Recognised legitimate interest: requesting personal information for your public tasks or official functions

At a glance 

• If you’re an organisation that has a public task or official function, such as a public authority, sometimes you may need to ask other organisations to share personal information with you.
• If you have existing statutory powers to obtain the personal information you need, you should continue to use these to seek personal information from other organisations.
• However, if you don’t have these powers, you can ask the organisation to voluntarily share personal information with you. 
• If you need the personal information for your public tasks or official functions that come from UK law, tell the organisation this when you request the information. We call a request for personal information you need for your tasks or functions a ‘public task disclosure request’. 
• The UK GDPR helps facilitate this data sharing by providing a lawful basis that the organisation you make a request to can choose to rely on to share the personal information. If you make a ‘public task disclosure request’, they may rely on the ‘recognised legitimate interest’ lawful basis.
• You should plan how you’ll comply with your data protection obligations before you make a public task disclosure request. This is because once you get the personal information, you’re responsible for making sure how you use it complies with data protection law.
• Check that your public task or official function covers the type of personal information you seek. Also, check the information is necessary for, and proportionate to, the task or function you’ve identified.
• Put your public task disclosure request in writing and make sure you state you need the information for your public tasks or official functions that are laid down in UK law.
• A public task disclosure request doesn’t give you a right of access to people’s information. The organisation that holds the information can choose not to share it with you.

In brief

• What’s the purpose of this guidance?
• How should we use this guidance?
• What is recognised legitimate interest?
• Who can make a public task disclosure request?
• When can we make a public task disclosure request?
• Is it important to plan ahead before making our public task disclosure request?
• How do we make a public task disclosure request?
• Are organisations required to share personal information with us?
• Checklist

What’s the purpose of this guidance?

This guidance is aimed at organisations that have tasks in the public interest or official functions that come from UK law. For example, a public authority (eg a local authority, an NHS trust). If this applies to you, sometimes you may want to ask another organisation to share personal information with you that you need for those tasks or functions.

The UK GDPR facilitates this data sharing by providing lawful bases that an organisation can rely on if you make a request to them. 

If an organisation is legally required to share the personal information with you, it’s likely they will rely on the ‘legal obligation’ lawful basis to do so. 

But if they aren’t under a legal obligation, they can still decide to share the information with you. In these cases, they may rely on the ‘recognised legitimate interest’ lawful basis. 

This guidance is most relevant to public authorities, but it can apply to any organisation that performs these tasks or functions. It will help you to understand: 

• the role that recognised legitimate interest may play when you request personal information from another organisation; and
• the approach you should take to request the personal information you need for your tasks or functions (if that organisation has no legal obligation to share it with you).

How should we use this guidance?

To help you to understand the law and good practice as clearly as possible, this guidance says what organisations must, should and could do to comply.

Legislative requirements

• Must refers to legislative requirements.

Good practice

• Should does not refer to a legal requirement, but is what we expect you to do to comply effectively with the law. You should do this unless there is a good reason not to (good practice). If you choose to take a different approach, you must be able to demonstrate that this approach also complies with the law. 
• Could refers to an option or example that you could consider to help you comply effectively. There are likely to be various other ways you could comply. 

We have highlighted these words throughout the guidance for ease of reference.

What is recognised legitimate interest?

Recognised legitimate interest is one of the seven lawful bases for handling personal information in the UK GDPR. You and the organisations you deal with must have a lawful basis in order to handle personal information, including for data sharing purposes.

As a public authority, you can’t rely on the recognised legitimate interest basis when you handle personal information to perform your public tasks or official functions. But, depending on the circumstances, if you want to handle personal information outside your tasks or functions, you may be able to rely on it. However, in most cases it will be organisations that are not public authorities who use this lawful basis.

A ‘recognised legitimate interest’ is a specified purpose for handling personal information that is in the public interest. These pre-approved purposes are set out in five recognised legitimate interest conditions. One of them covers sharing personal information when it is needed for another organisation’s public task or official function. We refer to this as the ‘public task disclosure request’ condition (although this isn’t a term used in the UK GDPR).

This condition acknowledges the importance of facilitating data sharing with those that need the personal information for their public tasks and official functions. This condition may be relevant to the organisation that you request personal information from when you need it for your public tasks or functions. But only if they don’t already have a legal obligation to share the information with you. 

Annex 1 of the UK GDPR says:

“1. This condition is met where -

(a) the processing is necessary for the purposes of making a disclosure of personal data to another person in response to a request from the other person, and

(b) the request states that the other person needs the personal data for the purposes of carrying out processing described in Article 6(1)(e) that has a legal basis that satisfies Article 6(3).”

Article 6(1)(e) is the public task lawful basis and article 6(3) advises that such tasks or functions must come from UK law. This includes laws made by a devolved Parliament or Assembly.

Who can make a public task disclosure request?

Depending on the circumstances, you can make a public task disclosure request if you’re an organisation that has public tasks or official functions as ‘described’ in the public task lawful basis (eg a public authority). 

The public task basis covers handling personal information necessary: 

• for the performance of a task carried out in the public interest that is laid down by law; or 
• in the exercise of official authority (eg a public body’s tasks, functions, duties or powers) that is laid down by law.

