In a seashell
You must identify valid, lawful grounds under PIPA for using personal information.
You must ensure that you do not use the information in breach of any other laws.
You must use personal information in a manner that is fair. This means you must not process the information in a way that is unduly detrimental, unexpected, or misleading to the individuals concerned.
You must inform people clearly, openly, and honestly from the start about how you will use their personal information.
☐ We use the information in a lawful manner and identify the law requiring use of personal information.
☐ If we are using sensitive personal information or criminal offence information, we have identified a condition for processing this type of information.
☐ We don’t do anything unlawful with personal information.
☐ We have considered how the processing of information may affect the individuals concerned and can justify any adverse impact.
☐ We only handle people’s information in ways they would reasonably expect, or we can explain why any unexpected processing is justified.
☐ We do not deceive or mislead people when we collect their personal information.
What is the fairness principle?
Section 8, Fairness, says:
“An organisation shall use personal information in a lawful and fair manner”.
Lawfulness and fairness overlap, but you must make sure you satisfy both. It is not enough to show your processing is lawful if it is fundamentally unfair to or hidden from the individuals concerned.
What is “a lawful manner”?
To use personal information in a lawful manner, you need to identify specific grounds for the processing. This is called a “lawful manner” of using personal information. There are also specific additional requirements for using some especially sensitive types of personal information.
If information is not used in a lawful manner, it means your organisation’s processing will be unlawful and in breach of this principle.
Using personal information in a lawful manner also means that you don’t do anything with the information that is unlawful in a more general sense. This includes statute and common law obligations, whether criminal or civil. If processing involves committing a criminal offence, it will be unlawful. However, use of personal information may also be unlawful if it results in, for example:
a breach of a duty of confidence;
your organisation exceeding its legal powers or exercising those powers improperly;
an infringement of copyright;
a breach of an enforceable contractual agreement;
a breach of industry-specific legislation or regulations; or
a breach of the Human Rights Act 1981.
This list is not exhaustive. You may need to take your own legal advice on other relevant legal requirements.
Although the examples of using personal information in breach of copyright or industry regulations involve unlawful processing in breach of this principle, allegations that are primarily about breaches of copyright, financial regulations, or other laws are likely to be outside PrivCom’s remit and expertise as the data privacy regulator. In such situations, there are likely to be other legal or regulatory routes of redress where the issues can be considered in a more appropriate forum.
If you have used personal information unlawfully, PIPA gives individuals the right to erase that information or block your use of it.
What is fairness?
Use of personal information must always be fair as well as lawful. If any aspect of your processing is unfair, you will be in breach of this principle – even if you can show that you have a lawful basis for the processing.
In general, fairness means that you should only handle personal information in ways that people would reasonably expect and not use it in ways that have unjustified adverse effects on them. You need to stop and think not just about how you can use personal information, but also about whether you should.
Assessing whether you are using information fairly depends partly on how you obtain it. In particular, if anyone is deceived or misled when the personal information is obtained, then this is unlikely to be fair.
To assess whether or not you are processing personal information fairly, you must consider more generally how it affects the interests of the people concerned – as a group and individually. If you have obtained and used the information fairly in relation to most of the people it relates to but unfairly in relation to one individual, there will still be a breach of this principle.
Personal information may sometimes be used in a way that negatively affects an individual without this necessarily being unfair. What matters is whether or not such detriment is justified, as the following scenario shows.
Where personal information is collected to impose a fine for speeding, the information is being used in a way that may cause detriment to the individuals concerned, but the proper use of personal information for these purposes will not be unfair.
You should also ensure that you treat individuals fairly when they seek to exercise their rights over their information. This ties in with your obligation to facilitate the exercise of individuals’ rights.