The Article 29 Working Party, the EU data protection advisory body, has published an opinion on purpose limitation. The purpose limitation principle, which is set out in the European Directive and is replicated in the UK's Data Protection Act 1998, restricts the purposes for which data controllers are permitted to use personal data. The opinion gives guidance on how the principle should be applied in practice, as well as on how policy should be developed in the future.
According to the Article 29 Working Party, purpose limitation consists of two main building blocks. Firstly, personal data must be collected for "specified, explicit and legitimate" purposes. The opinion provides guidance on how these terms should be understood, since interpretation varies between Member States. For a purpose to be specified, it must be communicated to the data subject before, or when, the data subject provides the relevant data. For a purpose to be explicit, it must be "clearly revealed, explained or expressed in some intelligible form", usually in writing. And for a purpose to be legitimate, it must be based on a legal ground mentioned in article 7 of the Data Protection Directive. In practice this means that organisations need to ensure that clear and easily accessible privacy notices are provided to individuals at the point of data collection and that one of the conditions in Schedule 2 of the Data Protection Act is satisfied.
The second building block is that personal data may not be "further processed in a way incompatible" with those purposes. The Article 29 Working Party believes that compatibility should be assessed on a case-by-case basis, taking account of all relevant circumstances. Particular attention should be given to the following factors:
the relationship between the purposes for which the personal data is collected and the purposes of further processing;
the context in which personal data has been collected and individuals' reasonable expectations on how it will be used;
the nature of the personal data and the impact further processing would have on the individuals; and
the safeguards the controller has adopted to ensure fair processing and prevent undue impact on individuals.
So, if you want to use data for a new purpose that is not covered by existing privacy notices, a careful analysis will need to be carried out to determine whether the new purpose is compatible with the original purposes, taking into account the factors outlined above. This will not always be a straightforward assessment, as much will depend on the context of the original data collection and the extent to which you can gauge the reasonable expectations of individuals in relation to use of their data.
The Article 29 Working Party also believes the provisions in the draft Data Protection Regulation relating to purpose limitation should be amended. Article 6(4) of the draft Regulation gives a broad exception from the requirement of compatibility, and in the Working Party's view, this does not fit with the correct understanding of compatibility and the article should be deleted.
In addition to these recommendations to legislators, the Article 29 Working Party has provided examples of how its recommendations will apply in practice. The opinion also contains annexes dealing with purpose limitation issues arising from big data and open data, and some practical examples of how compatibility assessments should be carried out.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at June 2013. Specific advice should be sought for specific cases; we cannot be held responsible for any action (or decision not to take action) made in reliance upon the content of this publication.
TLT LLP is a limited liability partnership registered in England & Wales number OC 308658 whose registered office is at One Redcliff Street, Bristol BS1 6TP England. A list of members (all of whom are solicitors or lawyers) can be inspected by visiting the People section of this website. TLT LLP is authorised and regulated by the Solicitors Regulation Authority under number 406297.