Mills & Reeve logo in purple text with a purple tagline: Achieve more. Together.

Existing clients

Log in to your client extranet for free matter information, know-how and documents.

Client extranet portal

Staff

Mills & Reeve system for employees.

Staff Login
05 Feb 2026
3 minutes read

Can you collect personal data for one purpose and re-use it for a new purpose?

After a few years where data protection laws in the United Kingdom were settled, the Data (Use and Access) Act 2025 (DUAA) is ushering in a period of change.

For those of you who have only just recovered from the GDPR, the news that data protection laws are changing again may not be entirely welcome.

The good news is that many of the changes DUAA is bringing in are intended to make your life easier, rather than introducing complex new obligations and – while some things are changing – much remains the same.

This series of blogs from the IT and data team at Mills & Reeve aims to help you understand the impact that DUAA will have on established ways of doing things.

If you need a reminder about the meaning of some of the key data protection terminology used (eg, personal data, data subject, data controller, processing), please refer to our glossary.

In this article, Mills & Reeve considers when the law allows you to collect personal data for one purpose and then re-use it for another.

What is the general rule?

The UK GDPR imposes a ‘purpose limitation’ on the processing of personal data. In effect, you cannot use personal data for a purpose you didn’t tell the data subject about when you first collected the data.

Are there exceptions? 

Yes. It is these exceptions which DUAA has sought to expand. 

Why?

It was felt that the exceptions under the UK GDPR were difficult to navigate and were particularly unclear in respect of certain public interest circumstances. 

What were the exceptions pre DUAA?

Under the UK GDPR, you could only process personal data for a new purpose in limited circumstances. These were:

  1. You obtain the data subject’s consent
  2. The new purpose is one of a short list of pre-approved purposes, namely:
    •    Archiving purposes in the public interest
    •    Scientific or historical research purposes
    •    Statistical purposes
  3. Your new purpose is compatible with the original purpose(s). To determine whether it is compatible you must undertake a ‘compatibility test’. This includes considering: 
    •    Any link between the original purpose and the new purpose
    •    The context in which the personal data was collected – in particular, your relationship with the individual and what they would reasonably expect
    •    The nature of the personal data – eg is it particularly sensitive;
    •    The possible consequences for individuals of the new processing
    •    Whether there are appropriate safeguards - eg encryption or pseudonymisation

What has DUAA changed?

DUAA has added a handful of new pre-approved purposes for which you can use personal data without being in breach of the purpose limitation. While there are quite a few, it should be noted that they are all ‘public interest’ orientated. Some key ones include:

  • To comply with a legal obligation (including orders of courts or tribunals)
  • To ensure processing complies with (or demonstrates that it complies with) the data protection principles
  • To allow disclosure to another controller where the controller will be processing the shared data to perform a task carried out in the public interest or to exercise official authority vested in the controller. This can only be relied upon where certain other requirements are met including that (a) the disclosing entity is not a public authority processing data on the basis of public task (b) the disclosure is made in response to a request from the receiving entity and (c) the request is for a purpose which safeguards specified objectives (these are set out in legislation).

When is the change happening?

5 February 2026.

What is the impact of the changes? The new purposes, while numerous, are relatively niche and, for most entities, are likely to be of limited relevance. We anticipate however that they will allow organisations to avoid tension between the purpose limitation rule and using data for what are clearly, in most cases, obviously societally beneficial purposes, albeit ones controllers may not have considered at the time of collection.   

Our content explained

Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.