Legal basis for processing
Legitimate interests
At a glance
- Legitimate interests is the most flexible legal basis for processing, but you cannot assume it will always be the most appropriate.
- It is likely to be the most appropriate condition for processing where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
- Public authorities can only rely on legitimate interests if they are processing for a legitimate reason other than performing their tasks as a public authority.
- There are three elements to the legitimate interests condition. It helps to think of this as a three-part test. You need to:
  - identify a legitimate interest;
  - show that the processing is necessary to achieve it; and
  - balance it against the individual’s interests, rights and freedoms.
- The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
- The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, the legitimate interests condition will not apply.
- You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm or prejudice their rights, freedoms and legitimate interests, the balancing exercise is likely to weigh against the processing.
- Keep a record of your rationale for using this condition to help you demonstrate compliance if required.
You must include details of your legitimate interests in your privacy notice.
Checklist
- We have checked that legitimate interests is the most appropriate legal condition.
- We understand our responsibility to protect the individual’s interests.
- We have conducted an assessment and kept a record of it, to ensure that we can justify our decision.
- We have identified the relevant legitimate interests served by the processing.
- We have checked that the processing is necessary and there is no less intrusive way to achieve the same result.
- We have done a balancing test, and are confident that the individual’s interests do not override the legitimate interests served by the processing.
- We only use individuals’ data in ways they would reasonably expect, unless we have a very good reason.
- We are not using people’s data in ways they would find intrusive or which could cause them harm, unless we have a very good reason.
- If we process children’s data, we take extra care to make sure we protect their interests.
- We have considered safeguards to reduce the impact of processing under this legal condition where possible.
- We have considered whether we can offer an opt out.
- We keep our assessment of relying on this basis under review, and will repeat it if circumstances change.
- As best practice, we include information about our legitimate interests in our privacy notice.
In brief
- What is the ‘legitimate interests’ condition?
- When can you rely on legitimate interests?
- How can you apply legitimate interests in practice?
- What else do you need to consider?
What is the ‘legitimate interests’ basis for processing?
Paragraph 6 of Schedule 2 of the DPA provides the following condition for processing:
Processing for legitimate interests
- The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except if the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.
This can be broken down into a three-part test:
- Purpose test: are you pursuing a legitimate interest?
- Necessity test: is the processing necessary for that purpose?
- Balancing test: do the individual’s interests override the legitimate interest?
A wide range of interests may be legitimate interests. They can be your own interests or the interests of third parties, and commercial interests as well as wider societal benefits. They may be compelling or trivial, but trivial interests may be more easily overridden in the balancing test.
Examples of activities involving processing which can potentially be justified on the basis of legitimate interests include workplace surveillance, marketing, fraud prevention, intra-group transfers, and IT systems monitoring as part of security measures, but this is not an exhaustive list. You may also have a legitimate interest in disclosing information about possible criminal acts or security threats.
‘Necessary’ means that the processing must be a targeted and proportionate way of achieving your purpose. You cannot rely on legitimate interests if there is another reasonable and less intrusive way to achieve the same result.
This basis for processing involves balancing your interests against the individual’s interests. In particular, if they would not reasonably expect you to use data in that way, or it would cause them unwarranted harm, their interests are likely to override yours. However, your interests do not always have to align with the individual’s interests. If there is a conflict, your interests can still prevail as long as there is a clear justification for the impact on the individual.
When can you rely on legitimate interests?
Legitimate interests is the most flexible legal basis for personal data processing, but it will not always be appropriate for all of your processing.
If you choose to rely on legitimate interests, you take on extra responsibility for ensuring people’s rights and interests are fully considered and protected.
Legitimate interests is most likely to be an appropriate condition for processing where you use data in ways that people would reasonably expect and that have a minimal privacy impact. Where there is an impact on individuals, it may still apply if you can show there is an even more compelling benefit to the processing and the impact is justified.
You can rely on the legitimate interests condition for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object (subject to the individual’s absolute right to opt-out of any direct marketing).
You can consider legitimate interests for processing data relating to children or vulnerable individuals, but you must take extra care to make sure their interests are protected.
