This is becoming a very interesting question in the modern world of data retention and data management but too many companies are either holding insufficient data for their needs or, even worse, too much!! Either way, both are potentials for breach under The Data Protection Act 1998 (DPA) and the Information Commissioner’s Office (ICO) is starting to take notice of these types of things.
There are 8 data protection principles that organisations have to observe, but the three I want to focus on are that personal data must be: –
- Adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed;
- Accurate and where necessary kept up to date;
- Kept for no longer than is necessary for the purposes;
These cover the actual holding of the data and dictate what the Data Processor must do. And it is quite clear on the actions you have to take, if you are a company that is using your data for profiling/marketing purposes you really should be doing this anyway, unfortunately there are too many that don’t.
Let’s have a look at the three individually although I usually take all three as one combined ‘rule’ as they are all interlinked.
3: Personal data must be:
– Adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed;
This is really basic and means to you the user that you should only hold enough information about a person to enable you to safely process their data within the realms of your notification. Therefore, if you have too little data you are not realistically able to use that data for any active purpose as it is too sketchy. Also, if you have too much you are in danger of using it incorrectly and be open to at least to an assessment being passed to you by the ICO. So the important thing here is make sure you only hold the data you need, if you are not using it then securely delete it, do not keep it ‘just in case’ as this is one of the measures of relevancy.
4: Personal data must be:
– Accurate and where necessary kept up to date
Again, this is very self evident and also good practice for any database, information you are holding and using has to be accurate otherwise it is worthless and, in the eyes of the ICO, should never be used unless it is being updated by asking the customer to clarify and update their information. This should be a standard exercise for all data users, so make sure you check with your customers that the information being held is current otherwise, failure to do this, could result in interest being shown by the ICO and a possible assessment or worse if the result causes any damage to the customer.
5: Personal data must be:
– Kept for no longer than is necessary for the purposes;
But how long is long? This is a very crucial answer and one that requires you to have and use a Retention Schedule or Policy. These can be built by either a Practitioner like myself or by looking at the data you use, comparing it to the legal, statutory or best practice retentions and then tabulating it and ensuring everyone knows about it and what it means to them. It is often easier to get an external person to look at this as they have a different perspective on the data you hold an use and are more inclined to ask the question, “Why is this being held/used?” Create a data retention schedule/policy and circulate to all staff to ensure they are aware that documents should not be disposed of until the agreed date.
If you would like to find out more about this or have a chat with me please either respond to this blog or use the contact page on my website – http://www.kpgprofessionalservices.co.uk