How do the data protection principles help us avoid accidental breaches?

You are responsible for complying with your obligations under the UK GDPR and Data Protection Act 2018 (DPA 2018) and, where relevant, other information rights legislation, including the Freedom of Information Act 2000 (FOIA). Whilst we make every effort to make sure this guidance is accurate at the time of publication (31 July 2025), we make no guarantees or representations that it will remain up-to-date or ensure compliance. Where appropriate, seek further guidance or advice before disclosing information in the specific circumstances. If you would like to suggest improvements to this guidance, please leave us feedback.

What is the principle to minimise personal information?

Minimising personal information is one of the seven key data protection principles in the UK GDPR. It says you must make sure the personal information you use is: 

  • adequate for your purpose;
  • relevant for that purpose; and
  • limited to what is necessary to achieve that purpose. 

What is the principle to limit how long you keep personal information?

Limiting how long you keep personal information is a data protection principle. It says you must keep personal information only for as long as you need it. You should periodically review it, as appropriate, and delete or anonymise it when you no longer need it.

What is the security principle?

The integrity and confidentiality principle, more commonly known as the security principle, is one of the data protection principles. It says you must have appropriate measures in place to keep personal information secure. This includes protecting it against unauthorised or unlawful use, and accidental loss, destruction or damage. You should assess the risks of what you do with personal information and the availability and cost of security solutions. 

What is the accountability principle?

Accountability is also one of the data protection principles. It says you must make sure (and be able to demonstrate) that your use of personal information complies with each of the data protection principles. 

How does complying with the principles help us avoid accidental breaches?

There will always be some risk of accidental breaches when working with people. However, taking a proactive and systematic approach to information governance, accountability and security reduces the risk considerably. 

You reduce the risk of disclosing personal information accidentally by making sure you do not use too much information for your purpose. For example, if you are responding to a request for information, there is less chance of an accidental breach if you extract only the information you need from a larger dataset. You also reduce the risk of accidental breaches when you delete or anonymise personal information once you no longer need it. 

To comply with the security and accountability principles, you must implement appropriate data protection measures, which will strengthen your overall compliance and reduce the risk of disclosing personal information accidentally. For example, you must implement data protection policies and procedures, where appropriate and proportionate. 

You should provide induction and regular refresher training about data protection for all staff and specialised training, where needed (eg for staff responding to information requests). If legally required, you must also employ a Data Protection Officer.

To comply with the security principle, you must implement organisational and technical measures aligned to the risk of what you are doing with personal information. This covers physical and cybersecurity measures, such as restricting access to offices and networks. Organisational measures include security policies, procedures and training. For example, you could implement policies and procedures to help you manage information risk and investigate security breaches appropriately, including helping staff understand how to report breaches internally and to us, when required (see What do we do if there is a breach?).