April 9, 2026

ICO guidance on compatibility and the re‑use of personal information issued

The Information Commissioner’s Office (ICO) has issued guidance on Compatibility and the reuse of personal information which provides important clarification on when it’s compatible to reuse personal information in line with the purpose limitation principle. The ICO refers to “reusing” personal information in its guidance, although this term is not defined in legislation. In this context, according to the ICO, reusing is where you want to use personal information for a purpose other than the purpose you originally collected it for; the guidance is therefore particularly relevant for organisations seeking to derive additional value from existing datasets.

The legal framework

The guidance centres on the purpose limitation principle in Article 5(1)(b) UK GDPR (and further discussed by the ICO in its brief guidance on Principle (b), Purpose limitation) which requires that:

  • You must be clear about your purposes for processing personal information from the start.
  • You must record your purposes as part of your documentation obligations and specify them in your privacy information.
  • You must only reuse the personal information for a new purpose if this is compatible with your original purpose. The rules on this are slightly different depending on whether you originally collected the information under the consent lawful basis.
  • The UK GDPR lists several specific reuses of personal information that are compatible with your original purpose.
  • You must have a lawful basis for any new purpose. If your original lawful basis is not sufficient, you must find a new one. 

While the principle permits further processing, it places the burden on data controllers to assess whether the new purpose is compatible with the original one. Compatibility matters because, where further processing is compatible, organisations do not need to identify a new lawful basis (beyond the one originally relied upon). 

The compatibility assessment

There are several circumstances in which the UK GDPR says reuse of personal information is compatible with the original purpose you collected it for. To reuse personal information, you must meet one of these conditions. Otherwise, you must carry out what is known as a “compatibility assessment”. The factors to consider when assessing whether your proposed new use is compatible with your original purpose include:

  • any link between your original purpose and the new purpose;
  • the context in which you collected the personal information, including the relationship between you and the person whose information you collected;
  • the nature of the processing and whether it includes special category data or criminal offence data;
  • the possible consequences for people of what you intend to do with their information; and
  • the existence of appropriate safeguards (eg encryption or pseudonymisation).

The UK GDPR doesn’t say that these are the only factors to consider when assessing compatibility; other factors may be relevant depending on the circumstances of each case. For example, if you are processing children’s information, this is likely to be an additional relevant factor to consider. In general, your new purpose is likely to be incompatible with your original purpose if it’s very different from the original purpose; it would be unexpected to the people the information is about; or it would have an unjustified impact on them. In such cases, you are likely to need to obtain people’s consent to the processing of their information for your new purpose. The ICO guidance emphasises that compatibility is context‑specific and must be assessed on a case‑by‑case basis.

The guidance references the addition of Annex 2 to the UK GDPR, which lists the following purposes as being automatically compatible with the original processing purpose:

  • public task disclosure response;
  • archiving disclosure response;
  • public security;
  • emergencies;
  • crime;
  • vital interests;
  • safeguarding;
  • taxation; and
  • legal obligations.

Lawful basis

The guidance clarifies that compatibility does not override lawful basis requirements. It applies only where further processing is being carried out under the same lawful basis (other than consent). Where consent was relied upon initially, new consent is generally required for new purposes unless the original consent clearly covered the additional use. There must be a lawful basis for the new purpose: the UK GDPR says “for the avoidance of doubt, processing is not lawful by virtue only of being processing in a manner that is compatible with the purposes for which the personal data was collected.” If your original lawful basis is not sufficient for your new purpose, you must identify a new lawful basis. This is because your original lawful basis may not be appropriate in the circumstances. This is particularly important if you originally collected personal information using consent. In such cases, people only agreed to the use of their information for your original purpose. Therefore, you must either get new consent for the new purpose or identify another lawful basis. For some reuses, you can still further process personal information if you cannot reasonably get new consent; you must still identify a lawful basis for the reuse to ensure new processing is fair and lawful. 

Take-aways

The guidance is useful for businesses seeking to re-use personal data to extract value and remain compliant with the legal privacy framework. It is key to note that re‑use is permitted, but not automatic: personal data may be reused for a new purpose only if that use is compatible with the original purpose under the UK GDPR purpose limitation principle. In some cases (e.g. safeguarding, legal obligations), reuse is automatically considered compatible under Annex 2, if it’s necessary and proportionate. The guidance reinforces the need for documented decision‑making: compatibility assessments should be recorded and kept under review, particularly for novel or higher risk reuses of data. In appropriate cases, a data protection impact assessment (DPIA) may be required.