The Information Commissioner’s Office (ICO) has issued new guidance on how to reuse personal information so as to comply with data protection law.

Underpinning the rules on reusing personal information is the concept of ‘compatibility’: the new purpose for which the personal information is intended to be processed must be ‘compatible’ with the original purpose for which it was collected and processed.

In some circumstances, the UK GDPR deems the reuse of personal information to be compatible with the original purpose for which it was collected. These include, for example, using the data for scientific or historical research purposes, or using it for the purposes of ensuring or demonstrating compliance with data protection principles. However, the guidance points out that if consent was the lawful basis for the original processing, reusing the data for these purposes may still not be compatible, or may only be so where an organisation cannot reasonably be expected to obtain the person’s consent.

Similarly, Annex 2 of the UK GDPR lists specific reuses of personal information that are “to be treated as compatible” with the original purpose, and the guidance expands upon these in some detail.

Outside of these particular circumstances, an organisation wishing to reuse personal information is required to conduct a ‘compatibility assessment’ in addition to identifying a lawful basis for the new purpose. According to the guidance, such an assessment will likely echo many of the same factors considered in a legitimate interests assessment, and must include consideration of:

• any link between the original purpose and the new purpose;
• the context in which the personal information was initially collected, including the relationship between the organisation and the person whose information was collected;
• the nature of the processing and whether it includes special category data or criminal offence data;
• the possible consequences for people of what the organisation intends to do with their information; and
• the existence of appropriate safeguards (e.g. encryption or pseudonymisation).

The guidance also makes clear that the new purpose is unlikely to be compatible with the original one if: (a) it is very different from the original purpose; (b) it would be unexpected to the people the information is about; or (c) it would have an unjustified impact on them. In such cases, the ICO states that an organisation is likely to need to obtain consent to process information for its new purpose.

To read the guidance in full, click here.