When can we use recognised legitimate interest?

In detail

• Why is it important to be clear what our purpose is?
• Can more than one recognised legitimate interest condition apply at the same time?
• Can public authorities use recognised legitimate interest?
• Can we use recognised legitimate interest for children’s information?
• Can we use recognised legitimate interest for special category data?
• Can we use recognised legitimate interest for criminal offence data?
• Can we use recognised legitimate interest to share people’s information?
• Can we use recognised legitimate interest for automated decision-making?

Why is it important to be clear what our purpose is?

You must incorporate data protection considerations when deciding how you use personal information. One aspect of this is planning what you want to do with people’s personal information before you collect it.

If you intend to rely on the recognised legitimate interest lawful basis, you must be clear about your purpose. This is because you can only use this basis for the pre-approved purposes listed in its five conditions.

Can more than one recognised legitimate interest condition apply at the same time?

Yes. In many circumstances, it is obvious that only one of the conditions is relevant. But it is possible that more than one might apply to a particular situation or activity. For example, using people’s information to safeguard national security may overlap with using it for crime prevention.

No condition is better, safer or more important than the others.

If you believe more than one recognised legitimate interest condition applies to your use of the personal information, you should identify and document all of them. Remember, you must ensure you meet all the requirements of each condition you identify. If your situation changes and one of the conditions is no longer relevant, you can continue to rely on recognised legitimate interest as your lawful basis so long as your purpose is still necessary for the other condition.

Remember, whichever condition or combination of conditions you choose, you must still meet all your other obligations under data protection law. (For more information, see What else do we need to consider?.)

Can public authorities use recognised legitimate interest?

Yes, but only in some instances. If you’re a public authority, you can’t rely on recognised legitimate interest to use personal information when performing your tasks or official functions. Other, more appropriate lawful bases are available, such as public task.

If you’re not acting in the performance of your tasks as a public authority, you could use the recognised legitimate interest basis, if it’s suitable for your purpose.

Can we use recognised legitimate interest for children’s information?

Yes, depending on the circumstances.

Any of the recognised legitimate interest conditions may be suitable to use with children’s information. The only condition that specifically mentions children is safeguarding. This is because a child automatically counts as a "vulnerable individual" for the safeguarding condition unlike adults where there are additional criteria for you to meet. (For more information, see the Safeguarding condition.)

But remember children merit specific protection when you use their personal information because they may lack understanding of the risks involved. They may also be less aware of their rights under data protection law than adults.

Can we use recognised legitimate interest for special category data?

When you want to handle special category data (such as information about someone’s health or revealing their racial or ethnic origin), you must:

• have a lawful basis under article 6; and
• a condition for processing under article 9 of the UK GDPR.

You can use recognised legitimate interest as your lawful basis if your purpose is necessary for one of its five conditions. But even if you can use recognised legitimate interest, you must still meet one of the special category conditions together with an associated DPA schedule 1 condition (where required) before you start your activity.

If you can’t meet a condition for using special category data, it isn’t lawful for you to use this personal information even if your purpose satisfies the recognised legitimate interest lawful basis.

Article 9 doesn’t provide a condition for using special category data that is equivalent to the recognised legitimate interest basis. But there are article 9 conditions you may be able to rely on, depending on the circumstances.

For example, you may be able to use the article 9 condition for substantial public interest, if one of the substantial public interest conditions in the DPA applies. These include using special category data for purposes such as safeguarding, and preventing, investigating or detecting unlawful acts.

As special category data is more sensitive, there are greater risks to people’s interests and rights or freedoms. Therefore, you should also consider if you need to carry out a data protection impact assessment (DPIA) or adapt an existing one (if your purpose for handling personal information has stayed the same).

Can we use recognised legitimate interest for criminal offence data?

The UK GDPR gives extra protection to personal information relating to criminal convictions and offences or related security measures. We refer to this as criminal offence data.

You can use recognised legitimate interest as a lawful basis for handling criminal offence data if the purpose is necessary for one of its five conditions.

However, not all organisations that handle criminal offence data can use recognised legitimate interest. For example, you can’t use it if you’re a competent authority under the DPA handling personal information for law enforcement purposes, or a public authority and you need to handle criminal offence data as part of your tasks. (For more information, see Can public authorities use recognised legitimate interest?.)

If you’re handling criminal offence data, you must:

• have a lawful basis under article 6; and
• meet the requirements of article 10.

Article 10 restricts the handling of criminal offence data to circumstances where it is either:

• under the control of official authority: or
• its use is authorised by UK law or relevant international law (as specified by the DPA).

If you can’t demonstrate you’re using criminal offence data ‘under the control of official authority’, you must identify a schedule 1 condition from the DPA.

Schedule 1 contains a condition for handling personal information where "necessary for the purposes of the prevention, investigation or detection of an unlawful act". This wording is very similar to the crime condition of recognised legitimate interest. So if you can meet the requirements of the crime condition, it’s likely you can also meet the criteria of this schedule 1 condition and satisfy the requirements of article 10.

Can we use recognised legitimate interest to share people’s information?

Yes. You may be able to use recognised legitimate interest as your lawful basis to share people’s information with other organisations, if you can meet the requirements of one of its five conditions. You can potentially use any of the conditions for data sharing.

Remember that as well as having a lawful basis, you must consider if your data sharing is lawful in the general sense. This includes complying with any legal or regulatory requirements, such as the common law duty of confidentiality. This duty doesn’t conflict with data protection law. But if it applies, you must consider it alongside data protection and take it into account if you’re thinking about sharing people’s information.

Can we use recognised legitimate interest for automated decision-making?

No. The UK GDPR says you can’t use recognised legitimate interest as your lawful basis if you want to take significant decisions about someone based solely on automated processing. This includes processing that is entirely or partially carried out using recognised legitimate interest.

If you want to take significant decisions based solely on automated decision-making, you must use another lawful basis and ensure you comply with the UK GDPR for this type of processing.