
What does data protection law say about the compatible reuse of personal information?

In detail

What does ‘reusing’ personal information mean? 

We refer to ‘reusing’ personal information in this guidance, although this term is not defined in the legislation. In this context, reusing is where you want to use personal information for a purpose other than the purpose you originally collected it for. This is also referred to as:

  • ‘further using’ or ‘further processing’;
  • ‘repurposing’;
  • using it for a new purpose; or
  • a change of purpose. 

Can we reuse personal information for a new purpose? 

Yes, but there are restrictions on when you can do so. The purpose limitation principle says:

“1. Personal data shall be:

(b) collected (whether from the data subject or otherwise) for specified, explicit and legitimate purposes and not further processed by or on behalf of a controller in a manner that is incompatible with the purposes for which the controller collected the data (‘purpose limitation’);”

Your new purpose must be compatible with your original purpose. If it’s not, you must not reuse the personal information you’ve already collected. 

The UK GDPR sets out rules to help you decide whether your proposed processing for a new purpose is compatible with your original purpose. 

There are several circumstances in which the UK GDPR says reuse of personal information is compatible with the original purpose you collected it for. To reuse personal information, you must meet one of these conditions. Otherwise, you must carry out what is known as a ‘compatibility assessment’.

Compatibility is important, as it links with the lawfulness, fairness, and transparency principle. Your transparency obligations mean that you must:

  • provide privacy information about how you intend to use people’s information; and
  • specify your purposes. 

You should use people’s personal information only in ways they would reasonably expect. In most cases, it’s unfair to use someone’s information:

  • for a completely different or unexpected purpose; or
  • in ways they did not originally agree to.

In addition to compatibility, you must identify a lawful basis for your new proposed purpose. (See 'Do we need a lawful basis for our new purpose?' for more information.)

You must meet both of these requirements before reusing personal information for a new purpose. 

Data protection law doesn’t prevent you from reusing personal information to: 

  • deal with an emergency;
  • deal with a threat to public safety; or
  • respond to other urgent issues. 

But you should consider data protection in your planning for such urgent situations. This helps you avoid delays and uncertainty when making decisions about reusing personal information in these cases.

Your purposes may change over time, either because of an unexpected need or a change in practice. When your purposes change, you must update your privacy information to reflect this before you begin any further processing, unless an exemption applies.

You must also still comply with all your other obligations under data protection law.

What is a ‘compatible’ purpose?

The UK GDPR sets out the circumstances where reuse of personal information is compatible with the original purpose you collected it for. These are when you:

  • obtain new consent to the processing for the new specified, legitimate and explicit purpose from the person whose information you originally collected;
  • want to use it for scientific or historical research purposes, archiving purposes in the public interest, or statistical purposes, and in line with the UK GDPR provisions about those purposes;
  • want to use the personal information for the purpose of ensuring, or demonstrating, compliance with a data protection principle;
  • want to use it for a purpose described in a condition listed in annex 2 of the UK GDPR; or
  • need to process it as it’s necessary to safeguard a public interest objective listed in article 23(1)(c) to (j) of the UK GDPR, and the processing is authorised by law.

The rules about when you can rely on these assurances of compatibility differ depending on whether you relied on the consent lawful basis for your original processing activity. (See 'Are the rules on reuse affected by our original lawful basis?' for more information.)

When your reuse of the personal information is for research, archiving or statistical purposes, data protection law has rules you must follow for handling this type of processing.

If your new purpose is to comply with a data protection principle, you may be able to reuse personal information in ways you did not make clear to people when you originally collected it. For example, you might later need to pseudonymise personal information as a security measure.

(For more details on the purposes for further processing set out in the conditions listed in annex 2, see 'What are the annex 2 compatibility conditions?'.)

Are the rules on reuse affected by our original lawful basis?

Yes. The rules are slightly more restrictive about what is “to be treated as compatible processing” if you relied on consent as your lawful basis when originally collecting and processing the personal information. 

The UK GDPR allows further processing for some specified purposes to be treated as compatible. However, not all of these purposes are compatible if you originally relied on the consent lawful basis. Also, where consent was your original lawful basis, some other purposes for further processing are only treated as compatible in certain specified circumstances.

For information collected under any other lawful basis, the range of purposes that can be compatible is wider.

