3.1 Introduction
Data protection principles are the core values of all data protection legislation and policies. These principles are widely accepted, recognized and adopted across all international and domestic data protection instruments and legislation. The principles have been developed as a means to regulate the collection, processing and storage of personal data that can be connected to a natural person. The principles are a guiding compass for any data controller or data processor when handling personal data. Essentially, the principles provide the framework for the privacy and data protection regime which any data collector, data controller or data processor has to abide by.[1] Adherence to these principles is important to ensure privacy and respect for data subjects’ rights.
3.2 Data Protection Principles
3.2.1 Lawfulness and fairness
Personal data must only be processed when the data processor or data controller has a valid legal ground for processing the data, and the processing must be done within the ambit of the legislation.[2] This means that personal data have to be processed in a manner that is lawful and fair. Normally, the lawful grounds for processing personal data are consent, contract, legal obligation, legitimate interest, public interest and vital interest. These grounds are the justifications that give a data processor or data controller the authorization to process personal data.
Furthermore, this principle requires that the processing of personal data not only be lawful but also be done fairly.[3] This means that personal data should be processed reasonably and without adverse effects or detriment to the data subject. The data processor or data controller must therefore make sure that personal data are obtained and treated in a rational manner, and not misused or mishandled in any way. In determining whether data processing is fair, the question is normally what would reasonably be expected of the data controller or data processor in the circumstances.
For example, article 12 of the Data Protection: Southern African Development Community (SADC) Model Law states that:
(1) The data controller shall ensure that the processing of personal data is necessary and that the personal data is processed fairly and lawfully.
Clearly, this principle demands that personal data are only collected and/or processed on a lawful basis and in a fair manner, without violation of any legislation. The aim of this principle is to avoid infringement of the data subject’s privacy and rights by ensuring that personal data is not processed unjustifiably or unfairly by a data controller or data processor.[4] A breach of this principle amounts to unlawful collection or processing of personal data, which is an offence under various data protection legislation.
3.2.2 Transparency of personal data processing
This principle requires the data controller or data processor to be honest, clear and open with the data subject on how and why they use the data subject’s personal data.[5] Transparency in data protection demands that the processing of personal data is open and clear to the data subject. The principle further requires that any information or detail relating to the collection, processing or storage of personal data be easily available, accessible, understandable, clear and written in plain language.[6] This principle is well articulated as principle 5 under Article 13 of the Malabo Convention, which states that:
“The principle of transparency requires mandatory disclosure of information on personal data by the data controller”
Also, section 3(1)(f) of the Uganda Data Protection and Privacy Act provides that:
“A data collector, data processor or data controller or any person who collects, processes, holds or uses personal data shall ensure transparency and participation of the data subject in the collection, processing, use and holding of personal data.”
The principle of transparency in data protection laws is based on the legal tenet that ‘there should be no covert surveillance without lawful authority’.[7] The best practice is for an organization to have tools or mechanisms in place which inform the data subject of the data processor’s privacy practices and personal data processing operations. The information may be provided through policies, issuance of forms or privacy notices in clear, simple and plain language to enable data subjects to make a decision. It is normally expected that the following information will be stated in the policies or privacy notices:
- Identity and contact of the data controller or data processor;
- What data will be collected from the data subject (either directly or indirectly);
- Reason or purpose for processing the personal data;
- How the personal data will be used or processed;
- Recipients of the personal data (if any);
- The data subject’s rights and obligations;
- Security measures, and how notification will be done in case of a data breach;
- Whether the personal data will be transferred outside the country; and
- How the information will be stored and the retention period.
This principle guards the data subject’s right of access and right to be informed. It is geared towards making sure that data subjects are well informed of the processing and are able to give informed consent to the processing of their personal data. This principle, in connection with the principle of fairness, ensures that personal data is processed in a fair and transparent manner.
3.2.3 Data security (Confidentiality and security of personal data processing)
A data controller or data processor has the duty to ensure that there are suitable technical and organizational measures to prevent data breaches, safeguard confidentiality and protect the personal data it holds. Generally, this principle requires that personal data be collected, processed and stored securely, without any negligence, unlawful disclosure or unauthorized access. The data security principle aims at ensuring that the integrity and confidentiality of personal data are maintained throughout the data life cycle.[8] The main objective of this principle is to avoid cyber-crimes and breaches of privacy in the processing of personal data. Under Article 5(1)(f) of the GDPR, this principle is known as ‘integrity and confidentiality of personal data’. The principle provides that personal data shall be:
Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
It is important to point out that there is no uniform standard of data security measures or techniques. The level of data security required will depend on the level of risk, the organization’s size, the nature of the personal data, and the scope and scale of processing.[9] The best practice is for organizations to adopt relevant security measures that are appropriate to the risks likely to be faced. The data security measures are well expressed under Article 32 of the GDPR, Part IV of the Uganda Data Protection and Privacy Act, 2019 and Sections 41 and 42 of the Kenya Data Protection Act, 2019. Some of the security measures proposed in the above-mentioned data protection legislation are set out below:
- Encryption;
- Pseudonymization of personal data;
- Data impact assessment;
- Having data protection officers;
- Policies on security measures;
- Notification of data disclosure, security breaches and remedies of the data breach;
- Ensuring that recipients of personal data or third parties comply with data protection practices and legislation.
