
Data Protection Principles & Applications

Data Protection Principles

GDPR, in Article 5, sets out key principles which lie at the heart of the general data protection regime. They both directly and indirectly influence the other rules and obligations found throughout the legislation. On this page below you can find practical instructions on what the University/you need to do to put the principles into practice.

The principles are:

  • Lawful, fair & transparent processing
  • Purpose limitation
  • Minimisation of processing
  • Data accuracy/quality
  • Storage limitation
  • Integrity, security & confidentiality
  • Accountability

Principles Infographic

Any processing of personal data should be lawful and fair. It should be transparent to individuals that personal data concerning them are collected, used, consulted, or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.

What are examples of measures that UCD/you need to take to deliver on the principle of lawfulness, fairness, and transparency?

  • Provide individuals with Privacy Notices in advance of any data collection
  • Update privacy notices regularly
  • Identify one or more Legal Basis for the processing
  • Put appropriate agreements and contracts in place when transferring personal data outside the EU
  • As appropriate, put one of the following in place when you share personal data with other organisations: a controller-processor contract, a joint controller agreement, or a data sharing agreement, so that each party is clear about their roles and responsibilities

Personal data should only be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. However, further processing for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes (in accordance with Article 89(1) GDPR) is not considered to be incompatible with the initial purposes.

What are examples of measures that UCD/you need to take to deliver on the principle of purpose limitation?

  • Stick to what you have said in your privacy notice!
  • It is important to decide on the legal basis for processing from the outset and state this in your privacy notice. Don’t change purposes later. If your processing is based on consent and you want to use the data for a new purpose, and if you have existing permission to re-approach data subjects, you need to do so and get their permission for the new purpose. If you don’t have existing permission to re-approach them, then this is not a way forward.
  • Don’t use lists of attendees at an event for marketing to them or for any other purpose without their consent; and don’t use data collected purely for medical treatment for research in a way that the individuals concerned would not reasonably expect based on the information they were provided in the privacy notice, or have not consented to in cases where consent is needed.

Processing of personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum (see also the principle of ‘Storage Limitation’ below).

What are examples of measures that UCD/you need to take to deliver on the principle of data minimisation?

Controllers must ensure that personal data are accurate and, where necessary, kept up to date; taking every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. In particular, controllers should accurately record information they collect or receive and also record the source of that information.

What are examples of measures that UCD/you need to take to deliver on the principle of accuracy?

  • It is important that individuals (data subjects) have an easy way to exercise their rights, such as having access to their data, having incorrect data corrected, or having data that are no longer needed erased. This will allow prompt updates or corrections of personal data held on UCD systems.
  • Don’t make local copies of personal data! Local copies not only put the security of data at risk, but also are the cause of old data being used instead of current data.
  • Have a clear protocol about who is authorised to make changes to data and log any changes made.
  • In your ‘Record of Processing Activities’ (ROPA) document, capture the source of any data set you receive so that you can check back if clarifications is
  • In your ‘Record of Processing Activities’ (ROPA) document, capture any recipients you share data with. Should you/UCD as controller receive requests for data corrections or any other related data subject rights request, you/UCD need to communicate this request to the recipients you sent the data to. This will allow the recipients to update their records too.

Personal data should only be kept in a form which permits identification of data subjects for as long as is necessary for the purposes for which the personal data are processed. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.

What are examples of measures that UCD/you need to take to deliver on the principle of storage limitation / data retention?

  • You need to think about how long you will keep personal data from the outset, even before you collect them, as this needs to be included in a privacy notice. If a specific date cannot be given, then you need to provide information about the criteria that will inform the retention period.
  • Any retention period needs to be based on a stringent and robust rationale and needs to be as short as possible in line with the original purpose.
  • For key areas it is quite likely that there are organisational or sectoral guidelines for retention periods.
  • Data retention is not an ‘all or nothing’ consideration. You might have collected several items of personal data at the same time, but that does not mean that you need everything for the same length of time. You might be required to keep some data for longer for legal or auditing purposes and other ones can be deleted much sooner. Regularly review what needs to be kept and what needs to be securely deleted or shredded.
  • Individuals (data subjects) can request that you delete their personal data once they are no longer needed.
  • Don’t make local copies of personal data; this makes it more likely that data are kept for longer than permitted and also poses a security and confidentiality risk.

Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including protection against unauthorised or unlawful access to or use of personal data and the equipment used for the processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

What are examples of measures that UCD/you need to take to deliver on the principle of integrity and confidentiality?

Finally, the controller is responsible for, and must be able to demonstrate, their compliance with all of the above-named Principles of Data Protection. Controllers must take responsibility for their processing of personal data and how they comply with the GDPR and be able to demonstrate (through appropriate records and measures) their compliance, in particular to the DPC.

What are examples of measures that UCD/you need to take to deliver on the principle of accountability?