0
THIRD PRINCIPLE
             OF
THE DATA PROTECTION ACT, 1998
                           Vishnu Kesarwani
                ...
History

„ The Report of the Committee on Privacy (The Younger Report, 1972) :

   “(c) There should be minimum holding of...
Contd…
„ OECD Guidelines on the Protection of Privacy and Transborder Flows
  of Personal Data, 1980 :
  Part Two ( Basic ...
Contd…
„ The Data Protection Act, 1984:
  “Personal data should be adequate, relevant and not excessive in relation to
  t...
Third Principle


Personal data shall be adequate, relevant and not
 excessive in relation to the purpose or purposes
    ...
Key Words
„ Personal Data

„ Adequate

„ Relevant

„ Processing
Personal Data
According to Section 1(1) of the Data Protection Act, 1998 :

“Personal data” means data which relate to a l...
Contd…
„ What determines whether data relate to an individual?
   A question of fact
   Data related to two or more peop...
Contd…
   It is sufficient if the data are capable of being processed by the data controller to
   enable the data control...
Contd…
This includes
„ Names,
„ Birthday
„ Anniversary dates,
„ Addresses,
„ Telephone numbers,
„ Fax numbers,
„ e-mail ad...
Adequate
Meaning :
„ Sufficient
„ equal to what is required

„ suitable to the case or occasion
Relevant
Meaning :

„ One fact is said to be relevant to another when the one is
  connected with the other in any of the ...
Processing
According to Section 1(1) of the Data Protection Act, 1998 :
“Processing”, in relation to information or data, ...
Interpretation
„ The amount and nature of personal information held by the data
  controller is actually necessary in rela...
Contd…
• Must hold the minimum amount of information which enables the
  task to be performed
• Must regularly seek to rev...
Contd…
„ It must not be excessive in relation to the proposed used in
  question irrespective of whether the information i...
Some Facts
According to the Data Protection Act 1998: Legal Guidance
    „ Changes in circumstances or failure to keep the...
Contd…
 „ Data controllers should seek to identify the minimum
   amount of information that is required in order properly...
Cases
   Community Charge Registration Officer of Runnymede Borough Council
                                          v.
 ...
Cases
   Community Charge Registration Officer of Runnymede Borough Council
                                   v.
        ...
The data controller should consider for all data :
   The number of individuals on whom information is held
    The numb...
References
„ THE DATA PROTECTION ACT, 1998
„ Data Protection Act 1998: Legal Guidance; available from
  http://www.ico.gov...
THANKS
Upcoming SlideShare
Loading in...5
×

Third Principle Of The Data Protection Act, 1998 (Uk)

1,094

Published on

Published in: Technology, Business
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,094
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
14
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Transcript of "Third Principle Of The Data Protection Act, 1998 (Uk)"

