Consultation on our draft recognised legitimate interest guidance – summary of responses
Introduction
In August 2025 we launched a public consultation seeking your views on our draft guidance about recognised legitimate interest.
Recognised legitimate interest is the new lawful basis which was added to the UK GDPR by the Data (Use and Access) Act 2025 (DUAA).
The consultation ran until 30 October 2025. This page summarises the key themes emerging from the consultation responses.
About the consultation
We received 57 responses and we thank everyone who took the time to comment and share their views. The table below shows the category of respondents (as selected by them):
| Category of respondent | Responses |
|---|---|
| An organisation | 40 |
| An academic or researcher | 0 |
| An individual acting in a professional capacity | 10 |
| An individual acting in a private capacity (eg someone providing their views as a member of the public) | 7 |
The majority of organisations confirmed they had previously handled people’s information for one or more of the purposes covered by the recognised legitimate interest conditions. The most common of these purposes was safeguarding, followed closely by crime.
In general, the responses to the consultation were positive. Most respondents told us they feel confident about using recognised legitimate interest after reading the draft guidance. This was especially true for larger organisations.
This summary explains the key themes of the consultation feedback and changes we’ve made as a result.
Key themes
Shorthand name for the condition called “Disclosure for purposes of processing described in Article 6(1)(e)”
We asked respondents if they felt our suggested shorthand name for this recognised legitimate interest condition was better than the name in the UK GDPR. A majority agreed that our suggested name of ‘public task disclosure request’ was better than the original.
We also asked respondents to suggest alternative shorthand names for this condition. We received several suggestions including ‘recognised public task disclosure’, ‘authorised public interest disclosure’ and ‘official function disclosure condition’.
ICO response
We appreciate that most respondents preferred our shorthand suggestion over the name given in the law to this condition. But we felt that one of the shorthand names suggested by a respondent was even clearer.
This suggestion was ‘public task disclosure response’. We believe this shorthand name better reflects what this condition is about, ie responding to a request from an organisation that needs the personal information for its tasks or functions (eg a public authority). It also makes it clearer that this recognised legitimate interest condition is for the organisation receiving the request to use if they feel it’s appropriate. It is for their response, not for the sending of the request.
We’ve therefore decided to use this suggestion in our published guidance. We appreciate that the change in shorthand name from ‘public task disclosure request’ to ‘public task disclosure response’ may cause some confusion in the short term. But we believe that it provides greater clarity in the long term.
Ease of finding information and clarity
The majority of respondents said they could find the information they needed in the guidance. Around half said the guidance was clear, but just over a quarter felt it could be improved. Several responses suggested changing how the information is presented by making greater use of flowcharts, checklists, bulleted lists and simpler language.
Nearly two thirds of respondents said that the guidance was clear on the differences between recognised legitimate interest and legitimate interests. But some were concerned that the similarity between the names of these two lawful bases might cause confusion.
ICO response
We are pleased that most respondents felt the guidance was structured so they can easily find the information they need.
The guidance is intended to be an in-depth product that goes into more detail. Therefore, to make this clearer we’ve added wording into the ‘About this guidance’ section to explain that it’s aimed at data protection officers (DPOs) and those with specific data protection responsibilities at larger organisations. However, we’ve used more bulleted lists and simpler language throughout where possible so that the guidance is clearer for all users.
In addition to this detailed guidance, we have produced an ‘in brief’ version for those who want a quicker, simpler overview of recognised legitimate interest. This includes practical checklists. We will also publish separate products aimed at meeting the needs of small organisations in due course.
We understand that the similarity of the names ‘recognised legitimate interest’ and ‘legitimate interests’ has potential to cause confusion. The guidance sets out the differences between them and we are pleased that most respondents thought this distinction was clear.
Level of detail in the guidance
We asked respondents if the draft guidance provided the right level of detail to understand when the recognised legitimate interest conditions may apply. Most respondents said it provided the right level of detail. But some felt that it wasn’t clear enough.
Some respondents were unclear if they could rely on recognised legitimate interest as their lawful basis if other lawful bases were also available to them (eg legal obligation or public task). Others questioned whether all the conditions might apply to sharing personal information or if data sharing was only allowed under the public task disclosure response condition.
Other respondents were unsure what to do if more than one recognised legitimate interest condition might apply to their use of personal information and how to document their decision about this.
Several respondents focussed their attention more on the public task disclosure response condition. We received comments which showed confusion about whether the organisation making a request or the one responding to it can rely on recognised legitimate interest. Some responses asked for more details about how using this condition interacts with the duty of confidentiality. Others felt that our guidance suggested organisations with statutory information gathering powers had to rely on those powers rather than seeking voluntary disclosure from another organisation.
ICO response
While we are glad that the guidance contained the right level of detail for many respondents, we appreciate that we can improve on this.
As a result of the feedback, we have:
- improved the consistency of our messaging by adding more details for each condition to explain why recognised legitimate interest won’t be appropriate for use in every situation;
- set out more clearly when another lawful basis might be more appropriate (eg vital interests, public task or legal obligation);
- revised the section ‘Can more than one recognised legitimate interest condition apply at the same time?’ so that it explains more clearly what to do in these circumstances;
- made clearer that any of the conditions may be suitable for sharing personal information; and
- emphasised that relying on recognised legitimate interest doesn’t exempt organisations from complying with the duty of confidentiality or other laws, where applicable.
Regarding the public task disclosure response condition, we have:
- made it clearer that the public task disclosure response condition is for the organisation receiving a request to use (the change in shorthand name should also help avoid confusion);
- amended where we talk about statutory powers as we did not intend public authorities to assume they always need to use their formal powers to request personal information from another organisation; and
- clarified that requests for personal information from public bodies may sometimes be covered by a different recognised legitimate interest condition.
Clarifications and other issues
We received some helpful suggestions for minor clarifications or additions to different parts of the guidance. These include:
- referring to exemptions where these are similar to the recognised legitimate interest conditions;
- for the emergency condition, explaining whether to rely on legal obligation or recognised legitimate interest;
- more details about meeting accountability requirements; and
- applying the purpose limitation requirements as amended by DUAA.
ICO response
We have made some changes to the guidance to reflect these suggestions.
- We’ve added references as appropriate to some of the exemptions available under data protection law.
- We’ve expanded the discussion in the ‘emergencies condition’ section about relying on an existing legal obligation.
- We’ve provided more detail about accountability when the guidance discusses the need to meet the other data protection principles.
- We’ve produced new guidance on compatibility and reuse of personal information which explains the changes made by DUAA to the purpose limitation principle.
- We’ve also updated the section of the recognised legitimate interest guidance which discusses the public task disclosure response condition to include details of the compatibility condition which complements it. This is so that the organisation requesting personal information for its tasks or functions knows it needs to include the appropriate compatibility information in its written request.
Based on the consultation responses as a whole, we think that the guidance strikes the right balance at the moment. But we’ll keep things under review and update as needed.
Publication
The final version of the recognised legitimate interest guidance was published on 23 March 2026.