(1) This Chapter sets out the six data protection principles as follows -
(a) section 35(1) sets out the first data protection principle (requirement that processing be lawful and fair);
(b) section 36(1) sets out the second data protection principle (requirement that purposes of processing be specified, explicit and legitimate);
(c) section 37 sets out the third data protection principle (requirement that personal data be adequate, relevant and not excessive);
(d) section 38(1) sets out the fourth data protection principle (requirement that personal data be accurate and kept up to date);
(e) section 39(1) sets out the fifth data protection principle (requirement that personal data be kept for no longer than is necessary);
(f) section 40 sets out the sixth data protection principle (requirement that personal data be processed in a secure manner).
(2) In addition -
(a) each of sections 35, 36, 38 and 39 makes provision to supplement the principle to which it relates, and
…