First Principle - fair and lawful processing

"Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met."

Compliance with the first principle requires the processing to meet three obligations. It must:

  • be fair; and
  • be lawful; and
  • meet a condition for processing.

Fair Processing

Ensuring fairness in everything you do with people's personal details is central to complying with a data controller's duties under the Act.

This includes circumstances where you are considering sharing personal data with another organisation - you should carefully consider what the recipient will do with the information and what effect it will have on the individual concerned.

In practice it means that you must:

  • have legitimate reasons for collecting and using, including sharing, personal data
  • not use the data in ways that have unjustified adverse effects on the individuals concerned
  • be open and honest about how you intend to use the information
  • give appropriate 'privacy policies' or 'fair processing notices' when collecting information
  • ensure that people are not misled or deceived about the use of their information
  • handle people's information only in ways they would reasonably expect
  • make sure you do not do anything unlawful with the information

Find out more about 'fair processing'


Lawful Processing

The Act prohibits any processing of personal data by a data controller unless there is lawful justification.

To be lawful, the processing must be generally lawful, i.e. in accordance with the law, meaning both statute and common law, whether civil or criminal. This applies to public and private sector organisations.

If processing personal information involves committing a criminal offence, the processing will obviously be unlawful.

However, processing may also be unlawful if it results in, for example:

  • an organisation exceeding its legal powers or exercising those powers improperly
  • a breach of the Human Rights Act 2001
  • a breach of a duty of confidentiality
  • an infringement of copyright
  • a breach of an enforceable contractual agreement
  • a breach of industry-specific legislation or regulations

Meeting a condition for processing

To ensure lawfulness, the processing must also meet one of the conditions set out in Schedule 2 of the Act.

Many of these conditions relate to the purpose or purposes for which you intend to use the information, and take into account the nature of the information in question.

Find out more about the conditions for processing