Third Principle - adequacy and relevance of data

"Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed."

The aims of this principle are to ensure that:

  • only the minimum amount of information required to properly fulfill the purpose is held by the data controller.
    • This must be assessed by the data controller for each separate purpose.
  • the information is not inadequate - i.e. it gives the whole picture not just one side
  • information cannot be held on the basis that it might possibly be useful in the future.
    • This should be distinguished from information about, for example, employees engaged in hazardous duties, where data regarding their blood group is held in case an emergency arises
  • organisations have adequate procedures in place to regularly monitor the data held for their business purposes and to ensure that neither too much nor too little data are held.

The Third, Fourth and Fifth Principles overlap slightly, so they should be read in conjunction with each other and data processed accordingly.

Further guidance on the third data protection principle is available below.