Recognised legitimate interest
Latest updates - 23 March 2026
23 March 2026 - this guidance was published.
At a glance
- Recognised legitimate interest is one of the lawful bases for handling personal information. It is different from the legitimate interests lawful basis.
- Recognised legitimate interest has five conditions containing pre-approved purposes that are in the public interest. You can only use this basis if what you want to do meets the criteria for one of these purposes.
- These conditions cover situations where you need to use personal information for:
- crime prevention;
- public security;
- national security or defence;
- safeguarding;
- emergencies; or
- sharing personal information to help other organisations perform their public tasks or official functions.
- For these purposes, you don’t have to assess whether a person’s rights, freedoms or interests outweigh the recognised legitimate interest. But you must consider whether what you want to do is necessary.
- You can use recognised legitimate interest for handling different types of personal information depending on the circumstances (eg special category data). It may also be suitable for sharing personal information with other organisations, if you meet its requirements.
- You don’t have to change lawful basis if you currently use legitimate interests for a purpose that is a recognised legitimate interest.
- If you’re a public authority, you can’t rely on recognised legitimate interest to perform your tasks or functions (public task is likely to be appropriate).
- Recognised legitimate interest is a lawful basis not an exemption. You must still comply with the rest of the UK GDPR and the DPA even if this basis applies.
In brief
- What is the recognised legitimate interest basis?
- When can we use recognised legitimate interest?
- What are the recognised legitimate interest conditions?
- What else do we need to consider?
- Where can we get more information?
- Checklists
What is the recognised legitimate interest basis?
You must have a lawful basis to use personal information. Recognised legitimate interest is one of the seven lawful bases in the UK GDPR.
A ‘recognised legitimate interest’ is a specified purpose for handling personal information that is in the public interest. These pre-approved purposes are in annex 1 of the UK GDPR and are the recognised legitimate interest conditions. They cover situations where you need to use personal information to:
- share it with another organisation which has requested it from you because they need it for their public task or official functions (the ‘public task disclosure response condition’);
- safeguard national security, protect public security or for defence reasons (the ‘national security, public security and defence condition’);
- respond to, or deal with, an emergency situation (the ‘emergencies condition’);
- prevent, detect or investigate crimes, including the apprehension and prosecution of offenders (the ‘crime condition’); or
- protect the physical, mental or emotional well-being of people who need extra support to do this or protect them from harm or neglect (the ‘safeguarding condition’).
Because handling personal information for these purposes has been pre-approved by the law, you don’t need to balance people’s rights and freedoms against the relevant interests you have identified because the law has already done so.
But this doesn’t mean you can use personal information without any restrictions. You must satisfy yourself that using the information is necessary for the particular recognised legitimate interest condition. You must also comply with all the other requirements of the UK GDPR.
Recognised legitimate interest is a different lawful basis from legitimate interests, even though their names sound very similar. There are differences in the criteria that you must meet to be able to use each of these. But they both say you must ensure that what you want to do with the personal information is necessary for your purpose.
If you’re currently using legitimate interests as your lawful basis for a purpose which meets a recognised legitimate interest condition, you don’t have to change basis (unless you want to).
When can we use recognised legitimate interest?
If you want to rely on recognised legitimate interest, you must be clear about your purpose. This is because you can only use this basis for the pre-approved purposes listed in its five conditions.
In some circumstances, more than one condition might apply to a particular situation. If this is the case, you should identify and document all of them.
If you’re a public authority, the UK GDPR says you can’t rely on recognised legitimate interest to use personal information when performing your tasks. Other lawful bases are likely to be available for this instead, such as public task. But you could use recognised legitimate interest if you’re not performing your public tasks or functions and it’s suitable for your purpose.
Any of the recognised legitimate interest conditions may be suitable for use with children’s personal information, but you must take extra care to ensure their interests are protected.
If you want to handle special category data or criminal offence data, you can use recognised legitimate interest if your purpose is necessary for one of its five conditions. But you must also ensure that you meet the additional rules for using these types of personal information.
Depending on your purpose, recognised legitimate interest may be a suitable lawful basis if you want to share people’s information with other organisations.
You can’t use recognised legitimate interest as your lawful basis if you want to make significant decisions about someone based solely on automated processing.
What are the recognised legitimate interest conditions?
There are five recognised legitimate interest conditions. You must be able to meet all of the requirements of a condition if you want to rely on this lawful basis.
Public task disclosure response condition
This condition is for when you want to voluntarily share personal information in response to a request from another organisation that needs it for their public tasks or official functions. If you’re legally required to share personal information with an organisation, your lawful basis is legal obligation, not recognised legitimate interest.
