Judgment Approved by the court for handing down.
R (Bridges) -v- CC South Wales & ors
(e) section 39(1) sets out the fifth data protection principle
(requirement that personal data be kept for no longer than is
necessary);
(f) section 40 sets out the sixth data protection principle
(requirement that personal data be processed in a secure
manner).
(2) In addition—
(a) each of sections 35, 36, 38 and 39 makes provision to
supplement the principle to which it relates, and
(b) sections 41 and 42 make provision about the safeguards
that apply in relation to certain types of processing.
(3) The controller in relation to personal data is responsible for,
and must be able to demonstrate, compliance with this Chapter.”
21.
Section 35 of the DPA regulates "sensitive processing" and specifies the conditions that
must be satisfied before it may take place. Section 35 provides as follows:
“35 The first data protection principle
(1) The first data protection principle is that the processing of
personal data for any of the law enforcement purposes must be
lawful and fair.
(2) The processing of personal data for any of the law
enforcement purposes is lawful only if and to the extent that it is
based on law and either—
(a) the data subject has given consent to the processing for
that purpose, or
(b) the processing is necessary for the performance of a task
carried out for that purpose by a competent authority.
(3) In addition, where the processing for any of the law
enforcement purposes is sensitive processing, the processing is
permitted only in the two cases set out in subsections (4) and (5).
(4) The first case is where—
(a) the data subject has given consent to the processing for
the law enforcement purpose as mentioned in subsection
(2)(a), and
(b) at the time when the processing is carried out, the
controller has an appropriate policy document in place (see
section 42).