25 Sep PDPA Series: Purpose Limitation
Only collect, use or disclose an individual’s personal data for the specific purpose they have given consent for.
- Collect personal data only to the extent that is necessary and reasonable for legitimate business purposes.
- Organisations will need to obtain fresh consent if the purpose has changed.
- When collecting personal data, always indicate which information is optional/required.
Case Study 1: Excessive use of CCTV in Nursing Home
In Ireland, there was a complaint against a nursing home which installed CCTV cameras in the corridors, day room, kitchen, front entrance, staff room, residents’ dining room, games room and drug therapy room. Concerns were raised that the CCTV system was linked to the owner’s smartphone, allowing the cameras to be checked remotely.
Case Study 2: Excessive disclosure for unreasonable purposes
In Singapore, an insurance company disclosed the bank account details of an insurance policy holder to a medical clinic, and the disclosure was not for a reasonable purpose. The bank account details were displayed on the same claim form and were visible to the medical clinic, for which they were not relevant at all.
You can read about Purpose Limitation in full from the PDPC.