The Information Commissioner’s Office (ICO) has issued amended guidance on the re-use of personal information under the UK GDPR in preparation for the full implementation of the Data (Use and Access) Act 2025 in June this year.
Article 5(1)(b) of the UK GDPR requires that personal data must be collected for specific, explicit, and legitimate purposes and must not be further processed in ways incompatible with those original purposes.
According to the updated guidance , the ICO has clarified that organisations can reuse personal data for a new purpose if it is compatible with the original purpose for which it was processed, backed by consent, required by law, or necessary for specific research or the public interest.
However, the ICO’s guidance also emphasises that if the original basis for lawful processing was consent then new consent may be required if purposes change. Moreover, even where compatibility can be demonstrated, the ICO also emphasised that data controllers still need to identify a lawful basis for their new proposed purpose for the use of personal data.
The list of "automatically compatible" purposes under Annex 2 (https://www.legislation.gov.uk/eur/2016/679/annex/2) which now includes archiving in the public interest, public security, responding to an “emergency”, detecting, investigating or preventing crime, or apprehending or prosecuting offenders, protection of the vital interests of data subjects and others, safeguarding vulnerable individuals, taxation and complying with legal obligations.
