Act was originally designed to protect personal data stored on computers and paper filing systems. Since then, technology has evolved substantially and so have many of the permissions surrounding it, however, the core principles stay the same – 8 principles of the data protection act still apply today and ensure that personal information is processed and stored lawfully.


Over 89,000 cases of data breach were reported from national authorities in the first year of GDPR. The Act is not designed to catch anyone out, simply provide a robust framework for you or your employee to understand their obligations towards customers and their personal details.

Recently, the UK Department of Education failed its own government’s standards. It seems it’s back to school for the rest of 2020 for the DoE.

The European Union GDPR came into effect in 2018, through the 2018 Data Protection Act – a modification of the original 1998 act. It seems millions of businesses are still not GDPR compliant; some say they find it confusing.

Like most laws, regulations and other complex things, it’s far easier to break it all down into small, digestible chunks. No need to tie yourself up in virtual red tape trying to understand The Data Protection Act. Take these 8 principles one at a time and you’ll get the hang of the Act in no time.


Fair and Lawful Use, Transparency

The principle of this first clause is simple. You or your business may only collect, process, and hold personal information in a fair and transparent way. For this reason, you are required to ask for consent and explain why you need those details.

You can collect email addresses to send the invoice and dispatch confirmation. Under the new regulations though you cannot pre-check the marketing data or third-party business box. The customer must make the effort to check it themselves. Make it prominent and they will see it!

These 8 key data protection principles under GDPR can be upheld through the proper GDPR compliance training here.


Specific for Intended Purpose

You must also collect personal data for the specific use for which the data owner or owners grant permission. You may not transfer, sell, or duplicate it for other purposes.

Let’s say your customer bought a new battery for the mobility scooter. Information the customer enters is only usable for that website or service. You may not hawk that personal data to another bit of your company, like one that sells customer mobility scooter insurance.


Minimum Data Requirement

The 2nd of the 8 principles of the Data Protection Act is that you cannot ask for otherwise irrelevant details. Everything you do hold must be “adequate and relevant” according to legislation.

Don’t be like the German division of apparel company H&M, who received a dressing down in 2020. They recorded personal details about employee whereabouts following absence – not just sickness, but holidays too. They stored it without permission and now have to head back to the fitting room to rethink the policy.


Need for Accuracy

The Data Protection Act requires that you check in periodically to ensure whatever information you hold is still accurate. Customers change address, email address, phone number and other contact details. Contact regularly by email and/or post to ask them to check their details. It’s good policy to ask if they’re still happy to keep the records on file.

Nobody wants to keep getting marketing material for people who moved out five years ago as some of us here at the Skills Platform occasionally discuss. It isn’t just a waste of time, but money too. Likewise, the legal requirement covers your customers against unauthorised people viewing sensitive details.


Data Retention Time Limit

The fifth of the 8 principles of the Data Protection Act states how long you can keep their details. Technically you could keep such details in perpetuity if the customer never withdraws their consent. However, it is good business practice to remove customer personal data after a dormant period and have a strong company policy.

GDPR does not state how long you may keep it before deletion. Most businesses send out emails or letters every year listing previously held information. They then invite the customer to update the data or even request deletion.


The right to be forgotten

Your customers have the right to know precisely what you know about them, and thus the right to stop you from using it. This applies even where consent was obtained lawfully and in good faith.

User rights also include the right to request that you delete all information pertaining to them, or just specific details. This is the much-heralded “right to be forgotten”, processed through something called the Subject Access Request.


Ensuring Data Security

This GDPR principle stipulates your duty to protect personal details and engage in good data governance practices. No matter your business’ size, you need a system and a secure network to protect processed personal data. The system must be robust against attack; you must also ensure that the level of security is appropriate to the business.

Businesses handling sensitive information like health records or credit cards require much higher standards than a mailing list for example. GDPR applies to health records too even though other regulations apply. One does not negate or supersede the other.



The last of the 8 principles of the Data Protection Act is ensuring you follow all these measures. Accountability in this case simply means demonstrating that the Data Controller is implementing their legal duties. This person must show that they have appropriate procedures in place for what might happen in a data breach, privacy policies, and keep records about how you process personal data.

Bigger businesses (those with over 250 employees processing over 5000 records per year) must appoint a dedicated Data Protection Officer.


In Conclusion: 8 Principles of the Data Protection Act 2018

Everything you do as a business regarding customer data should safeguard it. Not only is it a legal requirement, but your customers feel much happier knowing you will protect their data. The UK’s Data Protection Act has been well-received as a whole, with 62% of British stating they feel more confident in a poll conducted a year after its implementation.

The GDPR 8 key data protection principles have been carefully developed to help you understand your requirements and responsibilities. It enables data protection and security for individuals primarily but, perhaps more than anything, it is also a system to help you comply. Yet, so many companies still find themselves in a pickle.

For this reason, in order to protect themselves as well as their staff, many employers opt to inculcate such principles in their team through robust GDPR compliance training.

eLearning for healthcare

Unlock your potential – our healthcare eLearning courses make it simple to access high-quality content, that delivers on your statutory and mandatory training and compliance needs.

Discover eLearning


How our learning management system can support compliance and efficiency 

New Medical Gas course launched for nurses  

Why is safeguarding so important in health care? 


Get the latest updates by email

Sign up to our monthly newsletter to receive the latest updates straight to your inbox. We’ll keep you up to date with sector news, insights, intelligence reports, service updates and special offers on our services and solutions.

Sign up to our newsletter