The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Guide to data protection

The principles of the Data Protection Act in detail

This Guide explains the purpose and effect of each principle, and gives practical examples to illustrate how the principles apply in practice. We hope that, by answering many frequently asked questions about data protection, the Guide will prove a useful source of practical advice to those who have day-to-day responsibility for data protection.

Alternatively, you can download a PDF version of the Guide.


Key definitions of the Data Protection Act

Who has rights and obligations under the Data Protection Act? When do you 'process personal data'?

Data protection principles

The eight principles of the Data Protection Act.

Processing personal data fairly and lawfully (Principle 1)

What is fair processing? Is it fair to disclose personal data to others? What is a privacy notice?

Processing personal data for specified purposes (Principle 2)

How should you specify your purpose for obtaining personal data? What if your original purpose changes?

Information standards (Principles 3, 4 and 5)

What do information standards mean?

The rights of individuals (Principle 6)

What rights do individuals have in relation to the personal data you hold about them?

Information security (Principle 7)

Find out how to decide what approach to take to the security of the personal data you hold. What kind of security measures might be appropriate?

Sending personal data outside the European Economic Area (Principle 8)

Find out if you can send personal data outside the European Economic Area (EEA). What conditions apply to transfers of personal data overseas?

The conditions for processing

What conditions do you need to satisfy before you can process personal data? What purposes can you process personal data for? How important is it to obtain consent?


What are the exemptions from notification? When can you withhold information from individuals? When can you disclose personal data to third parties?
