third principle of the data protection act, 1998 (uk)

THIRD PRINCIPLE OF THE DATA PROTECTION ACT, 1998 Vishnu Kesarwani IMS2007011 Bipin Kumar Ray IMS2007043 2nd Semester MS (Cyber Law & Information Security) IIIT-Allahabad

Upload: vishnu-kesarwani

Post on 18-May-2015

TRANSCRIPT

Page 1: Third Principle Of The Data Protection Act, 1998 (Uk)

THIRD PRINCIPLE

OF

THE DATA PROTECTION ACT, 1998

Vishnu Kesarwani

IMS2007011

Bipin Kumar Ray

IMS2007043

2nd Semester

MS (Cyber Law & Information Security)

IIIT-Allahabad

Page 2: Third Principle Of The Data Protection Act, 1998 (Uk)

History

• The Report of the Committee on Privacy (The Younger Report, 1972):

“(c) There should be minimum holding of Data for specified Purposes”.

• The Report of the Committee on Data Protection (The Lindop Report, 1978):

In the interest of data subjects: “Personal data handled should be accurate and complete, and relevant and timely for the purpose for which they are used”

Page 3: Third Principle Of The Data Protection Act, 1998 (Uk)

Contd…

• OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 1980:

Part Two (Basic Principles of National Application), Collection Limitation Principle, Paragraph 8:

“8. Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.”

• The Council of Europe Convention, 1981:

“Personal data should be adequate relevant and not excessive in relation to the purposes to which the data are stored”

Page 4: Third Principle Of The Data Protection Act, 1998 (Uk)

Contd…

• The Data Protection Act, 1984:

“Personal data should be adequate, relevant and not excessive in relation to those purposes.”

• Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data:

CHAPTER II, SECTION I - PRINCIPLES RELATING TO DATA QUALITY, Article 6(1)(c) states:

“Member States shall provide that personal data must be… adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed.”

Page 5: Third Principle Of The Data Protection Act, 1998 (Uk)

Third Principle

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

Page 6: Third Principle Of The Data Protection Act, 1998 (Uk)

Key Words

• Personal Data

• Adequate

• Relevant

• Processing

Page 7: Third Principle Of The Data Protection Act, 1998 (Uk)

Personal Data

According to Section 1(1) of the Data Protection Act, 1998:

“Personal data” means data which relate to a living individual who can be identified—

(a) from those data, or

(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,

and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;

Page 8: Third Principle Of The Data Protection Act, 1998 (Uk)

Contd…

• What determines whether data relate to an individual?

- A question of fact
- Data related to two or more people
- Information in a business capacity
- Legal entities

• Does the Act only relate to living individuals?

Yes

• The individual must be capable of being identified. How does the Commissioner approach this issue?

An individual may be “identified” without necessarily knowing the name and address of that particular individual.

Page 9: Third Principle Of The Data Protection Act, 1998 (Uk)

Contd…

It is sufficient if the data are capable of being processed by the data controller to enable the data controller to distinguish the data subject from any other individual.

an individual to be identified from data together with information “likely to come into the possession” of the data controller.

• What is meant by the expression “possession” in this context?

Possession does not necessarily mean that the identifying data are in the physical control of the data controller, or likely to come under his physical control.

Page 10: Third Principle Of The Data Protection Act, 1998 (Uk)

Contd…

This includes:

• Names
• Birthdays
• Anniversary dates
• Addresses
• Telephone numbers
• Fax numbers
• E-mail addresses, etc.

It only applies to data which is held, or intended to be held, on computers or held in a relevant filing system.

Page 11: Third Principle Of The Data Protection Act, 1998 (Uk)

Adequate

Meaning:

• Sufficient

• Equal to what is required

• Suitable to the case or occasion

Page 12: Third Principle Of The Data Protection Act, 1998 (Uk)

Relevant

Meaning :

• One fact is said to be relevant to another when the one is connected with the other in any of the ways

• Having a bearing on or connection with the matter at hand

Page 13: Third Principle Of The Data Protection Act, 1998 (Uk)

Processing

According to Section 1(1) of the Data Protection Act, 1998:

“Processing”, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including—

(a) organization, adaptation or alteration of the information or data,

(b) retrieval, consultation or use of the information or data,

(c) disclosure of the information or data by transmission, dissemination or otherwise making available, or

(d) alignment, combination, blocking, erasure or destruction of the information or data;

Page 14: Third Principle Of The Data Protection Act, 1998 (Uk)

Interpretation

• The amount and nature of personal information held by the data controller must be actually necessary in relation to the carrying out of the stated purpose of the data processing.

