Principle (b): Purpose limitation
Latest updates - 23 March 2026
23 March 2026 - We have updated this guidance to reflect amendments introduced by the Data (Use and Access) Act. This includes the provisions on compatibility and the reuse of personal information. We have also updated the guidance to follow the ICO's latest style guide.
07 October 2022 - We have updated our position on needing a new lawful basis when your purpose for processing changes. The update can be found under the ‘Once we collect personal data for a specified purpose, can we use it for other purposes?’ and ‘What is a ‘compatible’ purpose?’ sections. You now need to consider whether you need a new lawful basis if your purposes for processing personal data change.
At a glance
- You must be clear about your purposes for processing personal information from the start.
- You must record your purposes as part of your documentation obligations and specify them in your privacy information.
- You must only reuse the personal information for a new purpose if this is compatible with your original purpose. The rules on this are slightly different depending on whether you originally collected the information under the consent lawful basis.
- The UK GDPR lists several specific reuses of personal information that are compatible with your original purpose.
- You must have a lawful basis for any new purpose. If your original lawful basis is not sufficient, you must find a new one.
In brief
- What is the purpose limitation principle?
- Why do we need to specify our purposes?
- How do we specify our purposes?
- Once we collect personal information for a specified purpose, can we use it for other purposes?
- Can anything else be a compatible purpose?
- Do we need a lawful basis for our new purpose?
- Where can we get more information?
- Checklist
What is the purpose limitation principle?
Article 5(1)(b) says:
“1. Personal data shall be:
(b) collected (whether from the data subject or otherwise) for specified, explicit and legitimate purposes and not further processed by or on behalf of a controller in a manner that is incompatible with the purposes for which the controller collected the data (‘purpose limitation’);”
This means that you must:
- be clear from the outset about why you’re collecting personal information and what you intend to do with it;
- document your purpose for collecting the information;
- tell people why you’re collecting their information; and
- ensure that if you plan to reuse personal information for a different purpose from the originally specified purpose, the new use is compatible with the original.
Why do we need to specify our purposes?
You must specify your purposes. Doing so ensures that you’re clear and open about your reasons for collecting personal information and that what you do with people’s information is in line with their reasonable expectations.
Specifying your purposes from the outset helps you remain accountable for your processing and helps you avoid ‘function creep’. It also helps people:
- understand how you’ll use their information;
- make decisions about whether they’re happy to share their information; and
- exercise their data protection rights over their information, where appropriate.
It is fundamental to building public trust with people, who are more likely to agree to you using their information if they can see what you intend to use it for.
There are clear links with other principles. For example:
- being clear about why you’re processing personal information helps you ensure your use is fair, lawful and transparent;
- specifying your purpose helps you comply with the data minimisation principle, because this determines what personal information you need to achieve your purpose; and
- defining your purpose helps you comply with the accountability principle.
How do we specify our purposes?
There isn’t a set way for you to specify your purposes. However, if you comply with your documentation and transparency obligations, you’re likely to comply with the requirement to specify your purposes without doing anything more. Under those obligations, you must:
- specify your purpose or purposes for collecting and using personal information in the documentation you’re required to keep as part of your records of processing (documentation) obligations under article 30 of the UK GDPR; and
- specify your purposes in the privacy information you give to people.
However, whatever you document, and whatever you tell people, this does not make fundamentally unfair processing fair and lawful.
You may not need to formally document all of your purposes to comply with the purpose limitation principle if you:
- are a small organisation employing fewer than 250 people; and
- are exempt from some documentation requirements.
In this case, listing your purposes in the privacy information that you must provide to people is enough. However, you could still document all of your purposes.
If you’ve not provided privacy information because you’re only using personal information for an obvious purpose that people already know about, that obvious purpose is the ‘specified purpose’ of the processing.
You should regularly review your processing, documentation and privacy information to check that your purposes have not evolved over time beyond those you originally specified and to prevent function creep.
If your purposes change over time, whether because of some unexpected need or a change in practice, you must update your privacy information to reflect this. You must do this and tell people before reusing their personal information.
Once we collect personal information for a specified purpose, can we use it for other purposes?
Yes, but there are restrictions on when you can do so. If your purposes change over time, or you want to use personal information for a new purpose that you didn’t originally expect, you must ensure your new purpose is compatible with the original purpose before you go ahead.
Data protection law provides a set of rules to help you determine if your new purpose is compatible. These rules differ slightly depending on whether you originally collected the personal information under the consent lawful basis.
For personal information collected under consent, the rules are more restrictive. For a new use to be compatible, you must:
- get consent from the person for the new specified, legitimate and explicit use;
- reuse personal information to comply with a data protection principle or to demonstrate that it does so;
- reuse the information for a purpose listed in annex 2 of the UK GDPR – “Processing to be treated as compatible with original purpose” and it is not reasonable to expect you to obtain new consent; or
- reuse the information because it is necessary to safeguard a public interest objective listed in article 23(1)(c) to (j) of the UK GDPR and this processing is authorised by law, and it’s not reasonable to expect you to obtain new consent.
