In our last blog, we began our exploration of the eight Data Protection Principles (DPPs) established under the Data Protection Act 1998 (DPA). We looked at the first DPP in terms of its requirement for fair and lawful processing and the Conditions for Processing that must be met. Today we’ll look at the second and third DPPs that require that Personal Information be used only for ‘specified purposes’ and that it is ‘adequate’, ‘relevant’ and ‘not excessive’ for those purposes.
No2: Fit for purpose?
In the data protection world the specified purpose is the lynchpin upon which all the other requirements hang and against which compliance is determined, so it’s of paramount importance that you identify a legitimate purpose (NB: ‘just in case’ is neither a legitimate purpose nor a Condition for processing!). A legitimate purpose would include the provision of a service or compliance with a legal obligation, and if you are required to be registered with the ICO as a data controller, you will have to list your specific purposes on your Register entry. Having identified your purposes, you must not use the personal information in any way that might be considered ‘incompatible’ with those purposes. This actually provides you with some flexibility, because implicit within this direction is a sanction to use the personal information for other purposes as long as they are compatible with the original purpose.
If you think about this in terms of expectation, you can begin to see how this ties in with your fair processing. Nothing should happen with my personal information that I’ve not been made aware of beforehand: I should never be surprised. If I am ever surprised, then it’s likely the use is incompatible and therefore unexpected, and your fair processing is not fit for purpose!
No3: The Goldilocks Principle!
The third DPP requires that the personal information used is adequate, relevant and not excessive ‘in relation to the purpose(s) for processing’. Here we see the lynchpin in action as the means by which adequacy, relevance and excess are determined. Essentially, for every piece of personal information you use there is a risk attached, so you need to make sure you use only that which you need for the function of your organisation, and it should be relevant to that function. If you find that you are collecting personal information that you don’t need specifically for that function, then it is likely to be excessive and, as a result, to breach the third DPP.
A very common example of excessiveness is where a form of ID is photocopied and kept as verification of identity for a subject access request. This is neither necessary nor relevant personal information for the function of the organisation, so it is likely to be excessive. A simple tick box and a note of which form of ID was presented would suffice. So, the next time you ask for some personal information, think of Goldilocks and make sure it’s not too much, not too little, but just right ‘for the purposes’!
Maureen H Falconer is Regional Manager – Scotland for the Information Commissioner’s Office