One of the issues we're asked a lot is about the secondary use of data for analytics purposes. Sometimes, but not always, this is in the context of an AI or machine learning application, but similar issues tend to arise whatever the context: can data be 'repurposed' for the proposed secondary use?

This involves looking closely at the lawful basis that was originally relied upon for its collection and what notice, if any, was given of the possibility of this secondary processing when the data was originally collected?

Often the solution lies in finding an appropriate level of de-identification, one that allows useful analytics processing to be performed, while minimising the amount of data in identifiable form, such that a change of purpose may be regarded as 'compatible' and so possible.

Overall, there's a lot to think about, so the launch of an analytics toolkit by the ICO, to help companies work through these issues is welcome, adding to the existing AI & ML-related guidance they've produced, much of which is excellent.


The ICO’s new toolkit takes organisations through some of the key data protection points they need to think about from the outset of any project they are planning to undertake involving data analytics and personal data.