Furthermore, this principle requires that when personal data is transferred to or shared with another recipient, the data controller or processor must ensure that the third party is located in a country with data protection legislation or has security measures in place to ensure the integrity and confidentiality of the personal data. This is clearly pointed out under Article 13 of the Malabo Convention, which provides for confidentiality and security of personal data processing:
- Personal data shall be processed confidentially and protected, in particular where the processing involves transmission of the data over a network.
- Where processing is undertaken on behalf of a controller, the latter shall choose a processor providing sufficient guarantees. It is incumbent on the controller and processor to ensure compliance with the security measures defined in this convention.
3.2.4 Accountability
The accountability principle places an obligation on data controllers or data processors to observe the law and the data protection principles, and to take responsibility for how they process and handle personal data. The accountability principle incorporates the obligation of data controllers or data processors to be properly registered, have the necessary internal measures, binding corporate rules and policies, keep logs and records, handle complaints, conduct audits and data impact assessments, and/or have data protection officers.[10]
Ideally, the principle calls for the adoption of concrete and practical measures to turn general data protection principles into concrete policies and procedures to ensure compliance with the applicable legislation and regulations.[11] Article 30 of the Data Protection: Southern African Development Community (SADC) Model Law states that:
The data controller shall:
(a) take all the necessary measures to comply with the principles and obligations set out in this model law including chapters 4 and 5; and
(b) have the necessary internal mechanisms in place for demonstrating such compliance both to data subjects and to the Authority in the exercise of its powers.
This principle is designed to ensure that initiatives are taken by a data controller or data processor to secure privacy, the data subject’s rights and data integrity, and to avoid cybercrimes. This principle also helps to solve the issue of imbalance of power that might exist in the processing of personal data.[12] An imbalance of power can exist where the data controller or processor is a person of authority over the data subject and is thereby presumed to exert influence or pressure over the data subject. On such occasions, the accountability principle comes into play by ensuring that the data controller or processor is still held accountable and responsible to the data subject.
Accountability and transparency are two sides of the same coin, and both are essential elements of good data governance. The accountability principle expects organizations not only to be accountable but also to be able to prove it. It is under this principle that data controllers or data processors can be held liable and fined for breaching data protection principles or legislation. Data protection legislation normally establishes an authority (a data protection office) to hold data controllers and data processors accountable by overseeing and regulating them.
3.2.5 Accuracy of personal data
The accuracy principle simply requires that personal data being processed must be correct, complete and precise. The data subject’s personal data being processed should be accurate in order to fit the purpose for which the data was collected. It is important for personal data to be accurate in order to avoid misrepresentation or misleading details or information about the data subject. The duty to ensure the accuracy of personal data is normally placed on both the data subject and the data controller or data processor. Section 15 of the Uganda Data Protection and Privacy Act provides for personal data accuracy as stated below:
- A data collector or data processor or data controller shall ensure that the data is complete, accurate, up-to-date and not misleading having regard to the purpose for its collection or processing.
- A data subject shall ensure that the personal data given to the data collector or data processor or data controller is complete, accurate, up to date and not misleading.
A data controller or processor has to take reasonable steps to ensure that personal data is accurate and complete and that the source of the data is reliable. The data controller should therefore always keep the personal data up to date (especially if reused), and afford the data subject the right of access, the right to rectification, the right to object to processing or the right to be forgotten (erasure) whenever requested. If the data processor or controller becomes aware that personal data is inaccurate, good practice dictates that the data processor should immediately stop processing the personal data until it is rectified.[13]
Most legislation does not specifically define data accuracy but rather states that personal data will be inaccurate if it is incorrect or misleading.[14] Additionally, it is normally required that personal data be collected directly from the data subject in order to ensure data quality. Breach of this principle can result in a compensation claim.
3.2.6 Purpose limitation
The purpose limitation principle demands that the collection and processing of personal data should only be for a specific, clear and lawful purpose. Normally, data protection legislation requires that personal data is collected and used or processed for a defined intended purpose and not in any other manner that is incompatible with that purpose. For example, personal data collected for settling a third-party claim by an insurer should not subsequently be used for direct marketing without the consent of the data subject. The purpose limitation principle is clearly echoed in the provisions mentioned below:
Article 13(1) of the Data Protection: SADC Model Law provides that:
The data controller shall ensure that personal data is collected for specified, explicit and legitimate purposes and, taking into account all relevant factors, especially the reasonable expectations of the data subject and the applicable legal and regulatory provisions, is not further processed in a way incompatible with such purposes.
