Purpose Limitation and Data Minimization in the 2019 Data Protection Bill
By Alex Gatawa*
The following post is the second of CIPIT’s analysis of the data protection principles provided for under section 25 of the Data Protection Bill. This post focuses on Sections 25(c) and 25(d) of the Bill, which provide that personal data should be collected for an explicit, specific and legitimate purpose and that the personal data should be adequate, relevant and limited to the purposes.
As was pointed out in the previous blog, available here, the central objective of the Data Protection Bill is to give effect to the Right to Privacy enshrined in Article 31 of the Constitution. Over and above this objective the preamble of the Bill provides other objectives of the Bill. It states that the Bill is to make provision for the regulation of the processing of personal data, provide for the rights of data subjects and impose obligations on the data controller and processors.
In order to ensure that the objectives of the Bill, in particular the regulation of the processing of personal data, are catered for, the Bill contains several provisions which help facilitate the achievement of these objectives. One such provision is Section 25, which contains the data protection principles. This blog will focus on the principles of purpose limitation and data minimisation provided for in sections 25(c) and 25(d).
Purpose Limitation Principle
Section 25(c) of the Data Protection Bill states that “every data controller or data processor shall ensure that personal data is collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes.” This section is similar to Article 5(1) of the GDPR.
From the definition of the principle of purpose limitation, it is clear that data controllers and data processors are to collect data for a specific, explicit and legitimate purpose. They are also required to clearly inform the data subject of the purpose of the collection of their personal data. Inherent to this principle is that data should not be used for any purpose other than that for which it was collected. To expand the scope of use, the data controller and data processor must ask the data subject to authorize the new use.
Section 26 of the Bill highlights the rights of data subjects. Of the rights provided for in section 26, the most relevant ones with regard to the principle of purpose limitation are the rights of a data subject to be informed of the use to which their personal data is to be put, to object to the processing of all or part of their data, and to correct false or misleading data.
These rights give the data subjects control over the use of their personal data by the data controller and data processor. These rights help promote the principle of purpose limitation because they impose corresponding obligations on data controllers and data processors to process the data they collect according to the purpose of which they had informed the data subject.
Section 30 of the Bill states that a data controller or data processor shall not process personal data unless the data subject consents to the processing for one or more specified purposes. Consent is defined in section 2 of the Bill as the voluntary, specific and informed expression of the will of a data subject to process personal data. Section 30 further states that lawful processing of personal data shall be in accordance with the purpose of collection of the information and that any person who contravenes this section commits an offence.
This section helps promote the principle of purpose limitation by not only requiring the consent of the data subject to be sought before processing, if their data is to be processed for multiple purposes, but by also making it an offence for the data controller or data processor to process data without the consent of the data subject. It should be noted, however, that there is currently much debate internationally as to the definition and usefulness of “informed consent” provisions. Many times, we are asked for consent only to find that our refusal to provide such consent means that we are denied service.
Section 29 of the Bill imposes a duty on data controllers and data processors to notify the data subject. The data controller or data processor has a duty to notify the data subject of the purpose for which their personal data is being collected. The principle of purpose limitation is captured under this specific duty which the data controller and data processor must perform.
Data controllers and processors are also allowed to collect personal data indirectly. Personal data may be collected indirectly where: it is contained in a public record; the data subject has made the data public; the data subject has consented to the collection from another source; or the data subject’s guardian has consented to the collection from another source. This provision does, however, impose certain obligations on data controllers and data processors in case the data is obtained indirectly. It states that the data controller or processor shall collect, store or use the personal data for a purpose that is lawful, specific and explicitly defined.
Section 34 of the Bill provides restrictions on the processing of personal data. It states that a data controller or processor shall, at the request of the data subject, restrict the processing of personal data where the personal data is no longer required for the purpose of the processing. The effect of the restriction is that the data shall only be processed with the consent of the data subject and the data controller shall inform the data subject before withdrawing the restriction on the processing of the personal data.
