On 23 March 2026, the ICO updated its guidance on purpose limitation to reflect the changes brought in by the Data (Use and Access) Act 2025. In particular, reference to the new Annex 2 to the UK GDPR has been added, which lists the following purposes as compatible with the original processing purpose:
- Public task disclosure response
- Archiving disclosure response
- Public security
- Emergencies
- Crime
- Vital interests
- Safeguarding
- Taxation
- Legal obligations
It is worth noting that if you are using consent as your legal basis and wish to change the purpose of your processing, the options are narrower than where other legal bases are used. Where consent is used, the new purpose must be:
- consented to by the individual
- the reuse of personal information to comply with a data protection principle or to demonstrate that it does so
- the reuse of the information for a purpose listed in Annex 2 of the UK GDPR where consent is not reasonable, or
- the reuse of the information where this is necessary to safeguard a public interest objective listed in Article 23(1)(c) to (j) of the UK GDPR and this processing is authorised by law, and it's not reasonable to expect you to obtain new consent.
Reuse of the data that satisfies the compatibility test, or reuse for research/statistics/archiving, is only relevant where the basis is not consent.
You can find the updated guidance here.