Third Principle Of The Data Protection Act, 1998 (Uk)
1. THIRD PRINCIPLE
OF
THE DATA PROTECTION ACT, 1998
Vishnu Kesarwani
IMS2007011
Bipin Kumar Ray
IMS2007043
2nd Semester
MS (Cyber Law & Information Security)
IIIT-Allahabad
2. History
„ The Report of the Committee on Privacy (The Younger Report, 1972) :
“(c) There should be minimum holding of Data for specified Purposes”.
„ The Report of the Committee on Data Protection (The Lindop Report,
1978):
In the interest of data subjects:
“Personal data handled should be accurate and complete, and relevant and timely
for the purpose for which they are used”
3. Contd…
„ OECD Guidelines on the Protection of Privacy and Transborder Flows
of Personal Data, 1980 :
Part Two ( Basic Principles of National Application),
Collection Limitation Principle,
Paragraph 8 :
“8. Personal data should be relevant to the purposes for which they are to be
used, and, to the extent necessary for those purposes, should be accurate,
complete and kept up-to-date.”
„ The Council of Europe Convention, 1981:
“Personal data should be adequate relevant and not excessive in relation to
the purposes to which the data are stored”
4. Contd…
„ The Data Protection Act, 1984:
“Personal data should be adequate, relevant and not excessive in relation to
those purposes.”
„ Directive 95/46/EC of the European Parliament and of the Council of
24 October 1995 on the protection of individuals with regard to the
processing of personal data and on the free movement of such data:
CHAPTER II, SECTION I - PRINCIPLES RELATING TO DATA
QUALITY
Article 6(1)(c) stats :
“Member States shall provide that personal data must be… adequate,
relevant and not excessive in relation to the purposes for which they are
collected and/or further processed.”
5. Third Principle
Personal data shall be adequate, relevant and not
excessive in relation to the purpose or purposes
for which they are processed.
7. Personal Data
According to Section 1(1) of the Data Protection Act, 1998 :
“Personal data” means data which relate to a living individual who can
be identified†
(a) from those data, or
(b) from those data and other information which is in the possession of,
or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any
indication of the intentions of the data controller or any other person in
respect of the individual;
8. Contd…
„ What determines whether data relate to an individual?
A question of fact
Data related to two or more people
Information in a business capacity
legal entities
„ Does the Act only relate to living individuals?
Yes
„ The individual must be capable of being identified. How does the
Commissioner approach this issue?
An individual may be “identified” without necessarily knowing the
name and address of that particular individual.
9. Contd…
It is sufficient if the data are capable of being processed by the data controller to
enable the data controller to distinguish the data subject from any other
individual.
an individual to be identified from data together with information “likely to
come into the possession” of the data controller.
„ What is meant by the expression “possession” in this context?
possession does not necessarily mean that the identifying data are in the physical
control of the data controller, or likely to come under his physical control
10. Contd…
This includes
„ Names,
„ Birthday
„ Anniversary dates,
„ Addresses,
„ Telephone numbers,
„ Fax numbers,
„ e-mail addresses etc.
It only applies to that data which is held, or intended to be held, on
computers or held in a relevant felling
12. Relevant
Meaning :
„ One fact is said to be relevant to another when the one is
connected with the other in any of the ways
„ Having a bearing on or connection with the matter at
hand
13. Processing
According to Section 1(1) of the Data Protection Act, 1998 :
“Processing”, in relation to information or data, means obtaining, recording or
holding the information or data or carrying out any operation or set of
operations on the information or data, including—
(a) organization, adaptation or alteration of the information or data,
(b) retrieval, consultation or use of the information or data,
(c) disclosure of the information or data by transmission, dissemination or
otherwise making available, or
(d) alignment, combination, blocking, erasure or destruction of the
information or data;
14. Interpretation
„ The amount and nature of personal information held by the data
controller is actually necessary in relation to the carrying out of the
stated purpose of the data processing
„ The information gathered and held
‟ must not be excessive and
‟ must be relevant to the Stated purpose.
„ The processing of personal data must not exceed what may be
objectively necessary.
15. Contd…
• Must hold the minimum amount of information which enables the
task to be performed
• Must regularly seek to review the information as that which was
adequate, may no longer be adequate and in fact be excessive
• Not acceptable to hold information on the basis it will be useful in
the future
• This principle imposes an obligation on the data controller that the
information collected must be adequate and relevant to fulfill the
purpose for which it was collected
16. Contd…
„ It must not be excessive in relation to the proposed used in
question irrespective of whether the information is useful in the
future.
Example :
Collecting the email addresses of students in order to contact
them regarding a lecture series will be considered as relevant
and adequate. But collecting their dates of birth for this purpose
will be considered excessive.
17. Some Facts
According to the Data Protection Act 1998: Legal Guidance
„ Changes in circumstances or failure to keep the information up to date may
mean that information that was originally adequate becomes inadequate.
„ If the data are kept for longer than necessary then they may well be both
irrelevant and excessive.
„ In most cases, data controllers should be able to remedy possible breaches of
the Principle by the erasure or addition of particular items of personal data so
that the information is no longer excessive, inadequate, or irrelevant.
18. Contd…
„ Data controllers should seek to identify the minimum
amount of information that is required in order properly to
fulfill their purpose and this will be a question of fact in
each case.
„ If it is necessary to hold additional information about
certain individuals, such information should only be
collected and recorded in those cases.
19. Cases
Community Charge Registration Officer of Runnymede Borough Council
v.
Data Protection Registrar
( Case DA/90, 24/49/3 October 27, 1990)
The Tribunal was asked to consider whether the holding by community charge
registration officers of information about property types ( i.e. whether the
property was a flat, bungalow, caravan, etc.) as part of the community charge
register. The Tribunal found it was. They found this be the case even though
there was unlikely to be any prejudice to the data subjects. They took the view
public bodies which had the power to oblige people to provide personal
information were under a particular onus to ensure that the information
demanded was always adequate relevant and not excessive.
20. Cases
Community Charge Registration Officer of Runnymede Borough Council
v.
Data Protection Registrar
( Case DA/90, 25/49/3 October 11, 1990)
The Tribunal upheld a similar approach taken with respect to the holding of dates of
birth. It was accepted, however, that the holding of dates of birth could be
relevant in respect of those persons who would shortly become eligible to vote
the age of 18.
21. The data controller should consider for all data :
The number of individuals on whom information is held
The number of individuals for whom it is used
The nature of the personal data
The length of time it is held
The way it was obtained
The possible consequences for individuals of the holding or
erasure of the data
The way in which it is used
The purpose for which it is held
22. References
„ THE DATA PROTECTION ACT, 1998
„ Data Protection Act 1998: Legal Guidance; available from
http://www.ico.gov.uk/upload/documents/library/data_protecti
on/detailed_specialist_guides/data_protection_act_legal_guida
nce.pdf
„ Hamilton, Angus and Jay, Rosemary, Data Protection Act 1998
(UK: Sweet & Maxwell, 1999)