Data Protection: Principles


The Data Protection Directive and the Data Protection Act (Malta) provide nine key principles which a person who processes personal data (the “data controller”) must adhere to:

The data must be processed fairly and lawfully

This quite simply means that one must always be sure that the processing of such data is done according to law and that it is only done where necessary.

The data must be processed in line with good practice

This entails that, where the processing of personal data is necessary, it be done in conformity with good working practice. To illustrate, a bank should only process personal data where it is necessary for it to perform its functions as a bank, and should do so according to responsible banking practices.

That personal data is only collected for specific and explicit purposes which are legitimate.

This effectively means that whenever such data has to be collected, the data subject always has to be advised of the reason for the data collection. Furthermore, the data always has to be collected for a specific purpose, and that purpose must also be lawful.

That personal data, once collected, is not used for purposes incompatible with the reason it was collected.

This requires that the Data Controller always remain vigilant that the data collected is consistently used for the reasons which were explained to the data subject when the data was collected. This does not bar the Data Controller from using the information for other purposes entirely, though, as long as the necessary consent to do so is given by the data subject.

That the personal data collected is adequate and relevant to the purpose for which it was collected.

If one intends to make a database of telephone numbers for the sake of a marketing contact list, one should not need to ask for a person’s I.D. card number. This means that one should only collect information that is relevant to the purpose for which it is needed. Any information which has no relation to the reason that other data is being collected should be avoided.

That no more personal data is processed than is necessary with regard to the reason for processing.

Similar to the previous principle, one should take a minimalist approach to the amount of data that is used wherever processing is necessary. While the previous principle mainly deals with issues of relevance, this one deals with the content that is being used. If, for example, a group of companies in the financial services sector transferred information related to a particular client from one company to another, they should not pass on more information than is necessary for the reason the data was requested.

That personal data is always correct and up to date.

It is one of the Data Controller’s most important duties to make sure that the data being collected is kept up to date. This is less of a protective measure and more a way to ensure that, where the information is used to render a service to the data subject, it is done efficiently. To illustrate, if a mobile phone operator has the wrong address for one of its clients, any invoices or personal information regarding that person’s mobile phone related activities will likely find their way into the hands of a person who has no right to them. It would also mean that the Data Subject would not know that he is due to pay.

That all reasonable measures are taken to complete, correct, block or erase data which is incomplete or incorrect, taking into consideration the purposes for which they are processed.

This principle ensures that, as far as possible, the Data Controller will always show due diligence in correcting any data which is in some way flawed. One should note that the law requires that reasonable measures be taken. This means that there is an element of discretion where a court finds itself deciding whether the Data Controller performed his functions to the required standard. This likely takes into account the fact that it is difficult for the Data Controller to catch every inaccuracy or discrepancy in the data at the moment it occurs. It may often even require that the Data Controller maintain a certain degree of contact with the Data Subject, particularly where he suspects that any information is incorrect.

That personal data is never kept for a longer time than is necessary, depending always on the reason for which it is being processed.

This is particularly relevant where information is being collected for statistical purposes. If the data is being used for a study with a view to achieving a particular goal, then once that target has been reached the data has no further reason to be kept and should be destroyed, unless there is some other reason to hold onto it. Naturally, as is common to all matters related to personal data under this law, the Data Subject always has to be informed where there is any change in the reason for which the data is being used. Furthermore, they would have to consent to the data being used for the new purpose.