At a glance
You must ensure the personal data you are processing is:
- adequate – sufficient to properly fulfil your stated purpose;
- relevant – has a rational link to that purpose; and
- limited to what is necessary – you do not hold more than you need for that purpose.
☐ We only collect personal data we actually need for our specified purposes.
☐ We have sufficient personal data to properly fulfil those purposes.
☐ We periodically review the data we hold, and delete anything we don’t need.
- What’s new under the GDPR?
- What is the data minimisation principle?
- How do we decide what is adequate, relevant and limited?
- When could we be processing too much personal data?
- When could we be processing inadequate personal data?
- What about the adequacy and relevance of opinions?
Very little. The data minimisation principle is almost identical to the third principle (adequacy) of the 1998 Act.
The main difference in practice is that you must be prepared to demonstrate you have appropriate data minimisation practices in line with new accountability obligations, and there are links to the new rights of erasure and rectification.
Article 5(1)(c) says:
“1. Personal data shall be:
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)”
So you should identify the minimum amount of personal data you need to fulfil your purpose. You should hold that much information, but no more.
This is the first of three principles about data standards, along with accuracy and storage limitation.
The accountability principle means that you need to be able to demonstrate that you have appropriate processes to ensure that you only collect and hold the personal data you need.
Also bear in mind that the GDPR says individuals have the right to complete any incomplete data which is inadequate for your purpose, under the right to rectification. They also have right to get you to delete any data that is not necessary for your purpose, under the right to erasure (right to be forgotten).
The GDPR does not define these terms. Clearly, though, this will depend on your specified purpose for collecting and using the personal data. It may also differ from one individual to another.
So, to assess whether you are holding the right amount of personal data, you must first be clear about why you need it.
For special category data or criminal offence data, it is particularly important to make sure you collect and retain only the minimum amount of information.
You may need to consider this separately for each individual, or for each group of individuals sharing relevant characteristics. You should in particular consider any specific factors that an individual brings to your attention – for example, as part of an objection, request for rectification of incomplete data, or request for erasure of unnecessary data.
You should periodically review your processing to check that the personal data you hold is still relevant and adequate for your purposes, and delete anything you no longer need. This is closely linked with the storage limitation principle.
You should not have more personal data than you need to achieve your purpose. Nor should the data include irrelevant details.
A debt collection agency is engaged to find a particular debtor. It collects information on several people with a similar name to the debtor. During the enquiry some of these people are discounted. The agency should delete most of their personal data, keeping only the minimum data needed to form a basic record of a person they have removed from their search. It is appropriate to keep this small amount of information so that these people are not contacted again about debts which do not belong to them.
If you need to process particular information about certain individuals only, you should collect it just for those individuals – the information is likely to be excessive and irrelevant in relation to other people.
A recruitment agency places workers in a variety of jobs. It sends applicants a general questionnaire, which includes specific questions about health conditions that are only relevant to particular manual occupations. It would be irrelevant and excessive to obtain such information from an individual who was applying for an office job.
You must not collect personal data on the off-chance that it might be useful in the future. However, you may be able to hold information for a foreseeable event that may never occur if you can justify it.
An employer holds details of the blood groups of some of its employees. These employees do hazardous work and the information is needed in case of accident. The employer has in place safety procedures to help prevent accidents so it may be that this data is never needed, but it still needs to hold this information in case of emergency.
If the employer holds the blood groups of the rest of the workforce, though, such information is likely to be irrelevant and excessive as they do not engage in the same hazardous work.
If you are holding more data than is actually necessary for your purpose, this is likely to be unlawful (as most of the lawful bases have a necessity element) as well as a breach of the data minimisation principle. Individuals will also have the right to erasure.
If the processing you carry out is not helping you to achieve your purpose then the personal data you have is probably inadequate. You should not process personal data if it is insufficient for its intended purpose.
In some circumstances you may need to collect more personal data than you had originally anticipated using, so that you have enough information for the purpose in question.
A group of individuals set up a club. At the outset the club has only a handful of members, who all know each other, and the club’s activities are administered using only basic information about the members’ names and email addresses. The club proves to be very popular and its membership grows rapidly. It becomes necessary to collect additional information about members so that the club can identify them properly, and so that it can keep track of their membership status, subscription payments etc.
Data may also be inadequate if you are making decisions about someone based on an incomplete understanding of the facts. In particular, if an individual asks you to supplement incomplete data under their right to rectification, this could indicate that the data might be inadequate for your purpose.
Obviously it makes no business sense to have inadequate personal data – but you must be careful not to go too far the other way and collect more than you need.
A record of an opinion is not necessarily inadequate or irrelevant personal data just because the individual disagrees with it or thinks it has not taken account of information they think is important.
However, in order to be adequate, your records should make clear that it is opinion rather than fact. The record of the opinion (or of the context it is held in) should also contain enough information to enable a reader to interpret it correctly. For example, it should state the date and the author’s name and position.
If an opinion is likely to be controversial or very sensitive, or if it will have a significant impact when used or disclosed, it is even more important to state the circumstances or the evidence it is based on. If a record contains an opinion that summarises more detailed records held elsewhere, you should make this clear.
A GP's record may hold only a letter from a consultant and it will be the hospital file that contains greater detail. In this case, the record of the consultant’s opinion should contain enough information to enable detailed records to be traced.
For more information about the accuracy of opinions, see our guidance on the accuracy principle.