

What Is The Data Protection Act?



What Is The DPA?

The Data Protection Act 1998 (External Link) controls how personally identifiable information (PII), which the Act calls 'personal data', is used by organisations, businesses and the government.

Everybody who is responsible for creating and using such data has to follow strict rules called the Data Protection 'Principles', of which there are eight.

Organisations must therefore make sure that personal data is:

  • Principle 1 - Used Fairly and Lawfully

    "Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –

    (a) at least one of the conditions in Schedule 2 is met, and

    (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met".

  • Principle 2 - Used for Limited, Specifically Stated Purposes

    "Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes".

  • Principle 3 - Used in a way that is Adequate, Relevant and Not Excessive

    "Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed".

  • Principle 4 - Accurate

    "Personal data shall be accurate and, where necessary, kept up to date".

  • Principle 5 - Kept for No Longer than is Absolutely Necessary

    "Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes".

  • Principle 6 - Handled According to People’s Data Protection Rights

    "Personal data shall be processed in accordance with the rights of data subjects under this Act".

  • Principle 7 - Kept Safe and Secure

    "Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data".

  • Principle 8 - Not Transferred Outside the European Economic Area Without Adequate Protection

    "Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data".

Other key information is covered in the sub-sections linked from the left-hand navigation menu of the ICO's Guide to Data Protection Act (External Link). There are many of them, so please take the time to digest what the ICO provides there.

Please also make use of the IS Know How Additional Helpful ICO Guidance & Information page, which brings together the various pieces of ICO information and guidance that we reiterate for your benefit.

Are You Registered?

We still come into contact with a significant number of third sector organisations that do not seem fully aware of the ICO's 'Data Controller Register', or of their legal obligations when collecting, storing and transferring personally identifiable information in the course of their business activities.

"Under the Data Protection Act individuals and organisations that process personal information need to register with the Information Commissioner's Office (ICO), unless they are exempt.
By going through the following questions, you will be able to decide if you – as an individual or on behalf of your business or organisation – need to register with the ICO.
If you use CCTV on your business premises, you will need to register."

Source: Information Commissioner's Office (2016) (External Link)

Are We Exempt?

In short, IS Know How cannot advise on this, as exemption is decided case by case for each business, company or organisation. The best thing is to head over to the ICO's Exemptions (External Link) page.

Also take five minutes out of your schedule to complete the ICO's very straightforward Do I Need To Register Self-Assessment (External Link).

If in doubt, contact the ICO directly via Telephone, Live Chat and Email (External Link) and seek their advice on your query.

Do You Comply?

As with many things, it is easy to register with the correct intentions and then let day-to-day business get in the way, so that compliance becomes sidetracked. Therefore, having registered if required in line with the above, is your organisation actually compliant with the Data Protection Act and its eight principles today?

Please also make use of the IS Know How Additional Helpful ICO Guidance & Information page, which draws together the many pieces of ICO information and guidance and aims to make them as straightforward as possible for the benefit of third sector organisations.

What Next?

Are you already increasing your knowledge of the GDPR, and has your third sector organisation actually begun to adopt and implement it, ready for it to apply as live regulation from 25 May 2018, when it replaces the 1998 Act?

If not, we strongly suggest that you now go to the IS Know How What is the General Data Protection Regulation? (GDPR) page and read through the ICO's information that we reiterate there for your benefit.

Charitable & Voluntary Data Security Incident Trends

You may also be interested in the statistics that IS Know How have extracted from the ICO's Data Security Incident Trends, specifically for the 'Charities' sector, covering breaches of the Data Protection Act under Principle 7 (keeping personal data safe and secure).

Ready to Access GDPR Solutions Now?

Additionally, why not head over to our GDPR Solutions zone below and see 'How we can assist Charities and Social Enterprises Comply with the EU GDPR.'


ISKH is in no way affiliated with, or working on behalf of, the Information Commissioner's Office. ISKH is simply putting forward the importance of compliance to our target audience(s), and supporting the ICO's drive to show that Data Protection Act compliance has a positive impact on a business's or organisation's cyber and data security posture. Any externally linked ICO content on the ISKH website, including PDF documents or video media, is offered for information purposes only, as is.

To begin reducing your risks and securing your reputation:

  • 24x7x365 Managed Security Monitoring and Mitigation for your organisation's endpoint and server devices.

  • 24x7x365 Managed DDoS Multi-Layer Threat Monitoring Service for your third sector organisation's website(s).

  • 24x7x365 Combined Best-of-Breed Managed Cyber Resilience Service (MCRS) for your organisation's devices.