However, the Bill does give circumstances in which the restriction of the processing of data, on the ground that the personal data is no longer required for the purpose of processing, may not apply. The Bill states that where the data controller or processor requires the personal data for the establishment, exercise or defence of a legal claim, they may process the data despite it no longer being required for the purpose of processing.
Section 25(d) states that “every data controller or data processor shall ensure that personal data is adequate, relevant, limited to what is necessary for relation to the purpose for which it is processed.” This provision is the basis of the principle of data minimisation. Personal data is deemed adequate if it can properly fulfil the purpose it was collected for, relevant if it has a link to the purpose and limited if it is processed only for the purpose it was collected.
Section 41(3) of the Bill charges the data controller or processor with implementing measures to ensure that by default, only personal data which is necessary for each specific purpose is collected. In order to implement such measures, this section provides certain considerations which will guide the data controller or data processor. Data controllers or processors should consider the amount of personal data collected, the extent of the processing, the period of storage and the accessibility of the data.
Section 41(3) does not expressly provide any sanctions in the event that the data controller and data processor violate this provision. However, section 56 allows for complaints to be made to the Data Commissioner. Where there is an alleged violation of the provisions of the Act, a complaint can be lodged with the Data Commissioner, who will investigate the complaint. If the Commissioner is satisfied that there has been a violation of any provision of the Act, the Commissioner serves an enforcement notice on the person, requiring them to take such steps as may be specified in the notice.
The Bill also makes provisions which exempt a data controller and data processor from complying with data protection principles relating to lawful processing, minimisation of collection, data quality and adoption of security safeguards to protect data. Section 51 of the Bill states that the processing of personal data is exempt if:
- it relates to the processing of personal data by an individual in the course of personal or household activities;
- it is for national security or public order; or
- disclosure is required by or under any written law or by an order of the court.
Therefore, where these situations arise, personal data may be processed without regard to the provisions of this Bill, including the principles of data protection. The national security or public order exemption exempts data controllers or data processors from complying with the data protection principles of purpose limitation and data minimisation. This is of great concern because national security is a very broad concept and therefore it provides an avenue for the violation of these principles. The Bill needs to provide guidelines that indicate the specific bodies that may exercise this national security exemption and the instances where it would apply, in order to avoid arbitrary decisions which may violate the provisions of the Bill. Alternatively, additional legislation or regulations should be passed which outline the type of exempt data that may be processed by such organs. Perhaps the best solution is to require judicial approval of any instances of exemption (e.g., through a warrant or other judicial order).
Section 52 of the Bill gives exemptions for journalism, literature and art. It states that the principles of processing of personal data shall not apply where the processing is undertaken by a person for publication of literary or artistic material, the data controller reasonably believes that publication would be in public interest and, the data controller believes that compliance with the provision is incompatible with the special purposes.
Section 53 of the Bill also contains exemptions that affect the principle of purpose limitation and data minimisation. It states that the further processing of personal data shall be compatible with the purpose of collection if the data is used for historical, statistical or research purposes, and the data controller or processor shall ensure that the further processing is carried out solely for historical, statistical or research purposes. This exemption allows the data controller and data processor to continue the processing of personal data beyond the original purpose of collection if it is for historical, statistical or research purposes.
The Bill does contain provisions that bring to light the principles of purpose limitation and data minimisation. It confers rights on data subjects and imposes duties on data controllers and data processors that are in line with the principles of data minimisation and purpose limitation. However, as has been pointed out, there are serious concerns about the usefulness and definition of informed consent of the data subject.
The principles of data minimisation and purpose limitation require the data subject to be notified and to consent to their data being processed and therefore in this regard, the Bill insufficiently protects the principle of purpose limitation because it does not succinctly define the concept of informed consent. The Bill also provides for exemptions on the grounds of national security or public order. This provision gives leeway for violation of these data protection principles and therefore in its current form, the exemption of national security or public order undermines the principles highlighted in the Bill. This exemption needs to be reviewed in order to ensure that the principles of purpose limitation and data minimisation are adhered to.
*Alex Gatawa is a Graduate Assistant at CIPIT.