For personal information collected under a lawful basis other than consent, a new use is compatible if you:
- get consent for the new use;
- reuse personal information for the purposes of research, archiving in the public interest or statistical processing and in accordance with the provisions relating to this processing;
- reuse personal information to comply with a data protection principle or to demonstrate that it does so;
- reuse the information for a purpose listed in annex 2 of the UK GDPR – “Processing to be treated as compatible with original purpose”;
- reuse the information because it’s necessary to safeguard a public interest objective listed in article 23(1)(c) to (j) of the UK GDPR and the processing is authorised by law; or
- satisfy a compatibility test.
Annex 2 of the UK GDPR lists several specific reuses of personal information that are “to be treated as compatible” with your original purpose when applying the purpose limitation principle:
- Public task disclosure response compatibility condition. This allows an organisation to respond to a request for personal information from a public body (or other bodies carrying out public tasks) that has confirmed it needs the information for that purpose and to safeguard a public interest objective listed in article 23(1)(c) to (j).
- Archiving disclosure response compatibility condition. This allows an organisation to respond to a request for personal information from an archiving body that needs it to archive in the public interest, if:
  - it originally collected the information under the lawful basis of consent;
  - the use of the information complies with the research, archiving and statistical processing requirements in data protection law;
  - the requesting body confirms that it will only use the information for the purposes of archiving in the public interest; and
  - it reasonably believes that the requesting body will only use the information in line with generally recognised standards relevant to its archiving in the public interest.
- Public security compatibility condition. This allows an organisation to use personal information to protect public security.
- Emergencies compatibility condition. This allows an organisation to use personal information to respond to an emergency, as defined by part 2 of the Civil Contingencies Act 2004.
- Crime compatibility condition. This allows an organisation to use personal information to:
  - detect, investigate or prevent crime; or
  - apprehend or prosecute offenders.
- Vital interests compatibility condition. This allows an organisation to use personal information to protect the vital interests of the person the information is about or another person.
- Safeguarding compatibility condition. This allows an organisation to use personal information to safeguard a “vulnerable” person.
- Taxation compatibility condition. This allows an organisation to use personal information to assess or collect a tax, duty or an imposition of a similar nature.
- Legal obligations compatibility condition. This allows an organisation to use personal information to comply with a legal obligation.
If you originally collected personal information under the consent lawful basis, you may be able to reuse information for one of these conditions, but only if it’s not reasonable to get consent for the new use.
Can anything else be a compatible purpose?
Yes. If your proposed new processing is not for any of the above purposes, you must do a compatibility assessment to decide whether the new purpose is compatible with your original purpose. In your assessment, you must consider:
- any link between your original purpose and the new purpose;
- the context in which you originally collected the personal information – in particular, your relationship with the person whose information you collected and what they would reasonably expect;
- the nature of the personal information (eg whether it’s particularly sensitive or involves special category data or criminal offence data);
- the possible consequences of the new processing for the people the information is about; and
- whether there are appropriate safeguards (eg encryption or pseudonymisation).
This list is not exhaustive, and you may need to look at other factors depending on the circumstances of each case.
A compatibility assessment is likely to look at similar factors to a legitimate interests assessment (LIA). You could use our LIA template to help you assess compatibility.
In general, the new purpose is likely to be incompatible with your original purpose if it:
- is very different from the original purpose;
- would be unexpected; or
- would have an unjustified impact on the people involved.
In practice, you’re likely to need to ask for specific consent to further use or share people’s personal information for this type of purpose.
Example
A GP shares their patient list with their spouse, who runs a travel agency, so that they can offer special holiday deals to patients needing recuperation.
Disclosing the personal information for this purpose is incompatible with the purposes for which it was obtained.
Do we need a lawful basis for our new purpose?
You must have a lawful basis for all of your processing. But the original basis you relied on to collect the personal information might not be appropriate for your new use of that information.
In most cases, the appropriate basis for your new use of the information is likely to be obvious. For example, if you’re reusing information for an annex 2 condition, some of these have a similar condition in the recognised legitimate interest lawful basis.
However, if you originally collected the personal information using consent, you must either get new consent for your intended new purpose or identify another lawful basis. For some reuses (such as those listed in annex 2), you can still further process personal information if it’s not reasonable to get new consent. But you must still identify a lawful basis for the reuse. This is to ensure your new processing is fair and lawful.
Remember, if you want to reuse special category data, you must also identify a condition for processing under article 9 of the UK GDPR for this type of information. Similarly, if you want to reuse criminal offence data, you must identify a condition for processing under article 10 of the UK GDPR.
Where can we get more information?
For more detailed information on reusing personal information for a new purpose, see our guidance on compatibility and the reuse of personal information.
Checklist
☐ We have clearly identified our purpose or purposes for processing.
☐ We have documented those purposes.
☐ We include details of our purposes in our privacy information for people.
☐ We regularly review our processing and, where necessary, update our documentation and our privacy information for people.
☐ If we plan to use personal information for a new purpose, we check that this is compatible with our original purpose, either because it is to be treated as compatible in accordance with the UK GDPR or by assessing compatibility ourselves.
☐ If we originally collected personal information based on consent, we check the circumstances in which we can reuse it, including whether it’s reasonable to get new consent.
☐ We ensure we have a lawful basis for our new processing.