If you want to use this condition, the organisation making the request must tell you that they need the personal information for their public task or another power given to them by UK law or “relevant international law” (as described in the DPA).
The requesting organisation should:
- put their request in writing (eg by post or email) so that you have an effective audit trail; and
- specify what personal information they seek from you (if it’s not clear what they want, you should ask them to give you more details).
Sharing the personal information with the requester may be a new purpose. If you want to use the related compatibility condition in annex 2 of the UK GDPR, the requester must also say it needs the personal information because it’s necessary to safeguard a public interest objective listed in article 23(1)(c) to (j) in the UK GDPR.
You must consider whether the personal information you want to share is proportionate and necessary to meet the organisation’s request. You don’t need to decide if sharing the information is actually necessary for them to perform their public task or function.
Remember, you must ensure that personal information is handled securely. To help with this, you should make further checks with the requesting organisation if you’re not sure the request is authentic or whether the employee has the authority to make the request.
It’s your choice whether or not to share the personal information the organisation has asked for. Recognised legitimate interest doesn’t give the requesting organisation a right of access to personal information.
Further reading – ICO guidance
We’ve produced separate guidance for those organisations likely to make these requests to help them understand this lawful basis and make responsible requests.
National security, public security and defence condition
This condition is for when you need to handle personal information for:
- national security (eg to safeguard the well-being of the UK);
- public security (eg protecting the public); or
- defence (eg defending the UK from threats).
Many organisations that use personal information for these purposes don’t need to use this recognised legitimate interest condition. This is because a different lawful basis applies instead (such as legal obligation or public task) or they’re subject to different parts of data protection law.
You must be able to demonstrate that your use of the personal information is necessary to support one of those purposes. This means that what you want to do is a reasonable way to achieve this.
Emergencies condition
This condition is for when you need to use personal information to respond quickly to certain types of emergency events or situations (as set out by part 2 of the Civil Contingencies Act 2004).
These can be:
- events or situations that threaten serious damage to people’s welfare or the environment in the UK (eg extreme weather events, pandemics or chemical spills); or
- war and acts of terrorism that threaten serious damage to the security of the UK.
If you’ve identified the situation is an emergency, you must decide if using people’s personal information is necessary for the purpose of responding to it. You should include data protection in your contingency planning for emergencies. This helps to avoid uncertainty if you have to make these decisions in future and enable you to respond quickly.
The emergencies condition isn’t appropriate to handle personal information in any other type of emergency, such as someone falling seriously ill at work. But there are other lawful bases that you can use depending on the situation, such as vital interests, legal obligation and legitimate interests.
Crime condition
The crime condition is for when you need to use personal information to prevent and report crimes and help prosecute offenders. This includes where you need to share personal information for crime-related purposes.
This condition includes using personal information for crimes such as scams, fraud and money laundering.
The crime condition isn’t always appropriate. For example, if you have statutory crime reporting obligations, the legal obligation lawful basis is more likely to be appropriate when you use personal information for that purpose.
If your purpose is covered by the crime condition, you must decide if using personal information is necessary for that purpose.
If the personal information you want to use constitutes criminal offence data (this includes suspicion or allegations of criminal activity), you must also identify a specific condition for processing in the DPA (unless you have official authority to use this type of personal information).
Safeguarding condition
The safeguarding condition is for when you want to use personal information to protect someone who’s at risk of harm (including sharing that information with other organisations).
Not all organisations that want to use personal information for safeguarding are able to use this condition. For example, public authorities (such as local authorities) generally use the public task lawful basis instead.
This condition defines safeguarding as protecting a "vulnerable individual" from neglect or physical, mental or emotional harm or protecting their physical, mental or emotional well-being.
A "vulnerable individual" covers children (ie anyone aged under 18) and ‘at risk’ adults.
For adults, ‘at risk’ means you must have reasonable cause to suspect that they need care or support and are either experiencing or are at risk of physical, mental or emotional harm. As a result, they’re unable to protect themselves against the neglect, harm or risk.
You must decide if your use of personal information is necessary to safeguard them. This doesn’t mean that your handling of personal information has to be absolutely essential for safeguarding, but you must ensure it is more than just useful.
If you’re handling special category data (such as health information) or criminal offence data for safeguarding purposes, you must comply with the appropriate additional requirements for these types of personal information.
If someone’s circumstances have changed, they may no longer meet the definition of a "vulnerable individual" (eg when a child reaches 18 years old). If you can’t continue to use recognised legitimate interest to safeguard that person, you must identify a different lawful basis.
