Adequate, relevant and not excessive
"the data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they were collected or are further processed"
- section 2(1)(c)(iii) of the Act
The personal data you keep should be enough to enable you to achieve your purpose, and no more. You have no business collecting or keeping personal information that you do not need, "just in case" a use can be found for the data in the future. You should not ask intrusive or personal questions, if the information obtained in this way has no bearing on the specified purpose for which you hold personal data.
Adequate, relevant and not excessive personal data: Test Yourself
You should be able to answer YES to the following questions:-
- Is the personal information I hold really necessary for my business?
- Am I asking people to provide me with just the information I need, and no more?
- Do I have a good reason for asking people sensitive or personal questions?
Decide on specific criteria by which to decide what is adequate, relevant, and not excessive.
Apply those criteria to each information item and the purposes for which it is held.
Some Case Studies relevant to this topic:
The following Case Studies, which have appeared in Annual reports of the Data Protection Commissioner over recent years, may be of some interest. Click on the Case Study details to see the full text.
CASE STUDY 7/05 - AIB - excessive information sought regarding Savings Account
CASE STUDY 1/02 - Motor insurance - excessive information - marital status not necessary
CASE STUDY 5/99 - voluntary organisation - role in administration of an official scheme - collection and use of RSI numbers - failure to register as a data controller
CASE STUDY 11/96 - disclosure to a bank by a credit referencing agency – adequacy of information supplied by the bank when making enquiry – how the credit referencing agency dealt with the enquiry
|MENU||Select Page No.||<- Previous Next ->|
» Permanent Link