Crest
Isle of Man Government
Reiltys Ellan Vannin
Isle of Man Government Crest

O.D.P.S.

Office of the Data Protection SupervisorOffice of the Data Protection SupervisorOik Oaseir Coadey Fysseree Ellan Vannin
You are here: www.gov.im - ODPS - Business Advice - Protection Principles - First Principle
Protection Principles
Introduction
First Principle
Second Principle
Third Principle
Fourth Principle
Fifth Principle
Sixth Principle
Seventh Principle
Eighth Principle
Use of Personal Data
Sensitive Data

The First Principle

"Personal data shall be processed fairly and lawfully"

Fair Processing

Where personal data are obtained directly from the individual then a fair processing notice must be given or made available to the individual either before the data are obtained, or at the time of collection. When data are obtained from a third party then a notice must generally be given to the individual when the data are first processed or as soon as reasonably practicable thereafter.

The fair processing notice must state the identity of the data controller, for example name and address of the organisation, and what it intends to use the information for, and anything else necessary in the circumstances to make the processing fair.

Lawful Processing

The Act prohibits any processing of personal data by a data controller unless there is lawful justification. To be lawful the processing must meet one of the conditions set out in Schedule 2 of the Act.

These conditions are:

  1. where the data subject is consenting to the processing
  2. where it is necessary for the organisation to process data so as to enter into or perform a contract with the data subject
  3. where the processing is necessary to allow the organisation to comply with a legal obligation, such as a statutory duty;
  4. where the processing is necessary in order to protect the vital interests of the data subject;
  5. where the processing is necessary in the legitimate interests of the organisation so long as the rights and freedoms of the data subjects are not prejudiced;
  6. where the processing is necessary for the administration of justice;
    • for the exercise of any functions of Tynwald, the Council or the Keys;
    • for the exercise of functions conferred by or under a statutory provision;
    • for the exercise of any functions of the Crown, a Department or Statutory Board
    • for the exercise of any other functions of a public nature exercised in the public interest.

Therefore it would be a breach of the first principle to collect and process someone’s personal data without meeting at least one of the conditions.

In the case of sensitive personal data at least one of the conditions in Schedule 3 of the Act must also be met.

Sensitive personal data relate to:

  1. racial or ethnic origin
  2. political opinions;
  3. religious or other beliefs;
  4. trade union membership;
  5. physical or mental health;
  6. sexual life;
  7. offences or alleged offences;
  8. convictions or criminal proceedings

The following is a summary of the conditions for processing sensitive personal data. However, it is only intended as a basic guide and any data controller who processes sensitive personal data should refer directly to Schedule 3 of the Act for a full description of the conditions.

Conditions For Processing Sensitive Personal Data

Sensitive personal data should only be processed if one or more of the following conditions have been met:

• explicit consent

• to perform any right or obligation under employment law

• to protect vital interests of the data subject or another person

• where the data have been made public by the individual

• in connection with legal proceedings

• for the administration of justice / statutory functions including Tynwald, Council or the Keys

• any other purposes specified by Council of Ministers

Consent

One of the most frequently used conditions for both personal data and sensitive personal data is consent.

Consent can be achieved if it has been freely given for a specific purpose and to which the individual, having been informed of the purpose, signifies agreement. In relation to sensitive personal data, consent must also be explicit and absolutely clear.

Some form of active communication is required. Consent cannot be inferred from a non-response.

Consent can be obtained by the use of a fair processing notice coupled with an appropriate response.

 
banner
 

Material on the Data Protection Supervisor's site is independent of that hosted by the Isle of Man Government and is protected by copyright. The copyright owner is the Isle of Man Data Protection Supervisor. You may not make alterations or additions to the material on this site, or sell it or misappropriate it. Material may be downloaded or copied for personal use. However, appropriate acknowledgement of the copyright owner is required if material is re-published in any format.