How do we define our purposes for profiling and ensure data minimisation?
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
In detail
How do we define our purposes?
Purpose limitation means that you must only collect personal information for specified, explicit and legitimate purposes.
From the outset, you must be clear about:
- why you’re using personal information for profiling in your trust and safety systems (eg to comply with your obligations under the OSA, or to enforce your terms of service); and
- what you intend to do with that information.
In some cases, you might process personal information for multiple different purposes. For example, you might use information about a user’s activity on your service as input data to generate a risk score about them. You might also use this user activity data in a different system that provides personalised features to users.
If this is the case, you must:
- provide users with clear and specific information about these different purposes at the outset;
- explain what personal information is used for each purpose and why; and
- explain your lawful basis for each purpose (which may differ).
You must ensure your purposes are detailed enough so that users have a clear understanding about why and how you are using their personal information.
Example
A social media service develops and deploys a tool that aims to detect and remove bot accounts. As part of its analysis, the tool analyses information about a user’s interactions with content on the service (eg likes, shares and comments).
The service also uses the information about the user’s interactions with content in its content recommendation systems.
The service is collecting the same information for two distinct purposes (ie the same information is used by the bot removal tool and another, separate, recommender system).
The service provides clear and specific information about its different purposes in its privacy policy. It provides detailed information on what personal information it uses and the lawful basis it relies on for each purpose.
What about further processing of personal information that we’ve already collected?
There might be cases where you want to use personal information for purposes you did not originally specify. For example, you may already collect your users’ personal information (such as their content and activity data) in the context of providing the service to them. If, at a later point, you intend to use a profiling tool for trust and safety purposes that analyses the same information, these purposes are different from those you originally told your users about when you first collected the information.
The purpose limitation principle means that you must not further process the personal information you collect for trust and safety profiling purposes for other reasons, unless:
- your new purpose is ‘compatible’ with the original purpose;
- you get the person’s specific consent for the new purpose; or
- you can point to a clear legal provision requiring or allowing the new processing in the public interest.
For example, if you introduce a new trust and safety tool that involves retrospective analysis of personal information you’ve already collected for another purpose (eg to facilitate the operation of your service), you must ensure one of the three criteria above is met before you carry out the processing.
If you told your users that you would use their information for trust and safety purposes, but you then also used it for a completely different and unrelated purpose (such as advertising), this is not compatible. In this case, you would infringe the purpose limitation principle.
(Our guidance on purpose limitation has more information on how you can assess whether a new purpose is compatible with your original purpose.)
When assessing if your new purpose is compatible, you must consider:
- any link between your original purpose and the new purpose;
- the context in which you originally collected the personal information, in particular your relationship with the person and what they would reasonably expect;
- the nature of the personal information (eg is it particularly sensitive);
- the possible consequences for people of the new processing; and
- whether there are appropriate safeguards (eg encryption or pseudonymisation).
You must identify a lawful basis for your new processing. Even if your processing is compatible, the lawful basis you originally relied on may not be appropriate.
You must ensure that your new processing complies with all other aspects of data protection law, including the requirement to be clear and open with users about how you use their personal information.
Further reading
- Principle (b): Purpose limitation, including the section on ‘Once we collect personal data for a specified purpose, can we use it for other purposes?’
Example
A service introduces a new tool that produces a reputation score about users. The score represents how likely they are to be in breach of the service’s terms of service. The service uses the score to support its trust and safety processes and inform moderation actions it takes on users.
The tool uses information about a user’s moderation history, including whether they have previously been banned for breaching the service’s terms of service. It also uses information about whether the user has been blocked by other users.
The service already processes this information as part of its existing content moderation strike system and user blocking processes. But, using this data to apply a reputation score to users is a new purpose that the service did not originally anticipate.
The service needs to consider whether this new purpose is compatible with the purpose it originally collected the information for. The service considers the link between its original and new purpose. It determines that the purposes are closely linked because they are both related to the service’s trust and safety processes and ensuring that users adhere to its terms of service.
