Skip to main content
Home

When can we use recognised legitimate interest?

Contents

At a glance

  • Recognised legitimate interest is only available if what you want to do meets one of the pre-approved purposes listed in its conditions.
  • You can use recognised legitimate interest for handling different types of personal information depending on the circumstances (eg special category data). It may also be suitable for sharing personal information with other organisations, if you meet the requirements. 
  • If you’re a public authority, you can’t rely on recognised legitimate interest to perform your tasks or functions. 

In detail

Why is it important to be clear what our purpose is? 

You must incorporate data protection considerations when deciding how you use personal information. One aspect of this is planning what you want to do with people’s personal information before you collect it.

If you intend to rely on the recognised legitimate interest lawful basis, you must be clear about your purpose. This is because you can only use this basis for the pre-approved purposes listed in its five conditions. 

Can more than one recognised legitimate interest condition apply at the same time?

Yes. In many circumstances it is obvious that only one of the conditions is relevant. But it is possible that more than one might apply to a particular situation or activity. For example, using people’s information to safeguard national security may overlap with using it for crime prevention. 

No condition is better, safer or more important than the others. If you believe more than one recognised legitimate interest condition applies to your situation, you must identify and document all of them from the start. 

Remember, whichever condition or combination of conditions you choose, you still must meet all your other obligations under data protection law. (For more information, see What else do we need to consider?.) 

Further reading – ICO guidance

Can public authorities use recognised legitimate interest?

Yes, but only in certain circumstances. 

If you’re a public authority, you can’t rely on recognised legitimate interest if you want to use the personal information when performing your tasks. Other, more appropriate lawful bases are available (eg the public task lawful basis). 

If you’re not acting in the performance of your tasks as a public authority, you could use the recognised legitimate interest basis, if it’s suitable for your purpose.

Further reading – ICO guidance

Can we use recognised legitimate interest for children’s information? 

Yes, depending on the circumstances. 

Remember that children merit specific protection when you use their personal information because they may lack understanding of the risks involved. They may also be less aware than adults of their rights under data protection law. 

Any of the recognised legitimate interest conditions may be suitable to use with children’s information. If you’re seeking to use personal information to safeguard someone aged under 18, consider using the safeguarding condition because this includes a provision which applies specifically to children. (For more information, see the Safeguarding condition.) 

Further reading – ICO guidance

Can we use recognised legitimate interest for special category data? 

When you handle special category data (such as information about someone’s health or revealing their racial or ethnic origin), you must

  • have a lawful basis under article 6; and 
  • a condition for processing under article 9 of the UK GDPR.

You can use recognised legitimate interest as your lawful basis if your purpose is necessary for one of the five conditions. But even if you can use recognised legitimate interest, you must still meet one of the special category conditions together with an associated DPA schedule 1 condition (where required) before you start your activity.

If you can’t meet a condition for using special category data, it isn’t lawful for you to use this personal information even if your purpose satisfies the recognised legitimate interest lawful basis.

Article 9 doesn’t provide a condition for using special category data that is equivalent to the recognised legitimate interest basis. But there are article 9 conditions you may be able to rely on, depending on the circumstances.  

For example, you may be able to use the article 9 condition for substantial public interest, if one of the substantial public interest conditions in the DPA applies. These include using special category data for purposes such as safeguarding, and preventing, investigating or detecting unlawful acts.  

As special category data is more sensitive, there are greater risks to people’s interests and rights or freedoms. Therefore, you should also consider if you need to carry out a data protection impact assessment (DPIA) or adapt an existing one (if your purpose for handling personal information has stayed the same).

Further reading – ICO guidance

Can we use recognised legitimate interest for criminal offence data?  

The UK GDPR gives extra protection to personal information relating to criminal convictions and offences or related security measures. We refer to this as criminal offence data.

However, not all organisations that handle criminal offence data can use recognised legitimate interest. For example, you can’t use it if you’re a competent authority under the DPA or a public authority and you need to handle criminal offence data as part of your tasks. (For more information, see Can public authorities use recognised legitimate interest?.)

Where appropriate, you can use recognised legitimate interest as a lawful basis for criminal offence data if the purpose is necessary for one of the five conditions. If you’re handling criminal offence data, you must have a lawful basis under article 6 and meet the requirements of article 10. 

Article 10 restricts the handling of criminal offence data to circumstances where it is either under the control of official authority or its use is authorised by UK law. If you can’t demonstrate you are using criminal offence data ‘under the control of official authority’, you must identify a schedule 1 condition from the DPA.

Paragraph 10 of schedule 1 contains a condition that is worded in a very similar way to the crime condition. So if you can meet the requirements of the crime condition, it’s likely you can also meet the requirements of this schedule condition (and therefore article 10).

Further reading – ICO guidance

Can we use recognised legitimate interest to share people’s information?

Yes. You may be able to use recognised legitimate interest as your lawful basis to share people’s information with other organisations, if you can meet the requirements of one of its five conditions. Although you can potentially use any of the conditions in this way, you can only use the public task disclosure request condition for data sharing.

Remember that as well as having a lawful basis, you must consider if your data sharing is lawful in the general sense. This includes complying with any legal or regulatory requirements, such as the common law duty of confidentiality. This duty doesn’t conflict with data protection law. But if it applies, you must consider it alongside data protection and take it into account if you’re thinking about sharing people’s information.

Further reading – ICO guidance

Can we use recognised legitimate interest for automated decision-making?

No. The UK GDPR says you can’t use recognised legitimate interest as your lawful basis if you want to take significant decisions about someone based solely on automated processing. This includes processing that is entirely or partially carried out using recognised legitimate interest.

However, you can still use people’s information for automated decision-making. But you must comply with the UK GDPR on this type of processing and also ensure you have a valid lawful basis.

Further reading – ICO guidance