Similarly, Article 13 of the Malabo Convention under principle 3 states that:
- Data collection shall be undertaken for specific, explicit and legitimate purposes, and not further processed in a way incompatible with those purposes.
This principle dictates that a data controller should disclose to the data subject clear reasons and intention of processing the personal data and make sure that the personal data is used for the exact specific purpose which was disclosed. This means that the data subject has to be aware of the purpose of processing personal data. The principle aims to ensure that the data controllers or processors process and use personal data in line with the purpose which was communicated to the data subject.[15]
Further, the principle prohibits the re-use of existing data in a new way that is incompatible with the originally specified purpose. The purpose limitation principle safeguards the rights of the data subject by ensuring that the processing of the personal data is only done in line with the specified purpose. This principle prevents the misuse of personal data as per the wish of the data controller or processor without permission of the data subject.
More importantly, this principle affords the data subject control over the processing of his/her personal data by giving the data subject the choice to approve or reject the processing of personal data for certain purposes. This entails that a data processor or controller who wishes to process personal data for a purpose different from the one communicated to the data subject will have to obtain fresh consent from the data subject. The principle of purpose limitation is crucial to an effective data protection regime and helps minimize the big data phenomenon. A breach of this principle amounts to an offence under data protection legislation, which entitles the data subject to a right of claim against the data controller or data processor.
3.2.7 Data minimization (Collection limitation)
This principle requires that the collection of personal data be adequate, relevant and limited to what is necessary and proportionate. The data minimization principle requires that only personal data that is genuinely needed for the specified purpose is collected from the data subject. This means that there should be limits on the collection and processing of personal data. The principle further demands that the data collected should be sufficient and fit for the purpose for which it was collected. It is therefore important for personal data to be collected only as necessary and fit for the processing. The principle is well articulated under Article 5(1)(c) of the GDPR, which provides that:
“1. Personal data shall be:
(c) Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimization)”
Similarly, the Malabo Convention under Article 13 principle 3(b) states that:
Data collection shall be adequate, relevant and not excessive in relation to the purpose for which they are collected and further processed.
The data minimization approach is one of the core standards of privacy, as it sets boundaries for personal data collection and processing which in turn minimize the risk of privacy intrusion. The data minimization approach means one has to answer whether the processing of personal data is proportional (with respect to the purpose) and whether no other, less invasive, means exist to achieve the same purpose.[16]
Under this principle, the data controller or data processor is normally expected to design tools or mechanisms that ensure data minimization. This principle conflicts with Big Data analytics (methodology), which discourages ‘data minimization’.[17] The big data methodology normally emphasizes collecting a large amount of data and keeping all data, since it may be ‘useful’ at some future date.[18]
In some data protection legislation, the data minimization principle is integrated with the principle of accountability and/or adequacy. The goal of this principle is to prohibit and reduce the excessive collection of personal data beyond the specified purpose or law. In practice, data minimization is challenging to implement in cyberspace. In order to control this issue, data protection legislation normally provides for the right to be forgotten (erasure) and data portability.[19] The collection or holding of more personal data than is necessary for the purpose is unlawful and amounts to a breach of the data protection principle.[20] As a rule, the principle of data minimization is to be strictly adhered to where the personal data collected falls within a special category of personal data, such as sensitive personal data.
3.2.8 Storage Limitation
Personal data should only be retained for the period of time that is necessary for the purposes for which it was originally collected and processed.[21] This means that personal data must not be stored for longer than it is needed for the specified purpose or law. The principle dictates that once personal data is no longer required, it must be securely erased from the data processor’s or data controller’s records. The Malabo Convention under Article 13 provides that:
- Data shall be kept for no longer than is necessary for the purposes for which the data were collected or further processed
- Beyond the required period, data may be stored only for specific needs of data processing undertaken for historical, statistical or research purposes under the law.
Ordinarily, data protection legislation does not explicitly provide for a specific time limit on personal data storage. Nevertheless, in order to adhere to this principle, a data controller should establish storage limitation timelines and conduct periodic reviews to ensure personal data is not kept longer than necessary and is deleted immediately when the retention period expires. The aim of this principle is to ensure that only relevant and necessary personal data is retained by the data controller or data processor.
Even though the data protection principles take on different normative forms or terms across different legal instruments, they basically articulate the same values and standards of data protection. It is imperative that the processing of personal data be in full compliance with the data protection principles. The implementation of the data protection principles is key to good data management and governance for entities. Due to changes in technology and behaviours, the data protection principles keep evolving, gaining wider scope and broader interpretation.[22]
This current article encompasses the third part of the VAC data protection and privacy articles series. The next part which is titled grounds for lawful processing and Dimensions of Consent in An Ideal Data Protection & Privacy Framework will be released on 17th May 2022.