Purpose limitation: Re-using data
This is the second update in a series on how the Government’s proposed Data Protection and Digital Information (No. 2) Bill (the Bill) would affect data controllers. This post will consider how the Bill would:
- amend the definition of the ‘purpose limitation’;
- introduce the concept of a compatible purpose;
- clarify the meaning of scientific research; and
- impact privacy policies.
Using data for a new purpose
One of the Government’s stated aims in its consultation was to clarify the existing law on the re-use of personal data (see section 1.3). With that aim, the Bill sets out a number of changes to the way the so-called ‘purpose limitation’, as defined in Article 5(1)(b) UK GDPR, would apply.
The Bill would amend that definition as follows (the new text is in bold):
Personal data shall be:
- (b) collected **(whether from the data subject or otherwise)** for specified, explicit and legitimate purposes and not further processed **by or on behalf of a controller** in a manner that is incompatible with **the purposes for which the controller collected the data** (‘purpose limitation’)
The changes may look minor, but they are potentially far-reaching. A controller applying the purpose limitation would only have to consider the purposes for which it itself collected the data. If the controller obtained the data from another controller, it would not need to consider the purposes for which that other controller originally obtained the data.
This will be of particular interest to controllers who acquire personal data from third-party sources for their own purposes. For example, it has long been common practice for charities to conduct research about potential major donors using publicly accessible registers. In the past, one of the criticisms the ICO has made of that practice is that using the data for those purposes may not be compatible with the purpose for which the register originally collected it from the individual. With the changes to the purpose limitation, a charity using Companies House records to research company directors as prospective donors would no longer need to consider whether its own purpose (donor research) was compatible with the purpose for which Companies House originally collected the data (maintenance of a legal register). The charity would, of course, still need to ensure that the processing was fair, lawful and transparent, and establish a lawful basis for it.
As well as restricting, or rather ‘clarifying’, the scope of the purpose limitation, the Bill also sets out a list of situations in which a new purpose will always be treated as compatible with the original purpose. Again, the intention here seems to be to make compliance decisions simpler in those situations.
The Bill (Schedule 2) would add a new Annex to the UK GDPR listing situations in which processing is to be treated as compatible with the original purpose. In brief, those situations would be:
- where processing is necessary for making a disclosure of data to a public authority that requests the data in reliance upon the ‘public task basis’;
- where processing is necessary for protecting public security, or responding to an emergency;
- where it is necessary to protect the vital interests of the data subject or another individual;
- where it is necessary for safeguarding a vulnerable individual;
- where processing is necessary for the purposes of assessing or collecting tax; and
- where the processing is necessary for the purposes of complying with the controller’s legal obligations.
In addition to the list in that Annex, the Bill also provides that a new purpose is compatible with the original one if the new purpose is to safeguard one of a number of public interests listed in Article 23(1)(c) to (j) UK GDPR and the processing is authorised by law.
Clause 6 of the Bill also clarifies that processing for the purposes of scientific or historical research, for archiving in the public interest, or for statistical purposes will be compatible with the original purpose of the processing. This is consistent with the current legislation, but it is one of a number of clarifications concerning research.
Scientific research
The Government consultation and response prior to the publication of the Bill emphasised the Government’s desire to facilitate the use of personal data for scientific research. That aim has translated into relatively modest reforms in the Bill.
At clause 2 of the Bill, ‘scientific research’ and ‘scientific research purposes’ are defined in the following terms:
‘any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity.’
The definition gives a handful of more detailed examples of what qualifies as scientific research, but does not come as much of a surprise.
The Bill provides scope for researchers to seek more open-ended consent from data subjects – researchers would be able to seek valid consent to use data for a particular area of scientific research without having to be able to fully identify the purposes of the research. This would mean, for instance, that researchers could seek consent to include data in a research database that could be used for future research projects in a particular area of scientific investigation, without having to plan what those projects are at the time the consent is collected.
Those changes come with a restatement of some of the existing limits on the use of data for research:
Firstly, the Bill restates requirements for researchers to put in place certain safeguards for the rights of data subjects whose data is used in research.
Secondly, the Bill defines processing for statistical purposes. This means only processing for statistical surveys or for the production of statistical results where (i) the processing generates aggregated results that are not personal data, and (ii) the controller does not use the personal data processed, or the results of the processing, to make decisions about the particular data subjects to whom the personal data relates.
Privacy policies
The Data Protection and Digital Information (No. 2) Bill would allow a controller to use personal data for another purpose without informing the data subject in certain circumstances.
The first situation is if the further processing of the data relates to either:
- scientific or historical research; or
- archiving in the public interest or for statistical purposes (both defined above).
The second situation is if it would be impossible or require disproportionate effort on the part of the controller to inform the data subject of the new purpose. The Bill introduces a non-exhaustive list of factors indicating when providing information to data subjects will involve ‘disproportionate effort’. Notably, a controller can factor in the existence of ‘any appropriate safeguards applied to the processing’ when they assess whether providing the information would involve ‘disproportionate effort’ on their part.
Key points
- Organisations should think carefully about the redefined ‘purpose limitation’ and how it may assist them where they intend to process data collected by a third party. The Bill would require controllers to consider only the purpose for which they themselves collected the data, not the purpose for which the third party collected it;
- the Bill lists purposes for processing that will automatically be treated as compatible with the original purpose for which the data was collected. Those compatible purposes may only be of immediate use to certain organisations; however, the list should be a useful tool for all organisations in certain decision-making processes; and
- those undertaking research, and those processing data for statistical purposes, should familiarise themselves with the new definitions: provided their activities meet the criteria, their processing will automatically be compatible.
In our next article we will look at the rights of data subjects and the right to complain. You can read the previous article in our series on the Data Protection and Digital Information (No. 2) Bill (the Bill) here.