Part 5. Core International Data Protection Principles: Purpose specification
Another core principle of data protection is purpose specification, a primary instrument of international data protection that is closely related to the principles of data quality and use limitation. The purposes for which personal data are collected need to be specified before or at the latest, at the time of collection and processing should be limited to the fulfilment of the stated purposes or other purposes which can be considered compatible.
The trinity of purpose specification:
- the purposes for which data are collected,
- should be specified/defined, lawful/legitimate, and
- should not be incompatible with the purposes for which the data were first collected.
From the trinity of purpose specification is logical to conclude that processing for undefined and/or unlimited purposes is not compliant with this principle.
Within the context of Smart Data the principle of purpose specification takes on increased importance as ever-more often, large sets of data are analysed even when the data was collected for a different original purpose.
So how can we conceptualize the scope and limits of a particular purpose? The answer is the concept of compatibility where the use of data for compatible purposes is allowed on the ground of the initial legal basis which can include links between original collection and intended further processing, the context of the data collection and relationship between the data subject and the controller, the nature of the personal data, consequences for intended further processing for the data subjects, and the presence of appropriate safeguards.
There is clearly a link here to the principle of data minimization and retention where collected data must be minimal and identified based on the purposes of processing and retained only as long as necessary to achieve the scope of the processing.