Guidance Note for Data Controllers on Purpose Limitation and Retention
The following guidance has been prepared as an aid to data controllers in the practical application of Section 2(1)(c) of the Data Protection Acts 1988 & 2003 which requires data controllers to comply with the following provisions concerning personal data kept by them:
- the data shall have been obtained for one or more specified, explicit and lawful purpose(s),
- the data shall not be further processed in a manner incompatible with that purpose or those purposes,
- the data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they were collected or are further processed, and
- the data shall not be kept for longer than is necessary for that purpose or those purposes.
Specific, explicit and lawful purposes
Data Controllers who obtain personal data from a data subject may do so for one or more specific, lawful and clearly stated purposes. It is unlawful to collect information about people routinely and indiscriminately – a data controller must have a sound, clear and legitimate purpose for collecting personal data. An individual has a right to question the purpose for which you hold his/her data and you must be able to identify that purpose.
Data controllers who obtain personal information for one or more legitimate purposes may not use that data for any other purpose except in ways which are compatible with the original purpose(s). For example, personal images captured on CCTV cameras by a data controller where the CCTV was in operation solely for security purposes may not be used by the data controller for any other purpose such as staff monitoring.
Similarly, telephone service providers hold personal information for the purpose of providing a telephone service to subscribers (and the associated functions of telephone billing, line repairs, etc). They may be obliged by law to retain traffic and location data for three years. In the event of a subscriber terminating his/her relationship with a telephone service provider, the service provider may not, for example, process the personal data of that subscriber (which the service provider may be lawfully required to retain), to target him/her in person, by post, electronically or otherwise with direct marketing material or visits by sales agents [in an effort to win-back their business]. The only exception is where, prior to the termination of the customer relationship, the customer has clearly opted in (as opposed to not having opted-out) to such contact taking place in the event of the termination of the business relationship. This guidance note updates the previous position of the Office of the Data Protection Commissioner on that matter.
In order to meet this obligation, data controllers are advised to put in place appropriate procedures and security measures to ensure that information obtained for one purpose may not be accessed and used for another purpose within their organisation. This will include audit trails, etc. to ensure that such unauthorised access, where it might take place, can be tracked and provide a basis for appropriate measures to be taken to deal with it.
Adequate, relevant and not excessive.
The personal data sought and kept by data controllers should be sufficient to enable them to achieve their specified purpose(s) and no more. Data controllers should set down specific criteria to judge what is adequate, relevant and not excessive and they should apply those criteria to each information item and the purpose(s) for which it is held. Data controllers have no basis for collecting or keeping personal data that they do not need on the off-chance that a use might be found for it at a future date.
Data controllers must be clear about the length of time for which personal data will be kept and the reasons why the information is being retained. In determining appropriate retention periods, regard must be had for any statutory obligations imposed on a data controller. If the purpose for which the information was obtained has ceased and the personal information is no longer required, the data must be deleted or disposed of in a secure manner. It may also be anonymised to remove any personal data. In order to comply with this legal requirement, data controllers are advised to assign specific responsibility and introduce procedures for ensuring that files are regularly purged and that personal data is not retained any longer than is necessary.