You may be able to rely on the legitimate interests condition in order to legally disclose personal data to a third party. You should consider why they want the information, whether they actually need it, and what they will do with it. You need to demonstrate that the disclosure is justified, but it will be their responsibility to determine the lawful condition for their own processing.
You should avoid using the legitimate interests as a legal basis for processing if you are using personal data in ways people do not understand and would not reasonably expect, or if you think some people would object if you explained it to them. You should also avoid this condition if your processing could cause harm, unless you are confident there is nevertheless a compelling reason to go ahead which justifies the impact.
If you are a public authority, you cannot rely on the legitimate interests condition for any processing you do to perform your tasks as a public authority since there is the public functions condition available to you. However, if you have other legitimate purposes outside the scope of your tasks as a public authority, you can consider the legitimate interests condition where appropriate. This will be particularly relevant for public authorities with commercial interests.
How can you apply legitimate interests in practice?
If you want to rely on the legitimate interests condition for processing, you can use the three-part test to assess whether it applies. You should do this before you start the processing.
The three parts of the test are:
- Purpose test: are you pursuing a legitimate interest?
- Necessity test: is the processing necessary for that purpose?
- Balancing test: do the individual’s interests override the legitimate interest?
A legitimate interests assessment (LIA) is a type of light-touch risk assessment based on the specific context and circumstances. It will help you ensure that your processing is lawful. Recording your LIA will help you demonstrate compliance in case of a complaint or investigation. In some cases an LIA will be quite short, but in others there will be more to consider.
First, you should identify the legitimate interest(s). Consider:
- Why do you want to process the data – what are you trying to achieve?
- Who benefits from the processing? In what way?
- Are there any wider public benefits to the processing? If so, how important are those benefits?
- What would the impact be if you couldn’t go ahead?
- Would your use of the data be unethical or unlawful in any way?
Second, you should apply the necessity test. Consider:
- Does this processing actually help to further that interest?
- Is it a reasonable way to go about it?
- Is there another less intrusive way to achieve the same result?
Third, you should do a balancing test. Consider the impact of your processing and whether this overrides the interest you have identified. You might find it helpful to think about the following:
- What is the nature of your relationship with the individual?
- Is any of the data particularly sensitive or private? If the data is sensitive personal data, does one of the conditions in Schedule 3 also apply?
- Would people expect you to use their data in this way?
- Are you happy to explain it to them?
- Are some people likely to object or find it intrusive?
- What is the possible impact on the individual?
- How big an impact might it have on them?
- Are you processing data relating to children or vulnerable individuals?
- Can you adopt any safeguards to minimize the impact?
- Can you offer an opt-out?
You then need to make a decision about whether you still think legitimate interests is an appropriate legal basis for processing. There is no foolproof formula for the outcome of the balancing test – but you must be confident that your legitimate interests are not overridden by the risks you have identified.
Keep a record of your LIA and the outcome. There is no standard format for this, but it is important to record your thinking to help show you have proper decision-making processes in place and to justify the outcome in case a complaint is raised and the Ombudsman investigates.
Keep your LIA under review and refresh it if there is a significant change in the purpose, nature or context of the processing.
If you are not sure about the outcome of the balancing test, it may be safer to look for another legal condition for processing. Legitimate interests will not often be the most appropriate condition for processing which is unexpected or high risk.
If your LIA identifies significant risks, consider whether you need to do a further assessment to assess the risk and potential mitigation in more detail.
What else do you need to consider?
Although it is not required under the DPA, it is best practice to tell people in your privacy notice what legal condition you rely on to process their data.
If you want to process the personal data for a new purpose, you may be able to continue processing under legitimate interests as long as your new purpose is compatible with your original purpose. We would still recommend that you conduct a new LIA, as this will help you demonstrate compatibility.
If you are relying on legitimate interests for direct marketing, the right to object is absolute and you must stop processing when someone objects. For other purposes, you must stop unless you can show that your legitimate interests are compelling enough to override the individual’s rights.
Relevant provisions
Data Protection Act (2021 Revision)
Schedule 2, para 6: Legal conditions for processing