  1. 1. THIRD PRINCIPLE OF THE DATA PROTECTION ACT, 1998 Vishnu Kesarwani IMS2007011 Bipin Kumar Ray IMS2007043 2nd Semester MS (Cyber Law & Information Security) IIIT-Allahabad
  2. 2. History „ The Report of the Committee on Privacy (The Younger Report, 1972) : “(c) There should be minimum holding of Data for specified Purposes”. „ The Report of the Committee on Data Protection (The Lindop Report, 1978): In the interest of data subjects: “Personal data handled should be accurate and complete, and relevant and timely for the purpose for which they are used”
  3. 3. Contd… „ OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 1980 : Part Two ( Basic Principles of National Application), Collection Limitation Principle, Paragraph 8 : “8. Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.” „ The Council of Europe Convention, 1981: “Personal data should be adequate relevant and not excessive in relation to the purposes to which the data are stored”
  4. 4. Contd… „ The Data Protection Act, 1984: “Personal data should be adequate, relevant and not excessive in relation to those purposes.” „ Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data: CHAPTER II, SECTION I - PRINCIPLES RELATING TO DATA QUALITY Article 6(1)(c) stats : “Member States shall provide that personal data must be… adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed.”
  5. 5. Third Principle Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  6. 6. Key Words „ Personal Data „ Adequate „ Relevant „ Processing
  7. 7. Personal Data According to Section 1(1) of the Data Protection Act, 1998 : “Personal data” means data which relate to a living individual who can be identified† (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;
  8. 8. Contd… „ What determines whether data relate to an individual? A question of fact Data related to two or more people Information in a business capacity legal entities „ Does the Act only relate to living individuals? Yes „ The individual must be capable of being identified. How does the Commissioner approach this issue? An individual may be “identified” without necessarily knowing the name and address of that particular individual.
  9. 9. Contd… It is sufficient if the data are capable of being processed by the data controller to enable the data controller to distinguish the data subject from any other individual. an individual to be identified from data together with information “likely to come into the possession” of the data controller. „ What is meant by the expression “possession” in this context? possession does not necessarily mean that the identifying data are in the physical control of the data controller, or likely to come under his physical control
  10. 10. Contd… This includes „ Names, „ Birthday „ Anniversary dates, „ Addresses, „ Telephone numbers, „ Fax numbers, „ e-mail addresses etc. It only applies to that data which is held, or intended to be held, on computers or held in a relevant felling
  11. 11. Adequate Meaning : „ Sufficient „ equal to what is required „ suitable to the case or occasion
  12. 12. Relevant Meaning : „ One fact is said to be relevant to another when the one is connected with the other in any of the ways „ Having a bearing on or connection with the matter at hand
  13. 13. Processing According to Section 1(1) of the Data Protection Act, 1998 : “Processing”, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including— (a) organization, adaptation or alteration of the information or data, (b) retrieval, consultation or use of the information or data, (c) disclosure of the information or data by transmission, dissemination or otherwise making available, or (d) alignment, combination, blocking, erasure or destruction of the information or data;
  14. 14. Interpretation „ The amount and nature of personal information held by the data controller is actually necessary in relation to the carrying out of the stated purpose of the data processing „ The information gathered and held ‟ must not be excessive and ‟ must be relevant to the Stated purpose. „ The processing of personal data must not exceed what may be objectively necessary.
  15. 15. Contd… • Must hold the minimum amount of information which enables the task to be performed • Must regularly seek to review the information as that which was adequate, may no longer be adequate and in fact be excessive • Not acceptable to hold information on the basis it will be useful in the future • This principle imposes an obligation on the data controller that the information collected must be adequate and relevant to fulfill the purpose for which it was collected
  16. 16. Contd… „ It must not be excessive in relation to the proposed used in question irrespective of whether the information is useful in the future. Example : Collecting the email addresses of students in order to contact them regarding a lecture series will be considered as relevant and adequate. But collecting their dates of birth for this purpose will be considered excessive.
  17. 17. Some Facts According to the Data Protection Act 1998: Legal Guidance „ Changes in circumstances or failure to keep the information up to date may mean that information that was originally adequate becomes inadequate. „ If the data are kept for longer than necessary then they may well be both irrelevant and excessive. „ In most cases, data controllers should be able to remedy possible breaches of the Principle by the erasure or addition of particular items of personal data so that the information is no longer excessive, inadequate, or irrelevant.
  18. 18. Contd… „ Data controllers should seek to identify the minimum amount of information that is required in order properly to fulfill their purpose and this will be a question of fact in each case. „ If it is necessary to hold additional information about certain individuals, such information should only be collected and recorded in those cases.
  19. 19. Cases Community Charge Registration Officer of Runnymede Borough Council v. Data Protection Registrar ( Case DA/90, 24/49/3 October 27, 1990) The Tribunal was asked to consider whether the holding by community charge registration officers of information about property types ( i.e. whether the property was a flat, bungalow, caravan, etc.) as part of the community charge register. The Tribunal found it was. They found this be the case even though there was unlikely to be any prejudice to the data subjects. They took the view public bodies which had the power to oblige people to provide personal information were under a particular onus to ensure that the information demanded was always adequate relevant and not excessive.
  20. 20. Cases Community Charge Registration Officer of Runnymede Borough Council v. Data Protection Registrar ( Case DA/90, 25/49/3 October 11, 1990) The Tribunal upheld a similar approach taken with respect to the holding of dates of birth. It was accepted, however, that the holding of dates of birth could be relevant in respect of those persons who would shortly become eligible to vote the age of 18.
  21. 21. The data controller should consider for all data : The number of individuals on whom information is held  The number of individuals for whom it is used  The nature of the personal data  The length of time it is held  The way it was obtained  The possible consequences for individuals of the holding or erasure of the data  The way in which it is used  The purpose for which it is held
  22. 22. References „ THE DATA PROTECTION ACT, 1998 „ Data Protection Act 1998: Legal Guidance; available from http://www.ico.gov.uk/upload/documents/library/data_protecti on/detailed_specialist_guides/data_protection_act_legal_guida nce.pdf „ Hamilton, Angus and Jay, Rosemary, Data Protection Act 1998 (UK: Sweet & Maxwell, 1999)
  23. 23. THANKS
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×