Derived Data / Obtained from Other Data: Definition and Core Concepts

Derived data refers to information, datasets, or conclusions created through processing, analysis, transformation, or extraction from existing data sources—rather than being collected directly from events, experiments, or observations. Unlike raw or primary data (such as sensor readings or original documents), derived data is a secondary product, often refined, aggregated, or interpreted. This distinction is fundamental in legal, regulatory, and technical settings, as the status and handling of derived data can trigger different obligations for organizations, data users, and processors.

For example, in aviation, air traffic surveillance data is derived from radar returns and processed into aircraft tracks or conflict alerts. In cybersecurity, threat intelligence is derived from logs, network activity, and incident histories. Each transformation introduces new metadata, potential errors, and compliance considerations, such as traceability and the risk of re-identification in personal data.

Derived data management underpins data lifecycle governance. Derived products—such as analysis reports or summary statistics—must be managed according to both the properties of the original data and those introduced during derivation, including accuracy, lineage, and compliance with privacy or security requirements.

Source Data: The Foundation of Derivation

Source data is the original, unprocessed information collected directly from its point of origin—such as sensors, human input, or direct observation. Examples include raw aircraft telemetry, unedited video, survey responses, or transaction logs. The integrity and security of source data are paramount, as errors or biases at this foundational level propagate through any derived data.

Source data often faces stricter controls regarding access, modification, and retention. In aviation safety, for example, cockpit voice and flight data recorder outputs are preserved in their original form to ensure accurate incident reconstruction. Maintaining the chain of custody and robust metadata (timestamps, sensor calibration, context) is critical for downstream reliability and regulatory compliance.

Derivative Work: Intellectual Property and Legal Implications

A derivative work is new material created by adapting, modifying, or building upon existing content. This is central in copyright law and government contracts. Derivative works may include translations, adaptations, abridgments, or any transformation that incorporates substantial elements of the original.

For instance, software modified from open-source code is a derivative work and subject to the original license. In government contracts, especially in aviation and defense, contractors generate derivative works by enhancing or analyzing supplied data. The Federal Acquisition Regulation (FAR) distinguishes between “data first produced in the performance of the contract” and “data delivered to the Government,” each with different data rights. Proper documentation and compliance with licensing and attribution requirements are essential to avoid legal disputes.

Derivative Classification: Security and Confidentiality in National Security

Derivative classification is a formal process by which new materials are created from previously classified sources. In the U.S., Executive Order 13526 regulates derivative classification, requiring that all markings and declassification instructions from the source material be carried forward. Unlike original classification, derivative classification does not require original authority but demands rigorous adherence to marking and documentation procedures.

This is especially important in aviation when summarizing classified threat intelligence or technical vulnerabilities. Errors in derivative classification can lead to unauthorized disclosures or legal liabilities, making documentation and compliance critical.

Limited Rights Data and Restricted Computer Software: Data Rights in Federal Contracts

Limited Rights Data and Restricted Computer Software are terms for intellectual property created or delivered under government contracts. Limited Rights Data covers technical data developed at private expense and may contain proprietary or sensitive information; the government’s use is restricted, usually to internal purposes only. Restricted Computer Software refers to software developed at private expense, protected as a trade secret or under copyright, with the government only permitted to execute—not modify or reverse-engineer—the software.

Contractors must assert their rights at contract award or data delivery, using prescribed legends or notices. In aviation, correct labeling ensures proprietary software or data is protected while meeting government needs. Failure to properly assert rights can result in loss of protection and unintended disclosure.

Secondary Use and Data Protection: Regulatory Safeguards

Secondary use is the reuse or further processing of personal data for purposes beyond the original collection reason. Under the UK GDPR and Data Protection Act 2018, secondary use is tightly regulated to protect privacy. Organizations must ensure the new purpose is compatible with the original, establish a lawful basis, and comply with data minimization and security obligations.

Law enforcement agencies, for example, cannot repurpose data collected for investigations for other uses unless specifically authorized. Additional safeguards apply to special category (e.g., biometric) or criminal offence data, requiring more stringent conditions and possibly Data Protection Impact Assessments (DPIAs). Organizations must document processing activities and demonstrate compliance to avoid penalties.

Fruit of the Poisonous Tree: Exclusionary Rule in Criminal Evidence

The fruit of the poisonous tree doctrine in U.S. law excludes evidence obtained as a result of illegal searches or seizures, along with any derivative evidence. This doctrine deters Fourth Amendment violations by making such evidence inadmissible in court. For example, in aviation, evidence from unauthorized searches of baggage or improperly accessed records may be excluded.

