Do you collect personal information only for the purpose(s) identified in the agreement with an institution or, if there is none, the purpose(s) identified in the privacy notice?
Explanation
Purpose limitation is the principle being tested: whether you collect personal information only for the purposes agreed with the institution or stated in your privacy notice.
In simpler terms: Are you only collecting personal data for the reasons you've explicitly told users about, or are you collecting additional data for undisclosed purposes?
Why this matters in a security assessment:
- Data minimization is a core privacy principle - collecting only what you need reduces risk
- Transparency builds trust with users and institutions
- Legal compliance with regulations like GDPR, CCPA, and other privacy laws that require purpose limitation
- Scope control - collecting data beyond stated purposes increases liability and security risks
The guidance specifically mentions quality assurance, marketing, and advertising as examples where organizations might collect data beyond their primary purpose without proper disclosure.
To best answer this question:
- Review your data collection practices and map them to specific, documented purposes
- Ensure these purposes match what's in your agreements or privacy notices
- Be honest about any gaps between stated purposes and actual practices
- If you do collect data for purposes beyond what's stated, explain your plan to address this compliance gap
Guidance
This includes quality assurance, marketing and advertising, etc.
Example Responses
Example Response 1
Yes, we strictly limit our personal information collection to the purposes explicitly defined in our service agreements with institutions Our data inventory maintains a mapping between each data element we collect and its corresponding purpose as defined in our agreements For example, we collect student email addresses solely for account authentication and service-related communications as specified in our agreements We have implemented technical controls that prevent the collection of data elements not tied to contractually defined purposes Our privacy program includes quarterly audits to verify alignment between our data collection practices and our contractual commitments.
Example Response 2
Yes, our organization adheres to purpose limitation principles for all personal information collection We maintain a comprehensive data inventory that documents each category of personal information collected, the specific purpose for collection, and the corresponding disclosure in either our institutional agreements or privacy notice For example, when we collect IP addresses for security monitoring, this purpose is explicitly stated in our privacy notice Before implementing any new data collection, our privacy review process requires verification that the purpose is documented in the appropriate agreement or notice If a new purpose is identified, we update our privacy notice and/or institutional agreements before proceeding with collection.
Example Response 3
Partially While our primary data collection aligns with the purposes stated in our institutional agreements and privacy notice, we have identified some instances where we collect additional data for internal quality assurance that isn't explicitly mentioned in our agreements or privacy notice For example, we collect user session recordings to improve our interface, but this purpose isn't clearly articulated in our privacy documentation We're currently working to update our privacy notice and institutional agreements to accurately reflect all data collection purposes, with an expected completion date of Q3 this year In the meantime, we've implemented additional access controls to limit who can view this QA data and established retention policies to minimize risk.
Context
- Tab
- Privacy
- Category
- Data Privacy
Related questions
- Have you performed a Data Privacy Impact Assesssment for the solution/project?
- Do you provide an end-user privacy notice about privacy policies and procedures that identify the purpose(s) for which personal information is collected, used, retained, and disclosed?
- Do you describe the choices available to the individual and obtain implicit or explicit consent with respect to the collection, use, and disclosure of personal information?
- Do you have a documented list of personal data your service maintains?
- Do you retain personal information for only as long as necessary to fulfill the stated purpose(s) or as required by law or regulation and thereafter appropriately dispose of such information?
- Do you provide individuals with access to their personal information for review and update (i.e., data subject rights)?

