Principle 1

'Personal information shall be processed fairly and lawfully and, in particular, shall not be processed unless conditions are met'.

Principle 2

'Personal information be obtained only for specified and lawful purposes and shall not be further processed in a manner incompatible with those purposes.'

Principle 3

'Personal information shall be adequate, relevant and not excessive for the purpose'

Principle 4

'Personal information shall be accurate and, where necessary, kept up to date'

Principle 5

'Personal information shall not be kept for longer than is necessary for the purpose'

Principle 6

'Personal information should be processed in accordance with the rights of data subjects'

These rights are:

• access to personal information


• prevent processing likely to cause damage or distress


• prevent processing for direct marketing


• automated decision making


• compensation


• rectification, blocking, erasure & destruction


• jurisdiction & procedure

Principle 7

'Appropriate measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage to the data.'

Principle 8

'The final principle refers to passing information to countries outside the EU who may not have the same levels of security.'