The ICO exists to empower you through information.

Purpose limitation means that you must only collect personal information for specified, explicit and legitimate purposes. You must not further process it in a way that’s incompatible with those purposes.

This data protection principle is closely linked to the others, including data minimisation; and fairness, lawfulness and transparency.

You must be clear from the outset: 

  • why you’re using personal information for content moderation (eg to comply with your obligations under the OSA, or to enforce your content policies); and 
  • what you intend to do with that information. 

You should regularly review your processing, documentation and privacy information to check that your purposes have not evolved, beyond those you originally specified.  

If your purposes change over time or you want to use personal information for a new purpose which you did not originally anticipate, you must ensure that:

  • the new purpose is ‘compatible’ with the original purpose;
  • you get the person’s specific consent for the new purpose; or
  • you can point to a clear legal provision requiring or allowing the new processing in the public interest.

You must have a lawful basis for your new purpose. This may be different from the original lawful basis you used to collect the information. (See the section on ‘How do we carry out content moderation lawfully?’ for more information.) You must update your privacy information to make sure that your processing is transparent.

In some cases, your third-party moderator(s) may want to use the personal information collected and generated during content moderation for other purposes. For example, developing and improving content moderation products. 

You should: 

  • establish whether any moderation service provider you intend to use wants to do this; 
  • confirm that the provider would be acting as a controller for this particular use of personal information. (See section on ‘Who is the controller in our content moderation systems?’ for more information); and 
  • establish how you, or the provider, would inform people about the use of their personal information for these purposes by the third party. 

You should regularly review any services you outsource and be able to modify or switch them to another provider if their use of personal information no longer complies.