Principle (c): Data minimisation
What is the data minimisation principle?
Article 5(1)(c) says:
“1. Personal data shall be:
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)”
So you should identify the minimum amount of personal data you need to fulfil your purpose. You should hold that much information, but no more.
This is the first of three principles about data standards, along with accuracy and storage limitation.
The accountability principle means that you need to be able to demonstrate that you have appropriate processes to ensure that you only collect and hold the personal data you need.
Also bear in mind that the UK GDPR says individuals have the right to complete any incomplete data which is inadequate for your purpose, under the right to rectification. They also have right to get you to delete any data that is not necessary for your purpose, under the right to erasure (right to be forgotten).
How do we decide what is adequate, relevant and limited?
The UK GDPR does not define these terms. Clearly, though, this will depend on your specified purpose for collecting and using the personal data. It may also differ from one individual to another.
So, to assess whether you are holding the right amount of personal data, you must first be clear about why you need it.
For special category data or criminal offence data, it is particularly important to make sure you collect and retain only the minimum amount of information.
You may need to consider this separately for each individual, or for each group of individuals sharing relevant characteristics. You should in particular consider any specific factors that an individual brings to your attention – for example, as part of an objection, request for rectification of incomplete data, or request for erasure of unnecessary data.
You should periodically review your processing to check that the personal data you hold is still relevant and adequate for your purposes, and delete anything you no longer need. This is closely linked with the storage limitation principle.
When could we be processing too much personal data?
You should not have more personal data than you need to achieve your purpose. Nor should the data include irrelevant details.
If you need to process particular information about certain individuals only, you should collect it just for those individuals – the information is likely to be excessive and irrelevant in relation to other people.
You must not collect personal data on the off-chance that it might be useful in the future. However, you may be able to hold information for a foreseeable event that may never occur if you can justify it.
If you are holding more data than is actually necessary for your purpose, this is likely to be unlawful (as most of the lawful bases have a necessity element) as well as a breach of the data minimisation principle. Individuals will also have the right to erasure.
When could we be processing inadequate personal data?
If the processing you carry out is not helping you to achieve your purpose then the personal data you have is probably inadequate. You should not process personal data if it is insufficient for its intended purpose.
In some circumstances you may need to collect more personal data than you had originally anticipated using, so that you have enough information for the purpose in question.
Data may also be inadequate if you are making decisions about someone based on an incomplete understanding of the facts. In particular, if an individual asks you to supplement incomplete data under their right to rectification, this could indicate that the data might be inadequate for your purpose.
Obviously it makes no business sense to have inadequate personal data – but you must be careful not to go too far the other way and collect more than you need.
What about the adequacy and relevance of opinions?
A record of an opinion is not necessarily inadequate or irrelevant personal data just because the individual disagrees with it or thinks it has not taken account of information they think is important.
However, in order to be adequate, your records should make clear that it is opinion rather than fact. The record of the opinion (or of the context it is held in) should also contain enough information to enable a reader to interpret it correctly. For example, it should state the date and the author’s name and position.
If an opinion is likely to be controversial or very sensitive, or if it will have a significant impact when used or disclosed, it is even more important to state the circumstances or the evidence it is based on. If a record contains an opinion that summarises more detailed records held elsewhere, you should make this clear.
Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
Zlatko, Adam, Hristina, Marin.
As GDPR effect is growing day by day and a lot of companies are affected, we would like to present
ICO published the next chapter of the Anonymisation guidance draft : Anonymisation, pseudonymisation and privacy enhancing technologies guidance
How to ensure anonymisation is effective? The ICO is calling for views on its updated draft gui
A lot of companies are receiving SAR's almost every day. Not all of the SAR's are relevant and a lo