First Principle - fair and lawful processing
"Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-
Compliance with the first principle requires the processing to meet three obligations and be:
- Fair; and
- Lawful; and
- Meet a condition for processing.
Ensuring fairness in everything you do with people's personal details is central to complying with a data controller's duties under the Act.
This includes circumstances where you are considering sharing personal data with another organisation - you should carefully consider what the recipient will do with the information and what effect it will have on the individual concerned.
In practice it means that you must:
- have legitimate reasons for collecting and using, including sharing, personal data
- not use the data in ways that have unjustified adverse effects on the individuals concerned
- be open and honest about how you intend to use the information
- give appropriate 'privacy policies' or 'fair processing notices' when collecting information
- ensure that people are not misled or deceived about the use of their information
- handle people's information only in ways they would reasonably expect
- make sure you do not do anything unlawful with the information
The Act prohibits any processing of personal data by a data controller unless there is lawful justification.
To be lawful the processing must be generally lawful, i.e. in accordance with the law, referring to statute and common law, whether that is civil or criminal. This applies to public and private sector organisations.
If processing personal information involves committing a criminal offence, the processing will obviously be unlawful.
However processing may also be unlawful if it results in, for example
- an organisation exceeding its legal powers or exercising those powers improperly
- a breach of the Human Rights Act 2001
- a breach of a duty of confidentiality
- an infringement of copyright
- a breach of an enforceable contractual agreement
- a breach of industry-specific legislation or regulations
Meeting a condition for processing
To ensure lawfulness, the processing must also meet one of the conditions set out in Schedule 2 of the Act.
Many of these conditions relate to the purpose or purposes for which you intend to use the information, and take into account the nature of the information in question.