Exceptions exist, including the good faith exception (reasonable reliance on a valid warrant), independent source doctrine (evidence obtained independently of the illegal act), and inevitable discovery rule (evidence would have been found lawfully regardless). Proper training and clear procedures are vital to ensure evidence is lawfully obtained and admissible.

Legal and Regulatory Frameworks: Overview

National Security and Classification

Handling derived data in national security contexts is governed by statutes and executive orders, notably U.S. Executive Order 13526. All derivative products must maintain the source’s highest classification, proper marking, and documentation. Agencies like DoD, FAA, and the intelligence community maintain detailed guides for marking and handling derivative information. Violations can result in penalties or loss of clearance.

Government Contracting and Data Rights

FAR 52.227-14 and related clauses govern data handling in federal contracts, distinguishing between data first produced under the contract, data delivered but not produced, and third-party data. Government rights (unlimited, limited, restricted) depend on funding and contract terms. Contractors must identify, mark, and document rights at submission. Failure to do so may result in loss of protection. Flow-down of rights to subcontractors and clear documentation are required for compliance.

Personal Data Processing and Law Enforcement

Personal data processing, especially by law enforcement, is tightly regulated under the UK GDPR, DPA 2018, and other frameworks. Derived personal data—such as behavioral profiles or analytics—must be handled with the same rigor as direct collections. Law enforcement cannot repurpose data without explicit legal basis, and special categories (e.g., biometric or health data) require further conditions and safeguards.

Criminal Procedure and Exclusionary Rule

Courts scrutinize the admissibility of evidence, especially if derived from unlawful conduct. The exclusionary rule and “fruit of the poisonous tree” doctrine require courts to examine the chain of causation, recognizing exceptions where exclusion is not warranted. These standards apply to both physical and digital evidence.

Operational Principles and Compliance Checklists

Derivative Classification (National Security)

• Source Identification: Review all source documents for classification, declassification, and caveats.
• Marking: Apply the highest classification and carry forward declassification instructions.
• Documentation: List all sources for traceability.
• Training: Complete and document training every two years.
• Accountability: Identify the classifier on each document.
• Recordkeeping: Maintain records of classification actions and audits.

Government Contract Data Rights

• Data Identification: Distinguish data by origin and funding source.
• Rights Assertion: Assert and label limited or restricted rights at submission, with supporting documentation.
• Licensing: Secure licenses for third-party components.
• Notices: Attach prescribed legends/notices to deliverables.
• Subcontractor Flow-Down: Ensure consistent rights and obligations through the supply chain.
• Recordkeeping: Keep comprehensive records for audits and disputes.

Personal Data Sharing and Processing

• Assessment: Evaluate necessity and proportionality of secondary use.
• Legal Basis: Identify and document statutory authority.
• Lawful Basis: Determine lawful basis under GDPR (public interest, consent, etc.).
• Special Data: Meet conditions for special category/criminal data.
• Minimization: Limit data scope; use redaction or pseudonymization if possible.
• Compliance: Implement ongoing compliance controls and transparency.

Criminal Evidence Exclusion

• Acquisition Check: Confirm lawful acquisition of evidence.
• Derivative Review: Analyze chain of custody and derivation.
• Exception Assessment: Consider applicability of exceptions.
• Objection Procedure: Raise admissibility objections promptly.
• Recordkeeping: Maintain comprehensive evidence and procedural records.

Examples and Use Cases

National Security: Preparing a Derivative Intelligence Summary

An aviation security analyst receives a classified threat assessment. To brief leadership, the analyst summarizes key findings, paraphrased for the audience, and marks the summary with the same classification as the source, including declassification instructions and references. This maintains protection and traceability per Executive Order 13526.

Government Contracting: Performance Reports from Test Data

A defense contractor uses government-furnished test data to generate performance reports, applying proprietary algorithms. The raw data (produced under contract) is delivered to the government with unlimited rights; proprietary enhancements are asserted as limited rights data or restricted software with proper notices, protecting both parties’ interests.

Personal Data: Law Enforcement Data Shared with Civil Authorities

A law enforcement agency collects personal data during an investigation. Later, a civil authority requests data for statistical analysis. Before sharing, the agency evaluates the legal basis, ensures compatibility with the original purpose, minimizes the dataset, and documents compliance with GDPR and DPA 2018.

Conclusion

Derived data—whether in government, national security, commercial, or personal contexts—carries unique legal, regulatory, and operational implications. Organizations must distinguish between source and derived data, manage intellectual property and data rights, comply with security and privacy regulations, and ensure lawful evidence handling. Robust documentation, compliance checklists, and ongoing training are essential to mitigate risk and maximize the value of derived information.