• The information gathered and held:

- must not be excessive, and
- must be relevant to the stated purpose.

• The processing of personal data must not exceed what may be objectively necessary.

Page 15: Third Principle Of The Data Protection Act, 1998 (Uk)

Contd…

• The data controller must hold the minimum amount of information which enables the task to be performed.

• The data controller must regularly review the information, as information which was adequate may no longer be adequate and may in fact be excessive.

• It is not acceptable to hold information on the basis that it will be useful in the future.

• This principle imposes an obligation on the data controller that the information collected must be adequate and relevant to fulfill the purpose for which it was collected.

Page 16: Third Principle Of The Data Protection Act, 1998 (Uk)

Contd…

• It must not be excessive in relation to the proposed use in question, irrespective of whether the information may be useful in the future.

Example: Collecting the email addresses of students in order to contact them regarding a lecture series will be considered relevant and adequate. But collecting their dates of birth for this purpose will be considered excessive.

Page 17: Third Principle Of The Data Protection Act, 1998 (Uk)

Some Facts

According to the Data Protection Act 1998: Legal Guidance

• Changes in circumstances or failure to keep the information up to date may mean that information that was originally adequate becomes inadequate.

• If the data are kept for longer than necessary then they may well be both irrelevant and excessive.

• In most cases, data controllers should be able to remedy possible breaches of the Principle by the erasure or addition of particular items of personal data so that the information is no longer excessive, inadequate, or irrelevant.

Page 18: Third Principle Of The Data Protection Act, 1998 (Uk)

Contd…

• Data controllers should seek to identify the minimum amount of information that is required in order properly to fulfill their purpose and this will be a question of fact in each case.

• If it is necessary to hold additional information about certain individuals, such information should only be collected and recorded in those cases.

Page 19: Third Principle Of The Data Protection Act, 1998 (Uk)

Cases

Community Charge Registration Officer of Runnymede Borough Council

v.

Data Protection Registrar

(Case DA/90, 24/49/3 October 27, 1990)

The Tribunal was asked to consider whether the holding by community charge registration officers of information about property types (i.e. whether the property was a flat, bungalow, caravan, etc.) as part of the community charge register was excessive. The Tribunal found it was. They found this to be the case even though there was unlikely to be any prejudice to the data subjects. They took the view that public bodies which had the power to oblige people to provide personal information were under a particular onus to ensure that the information demanded was always adequate, relevant and not excessive.

Page 20: Third Principle Of The Data Protection Act, 1998 (Uk)

Cases

Community Charge Registration Officer of Runnymede Borough Council

v.

Data Protection Registrar

(Case DA/90, 25/49/3 October 11, 1990)

The Tribunal upheld a similar approach taken with respect to the holding of dates of birth. It was accepted, however, that the holding of dates of birth could be relevant in respect of those persons who would shortly become eligible to vote at the age of 18.

Page 21: Third Principle Of The Data Protection Act, 1998 (Uk)

The data controller should consider for all data :

• The number of individuals on whom information is held
• The number of individuals for whom it is used
• The nature of the personal data
• The length of time it is held
• The way it was obtained
• The possible consequences for individuals of the holding or erasure of the data
• The way in which it is used
• The purpose for which it is held

Page 22: Third Principle Of The Data Protection Act, 1998 (Uk)

References

• The Data Protection Act, 1998

• Data Protection Act 1998: Legal Guidance; available from http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/data_protection_act_legal_guidance.pdf

• Hamilton, Angus and Jay, Rosemary, Data Protection Act 1998 (UK: Sweet & Maxwell, 1999)

Page 23: Third Principle Of The Data Protection Act, 1998 (Uk)

THANKS