Introduction

What do we mean by “information standards”?

As well as creating a framework for collecting and using personal data, the Data Protection Act sets standards that personal data must meet before you can use it. The standards are that personal data should be:

  • adequate, relevant and not excessive;
  • accurate and, where necessary, kept up to date; and
  • kept for no longer than necessary.

The following three sections of the Guide look at each of these standards. Using examples, they show what each of the standards means in practice and tackle some common questions and areas of uncertainty.

There are clear links between the three standards (the third, fourth and fifth data protection principles) and you need to be aware of how they connect. For example, if you don’t update information when circumstances change, information that was originally adequate becomes inadequate. If information is kept for longer than necessary, it may be irrelevant and excessive.

In most cases, deleting or adding items of personal data should ensure that the information you hold complies with all three standards. However, you must check the quality of the information you hold before you use it. From then on, you should regularly review the information to identify when you need to do things like correct inaccurate records, remove irrelevant ones and update out-of-date ones. You may not always be able to check the quality of every record you hold, but you should at least be able to check a sample.

In checking that the personal data you hold meets the information standards, you should consider:

  • the number of individuals whose personal data you hold;
  • the nature of the information;
  • what you use it for, and how you use it;
  • the way you obtained it;
  • how long you hold it for; and
  • the possible consequences for the individuals concerned of retaining or deleting the information.