What else do we need to consider?

In detail

What other data protection obligations apply?

Recognised legitimate interest is a lawful basis and not an exemption. It doesn’t disapply other provisions of data protection law. If you can satisfy the requirements of one of its conditions, you’re complying with the requirement to have a lawful basis that is part of the lawfulness principle of the UK GDPR.

But even if you can do this, you must also meet your other obligations under data protection law. For example, you must comply with the other data protection principles (including being accountable) and enable people’s rights.

However, the right to data portability doesn’t apply if you’re relying on recognised legitimate interest. This means you’re not required to comply with a portability request from people whose personal information you’re handling under this basis. But if you’re relying on a different lawful basis to process that same information for another purpose, this right may apply.

You should still consider whether what you want to do with the personal information is likely to result in a high risk to people’s rights and freedoms. If so, you must do a DPIA.

What do we need to tell people?

Transparency is a key principle of data protection law. People have the right to be informed about the use of their personal information. The UK GDPR specifies what information you must provide to people as a minimum (eg in your privacy information).

In order to comply with the right to be informed, you must tell people:

  • which lawful basis you’re relying on to handle their personal information; and
  • what your purpose is for processing their information (unless an exemption applies).

Because the recognised legitimate interest conditions are purposes for processing, you must say which condition you’re using, as well as stating that your lawful basis is recognised legitimate interest. For example, you could provide this information in the privacy information you give to people.

In some circumstances, you won’t know in advance that you need to use personal information for a purpose covered by the recognised legitimate interest conditions. For example, you may find you need to share information in response to an emergency where circumstances are changing quickly, and your usual privacy information doesn’t mention recognised legitimate interest or the condition you’re using.

You could consider having separate privacy information prepared in advance and ready for a situation where you need to rely on recognised legitimate interest.

In some limited cases, you might be able to rely on one of the exemptions to the right to be informed. This means you don’t need to provide people with privacy information. Some of these exemptions are built into this right and others are in the DPA (eg there are DPA exemptions covering purposes such as national security and crime).

Can people object if we use recognised legitimate interest?

People have the right under the UK GDPR to object to the use of their personal information. This right applies if you’re relying on the recognised legitimate interest basis to handle their information.

However, the right is not absolute if you’re relying on this lawful basis. So there may be occasions when you don’t have to stop your processing.

If you receive an objection from someone whose information you’re using, you must stop unless you can show you have compelling legitimate grounds that override the person’s interests, rights and freedoms. Compelling legitimate grounds is more than just repeating that you have a recognised legitimate interest to use that personal information. You must have a stronger justification to keep using their personal information.

Further reading – ICO guidance

Right to object

What happens if our purpose changes?

If your purpose for using the personal information changes, you can only use it if your new purpose is compatible with your original purpose. The UK GDPR lists the circumstances where you can treat the processing as compatible. You must be able to satisfy the UK GDPR’s purpose limitation requirements before you start using the personal information for the new purpose.

Annex 2 of the UK GDPR also contains a list of reuse purposes that are compatible with the original purpose for processing. Some of these purposes are the same or similar to the recognised legitimate interest conditions and cover reuse of personal information for:

  • crime;
  • safeguarding;
  • emergencies;
  • public security; and
  • sharing it with another organisation that has requested it from you because they need it for their public tasks or official functions.

As well as ensuring your new purpose is compatible, you must identify a lawful basis. Therefore, if your new use for the personal information is for one of the above purposes, you may find that recognised legitimate interest is the most appropriate lawful basis. However, if none of the recognised legitimate interest conditions fit your new purpose, you must choose a different lawful basis.

Further reading – ICO guidance

Purpose limitation