Privacy Principle 4: Limiting Use, Disclosure and Retention Principle
Personal information must not be disclosed, made available or otherwise used for any purposes other than those for which it was collected. Personal information should be used for other purposes only with the express permission of the person to whom the information applies, and as required to comply with applicable laws.
Question: Do you use and disclose personal information only for the purposes for which you collected it, unless you have obtained consent or the use or disclosure is required by law?
Discussion:
Organizations have historically used personal information for many uses other than those for which it was collected. International privacy principles require organizations to obtain consent from the applicable individuals for each new use or disclosure an organization wants to make, with law enforcement activities being an exception. For example, in 1999 Microsoft was found in violation of EU Data Protection laws and had to pay $60,000.00 USD in damages to Spain for not disclosing how personal registration information for Windows was being used.
It is important to communicate to individuals that there may be times when personal information has to be used for other purposes, such as those required by law. To ensure such exceptions are properly followed, procedures need to be created and communicated to the personnel handling the personal information.
Very few organizations communicate clearly to individuals how long their information will be retained. Not only is this a good international privacy practice, it is an action your customers will notice and appreciate.
Suggested Policy:
Company X will use personal information only for the purposes for which it was collected unless Company X procedures have been followed to obtain consent from the individual for using the personal information beyond the original purposes, or as required by law.
Note: Assessment and discussion from the Privacy Management Toolkit, Version 1. The Privacy Impact Assessment within the Toolkit contains a complete assessment.