Judgment Approved by the court for handing down
R (Bridges) v CCSWP and SSHD
(2) Any reference in this Part to the processing of personal data is to
processing to which this Part applies. …
22.
Section 34 of the DPA 2018 provides an overview of the six data protection
principles and the duties of the data protection controller:
“34 Overview and general duty of controller
(1) This Chapter sets out the six data protection principles as follows—
(a) section 35(1) sets out the first data protection principle (requirement that
processing be lawful and fair);
(b) section 36(1) sets out the second data protection principle (requirement
that purposes of processing be specified, explicit and legitimate);
(c) section 37 sets out the third data protection principle (requirement that
personal data be adequate, relevant and not excessive);
(d) section 38(1) sets out the fourth data protection principle (requirement that
personal data be accurate and kept up to date);
(e) section 39(1) sets out the fifth data protection principle (requirement that
personal data be kept for no longer than is necessary);
(f) section 40 sets out the sixth data protection principle (requirement that
personal data be processed in a secure manner).
(2) In addition—
(a) each of sections 35, 36, 38 and 39 makes provision to supplement the
principle to which it relates, and
(b) sections 41 and 42 make provision about the safeguards that apply in
relation to certain types of processing.
(3) The controller in relation to personal data is responsible for, and must be
able to demonstrate, compliance with this Chapter.”
23.
Section 35 of the DPA regulates “sensitive processing” and specifies the
conditions that must be satisfied before it may take place. Section 35 provides
as follows.
“35 The first data protection principle
(1) The first data protection principle is that the processing of personal data
for any of the law enforcement purposes must be lawful and fair.
(2) The processing of personal data for any of the law enforcement purposes
is lawful only if and to the extent that it is based on law and either—
(a) the data subject has given consent to the processing for that purpose, or
(b) the processing is necessary for the performance of a task carried out for
that purpose by a competent authority.
(3) In addition, where the processing for any of the law enforcement purposes
is sensitive processing, the processing is permitted only in the two cases set
out in subsections (4) and (5).
(4) The first case is where—
(a) the data subject has given consent to the processing for the law
enforcement purpose as mentioned in subsection (2)(a), and