In a seashell
You must ensure the personal information you are using is:
adequate – sufficient to properly fulfil your stated purposes;
relevant – has a rational, justifiable link to the purposes; and
not excessive in relation to the purposes for which it is used – you don’t hold more information than you need for those purposes.
Note: Other jurisdictions such as the UK or EU refer to “data minimisation” to describe this concept.
☐ We only collect personal information we actually need for our purposes.
☐ We have sufficient personal information to properly fulfil those purposes, and not extra.
☐ We periodically review the information we hold and safely dispose of anything we don’t need.
What is the proportionality principle?
Section 11, Proportionality, states that:
“An organisation shall ensure that personal information is adequate, relevant, and not excessive in relation to the purposes for which it is used.”
Here, a general “less is more” rule applies. As an organisation, you should identify the minimum amount of personal information you need to fulfil your purpose. You should hold only that amount of information, not more. You need to be able to demonstrate that you have appropriate processes to ensure that you only collect and hold the personal information you need.
Remember that under the right to correction, PIPA gives individuals the right to have any incomplete information that is inadequate for your purpose completed. Under the right to erasure, they also have the right to require you to delete any information that is not necessary for your purpose.
How do we decide what is adequate, relevant, and not excessive?
PIPA does not define these terms. This will depend on your purposes for collecting and using the personal information. It may also differ from one individual to another.
To assess whether you hold the right amount of personal information, you must first be clear about why you need it.
For sensitive personal information, it is particularly important to make sure you collect and retain only the absolute minimum amount of information.
You may need to consider this separately for each individual, or for each group of individuals sharing relevant characteristics. In particular, you should consider any specific factors that an individual brings to your attention – for example, as part of an objection, request for correction of incomplete information, or request for erasing unnecessary personal information.
You should periodically review your use of personal information to check that the personal information you hold is still relevant and adequate for your purposes and delete anything you no longer need.
When could we be processing too much personal information?
You should not have more personal information than you need to achieve your purpose. Nor should the information include irrelevant details.
A debt collection agency is engaged to find a particular debtor. It collects information on several people with a similar name to the debtor. During the enquiry some of these people are disregarded. The agency should delete most of their personal information, keeping only the minimum information needed to form a basic record of a person they have removed from their search. It is appropriate to keep this small amount of information so that these people are not contacted again about debts which do not belong to them.
If you need to process particular information about certain individuals only, you should collect it just for those individuals – the information is likely to be excessive and irrelevant in relation to other people.
An employment agency places workers in a variety of occupations. It sends applicants a general questionnaire, which includes specific questions about health conditions that are only relevant to particular manual occupations. It would be irrelevant and excessive to obtain such information from an individual who was applying for an office job.
You must not collect personal information on the assumption that it might come in handy in the future. However, you may be able to hold information for a foreseeable event that may never occur if you can justify it.
An employer holds details of the blood groups of some of its employees. These employees do hazardous work and the information is needed in the event of an accident. The employer has in place safety procedures to help prevent accidents so it may be that this information is never needed, but it still needs to hold this information in case of emergency.
If the employer still holds the blood groups of those members of the workforce who have left, though, such information is likely to be irrelevant and excessive as they no longer work for the employer.
If you are holding more information than is actually necessary for your purposes, this is likely to be unlawful, as well as a breach of the proportionality principle. Individuals will also have the right to erasure.
When could we be processing inadequate personal information?
If the processing you carry out is not helping you to achieve your purposes, the personal information you have is probably inadequate. You should not use personal information if it is insufficient for its intended purpose.
In some circumstances you may need to collect more personal information than you had originally anticipated using so that you have enough information for the purpose in question.
A researcher working for a Bermuda-based research company is undertaking a sociological study that consists of conducting interviews and focus groups with individuals from a racial/ethnic minority group, asking them about their experiences of discrimination. The researcher obtains consent from each of the participants in the interviews and focus groups, especially as the interviews and focus groups are likely to refer to their personal sensitive information. When holding the interviews and focus groups, the researcher also explains to the participants that it is possible that after the interview and the focus group, some other topics may emerge which the researcher would like to ask the participants about later. Indeed, as the research proceeds, it becomes necessary to collect additional information about the participants. The researcher collects more information from those participants who give additional consent to provide it.
Information may also be inadequate if you are making decisions about someone based on an incomplete understanding of the facts. In particular, if an individual asks you to supplement incomplete information under their right to correction, this could indicate that the information might be inadequate for your purposes.
Having inadequate personal information is an issue – but you must be careful not to go too far the other way and collect more information than you actually need.
Additionally, you must not keep personal information longer than you need it:
You need to think about – and be able to justify – how long you keep personal information. This will depend on your purposes for holding the personal information.
You need a policy setting standard retention periods wherever possible, to comply with documentation requirements.
You should also periodically review the personal information you hold and erase or anonymise it when you no longer need it.
You must carefully consider any challenges to your retention of personal information. Individuals have a right to erasure if you no longer need the information.
You can keep personal information for longer if you are only keeping it for public interest archiving, scientific or historical research, or statistical purposes.
Be sure to consider legal requirements to retain information. These requirements will be part of your purpose and notice.
☐ We know what personal information we hold and why we need it.
☐ We carefully consider and can justify how long we keep personal information.
☐ We have a policy with standard retention periods where possible, in line with documentation obligations.
☐ We regularly review our information and erase or anonymise personal information when we no longer need it.
☐ We have appropriate processes in place to comply with individuals’ requests for erasure.
☐ We clearly identify any personal information that we need to keep for public interest archiving, scientific or historical research, or statistical purposes.