My attempt at simplifying the Data Protection Act.


Principle 3

Only get data you need

What the Act says

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed

What this means

Principle 3 is one of the simpler principles. Each time you do something with personal data (i.e. whenever you are processing it) you need to make sure you process only the minimum amount of data required, and no more.

A common misconception is that this principle is only about the point at which you initially collect data. Although it is important to collect only the data you need, it’s also important that each time you do something with the personal data you hold, you work out whether all the data you’re about to process is actually needed for that purpose.

A really good example of a breach of principle 3 was the now-infamous incident when the Inland Revenue ‘lost’ the two CDs that it sent to the National Audit Office (NAO). The NAO had actually asked for only a sub-set of the data for each person, but it was easier for the Inland Revenue to send it all. So although the CDs included the data that were adequate and relevant, they also carried data that were irrelevant and certainly excessive.

How to test

Remember, to comply with the Act you should test every processing operation on every item of data against all eight principles.

The third data protection principle gives these two tests:

  1. Do you need any of this person’s data for the processing you are doing?
  2. Do you need this particular item of personal data?

Database people might like to think about the test this way:

  1. Do I need this Record / Row in the data?
  2. Do I need to include this Field / Column in the data?
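The two database-flavoured tests above can be applied mechanically to an extract. The example below is added here and is not code from the original page: it builds a small constructed "staff" table (the table and column names, and every record in it, are invented for illustration), contrasts the "easier to send it all" approach with an extract that keeps only the rows matching the stated purpose (test 1) and only the fields the recipient asked for (test 2), and rejects any requested field that is not in the known schema.

```python
"""Added example: applying the Principle 3 row and column tests to a
database extract. Table, column names and records are all constructed."""
import sqlite3

# Constructed sample data: a table that holds more about each person than
# any single recipient is likely to need.
COLUMNS = ["id", "name", "dob", "ni_number", "address", "salary", "department"]
SAMPLE_ROWS = [
    (1, "Alice", "1980-01-02", "AB123456C", "12 High St", 41000, "IT"),
    (2, "Bob",   "1975-05-06", "CD234567D", "3 Low Rd",   38000, "Finance"),
    (3, "Carol", "1990-09-10", "EF345678E", "9 Mid Ln",   52000, "IT"),
]


def build_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE staff (id INTEGER, name TEXT, dob TEXT, ni_number TEXT, "
        "address TEXT, salary INTEGER, department TEXT)"
    )
    conn.executemany("INSERT INTO staff VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def send_everything(conn):
    """The 'easier to send it all' extract: every row and every column."""
    return conn.execute("SELECT * FROM staff").fetchall()


def minimised_extract(conn, needed_columns, department=None):
    """Apply both tests before anything leaves the database.

    Test 2 (columns): only fields named in the stated need are selected, and
    each name is checked against the known schema, so an unexpected or
    malformed field name is refused rather than spliced into the query.
    Test 1 (rows): if the purpose concerns one department, only that
    department's records are returned (passed as a bound parameter).
    """
    if not needed_columns:
        raise ValueError("no columns requested; there is nothing to extract")
    unknown = [c for c in needed_columns if c not in COLUMNS]
    if unknown:
        raise ValueError(f"columns not in the schema: {unknown}")
    cols = ", ".join(needed_columns)  # safe: every name was validated above
    if department is None:
        return conn.execute(f"SELECT {cols} FROM staff").fetchall()
    return conn.execute(
        f"SELECT {cols} FROM staff WHERE department = ?", (department,)
    ).fetchall()


def excess_items(full_rows, extract_rows):
    """Count the individual data items sent beyond the stated need: a rough
    measure of how 'excessive' the full extract would have been."""
    return sum(len(r) for r in full_rows) - sum(len(r) for r in extract_rows)


if __name__ == "__main__":
    conn = build_db()
    everything = send_everything(conn)
    needed = minimised_extract(conn, ["name", "ni_number"], department="IT")
    print("full extract:", everything)
    print("minimised extract:", needed)
    print("excess items avoided:", excess_items(everything, needed))
```

The point of validating the column names is that the allow-list is the record of what was judged adequate and relevant; anything not on it is refused outright rather than quietly included because it happened to be in the table.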

Disclaimer: This is general information only and I’ve tried to simplify the major parts of the Act to make it easy (I hope) to understand. This isn’t legal advice and it isn’t specific advice for you. If you’re looking for help with DPA and Information Security compliance then please contact me.