Judgment Approved by the court for handing down
R (Bridges) v CCSWP and SSHD
ANNEX “A”
LEGAL FRAMEWORK
Legislation
Data Protection Act 1998 (“DPA 1998”)
1.
Section 1(1) of the DPA 1998 defined “personal data” as:
“… data which relate to a living individual who can be identified (a)
from those data, or (b) from those data and other information which is
in the possession of, or is likely to come into the possession of, the data
controller”.
2.
Section 1(1) of the DPA 1998 defined “data processing” as:
“… obtaining, recording or holding the information or data or carrying
out any operation or set of operations on the information or data” [with
a range of non-exhaustive examples given].
3.
Section 4(4) provided that it was:
“… the duty of a data controller to comply with the data protection
principles in relation to all personal data with respect to which he is the
data controller” [subject to section 27(1) concerning the exemptions].
4.
The data protection principles were set out in Schedule 1 to the DPA 199821:
(1) Principle 1 is that personal data shall be processed fairly and lawfully
and, in particular, shall not be “processed” at all unless it is necessary
for a relevant purpose (referred to in Schedule 2 below). In the case of
the police, the relevant purposes are the administration of justice and
the exercise of any other function of a public nature exercised in the
public interest.
(2) Principle 2 is that personal data may be obtained only for lawful
purposes and may not be further “processed” in a manner incompatible
with those purposes.
(3) Principle 3 is that the data must be “adequate, relevant and not
excessive” for the relevant purpose.
(4) Principle 4 is that data shall be accurate and, where necessary, kept up
to date.
21
Similar principles are now to be found in Part 3 of the DPA 2018 (see below).