Info Gov

The Information Commissioner’s Office (ICO) has issued amended guidance on the re-use of personal information under the UK GDPR in preparation for the full implementation of the Data (Use and Access) Act 2025 in June this year.

Article5(1)(b) of the UK GDPR requires that personal data must be collected for specific, explicit, and legitimate purposes and must not be further processed in ways incompatible with those original purposes.

According to the updated guidance , the ICO has clarified that organisations can reuse personal data for a new purpose if it is compatible with the original purpose for which it was processed, backed by consent, required by law, or necessary for specific research or the public interest. 

However, the ICO’s guidance also emphasises that if the original basis for lawful processing was consent then new consent may be required if purposes change. Moreover, even where compatibility can be demonstrated, the ICO also emphasised that data controllers still need to identify a lawful basis for their new proposed purpose for the use of personal data.

The list of "automatically compatible" purposes under Annex 2 (https://www.legislation.gov.uk/eur/2016/679/annex/2) which now includes archiving in the public interest, public security, responding to an “emergency”, detecting, investigating or preventing crime, or apprehending or prosecuting offenders, protection of the vital interests of data subjects and others, safeguarding vulnerable individuals, taxation and complying with legal obligations.

Also in this section

Jul 13, 2026

ICO refreshes law enforcement subject access guidance following DUAA 2025

The Information Commissioner's Office has updated its detailed guidance on the right of access under part 3 of the Data Protection Act 2018, incorporating the changes made by the Data (Use and Access) Act 2025 to how competent authorities handle subject access requests for law enforcement processing.
Jul 07, 2026

Section 166 application dismissed after ICO opens fresh investigations into school, council and diocese data sharing

The First-tier Tribunal (General Regulatory Chamber) has dismissed an application under section 166(2) of the Data Protection Act 2018 against the Information Commissioner, despite finding that the regulator's original response to a school employee's data sharing complaint was not an outcome to the Applicant's complaints, because a series of further investigations and outcome letters issued after…

InfoGov Masthead Newsletter 800