Controllers and processors
- A data controller is the person or organisation that decides why and how personal data is used.
- A data processor is the person or organisation that uses personal data on behalf of a controller.
Both controllers and processors are responsible for complying with the Freedom of Information and Data Protection Act 2026.
Lawful use of personal data
Personal data must only be used when there is a lawful reason to do so under the Freedom of Information and Data Protection Act 2026.
Personal data may be used when:
- The individual has given consent
- Use of the data is required by law
- Use of the data is necessary to carry out a statutory or public function
- Use of the data is necessary to protect vital interests
- Use of the data is necessary for legitimate interests and does not override fundamental rights
Public authorities must mainly rely on statutory or public interest reasons.
Data protection principles
When using personal data you must ensure that it is:
- Used lawfully, fairly and transparently
- Collected for specific and legitimate purposes
- Limited to what is necessary
- Accurate and kept up to date
- Kept only as long as needed
- Protected against unauthorised access or loss
Accountability and records
You must be able to show that you comply with the Freedom of Information and Data Protection Act 2026.
You should keep appropriate records of how personal data is used and protected.