The table below shows whether a new use of personal information is compatible, depending on whether your original lawful basis was based on a person’s consent:

 

Will reuse be compatible with the original purpose if the original lawful basis was consent, or another lawful basis?

| Purpose of proposed further processing | Original lawful basis: consent | Original lawful basis: another lawful basis |
| --- | --- | --- |
| New, specified, explicit and legitimate purpose for which you have obtained the person’s consent | Yes | Yes |
| Scientific or historical research or statistical purposes | No | Yes |
| Archiving in the public interest | Yes, if an annex 2 condition applies. | Yes |
| Ensuring, or demonstrating, compliance with data protection principles | Yes | Yes |
| A purpose set out in the conditions listed in annex 2 of the UK GDPR | Yes, but only where you cannot be reasonably expected to obtain the person’s consent to the further processing. | Yes |
| Safeguarding a public interest objective listed in article 23(1) of the UK GDPR where the processing is authorised by law | Yes, but only where you cannot be reasonably expected to obtain the person’s consent to the further processing. | Yes |

For personal information originally collected under any other lawful basis, the law doesn’t say that these are the only circumstances in which new processing can be compatible. This means you can still assess compatibility of other new purposes, if your original processing was based on any lawful basis other than consent. (See 'When do we have to assess compatibility?' for more information.)

When do we have to assess compatibility?

You must do a ‘compatibility assessment’ before you reuse personal information if: 

  • you didn’t originally collect it under consent; and
  • your intended processing doesn’t meet any of the reasons listed in the table above. 

You must consider several factors when assessing whether your proposed new use is compatible with your original purpose. These are:

  • any link between your original purpose and the new purpose;
  • the context in which you collected the personal information, including the relationship between you and the person whose information you collected;
  • the nature of the processing and whether it includes special category data or criminal offence data;
  • the possible consequences for people of what you intend to do with their information; and
  • the existence of appropriate safeguards (eg encryption or pseudonymisation).

The UK GDPR doesn’t say that these are the only factors to consider when assessing compatibility. Other factors may be relevant, depending on the circumstances of each case. For example, if you are processing children’s information, this is likely to be an additional relevant factor to consider.

In general, your new purpose is likely to be incompatible with your original purpose if:

  • it’s very different from the original purpose;
  • it would be unexpected to the people the information is about; or
  • it would have an unjustified impact on them. 

In such cases, you are likely to need to obtain people’s consent to the processing of their information for your new purpose.

A compatibility assessment is likely to look at similar factors to a legitimate interests assessment (LIA). You could use our LIA template to help you assess compatibility.

Further reading – ICO guidance

A guide to lawful basis – Consent

Do we need a lawful basis for our new purpose? 

Yes. You must identify a lawful basis for your new purpose. Just deciding that your new purpose is compatible with your original purpose is not enough to comply with the purpose limitation principle. The UK GDPR says:

“For the avoidance of doubt, processing is not lawful by virtue only of being processing in a manner that is compatible with the purposes for which the personal data was collected.”

If your original lawful basis is not sufficient for your new purpose, you must identify a new lawful basis. This is because your original lawful basis may not be appropriate in the circumstances. 

This is particularly important if you originally collected personal information using consent. In such cases, people only agreed to the use of their information for your original purpose. Therefore, you must either get new consent for the new purpose or identify another lawful basis. For some reuses, you can still further process personal information if you cannot reasonably get new consent. But you must still identify a lawful basis for the reuse. This is to ensure your new processing is fair and lawful. 

It’s sometimes obvious that a particular lawful basis applies, depending on your new purpose. For example, many of the compatibility conditions in annex 2 have similarities with the conditions in the recognised legitimate interest lawful basis. This means one of these may apply (unless you’re a public authority and the reuse is for your public tasks).

You must be clear about what your lawful basis is. This avoids confusion for both you and the people whose information you’re reusing. It can also affect what rights they have over their personal information, as these can vary depending on the lawful basis you use.

Can we reuse special category data or criminal offence data?

Yes. The same rules apply if you want to reuse personal information that counts as special category data or criminal offence data. You must:

  • ensure your further processing is compatible with your original purpose;
  • identify a lawful basis for your proposed new processing; and
  • satisfy the requirements for processing special category data or criminal offence data (including identifying a condition for processing).