Further reading – ICO guidance
What else do we need to consider?
Recognised legitimate interest is a lawful basis and not an exemption that disapplies other parts of data protection law.
You must still meet your other data protection obligations, including complying with the other data protection principles and enabling people’s rights.
You must be transparent, which includes telling people what you want to do with their personal information. As part of this, you must tell them you’re relying on recognised legitimate interest including which condition applies. You could provide this in your privacy information.
People have the right to object to you using their personal information if you’re relying on recognised legitimate interest.
If your purpose for using people’s personal information changes, you can only use it if what you plan to do is compatible with your original purpose. Annex 2 of the UK GDPR has a list of reuses that are compatible with the original purpose for processing and some of these are similar to the recognised legitimate interest conditions. If your new use for the personal information is for one of these purposes, you may find that recognised legitimate interest is the most appropriate lawful basis.
Where can we get more information?
If you’ve read this brief guidance and want to find out more, see our detailed guidance on recognised legitimate interest.
Checklists
These checklists provide an overview to help you think about what to consider if you want to use recognised legitimate interest. Work your way through the first checklist. Then use the one that’s appropriate for the recognised legitimate interest condition that covers your purpose.
Recognised legitimate interest in general
- ☐ We’ve checked that our purpose for using personal information matches one of the pre-approved purposes listed in the recognised legitimate interest conditions.
- ☐ We’re satisfied that our use of personal information is necessary and is a proportionate way for us to achieve our purpose.
- ☐ We’ve checked that no other lawful basis is more appropriate to use in our situation.
- ☐ If we think more than one recognised legitimate interest condition covers our use of personal information, we’ve documented all of them.
- ☐ We include information about recognised legitimate interest in our privacy notice, including which condition we’re using.
- ☐ If we use children’s information for one of the pre-approved purposes, we take extra care to protect their interests.
- ☐ If we use special category data for one of the pre-approved purposes, we’ve also identified and documented a special category data condition for handling this information.
- ☐ If we use criminal offence data for one of the pre-approved purposes, we’ve also identified and documented a DPA condition for handling this information.
- ☐ We understand that relying on recognised legitimate interest is only one part of our data protection responsibilities and we ensure that we meet all our other obligations.
Public task disclosure response condition
- ☐ We’ve received a written request from another organisation asking us to share personal information with them.
- ☐ We’ve checked that the organisation’s request tells us they need this information for their public tasks or official functions which are laid down in UK law.
- ☐ If the organisation’s request isn’t clear or we’re not sure about something, we ask the organisation for more information.
- ☐ If sharing this information means we’re using it for a new purpose, we’re satisfied we’re complying with the purpose limitation principle.
- ☐ We’re satisfied that our sharing of the specific personal information with the other organisation is necessary to answer their request and that we’ve not shared excessive information.
- ☐ We understand that sharing the information we’ve been asked for is voluntary.
National security, public security and defence condition
- ☐ We’re satisfied that our use of personal information is for either safeguarding national security, protecting public security or defence purposes.
- ☐ We can demonstrate that our use of personal information is a necessary and proportionate way for us to achieve our security or defence objective.
Emergencies condition
- ☐ We believe that the event or situation we’re dealing with threatens serious damage to the welfare of people, the environment or the security of the UK.
- ☐ We can demonstrate that our use of personal information to respond to this event or situation is necessary and proportionate.
- ☐ We include data protection in our contingency planning for emergency events.
Crime condition
- ☐ We’re satisfied that our use of personal information will help detect, investigate or prevent crime (including capturing or prosecuting offenders).
- ☐ We can demonstrate that our use of personal information is a necessary and proportionate way for us to achieve our crime-related purpose.
- ☐ We’ve identified and documented a DPA condition for handling criminal offence data (where required).
Safeguarding condition
- ☐ We’ve checked that we don’t already have a public task or legal obligation to use personal information for safeguarding.
- ☐ We’ve checked that what we want to do with the personal information counts as safeguarding under this condition.
- ☐ We’re satisfied that the person we want to safeguard is a child or is an ‘at risk adult’ (as described by the UK GDPR).
- ☐ We’re satisfied that the adult needs care and support and is experiencing or is at risk of neglect or harm and as a result can’t protect themselves against this harm.
- ☐ We’ve documented our assessment of why we believe the adult is ‘at risk’.
- ☐ We keep our use of the safeguarding condition under review in case anything changes (eg when a child turns 18 they are no longer automatically classed as ‘vulnerable’).
- ☐ We can demonstrate that our use of personal information is a necessary and proportionate way for us to safeguard that person.