Second Principle - purpose for which data are obtained and processed

"Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes."

This principle requires organisations to be open about their reasons for obtaining personal data and that what they subsequently do with the information is in line with the individual's expectations.

The Act does not prohibit the use of information obtained for one purpose being used for another, but limits the use to that which is not "incompatible" with the original purpose, i.e. a reasonably adjacent purpose.

If you intend to disclose information for a purpose that was not originally contemplated, or included in your register entry or privacy notice, you must consider whether this processing will still be fair and comply with the first data protection principle.

If the use or disclosure of the information would be unfair because it is outside what the individual would reasonably expect or has an unjustified damaging effect on the person, then you should regard the disclosure as being incompatible with the purpose you obtained the information for.

It is therefore important to remember:

  • if you are required to notify, be clear about the purpose(s) for processing personal data
    • if you are clear about the purpose for processing you will be able to assess whether further processing (e.g. disclosure) will be compatible, or whether the processing complies with the other principles - for example whether the information sought is adequate or relevant to the purpose;
    • If you are clear about the purposes for processing at the outset, this minimises the possibility of "function creep";
  • if you are not required to notify and the processing is for an obvious purpose (such as staff administration) the "specified purpose" should be taken to be the obvious purpose;
  • to ensure that individuals are given, or have easy access to, a fair processing notice or privacy notice - whilst the Act says that you can specify your purposes for processing in "a notification given to the Information Commissioner", in reality few people actually know this, or know how to make such a check;
  • ensure that if data are disclosed, you take into account the purposes for which the recipient will use the data
    • are the individuals aware of this use, and
    • is this use in line with the expectations of the individual?
  • If you are unsure about whether you should disclose, you should contact the individual and seek their consent.

Further guidance on the second principle is available below.