Data Protection Principles
Third Data Protection Principle - Data minimization
At a glance
You must ensure the personal data you are processing is:
- adequate – sufficient to properly fulfil your stated purpose;
- relevant – has a rational link to that purpose; and
- limited to what is necessary – you do not hold more than you need for that purpose.
Checklist
|
In brief
- What is the data minimization principle?
- How do you decide what is adequate, relevant and not excessive?
- When could you be processing too much personal data?
- When could you be processing inadequate personal data?
- What about the adequacy and relevance of opinions?
What is the data minimization principle?
The third data protection principle says:
You should identify the minimum amount of personal data you need to fulfil your purpose. You should process that much information, but no more.
This is the first of three principles about data standards, along with data accuracy and storage limitation.
When asked by the Ombudsman, you should be able to demonstrate that you have appropriate processes to ensure that you only collect and hold the personal data you need.
Also bear in mind that if your processing is excessive, you are less likely to benefit from the legal exemptions to the rights individuals have under Section 10 of the DPA, which allows individuals to require you to stop processing their personal data.
How do you decide what is adequate, relevant and not excessive?
The DPA does not define these terms. Clearly, though, this will depend on your specified purpose for collecting and using the personal data. It may also differ from one individual to another.
So, to assess whether you are holding the right amount of personal data, you must first be clear about why you need it.
For sensitive personal data, it is particularly important to make sure you collect and retain only the minimum amount of information.
You may need to consider this separately for each individual, or for each group of individuals sharing relevant characteristics. You should in particular consider any specific factors that an individual brings to your attention – for example, as part of an objection, request for rectification of incomplete data, or request for erasure of unnecessary data.
You should periodically review your processing to check that the personal data you hold is still relevant and adequate for your purposes, and delete anything you no longer need. This is closely linked with the storage limitation principle.
When could you be processing too much personal data?
You should not have more personal data than you need to achieve your purpose. Nor should the data include irrelevant details.
Example
A debt collection agency is engaged to find a particular debtor. It collects information on several people with a similar name to the debtor. During the enquiry some of these people are discounted. The agency should delete most of their personal data, keeping only the minimum data needed to form a basic record of a person they have removed from their search, if necessary. It may be appropriate to keep this small amount of information so that these people are not contacted again about debts which do not belong to them.
If you need to process particular information about certain individuals only, you should collect it just for those individuals – the information is likely to be excessive and irrelevant in relation to other people.
Example
A recruitment agency places workers in a variety of jobs. It sends applicants a general questionnaire, which includes specific questions about health conditions that are only relevant to particular manual occupations. It would be irrelevant and excessive to obtain such information from an individual who was applying for an office job.
You must not collect personal data on the off-chance that it might be useful in the future. However, you may be able to hold information for a foreseeable event that may never occur if you can justify it.
Example
An employer holds details of the blood groups of some of its employees. These employees do hazardous work and the information is needed in case of accident. The employer has in place safety procedures to help prevent accidents so it may be that this data is never needed, but it still needs to hold this information in case of emergency.
If the employer holds the blood groups of the rest of the workforce, though, such information is likely to be irrelevant and excessive as they do not engage in the same hazardous work.
If you are holding more data than is actually necessary for your purpose, this is likely to be unlawful (as most of the lawful bases have a necessity element) as well as a breach of the third data protection principle dealing with data minimization. Individuals will also have the right to demand that processing cease.
When could you be processing inadequate personal data?
If the processing you carry out is not helping you to achieve your purpose then the personal data you have is probably inadequate. You should avoid processing personal data if it is insufficient for its intended purpose. For example, a data controller should not make a decision which affects a data subject if the personal data in respect of that data subject is or may be incomplete.
In some circumstances you may need to collect more personal data than you had originally anticipated using, so that you have enough information for the purpose in question.
Example
A group of individuals set up a club. At the outset the club has only a handful of members, who all know each other, and the club’s activities are administered using only basic information about the members’ names and email addresses. The club proves to be very popular and its membership grows rapidly. It becomes necessary to collect additional information about members so that the club can identify them properly, and so that it can keep track of their membership status, subscription payments etc.
Data may also be inadequate if you are making decisions about someone based on an incomplete understanding of the facts. In particular, if an individual asks you to supplement incomplete data under their right to rectification, this could indicate that the data might be inadequate for your purpose.
Obviously it makes no business sense to have inadequate personal data – but you must be careful not to go too far the other way and collect more than you need.
What about the adequacy and relevance of opinions?
The definition of personal data includes the expression of an opinion about a living individual and any indication of intentions in respect of the living individual.
A record of an opinion is not necessarily inadequate or irrelevant personal data just because the individual disagrees with it or thinks it has not taken account of information they think is important.
However, in order to be adequate, your records should make clear that it is opinion rather than fact. The record of the opinion (or of the context it is held in) should also contain enough information to enable a reader to interpret it correctly. For example, it should state the date and the author’s name and position.
If an opinion is likely to be controversial or very sensitive, or if it will have a significant impact when used or disclosed, it is even more important to state the circumstances or the evidence it is based on. If a record contains an opinion that summarizes more detailed records held elsewhere, you should make this clear.
Example
A GP's record may hold only a letter from a consultant and it will be the hospital file that contains greater detail. In this case, the record of the consultant’s opinion should contain enough information to enable detailed records to be traced.
For more information about the accuracy of opinions, see our guidance on the data accuracy principle.
Relevant provisions
Data Protection Act (2021 Revision)
Schedule 1, part 1, paragraph 3: Third data protection principle – Data minimization
Schedule 1, part 1, paragraph 4: Fourth data protection principle – Data accuracy