1.5 What is excessive information?

The Data Protection Acts require that only the minimum necessary personal data should be sought and used to allow for the performance of the function to which it relates.  This requires a Data Controller in all situations to be certain that the data that is being sought is appropriate to the reason for which it was sought.  A data controller must be able to show that each piece of personal data sought from a person is needed for a legitimate reason.  Where data is not needed for the reason for which it was sought this would constitute a breach of the Data Protection Acts.