Appendix B — Controlled Purpose Vocabulary
The following values are defined as the standard controlled vocabulary for the allowed_purposes field. Implementers may use additional values expressed as URIs. Values are case-sensitive.
| Term | Definition |
|---|---|
clinical_analytics | Processing for the purpose of analysing clinical or health data to derive insights, support diagnosis, or inform treatment pathways. |
treatment_support | Processing in direct support of delivering healthcare treatment to the data subject. |
clinical_trial_protocol_{id} | Processing within the scope of a specific, identified clinical trial protocol. Replace {id} with the trial identifier. |
research_public_interest | Scientific or academic research conducted in the public interest, consistent with applicable ethical approvals. |
fraud_prevention | Processing to detect, prevent, or investigate fraud or financial crime. |
compliance_reporting | Processing required to fulfil a statutory reporting obligation. |
service_delivery | Processing necessary to deliver a contracted service to the data subject. |
marketing_targeted | Processing to deliver targeted marketing communications where consent has been obtained. |
marketing_general | Processing to deliver general marketing communications on the basis of legitimate interests. |
model_training | Processing to train, fine-tune, or evaluate a machine learning model. |
model_inference | Processing as input to a deployed machine learning model for inference only, not training. |
data_portability | Processing to fulfil a data portability request from the data subject. |
legal_proceedings | Processing in connection with legal proceedings or legal advice. |
audit_internal | Processing for the purpose of internal audit, governance, or risk management. |
audit_external | Processing by an external auditor or regulator. |
archiving_public_interest | Long-term archiving in the public interest, consistent with applicable exemptions. |