For example, it covers uses that are necessary for administering justice and exercising statutory functions and government powers. This is most relevant to public authorities, but other types of organisations may also have these tasks and functions.

The relevant task, function or authority must be laid down by UK law (eg a statutory function). But it doesn’t have to be an explicit statutory provision as long as the application of the law is clear and foreseeable. This includes established common law tasks.

The public task disclosure request condition refers to requests for personal information as ‘described’ by the public task lawful basis where that task comes from UK law. This means you can make a public task disclosure request for personal information that you want to use for purposes not covered by the UK GDPR, such as under part 3 (law enforcement) or part 4 (intelligence services) of the Data Protection Act 2018 (DPA). 

For example, in general the police handle people’s information under part 3 of the DPA rather than the UK GDPR. However, even though the UK GDPR won’t apply to these purposes, the use of people’s information by the police is as ‘described’ in article 6(1)(e) of the UK GDPR and it is laid down in UK law. This is because in most instances the police handle personal information under section 35(2)(b) of the DPA which refers to the use of the information being based on law and necessary for the performance of a task carried out by a competent authority. In addition, their powers come from UK laws such as the Police and Criminal Evidence Act 1984 and the Police Act 1996.

When can we make a public task disclosure request?

If you have statutory information gathering powers that enable you to require another organisation to share people’s information with you, you should use these powers rather than making a public task disclosure request.

If you don’t have these powers, you can ask the organisation to voluntarily share the personal information you need by making a public task disclosure request.

But you can only make a public task disclosure request to another organisation if you need the specific personal information for the purposes as ‘described’ in the UK GDPR public task lawful basis. You can’t make this type of request if you’re seeking the information for a purpose that is outside your tasks and functions. In this situation, the organisation won’t be able to rely on the recognised legitimate interest basis to share the information with you (although they may decide that another lawful basis applies to the sharing).

Is it important to plan ahead before making our public task disclosure request?

Yes, it is important to plan ahead and you should do this before you request the personal information. This is because once the requested personal information is in your possession, you’re responsible for it and you must ensure how you use it complies with the law. 

For example, as part of your planning, you must consider how you will:

• take a data protection by design approach to ensure that you’re aware of any data protection implications of your request;
• comply with the data minimisation principle so you don’t ask for more personal information than you actually need for your task or function;
• be transparent with the people whose information you are seeking – plan how you’ll comply with their right to be informed (unless an exemption applies), including how you’ll tell people about the source of their information; and
• deal with people’s existing objections to the use of their personal information as this may affect your request (depending on the circumstances). 

We recognise that your planning may be more limited in certain situations (eg when your request is urgent).

How do we make a public task disclosure request?

If you don’t have statutory information gathering powers, you should check if your task or function covers the type of personal information you want to ask for in your request. If your tasks and functions don’t cover it, this may result in you handling the requested personal information unlawfully.

You should also check that the personal information you seek is actually necessary and proportionate for the task or function you’ve identified. This is because you are responsible for the information once you’ve got it, so you must comply with the data protection principles. This includes data minimisation – you must ensure that the personal information you collect is adequate, relevant and not excessive for the purposes you need it for. You must not use your request as a way to get personal information just in case it might be useful in future. 

You must tell the organisation in your request that you need the personal information for your public task or other power given to you under UK law. However, the UK GDPR doesn’t require you to say what these tasks or powers are. But, depending on the circumstances, you could provide further details to make the process easier and help the organisation understand why you want the personal information. For example, explain why you need that information or say what these tasks or functions are.

If you want to ask an organisation to voluntarily share personal information needed for your task or function, you should do the following:

• Put your public task disclosure request in writing
  The UK GDPR doesn’t specify the form of your request. But both you and the organisation receiving your request must be accountable and able to demonstrate compliance with data protection law. As part of this, you should have an effective audit trail of the personal information that is shared with you. Make sure that your request is in writing (eg email, post) and don’t make verbal requests.
• Be clear what personal information you seek
  You should explain what personal information you want from the organisation. If you’re not clear what’s in the scope of your request, the organisation may ask you for more details. In order to prevent confusion, avoid including other things alongside your request. 
• Make it easy for the organisation to verify your request
  In many cases, the organisation will want to make sure your public task disclosure request is authentic. For example, they may want to clarify that your employee has authority to make the request and is doing so on your behalf. 
• Be prepared to answer questions
  The organisation may have questions or want more details from you. Put yourself in their position – they’re responsible for protecting the information they hold so they will want to be confident that sharing it with you complies with the law. Don’t try to leverage any real or perceived power imbalance.

Are organisations required to share personal information with us?

No. A public task disclosure request is a way to ask an organisation to voluntarily share personal information that you need for your public task or official function. This means the organisation can decide not to share the personal information. 

Although the recognised legitimate interest lawful basis helps enable responsible data sharing in certain circumstances, it doesn’t give you a right to people’s information. You can’t compel the organisation to rely on this basis and share the information with you. It’s their choice to share the information in response to your request and they don’t need to justify themselves if they decide not to share.

Checklist