Data Protection Principles
Second Data Protection Principle - Purpose limitation
At a glance
- You should be clear about what your purposes for processing are from the start, and you should avoid reusing personal data for different purposes.
- You should record your purposes as part of your processing documentation and specify them in your privacy notice for individuals.
- You can only use the personal data for a new purpose if either this is compatible with your original purpose, you obtain consent, or you have a clear basis in the Act.
Checklist
- We have clearly identified our purposes for processing.
- We have documented those purposes.
- We include details of our purposes in our privacy information for individuals.
- We regularly review our processing and, where necessary, update our documentation and our privacy information for individuals.
- If we plan to use personal data for a new purpose, we check that it is compatible with our original purpose or we get specific consent for the new purpose.
In brief
- What is the purpose limitation principle?
- Why do you need to specify your purposes?
- How do you specify your purposes?
- Once you collect personal data for a specified purpose, can you use it for other purposes?
- What is a ‘compatible’ purpose
What is the purpose limitation principle?
The second data protection principle (in schedule 1 of the DPA) says:
In practice, this means that you must:
- be clear from the outset why you are collecting personal data and what you intend to do with it;
- comply with your transparency obligations to inform individuals about your purposes;
- ensure that if you plan to use or disclose personal data for any purpose that is additional to or different from the originally specified purpose, the new use is fair, lawful and transparent.
As well, it is best practice to:
- document the purposes for processing upfront.
Why do you need to specify your purposes?
This requirement aims to ensure that you are clear and open about your reasons for obtaining personal data, and that what you do with the data is in line with the reasonable expectations of the individuals concerned.
Specifying your purposes from the outset and refraining from repurposing helps you to be accountable for your processing, and helps you avoid ‘scope creep’. It also helps individuals understand how you use their data, make decisions about whether they are happy to share their details, and assert their rights over their personal data where appropriate. It is fundamental to building public trust in how you use personal data.
There are clear links with other principles – in particular, the fair and lawful processing principle. Being clear about why you are processing personal data will help you to ensure your processing is fair, lawful, and transparent. Using data for unfair, unlawful or ‘invisible’ reasons is likely to be a breach of both principles.
Specifying your purposes is required in terms of being accountable for your processing.
How do you specify your purposes?
If you comply with your fairness and transparency obligations, you are likely to comply with the requirement to specify your purposes without doing anything more:
- You need to specify your purpose or purposes for processing personal data in your privacy notice for individuals.
- It is best practice to keep detailed documentation on your data processing activities, including all your purposes. This is not a legal requirement under DPA, however, it is vital to have good documentation to be able to respond to subject access requests, cooperate with investigations by the Ombudsman, and inform individuals what you do with their data.
Remember that whatever you document, and whatever you tell people, this cannot make fundamentally unfair processing fair and lawful.
If you have not provided privacy information (see 'The Right to be Informed') because you are only using personal data for an obvious purpose that individuals already know about, e.g. processing employees’ data, the “specified purpose” should be taken to be the obvious purpose.
You should regularly review your processing, documentation and privacy information to check that your purposes have not evolved over time beyond those you originally specified (‘function creep’).
Once you collect personal data for a specified purpose, can you use it for other purposes?
The DPA does not ban this altogether, but there are restrictions. In essence, if your purposes change over time or you want to use data for a new purpose which you did not originally anticipate, you can only go ahead if:
- the new purpose is compatible with the original purpose;
- you get the individual’s specific consent for the new purpose; or
- you can point to a clear legal provision requiring or allowing the new processing in the public interest – for example, a new function for a public authority.
If your new purpose is compatible, you don’t need a new lawful basis for the further processing. However, you should remember that if you originally collected the data on the basis of consent, you usually need to get fresh consent to ensure your new processing is fair and lawful.[1]
You also need to make sure that you update your privacy notice to ensure that your processing is still transparent.
What is a ‘compatible’ purpose?
The DPA specifically says that the following purposes can be considered to be compatible purposes:
- research purposes (in this context 'research’ is understood to be scientific research);
- historical research purposes; and
- statistical purposes.[2]
Other purposes can still be compatible, depending on the context. When deciding whether a new purpose is compatible with your original purpose it is best practice to take into account:
- any link between your original purpose and the new purpose;
- the context in which you originally collected the personal data – in particular, your relationship with the individual and what they would reasonably expect;
- the nature of the personal data – e.g. is it particularly sensitive;
- the possible consequences for individuals of the new processing; and
- whether there are appropriate safeguards – e.g. encryption or pseudonymization.
As a general rule, if the new purpose is either very different from the original purpose, would be unexpected, or would have an unjustified impact on the individual, it is likely to be incompatible with your original purpose. In practice, you are likely to need to ask for specific consent to use or disclose data for the new purpose
[2] DPA s.23(4)
Example
A GP discloses his patient list to his wife, who runs a travel agency, so that she can offer special holiday deals to patients needing recuperation. Disclosing the information for this purpose would be incompatible with the purposes for which it was obtained.
There are clear links here with the fair and lawful processing principle. In practice, if your intended processing is fair, you are unlikely to breach the purpose limitation principle on the basis of incompatibility.
Relevant provisions
Data Protection Act (2021 Revision)
Schedule 1, Part 1, paragraph 2: Second data protection principle – Purpose limitation
Section 23(4): Compatible purposes - research, history and statistics