The service considers the impact on users from this new processing. In this case, the consequences of the processing are similar to those that arise from its existing content moderation processes. When considering the expectations of its users, the service concludes that users are likely to expect this processing, given its particular service offering and relationship with its users. In this case, the service is not processing any sensitive personal information, such as special category information.
The service has existing safeguards in place as part of its moderation processes that would also apply to its use of the reputation scoring tool. These include a human review and appeal process, and regular audits of the system to check it is functioning accurately and as intended.
In this case, the service judges its new purpose to be compatible with its existing purpose for processing the information. It goes on to consider the most appropriate lawful basis for the processing, and its wider compliance with data protection law. The service understands that users might not anticipate this profiling based on the information previously provided in its privacy policy. Therefore, the service also considers its transparency obligations and how it can update its privacy policy to inform users of this new processing.
What if we introduce new purposes for future processing?
Sometimes your purposes for processing change over time. For example, you might plan to introduce a new trust and safety tool that doesn’t involve re-using personal information you already collected for a different purpose.
In these cases, you are not re-using personal information for a new, different purpose. Instead, you are carrying out a new processing activity that involves collecting personal information you didn’t already have.
Where this applies, you must:
- ensure you have a lawful basis for this processing;
- notify people about your new purpose and how you plan to process their information;
- tell people about their rights in relation to this processing; and
- comply with all the other requirements of data protection law.
How do we ensure data minimisation?
The data minimisation principle means you must only process personal information that’s necessary to achieve your purpose.
Profiling tools have the potential to gather and use a wide range of information about users. (See the section on What personal information processing do profiling tools involve? for more information.) There is a risk that profiling tools use larger amounts of information than may be necessary to achieve your purpose, which would result in unnecessary intrusion into your users’ privacy.
To comply with the data minimisation principle, you must be able to demonstrate that:
- the personal information your profiling tools use is limited to what is necessary to achieve your purpose; and
- no less intrusive option is available to achieve this.
There may be different ways to implement profiling tools that use different types and amounts of personal information. You must ensure that the personal information you use is adequate, relevant and limited to what is necessary. Remember, you must not use the personal information just because you can, or just in case you think it might be useful.
You must specify what personal information you need to achieve your purpose. You must consider this in the design stage of your tool and throughout its operation. (See the section on How do we integrate data protection by design and by default? for more information.)
You should:
- consider whether you can limit your profiling to certain areas of your service (this is also a key factor in your overall assessment of the necessity and proportionality of your planned profiling; see the section on How do we assess and mitigate the data protection risks involved in our use of profiling tools?);
- be able to justify the personal information you plan to use in your profiling tools; and
- carry out periodic reviews of the personal information your profiling tools need to achieve your purpose. This is to determine whether further types of personal information are necessary in future, or if certain categories of personal information are no longer necessary.
If you use profiling tools from third-party providers who are acting as data processors on your behalf, you must limit the information you give them to what is relevant and necessary for them to deliver their service. (See the section on Who is the controller for our profiling tools? for more information on controllers and processors.)
Example
A service is considering deploying a grooming behaviour detection tool.
At the design stage, the service assesses what information is needed for the tool to adequately detect grooming behaviour on its service. It documents the personal information it plans to use and includes a justification for why each type of personal information is necessary.
The service provider sets a regular review period to enable it to determine whether its use of the information remains limited to what is necessary to achieve its purpose.
Example
A social media company deploys a profiling tool that detects and removes fake and bot accounts.
The service provider deploys the tool only on the dating section of its service. This is because it has determined that this part of the service requires this trust and safety measure to address bot accounts.
The service does not deploy the tool in the other areas of its service, as it determines that profiling users for trust and safety purposes is not necessary in those areas.
In this situation, the service provider effectively limits the use of the profiling tool to where it is needed, which is in keeping with the data minimisation principle.
Further reading
- Principle (c): Data minimisation
- Children’s code – see Standard 8 for more information on data minimisation
- Privacy-enhancing technologies (PETs)
- Draft guidance on anonymisation and pseudonymisation