As the next in our series of “back to privacy basics”, we look at the rules regarding accuracy and proportionality in the processing of personal data.
As we will do throughout this series, we take a look at the current position and what is best practice for an organisation. We will also briefly consider what the new Data Protection Regulation may mean in this area.
Accuracy and proportionality
Data protection law requires the data controller to ensure personal data is accurate and up to date. In practice this means an organisation should:
- try to ensure the personal data it collects is accurate;
- keep a record of the source of any personal data;
- assess the risks of personal data being, or becoming, inaccurate; and
- consider how it will ensure the information stays up to date.
Data protection law also requires that the personal data collected is not excessive for the purpose for which it was collected. In practice this means organisations should not hold more information about an individual than they need.
Organisations should consider these simple steps for keeping data up to date:
- Before adding information to your database, ask the individual to confirm it is accurate. For example, in call centre scripts, ensure the operator reads the information back to the individual and confirms it is correct.
- Ask the individual to confirm the data remains accurate on a periodic basis. For example, once a year when an individual logs into their account, you could present their information to them and ask them to amend it, or tick a box to confirm it is accurate.
- If you replace IT systems, securely delete personal data from the legacy systems. If a database is not being maintained, get rid of it!
Similarly, procedures should be put in place to ensure you are not collecting excessive data:
- Review your databases regularly and ask yourself if you need all of the information you are collecting. If not, stop collecting it!
- Don’t hold personal data on the off-chance that it might be useful in the future – you must know the purpose for collecting it first!
- It’s OK to hold information, even if you never need to use it, as long as you are holding it for a legitimate purpose – for example, emergency contact details.
- Identify information that is insufficient for its intended purpose – for example, CCTV images of such poor quality that they cannot serve the purpose for which they were recorded.
Position under draft Data Protection Regulation
The draft Data Protection Regulation raises the bar:
- It requires that “every reasonable step” must be taken to ensure that inaccurate personal data are erased, or corrected, without delay.
- Only “the minimum necessary” information may be collected, and personal data may only be processed if the purposes could not be fulfilled by processing non-personal information. So regulators are likely to expect anonymisation of data where de-personalised data could achieve the same purpose.
It remains to be seen what will be considered as sufficient to comply with the new requirements of the Regulation. However, the good practice steps identified above are a good starting point. Next up in our series is the topic of data retention.