The Principles of Data Protection
The Principles of Data Protection are set out in section 2 of the Data Protection Acts. They are discussed in detail in Chapter 10 of Privacy and Data protection Law in Ireland. The Principles apply to the decision to begin the processing of personal data in the first place. They must be complied with once the data processing has begun. The principles are:
- The data must be obtained and processed fairly, in particular the subject must be informed of it;
- The data must be accurate, complete and up-to-date;
- The data must be kept securely.
- The data processing must comply with the purpose limitations.
All of the above are of equal significance, thought the security principle tends to gather the most attention. The other principle that causes particular difficulty is the limitations on purpose. The purpose of a processing operation must be set out when the data is first collected. This purpose will then bind the controller, even if his or her need for the data should subsequently change. The purpose limitation is that data:
“…shall have been obtained only for one or more specified, explicit and legitimate purposes…” a purpose which the controller cannot subsequently change. Nor can the controller set out a purpose that is deliberately vague; the purpose must be “specified” and “explicit”.
“…shall not be further processed in a manner incompatible with that purpose or those purposes”
“…shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they were collected or are further processed, and
“…shall not be kept for longer than is necessary for that purpose or those purposes”
There is also the obligation to secure data, which requires that controllers take “appropriate” security measures. This obligation is discussed in further detail in Chapter 11 of Privacy and Data protection Law in Ireland.