THE SECOND DATA PROTECTION PRINCIPLE

The second data protection principle says:

As with the first data protection principle, the construction of the second data protection principle places three obligations on the data controller. First, the purpose of the processing must be specified. Second, the purpose of the processing must be lawful. Third, any further processing subsequent to the specified, lawful purpose must not be ‘incompatible’ with the specified, lawful purpose.

The first obligation has been discussed in Chapter 2, as part of the transparency provisions. To recap, the interpretation to the second data principle envisages the data controller giving the data subject some form of ‘notice’ in which the processing purpose is specified. The interpretation says that this notice may be given within the prescribed information required by the interpretation to the first data protection principle, or in the data controller’s notification. However, the inclusion of the word ‘may’ shows that the data controller may use another method to specify the purpose. An alternative method might be in the relevant particulars supplied by the data controller following a request made by a data subject under section 24 of the DPA.

The second obligation, the lawfulness of the specified purpose, essentially covers the same ground as the requirement for lawfulness within the first data protection principle. It is also noticeable that, as for the first data protection principle, the interpretation to the second data protection principle says nothing about lawfulness.

The interpretation does, however, provide some assistance with the third obligation, which prevents any further processing that is incompatible with the specified purpose for which the personal data were originally collected. The interpretation says:

The assistance provided by the interpretation is of limited value, however, as it deals only with the situation where personal data are intended to be disclosed to a third party. Indeed, it might also be suggested that the requirement to consider the intentions of the third party when examining compatibility is somewhat obvious. There is, however, a very important point lying within the requirement to consider the intentions of the third party, because if the third party processes the personal data in a manner that is incompatible with the purpose originally specified on collection of the data, this could leave the data controller vulnerable to enforcement action if the data controller failed to enquire into the third party’s intentions prior to disclosure.

The meaning of incompatibility is unclear and will remain so until examined by the courts. However, it is possibly the case that the incompatibility test presents data controllers with major opportunities to further process data. Much depends upon whether a narrow meaning of the word is justified, or a wide meaning. If a wide meaning is the correct meaning then it is suggested that the subsequent processing will need to be antagonistic to the original purpose to fall foul of the compatibility test.