Applying the Data Protection Act guide

Overview

Everyone who is responsible for using data has to follow strict rules called ‘data protection principles’. The Data Protection Act 1998 covers both electronic and paper-based information and data.

Personal data must be

  • processed fairly and lawfully
  • obtained for specified and lawful purposes
  • adequate, relevant and not excessive
  • used only for the purpose it was obtained for
  • accurate and up to date
  • not kept any longer than necessary
  • processed in accordance with the data subject’s rights
  • kept secure at all times

It must not be

  • transferred outside the UK without adequate protection
  • kept if it would embarrass or damage the department if disclosed, for example through a subject access request
  • held if it is sensitive personal data

Sensitive data is data that relates to racial or ethnic origin, religious beliefs, trade union membership, physical or mental health or sexual life, political opinions and criminal offences. This data may only be held in strictly defined situations or where explicit consent has been obtained.

Do not

  • write anything (including emails) that is libellous or cannot be substantiated by fact

Every time you write something about someone, consider whether you would be happy for that to be read aloud to that person or in a court of law.