Secondary Purpose: Don’t be a creep

By Sharon Bauer and Nitsan Shachor

A big risk facing many companies today is what is known as “purpose creep” or “secondary purpose.” This is when personal information is collected for one purpose but is also used for a different purpose. If the individual who provides their information is not aware of the secondary purpose or does not provide consent to use the information for that other purpose, it may result in misuse of personal information, which is a breach.

Processor: Using Information For Secondary Purpose

Here is a very typical scenario. A company (the “controller”) collects personal information from its end users to provide a service. It hires a vendor (the “processor”) to assist it in providing the service. In doing so, the company provides the vendor with the personal information it collected from its end users. In addition to providing the service to the company, the vendor also uses that same information to train its artificial intelligence system, improve its cloud services, or for marketing or research purposes. In other words, the vendor is using the personal information for a secondary purpose.

In many cases, vendors excuse their use of information for a secondary purpose because they anonymize the information. Is the anonymization of information enough to allow a processor to use the information for a purpose other than the original purpose for which it was collected?

Privacy regulators suggest that processors can reuse personal information for their own purpose, but only under strict conditions. Those conditions include:

  • obtaining explicit permission to do so from the controller (i.e. the party that originally collected the information for its own primary purpose and shared it with the processor to help the controller fulfil its primary purpose); and

  • ensuring that the secondary purpose is compatible with the original purpose for processing.


When entering into a relationship with a processor, a controller must clearly understand how the processor intends to use the information. The processor’s intention should be clearly stipulated in an agreement. If the processor intends to use the information for a secondary purpose, even if it is anonymized, the controller must explicitly grant them the right to use the information in this way. Companies should refrain from granting blanket authorizations in agreements which allow processors to repurpose the information. Rather, the controller should take a contextual approach and evaluate the compatibility of the secondary purpose with the primary purpose on a case-by-case basis.

As part of its analysis, the controller should consider what the original lawful basis is for processing the personal information. A common lawful basis is “consent.” In such cases, the individual that provided the original consent must also provide consent to process the information for a secondary purpose, as they did for the original purpose. This may be a challenge since the processor does not have close proximity to the individuals it intends to process personal information about. The processor may rely on the co-operation of the controller to inform those individuals of the new or additional use of information. For example, the controller may inform the individuals of the secondary purpose in its privacy notice or seek explicit consent to have their personal information processed for more than one purpose. This may be tricky as controllers should not seek “bundled” consent. Individuals should have the option to opt out of the secondary purpose without compromising their option to opt into the primary purpose. Controllers should think strategically about whether they want to seek consent on behalf of the processor and how to manage that consent.

If, however, a processor can communicate directly with individuals and seek consent independently, then the controller should delegate that responsibility to the processor. The controller, however, should still clearly and explicitly outline the secondary purpose in its privacy notice.

It is important to note that once a processor processes information for a secondary purpose, it becomes a controller over that information when it is used for the secondary purpose and therefore assumes additional responsibility for that information.

Controller: Using Information For A Secondary Purpose

While secondary purpose often arises with processors, controllers may also use personal information for a secondary purpose. For example, a company may share personal information it collected with its marketing team to target individuals or use the information for analytics. These uses of data may not be directly correlated to the original purpose for which the information was collected and, therefore, there may be a lack of consent or lawful basis for processing the information for the secondary purpose. So how can a company minimize this risk?

Step 1: Map the company’s data inventories, including the purpose for its collection, the types of consent and notices for collecting, using, disclosing and retaining these types of information.

Step 2: Use the data inventory to map and document the actual uses of that information by the company and the types of disclosure of the information to third parties.

Step 3: In the cases where there is a difference between the actual practice (of collecting, using and disclosing that information) and the declared practices, make the appropriate adjustments to your privacy notice and/or seek explicit consent. Where there is a material change to the privacy notice that affects what the individual already agreed to, notify the individuals of the change to the privacy notice.

This article was originally published by The Lawyer’s Daily (www.thelawyersdaily.ca), part of LexisNexis Canada Inc.

 
