When a data controller says that he is processing personal data for “purpose X”, what does “purpose X” mean in practice? The answer is important because the word “purpose” is used in the legislation to describe the Second, Third, and Fifth data protection principles.
For example, suppose a data controller claims that "personal data item Z is relevant to a housing benefit purpose". That claim can objectively be assessed; is the data item relevant or not relevant to the housing benefit purpose? However, if the purpose is broadly specified this assessment becomes more difficult.
Suppose the “housing benefit purpose” were broadened to become part of a general “housing related purpose”; details that were irrelevant to the former can then become relevant to the latter. For example, details of nuisance neighbours are unlikely to be relevant to personal data of a single person claiming housing benefit, but could be very relevant to a broadly specified “housing related purpose”.
Note the rule: the wider the purpose specification, the narrower the protection afforded by any Principle that is linked to that “purpose”. The converse is also true: the narrower the purpose specification, the wider the protection.
So when considering the retention of criminal records, the Court of Appeal had to grapple with the specification of the “policing purpose”. What did it do? Did the Court look at what the data controller actually did with personal data? Was it what was stated on the data controller’s fair processing notice? Or was it what the data controller notified (registered) to the Information Commissioner? So, have a guess - where would you look?
The Court of Appeal went for registration to the Commissioner. At para 32, Waller LJ started his analysis with the words: “It is thus important in this case to identify what purposes were registered. It is important that the full details of the particulars are looked at including the persons to whom the data would be disclosed in order to identify the purposes registered by the data controllers”.
Those of you who can remember notification under the 1984 Act will recall it was a very specific beast of burden. There were about 100-odd purposes and for each purpose there were 80 data classes, 40 data subject types, 60 disclosure and source categories, and 70 or more overseas transfers to choose from. There were 10 pages of registration form to complete per purpose and often data controllers had 10-20 purposes. In short, it was a bureaucrat’s form-filling nirvana.
This paperwork was cut by the Government when the 1998 Act was introduced and registration was replaced by the broadly based notification criteria that we have today. It was said that the Data Protection Act 1998 refocused data protection compliance on the application of eight Data Protection Principles, and notification requirements were kept, mainly as a means of paying for the Commissioner and his staff.
Now, thanks to the Court of Appeal, notification is back with a vengeance, integrally linked to these Principles and indirectly linked to others. As the notified purposes are very broadly defined, it follows that the protection afforded by affected Principles now has the potential to be significantly diminished.
By how much? Only time will tell. But whenever matters are examined in the context of a Court or Tribunal hearing, the linkage between the notified “purpose” and the Principles that derive their meaning from that “purpose” will inevitably, in my view, conspire to weaken the protection afforded to data subjects.