So to be compliant with the law, personal data should be:
- managed fairly and lawfully
- obtained for specific purposes
- adequate and relevant
- deleted accordingly
- handled in line with the rights of the individuals
- transferred to countries with safeguards
To understand the law, one has to understand some key terms.
The Act mentions processing. This includes obtaining, holding, disclosing, adapting and erasing personal data, so literally anything one does with personal data. As the ICO says, ‘it is difficult to think of anything an organisation might do with data that will not be processing’.
The Act mentions personal data. This is data that relates to living persons who can be identified from the data. This includes addresses, national insurance numbers, dates of birth and email addresses. Opinions about individuals are also personal data.
The data controller is the ‘person’ recognized in law, and could be an organization or an individual. The data controller determines the purposes for which the personal data is processed. It’s the responsibility of the data controller to ensure that the personal data is processed in compliance with the Data Protection Act.