Data Protection Principle 2 - Lawful obtaining

The DPA is not intended to prevent employers from carrying out their legitimate business practices. If there is a need for additional personal data to be collected, the first step is to include the appropriate purpose in the register entry, along with its related characteristics. Only then should the data start to be collected and used for the new purpose.

Alternatively, an employer may wish to process existing personal data for a new purpose. That again is not a problem, as long as the register entry is updated with the new purpose.

For example, an employer may make products that are of interest to the employees and may wish to promote the products internally. To use data that has been collected for staff administration purposes for internal marketing purposes would be in breach of this Principle, unless the register entry is updated first. It may also be necessary to provide the employees initially with "fair processing information", explaining the additional use of data that they originally provided for a completely different purpose. All employees should be given the opportunity to opt-out on marketing arrangements.

Another example would be the use of information about an employee's physical or mental health or condition for disciplinary purposes. Information collected for SSP purposes may show that an employee has a pattern of absence that might suggest that the sickness claims are not genuine. Although the use of sickness information would fall with the general "staff administration" purpose, the sickness information is "sensitive" data and cannot be used for that purpose one of the "Schedule 3" conditions is met. In this situation, that would involve obtaining the employee's specific, i.e. written, consent.

Another example would be publishing an employee's date of birth in the birthday column of a company magazine. Although such use may also be viewed as "staff administration", and it is not "sensitive" data, it must still meet one of the "Schedule 2" conditions for processing. The only available condition is obtaining the employee's prior consent - not "explicit in this situation, so it does not necessarily have to be in writing.