Principles of Data Protection

Section 3 of the Data Protection and Privacy Act, 2019 (the Act) sets out the key principles of the data protection regime. These principles shape the obligations of data collectors, data processors and data controllers. Compliance with them is therefore the first step for data collectors, data processors and data controllers in ensuring that they fulfil their obligations under the Act. The following is a brief overview of the principles:

  1. Accountability: A data collector, data processor or data controller is accountable to the data subject for data collected, processed, held or used. Accountability is about demonstrating compliance and being transparent about such compliance.
  2. Lawfulness and fairness: Personal data must be processed only if a legal ground exists. There are various available lawful/legal bases for processing personal data under Section 7 of the Data Protection and Privacy Act. No single basis is 'better' or more important than the others. At least one of the bases is applicable whenever personal data is processed.
  3. Data Minimisation: The principle of data minimisation means that data collectors, data processors or data controllers must only collect or process personal data that is adequate, relevant, and necessary to accomplish the purposes for which it is collected or processed.
  4. Retention: Personal data must not be retained for longer than the period authorized by law or longer than necessary for the purposes for which the personal data is processed or collected. To ensure that personal data is not kept longer than necessary, the controller should establish time limits for erasure or for a periodic review.
  5. Quality: A data collector, data processor or data controller must ensure that personal data is complete, accurate, kept up to date, and not misleading. Processes should be implemented to prevent inaccuracies during the data collection process (i.e., verifying the data is accurate, complete and not misleading).
  6. Transparency: The principle of transparency requires a data collector, data processor, or data controller to be open and honest about the ways in which personal data is collected and processed. It also obliges a data collector, data processor or data controller to make data subjects aware of their rights in relation to their personal data collected or processed.
  7. Security: Personal data should be processed in a manner that ensures appropriate and reasonable technical and organizational measures are in place to prevent loss, damage, or unauthorized destruction of the data, and unlawful access to or unauthorized processing of it.