Other sections of this Guide explain that you may only process personal data if you have a legitimate basis for doing so, and that any processing must be fair and lawful. This section explains the Data Protection Act’s additional requirement that you specify the purpose or purposes for which you obtain personal data, and that anything you do with the data must be compatible with this (or, as the Data Protection Act says, “not … in any manner incompatible” with it).
In brief – what does the Data Protection Act say about specifying the purposes for which personal data is processed?
The Data Protection Act says that:
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
This requirement (the second data protection principle) aims to ensure that organisations are open about their reasons for obtaining personal data, and that what they do with the information is in line with the reasonable expectations of the individuals concerned.
There are clear links with other data protection principles – in particular the first principle, which requires personal data to be processed fairly and lawfully. If you obtain personal data for an unlawful purpose, for example, you will be in breach of both the first data protection principle and this one. However, if you comply with your obligations under the other data protection principles, you are also likely to comply with this principle, or at least you will not do anything that harms individuals.
In practice, the second data protection principle means that you must:
- be clear from the outset about why you are collecting personal data and what you intend to do with it;
- comply with the Act’s fair processing requirements – including the duty to give privacy notices to individuals when collecting their personal data;
- comply with what the Act says about notifying the Information Commissioner; and
- ensure that if you wish to use or disclose the personal data for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair.
In more detail…
Why do I need to specify the purpose (or purposes) for which personal data is to be processed?
You need to be clear about the purpose or purposes for which you hold personal data so that you can then ensure that you process the data in a way that is compatible with your original purpose or purposes (or “not incompatible”, as the Data Protection Act says). Specifying those purposes at the outset is likely to help you avoid the possibility of “function creep”. It should also help you decide what information to give individuals to comply with the Act’s fair processing requirements.
How should I specify the relevant purpose (or purposes)?
If you make sure that you process personal data in accordance with the other data protection principles, and that you have notified the Information Commissioner if you need to do so, you are likely to comply with the requirement to “specify” without doing anything more. Nevertheless, the Act says that there are two ways in particular in which you can specify the relevant purposes:
- in a “privacy notice” given to individuals at the time their personal data is collected; or
- in a notification given to the Information Commissioner.
In reality, of course, members of the public do not check your ICO notification entry very often, and you can inform people more effectively by sending them good privacy notices than just by notifying the Information Commissioner. You should also remember that whatever you tell people, and whatever you notify to the Information Commissioner, this cannot make fundamentally unfair processing fair.
Where your organisation is exempt from notification, and processes personal data only for an obvious purpose (and therefore does not need to give a privacy notice), the “specified purpose” should be taken to be the obvious purpose.
A not-for-profit chess club only uses personal data to organise a chess league for its members. The club is exempt from notification, and the purpose for which it processes the information is so obvious that it does not need to give privacy notices to its members. The specified purpose of processing should be taken to be the organisation of a members’ chess league.
Once personal data has been obtained for a specified purpose, can it then be used for other purposes?
The Data Protection Act does not prohibit this, but it does place a limitation on it: the second data protection principle says, in effect, that personal data must not be processed for any purpose that is incompatible with the original purpose or purposes.
When is one purpose compatible with another?
The Act clarifies to some extent what is meant by compatibility – it says that when deciding whether disclosing personal data is compatible with the purpose for which you obtained it, you should bear in mind the purposes for which the information is intended to be used by any person to whom it is disclosed.
An additional or different purpose may still be compatible with the original one. Because it can be difficult to distinguish clearly between purposes that are compatible and those that are not, we focus on whether the intended use of the information complies with the Act’s fair processing requirements. It would seem odd to conclude that processing personal data breached the Act on the basis of incompatibility if the organisation was using the information fairly.
If you wish to use or disclose personal data for a purpose that was not contemplated at the time of collection (and therefore not specified in a privacy notice), you have to consider whether this will be fair. If using or disclosing the information would be unfair because it would be outside what the individual concerned would reasonably expect, or would have an unjustified adverse effect on them, then you should regard the use or disclosure as incompatible with the purpose you obtained the information for.
A GP discloses his patient list to his wife, who runs a travel agency, so that she can offer special holiday deals to patients needing recuperation. Disclosing the information for this purpose would be incompatible with the purposes for which it was obtained.
In practice, you often need to get prior consent to use or disclose personal data for a purpose that is additional to, or different from, the purpose you originally obtained it for.