Principle Two

(1)The second data protection principle is that—

(a)the purpose for which personal data is collected on any occasion must be specified, explicit and legitimate, and

(b)personal data so collected must not be processed in a manner that is incompatible with the purpose for which it is collected.

(2)Paragraph (b) of the second data protection principle is subject to subsections (3) and (4).

(3)Personal data collected by a controller for one purpose may be processed for any other purpose of the controller that collected the data or any purpose of another controller provided that—

(a)the controller is authorised by law to process the data for that purpose, and

(b)the processing is necessary and proportionate to that other purpose.

(4)Processing of personal data is to be regarded as compatible with the purpose for which it is collected if the processing—

(a)consists of—

(i)processing for archiving purposes in the public interest,

(ii)processing for the purposes of scientific or historical research, or

(iii)processing for statistical purposes, and

(b)is subject to appropriate safeguards for the rights and freedoms of the data subject.


These purposes are registered with the Information Commissioner or are to be given to data subjects.