In a seashell
You must be clear from the start about your purposes for using personal information.
You need to record your purposes as part of your obligations to adopt “suitable measures and policies” and specify them in your privacy policies.
You can only use the personal information for a new purpose if either this is compatible with your original purpose, you get consent, or you have a clear obligation or function set out in law.
Section 10, Purpose limitation, states that:
(1) An organisation shall use personal information only for the specific purposes under section 9(1)(b) or for purposes that are related to those specific purposes.
(2) Subsection (1) shall not apply—
(a) when the use of the personal information is with the consent of the individual whose personal information is used;
(b) when the use of the personal information is necessary to provide a service or product required by the individual;
(c) where the use of personal information is required by any rule of law or by the order of the court;
(d) where the use of the personal information is for the purpose of detecting or monitoring fraud or fraudulent misuse of personal information; or
(e) where the personal information is used for the purposes of scientific, statistical or historical research subject to the appropriate safeguards for the rights of the individual.
☐ We have clearly identified our purposes for using personal information.
☐ We have documented the purposes.
☐ We include details of our purposes in our privacy notice for individuals.
☐ We regularly review our use of personal information and where necessary, update our documentation and our privacy notice for individuals.
☐ If we plan to use personal information for a new purpose other than a legal obligation or function set out in law, we check that this is compatible with our original purpose or we identify the relevant reason at section 10(2), such as getting specific consent for the new purpose.
What is the purpose limitation principle?
Section 10(1) says:
“1. An organisation shall use personal information only for the specific purposes under section 9(1)(b) or for purposes that are related to those specific purposes.”
Section 9(1)(b) says:
“1. An organisation shall provide individuals with a clear and easily accessible statement (“privacy notice”) about its practices and policies with respect to personal information, including (b) the purpose for which personal information is or might be used.”
In practice, this means that as an organisation you must:
be clear from the outset why you are using personal information and what you intend to do with it;
comply with your obligations to specify and document your purposes;
comply with your obligations to inform individuals about your purposes; and
ensure that if you plan to use or disclose personal information for any purpose that is additional to or different from the originally specified purpose, the new use is lawful and fair.
Why do we need to specify our purposes?
This requirement aims to ensure that you are clear and open about your reasons for obtaining personal information, and that what you do with the information is in line with the reasonable expectations of the individuals concerned.
Specifying your purposes from the outset helps you to be accountable for your use of personal information. It also helps individuals understand how you use their personal information, make decisions about whether they are happy to share their details, and assert their rights over their information where appropriate. It is fundamental to building public trust in how you use personal information.
There are clear links with other principles – in particular, the fairness principle. Being clear about why you are processing personal information will help you to ensure you use personal information in a manner which is lawful and fair. If you use personal information for unfair, unlawful, or “invisible” reasons, you are likely to be in breach of the principle.
Specifying your purposes is necessary to comply with your accountability obligations.
How do we specify our purposes?
If you comply with your responsibility obligations, you are likely to comply with the requirement to specify your purposes without doing anything more:
You need to specify your purposes for using personal information within the suitable measures and policies you are required to adopt as part of your obligations under section 5(1) (Responsibility and compliance).
You also need to specify your purposes in your privacy notice for individuals.
However, you should also remember that whatever you document, and whatever you tell people, this cannot make fundamentally unfair use of personal information fair and lawful.
If you have not provided a privacy notice because you are only using personal information for an obvious purpose that is within the reasonable expectations of individuals, the “specified purpose” should be taken to be the obvious purpose.
You should regularly review your use of personal information, documentation, and privacy notice to check that your purposes have not evolved over time beyond those you originally specified.
Once we collect personal information for a specified purpose, can we use it for other purposes?
Under PIPA, if your purposes change over time or you want to use personal information for a new purpose which you did not originally anticipate, you can only go ahead if:
you get the individual’s specific consent for the new purpose; or
you can point to a clear legal provision requiring or allowing the new processing in the public interest – for example, a new function for a public authority.
You must also use the personal information in a manner which is lawful. The original basis you used to collect the information may not always be appropriate for your new use of that information.
If your new purpose aligns with the original one and your use of the personal information is necessary for that purpose, you can generally be confident it will also be lawful. In most cases, the appropriate basis for your new use of the personal information is likely to be fairly obvious.
However, you should remember that if you originally collected the personal information on the basis of consent, you usually need to get fresh consent to ensure your new use is fair and lawful.
You need to make sure that you update your privacy notice to describe this other purpose.
Under section 10(2)(e), PIPA specifically lists the following purposes where subsection (1) does not apply:
scientific, statistical or historical research purposes, subject to the appropriate safeguards for the rights of the individual.
Otherwise, you need to conduct an assessment to decide whether your organisation’s new purpose aligns with the original one. The assessment should take into account the following, which is not an exhaustive list:
any link between your original purpose and the new purpose;
the context in which you originally used the personal information – in particular, your relationship with the individual and what they would reasonably expect;
the nature and scope of the personal information – e.g., is it particularly sensitive;
the possible consequences for individuals of the new use of their information; and
whether there are appropriate safeguards – e.g., encryption or anonymisation.
What you need to take into account depends on the particular circumstances.
As a general rule, if the new purpose is either very different from the original purpose, would be unexpected, or would have an unjustified impact on the individual, it is likely not to align with your original purpose. In practice, you are likely to need to ask for specific consent to use or disclose personal information for this type of purpose.
A lawyer discloses her client list to her husband, who runs an entertainment agency, so that he can offer special event deals to the lawyer’s clients. Disclosing the information for this purpose would be incompatible with the purposes for which it was obtained.