The Second Data Protection Principle
"Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes."
This requirement aims to ensure that organisations are open about their reasons for obtaining personal data and that what they do with the information is in line with the individual's expectations.
The Act does not prohibit information obtained for one purpose from being used for another, but limits such use to that which is not "incompatible" with the original purpose, i.e. a reasonably adjacent purpose.
If you intend to disclose information for a purpose that was not originally contemplated, or included in your register entry or privacy notice, you must consider whether this processing will still be fair and comply with the first data protection principle.
If the use or disclosure of the information would be unfair because it is outside what the individual would reasonably expect or has an unjustified damaging effect on the person, then you should regard the disclosure as being incompatible with the purpose you obtained the information for.
It is therefore important to remember:
- if you are required to notify, be clear about the purpose(s) for processing personal data;
- if you are clear about the purpose for processing you will be able to assess whether further processing (e.g. disclosure) will be compatible, or whether the processing complies with the other principles - for example whether the information sought is adequate or relevant to the purpose;
- if you are clear about the purposes for processing at the outset, this minimises the possibility of "function creep";
- if you are not required to notify and the processing is for an obvious purpose (such as staff administration) the "specified purpose" should be taken to be the obvious purpose;
- to ensure that individuals are given, or have easy access to, a fair processing notice or privacy notice - whilst the Act says that you can specify your purposes for processing in "a notification given to the Supervisor", in reality few people actually know this, or know how to make such a check;
- ensure that if data are disclosed, you take into account the purposes for which the recipient will use the data:
  - are the individuals aware of this use, and
  - is this use in line with the expectations of the individual?
- If you are unsure about whether you should disclose, you should contact the individual and seek their consent.
Material on the Data Protection Supervisor's site is independent of that hosted by the Isle of Man Government and is protected by copyright. The copyright owner is the Isle of Man Data Protection Supervisor. You may not make alterations or additions to the material on this site, or sell it or misappropriate it. Material may be downloaded or copied for personal use. However, appropriate acknowledgement of the copyright owner is required if material is re-published in any format.