Data and privacy

The one data privacy principle no one talks about

You know you must keep your customers’ data secure and limit who can see it, but many businesses are not up to speed on ‘purpose limitation.’

Share article

Let’s say there’s a short form on your organization’s website visitors use to sign up to receive company news. They’re asked to give their name and email address. One day, you hear colleagues in marketing are going to add something to the regular company news email those sign-ups receive: Promotions of partner companies’ products.

Are your data protection alarm bells ringing? They should be, but if they’re not, you’re not alone. Purpose limitation is a data security principle many are unfamiliar with. Understanding it will help you reduce data security and data privacy risks and show your customers you respect their data.

What is purpose limitation?

Purpose limitation has two parts. First, when you gather anyone’s personal information, your organization must be clear about how it will use the information from the start. Second, you must not use the data for another purpose. Much data protection regulation around the world includes some kind of purpose limitation requirements, notably the EU’s General Data Protection Regulation (GDPR.) Under GDPR, organizations must document the data’s purposes and specify the purposes in the privacy information they supply.

But why does purpose limitation matter? Surely if someone chooses to give their data, your organization can use it without limit as long as you keep it private? Not so fast. This is one tin of spaghetti that fast turns into a can of worms.

The young woman, the chaplain and the hospital

Some privacy trainers tell a story about a young woman who was asked to fill in a form when she was admitted to hospital. One question on the form is asking for her religion. Perhaps this information is important in medical care and she’s been asked this question on forms before, so she dutifully fills in her religion as she always has.

Why the question? This hospital uses the information to tell the hospital chaplain there’s a patient who may appreciate a visit, but they don’t tell the patient this.

Small world – the hospital chaplain is a friend of the young woman’s family. She is unmarried and is in hospital for a pregnancy-related issue. Her family doesn’t know she’s pregnant and she has no intention of telling them. Now, the young woman and the chaplain are in an awkward position.

Apart from infringement of data use regulation, some might say the woman had free choice over whether to give the information, so the results are her responsibility. On the other hand, the trust patients place in hospitals is crucial to the hospital being able to achieve its purpose: To help patients get well.

Any organization that gathers personal information, whether they’re out to make money, help people or save the world, needs trust to be effective.

Can organizations live up to the trust customers need to place in them?

Data recycling happens all too often

Several incidents around customers surprised how companies used or sold their data, given why they provided it, have hit headlines recently. Take for example, the period-tracker app that fed customer data to Facebook, where it was used to market products for expectant Moms. One user found herself suddenly marketed to as though she were pregnant, when she’d only forgotten to use the app to log her period. It’s easy to imagine how this kind of sensitive information re-use could emotionally harm some customers.

Uber settled a complaint to the Federal Trade Commission out of court when it was found employees had used the software’s ‘God View’ function to track the movements of politicians, celebrities and even ex-partners. Although Uber hadn’t sanctioned these misuses, it had no effective processes to prevent it.

When caught recycling personal data, companies often say, “we didn’t mean to.” They may be truthful, but it keeps happening.

Do companies, and their employees, understand their responsibilities in limiting how they use customer data?

Can you recycle personal data? What the law says

GDPR is up front on purpose limitation being a core principle of data protection. Article 5 section 1b outlines how personal data must only be collected when its use is specified and explicit. The data cannot be further used in ways that don’t match the original purpose. There’s exceptions for historic, scientific and statistical uses, and “if the legitimate interests of that controller or a third party override the interests of the data subject.”

The European Commission gives guidance to help organizations know if what they’re planning to do with data is consistent or inconsistent with its purpose. They suggest considering for example, whether the data is sensitive (including health information, political beliefs and more) and how further use could affect the person who gave the data.

While penalties for breaching the purpose limitation principle so far haven’t been huge, there’s been a steady stream of reputation-damaging prosecutions. Norway’s data protection authority fined the Norwegian Public Roads Administration the equivalent of 50,000 US dollars for using ‘security’ cameras to monitor contractors’ work. Breaching the principle with just one customer’s data doesn’t mean lesser fines – Spanish authorities fined bank Bankia the equivalent of 50,000 US dollars for retaining and reusing one customers’ data 16 years after they’d stopped being a customer.

When considering fines, regulators punish not for violation of principle, but for the consequences. For example, if companies don’t comply with data processing purpose limitation, they may also violate other GDPR requirements, such as having a legitimate reason to process the data.

It’s not just Europe that has enshrined purpose limitation in data use law. California added a purpose limitation clause to their California Consumer Privacy Act (CCPA) in 2018. The clause says businesses must, before collecting personal information, inform consumers how it will be used and need consumer agreement to use the data for another purpose.

What do businesses do to meet purpose limitation obligations?

“Every organization processes different kinds of personal data, in different ways, for different purposes,” says Kaspersky’s Head of Data Protection and Privacy for Europe, Alexey Testsov. “GDPR requires data controllers and processors keep records of what data the organization gathers, why they’re gathering it and how long it’s kept for. Alongside information auditing and data mapping, these records are vital in complying with purpose limitation responsibilities.

“Employees must know how to collect, store and use personal data within the law. Given the high risks of data processing, it’s more reliable to discuss changes in processes with a security officer or legal department. Employees should know how to consult internal experts and not be afraid to do so.”

Here are two examples of identified problems that can lead to failures to control data use purposes.

Systems to keep data separate

Effective safeguards to prevent any set of data being used for other purposes might have avoided some recent cases of data recycling. In the UK, the Information Commissioners’ Office (ICO) fined a political campaigning organization and an insurance company 120,000 UK pounds (around 165,000 US dollars.) The ICO found personal information given for political campaigning had been used to market insurance. It highlighted ineffective data protection systems within the two organizations. “Systems for segregating the personal data of insurance customers’ from that of political subscribers’ were ineffective.”

Look for changes in how upgraded software uses data

Data controllers and processors should keep in mind that incremental developments to software might lead to changes in how data is used, or ‘function creep.’

Hunter Nelson, President of Tortoise and Hare Software, says software developers should realize the potential privacy impacts of ‘function creep.’ He advises, “Controllers and processors must use care when developing systems not to breach privacy law as new features are released. A process checkpoint should be included in the release to review new features with a privacy lens.”

Regardless of the privacy legislation your organization operates under, knowing the importance of purpose limitation will help you uphold high data privacy standards. Ensure that when you ask customers for personal information, they understand how you will use it. Put in place systems to ensure their data cannot be used for other purposes. These actions will show your respect for customers’ privacy and help build the trust that every organization needs.


Engaging the wider cybersecurity community and stakeholders in verifying the trustworthiness of our products, processes and operations.

About authors

Suraya Casey is a freelance writer, editor and content strategist based in New Zealand. Her interests include cybersecurity, technology, climate, transport, healthcare and accessibility.