
How to process personal data

Anyone who collects and processes personal data must make sure that the information is:

  • used in a fair, legal and transparent way

  • used for clear and objective purposes

  • used in a way that is adequate, appropriate and limited to what is necessary

  • accurate and updated, if necessary

  • not stored for longer than necessary

  • treated in a manner that ensures appropriate safety and protection against illegal or unauthorized processing, access, loss, destruction or damage.

More about the principles of the Data Protection Act

The list above summarizes the main points that need to be considered. These points are derived from the so-called principles of the Data Protection Act.

The principles thus assume that personal data are always processed in accordance with them and that they are kept in mind from the beginning to the end.

The rules are:

1. The principle of fairness

The principle of fairness is primarily concerned with the rights of individuals, for example their right to information and access.

The responsible person must be able to demonstrate that individuals have received adequate education when appropriate, and must give individuals access to their personal data. All of the rights must be reviewed, and how they are to be granted must be mapped out.

Example

For example, regarding the right to information and the obligation to educate, a company documents in its employee manual that education on monitoring is conducted in the workplace every year. Employees register on a checklist, which is kept within the company until the education is repeated the following year, after which the checklist is deleted.

The principle of fairness also includes the legality of the processing. This means that the processing of personal data must always be authorized, for example by consent, legal obligation or legitimate interests.

2. The Purpose Principle

The purpose principle is primarily concerned with when personal data should be processed.

All processing must have a clear purpose.

A list of processing activities, which in most cases is mandatory, can be a useful tool to demonstrate compliance with the provisions of the Data Protection Act. The list thus frames the purpose of processing and facilitates all subsequent work.

Other tools, such as carrying out a Data Protection Impact Assessment (DPIA), can also help assess whether the purpose of the processing is legitimate and legal.

3. The principle of proportionality

The principle of proportionality means that no more personal data should be processed than is needed.

Here, tools such as a list of processing activities and a Data Protection Impact Assessment (DPIA) can help in assessing whether the processing is sufficient or whether information that is not needed is being collected.

It is often helpful to understand what types of personal data and categories of individuals are to be worked with.

Then you might ask yourself why you need to work with the information.

  • This also relates to the principle of purpose, that is to say, the purpose must be clear so that it is possible to understand what information is necessary for the processing.

Example

For example, an administrative authority receives general inquiries through an inquiry form on its website.

The inquiries are not intended to be related to specific cases that are being handled by the government.

The administration does not consider it necessary to require the full name and ID number of individuals; an email address is sufficient for the person's question to be answered.

4. The reliability principle

The principle of reliability means that personal data must be correct.

To demonstrate compliance, it may be necessary to document a procedure for when information in information systems, such as contact information of individuals, should be updated.

This can be particularly important in the case of sensitive personal data.

In the case of governments and those subject to the rules on return to archives, information can rarely be deleted and therefore it is important to record the correct information or to add a description that corrects the information that has already been recorded, when appropriate.

5. The data minimization principle

The data minimization principle includes the responsibility to delete personal data when it is no longer needed for the initial purpose it was processed for.

This can be the case for personal data in the accounts, for example, but the general rule is that accounting data can be deleted after seven years. In that case, it may be necessary to delete personal data contained in such data. If the data needs to be stored for longer, it must be documented why this is done.

Example

Another practical example is the preservation of personal data on former employees.

Some information can be important to keep for a long time, such as information about reasons for termination and such, but other information can probably be deleted after seven years, such as information about holidays and more.

It is best to document procedures on when to delete certain types of personal data.

Here a list of processing activities can also be useful in getting an overview of when destruction should be carried out.

6. The safety principle

The security principle is a matter of ensuring the security of personal data. It is reflected in many provisions of the data protection legislation.

The controller must therefore document the risk assessment with regard to the security of the personal data and decide on security measures based on the conclusion of the risk assessment.

This includes documentation regarding a specific Data Protection Impact Assessment (DPIA) and documentation of procedures related to the notification of security breaches.

The controller must also keep a record of any security breaches that occur during the operation and may demonstrate it to the Data Protection Authority, if requested.

Data Protection Authority

Contact us

postur@personuvernd.is

Telephone: (+354) 510 9600

Opening hours

Weekdays from 9 am to 12 pm and 1 pm to 3 pm

Telephone consultation on Thursdays from 9 am to 12 pm

Address

Laugavegur 166, 4th floor

105 Reykjavík, Ísland

Identification number: 560800-2820