The Data Protection Act requires you to ensure you only collect the personal data you need for the purposes you have specified. You are also required to ensure that the personal data you collect is sufficient for the purpose for which it was collected.
These requirements of data adequacy and data minimisation are covered by principle 3 of the Data Protection Act. It is the first of three principles, along with principles 4 and 5, covering information standards.
In brief – what does the Data Protection Act say about the amount of personal data you may hold?
The Act says that:
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
This is the third data protection principle. In practice, it means you should ensure that:
- you hold personal data about an individual that is sufficient for the purpose you are holding it for in relation to that individual; and
- you do not hold more information than you need for that purpose.
So you should identify the minimum amount of personal data you need to properly fulfil your purpose. You should hold that much information, but no more. This is part of the practice known as “data minimisation”.
In more detail…
What is meant by “adequate, relevant and not excessive”?
The Data Protection Act does not define these words. Clearly, though, they need to be considered:
- in the context of the purpose for which you are holding the personal data; and
- separately for each individual you hold information about (or for each group of individuals where the individuals in the group share relevant characteristics).
So, to assess whether you are holding the right amount of personal data, you must first be clear about why you are holding and using it. You should take into account that this may differ from one individual to another.
When is an organisation holding too much personal data?
You should not hold more personal data than you need. Nor should the data you hold include irrelevant details.
A debt collection agency is engaged to find a particular debtor. It collects information on several people with a similar name to the debtor. During the enquiry some of these people are discounted. The agency should delete most of their personal data, keeping only the minimum data needed to form a basic record of a person they have removed from their search. It is appropriate to keep this small amount of information so that these people are not contacted again about debts which do not belong to them.
Where sensitive personal data is concerned, it is particularly important to make sure you collect or retain only the minimum amount of information you need.
If you need to hold particular information about certain individuals only, you should collect it just for those individuals – the information is likely to be excessive and irrelevant in relation to other people.
A recruitment agency places workers in a variety of jobs. It sends applicants a general questionnaire, which includes specific questions about health conditions that are only relevant to particular manual occupations. It would be irrelevant and excessive to obtain such information from an individual who was applying for an office job.
An employer holds details of the blood groups of all its employees. Some of them do hazardous work and the information is needed in case of accident. For the rest of the workforce, though, such information is likely to be irrelevant and excessive.
You should not hold personal data on the off-chance that it might be useful in the future. However, it is permissible to hold information for a foreseeable event that may never occur, as in the above example about blood groups.
When is an organisation holding insufficient personal data?
Personal data should not be processed if it is insufficient for its intended purpose.
A CCTV system is installed to identify individuals entering and leaving a building. However, the quality of the CCTV images is so poor that identification is difficult. This undermines the purpose for which the CCTV system was installed.
In some circumstances you may need to collect more personal data than you had originally anticipated using, so that you have enough information for the purpose in question.
A group of individuals set up a club. At the outset the club has only a handful of members, who all know each other, and the club’s activities are administered using only basic information about the members’ names and email addresses. The club proves to be very popular and its membership grows rapidly. It becomes necessary to collect additional information about members so that the club can identify them properly, and so that it can keep track of their membership status, subscription payments etc.
What about the adequacy and relevance of opinions?
The Data Protection Act does not give individuals the right to demand that you delete an opinion about them from your records because they believe it is based on irrelevant information, or has not taken account of information they think is important. However, the record of an opinion (or of the context it is held in) should contain enough information to enable a reader to interpret it correctly. For example, it should state the date and the author’s name and position. If an opinion is likely to be controversial or very sensitive, or if it will have a significant impact when used or disclosed, it is even more important to state the circumstances or the evidence it is based on. If a record contains an opinion that summarises more detailed records held elsewhere, this should be made clear.
A GP’s record may hold only a letter from a consultant and it will be the hospital file that contains greater detail. In this case, the record of the consultant’s opinion should contain enough information to enable the more detailed records to be traced.
For information about the accuracy of opinions, see Keeping personal data accurate and up to date.