DRPV-04

Do you collect personal information only for the purpose(s) identified in the agreement with an institution or, if there is none, the purpose(s) identified in the privacy notice?

Explanation

This question is asking whether your organization limits its collection of personal information to only what is necessary for the specific purposes that have been formally agreed upon with the institution or disclosed in your privacy notice. In simpler terms: are you only collecting personal data for the reasons you've explicitly told users about, or are you collecting additional data for undisclosed purposes?

Why this matters in a security assessment:

1. Data minimization is a core privacy principle: collecting only what you need reduces risk
2. Transparency builds trust with users and institutions
3. Legal compliance with regulations like GDPR, CCPA, and other privacy laws that require purpose limitation
4. Scope control: collecting data beyond stated purposes increases liability and security risks

The guidance specifically mentions quality assurance, marketing, and advertising as examples where organizations might collect data beyond their primary purpose without proper disclosure.

To best answer this question:

1. Review your data collection practices and map them to specific, documented purposes
2. Ensure these purposes match what's in your agreements or privacy notices
3. Be honest about any gaps between stated purposes and actual practices
4. If you do collect data for purposes beyond what's stated, explain your plan to address this compliance gap

Guidance

This includes quality assurance, marketing and advertising, etc.

Example Responses

Example Response 1

Yes, we strictly limit our personal information collection to the purposes explicitly defined in our service agreements with institutions. Our data inventory maintains a mapping between each data element we collect and its corresponding purpose as defined in our agreements. For example, we collect student email addresses solely for account authentication and service-related communications as specified in our agreements. We have implemented technical controls that prevent the collection of data elements not tied to contractually defined purposes. Our privacy program includes quarterly audits to verify alignment between our data collection practices and our contractual commitments.

Example Response 2

Yes, our organization adheres to purpose limitation principles for all personal information collection. We maintain a comprehensive data inventory that documents each category of personal information collected, the specific purpose for collection, and the corresponding disclosure in either our institutional agreements or privacy notice. For example, when we collect IP addresses for security monitoring, this purpose is explicitly stated in our privacy notice. Before implementing any new data collection, our privacy review process requires verification that the purpose is documented in the appropriate agreement or notice. If a new purpose is identified, we update our privacy notice and/or institutional agreements before proceeding with collection.

Example Response 3

Partially. While our primary data collection aligns with the purposes stated in our institutional agreements and privacy notice, we have identified some instances where we collect additional data for internal quality assurance that isn't explicitly mentioned in our agreements or privacy notice. For example, we collect user session recordings to improve our interface, but this purpose isn't clearly articulated in our privacy documentation. We're currently working to update our privacy notice and institutional agreements to accurately reflect all data collection purposes, with an expected completion date of Q3 this year. In the meantime, we've implemented additional access controls to limit who can view this QA data and established retention policies to minimize risk.

Context

Tab: Privacy
Category: Data Privacy

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses: 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub