Recognised legitimate interest: requesting personal information for your public tasks or official functions

At a glance

• If you’re an organisation that has a public task or official function, such as a public authority, sometimes you may need to ask other organisations to share personal information with you.
• If you already use your statutory powers to obtain the personal information you need, you should continue to do this.
• However, if this situation doesn’t apply, you can ask the organisation to voluntarily share personal information with you.
• If you need the personal information for your public tasks or official functions that come from the law, tell the organisation this when you request the information.
• The UK GDPR helps facilitate this data sharing by providing a lawful basis that the organisation you make a request to can choose to rely on to share the personal information. If you make such a request, they may rely on the ‘recognised legitimate interest’ lawful basis and specifically its condition for a ‘public task disclosure response’.
• You should plan how you’ll comply with your data protection obligations before you make such a request. This is because once you get the personal information, you’re responsible for making sure how you use it complies with data protection law.
• Check that your public task or official function covers the type of personal information you seek. Also, check the information is necessary for, and proportionate to, the task or function you’ve identified.
• Put your request in writing and make sure you state you need the information for your public tasks or official functions that are laid down in law. And, if appropriate, state that you need the personal information to safeguard a public interest objective listed in article 23 of the UK GDPR.
• Requesting personal information that you need for your tasks or functions doesn’t give you a right of access to people’s information. The organisation that holds the information can choose not to share it with you.

In brief

• Who is this guidance for?
• What’s the purpose of this guidance?
• What is recognised legitimate interest?
• Who can make a request for personal information needed for their tasks or functions?
• When can we make a request for personal information that we need for our tasks or functions?
• Is it important to plan ahead before making our request?
• How do we make a request?
• Are organisations required to share personal information with us?
• Checklist

Who is this guidance for?

This guidance is aimed at organisations that have tasks in the public interest or official functions that come from the law. For example, a public authority (eg a local authority, an NHS trust).

This guidance is most relevant to public authorities, but it can apply to any organisation that performs these tasks or functions.

What’s the purpose of this guidance?

Sometimes you may want to ask another organisation to share personal information with you that you need for your public tasks or official functions.

The UK GDPR facilitates this data sharing by providing lawful bases that an organisation can rely on if you make a request to them.

If an organisation is legally required to share the personal information with you, it’s likely they will rely on the ‘legal obligation’ lawful basis to do so.

But if they aren’t under a legal obligation, they can still decide to share the information with you. In these cases, they may rely on the ‘recognised legitimate interest’ lawful basis.

This guidance will help you to understand:

• the role that recognised legitimate interest may play when you request personal information from another organisation; and
• the approach you should take to request the personal information you need for your tasks or functions.

What is recognised legitimate interest?

Recognised legitimate interest is one of the seven lawful bases for handling personal information in the UK GDPR. You and the organisations you deal with must have a lawful basis in order to handle personal information, including for data sharing purposes.

As a public authority, you can’t rely on the recognised legitimate interest basis when you handle personal information to perform your public tasks or official functions. But, depending on the circumstances, if you want to handle personal information outside your tasks or functions, you may be able to rely on it. However, in most cases it will be organisations that are not public authorities who use this lawful basis.

A ‘recognised legitimate interest’ is a specified purpose for handling personal information that is in the public interest. These pre-approved purposes are set out in five recognised legitimate interest conditions. One of them covers sharing personal information when it is needed for another organisation’s public task or official function. The UK GDPR calls this condition ‘Disclosure for purposes of processing described in Article 6(1)(e)’ but for ease we refer to this as the ‘public task disclosure response’ condition (although this isn’t a term used in the UK GDPR).

This condition acknowledges the importance of facilitating data sharing with those that need the personal information for their public tasks and official functions. It may be relevant to the organisation that you request personal information from when you need it for your public tasks or functions.

Annex 1 of the UK GDPR says:

1. This condition is met where -

(a) the processing is necessary for the purposes of making a disclosure of personal data to another person in response to a request from the other person, and

(b) the request states that the other person needs the personal data for the purposes of carrying out processing described in Article 6(1)(e) that has a legal basis that satisfies Article 6(3).

Article 6(1)(e) is the public task lawful basis and article 6(3) advises that such tasks or functions must come from UK law or “relevant international law” (as listed in the DPA). UK law includes laws made by a devolved Parliament or Assembly.

Who can make a request for personal information needed for their tasks or functions?

Depending on the circumstances, you can make such a request for disclosure if you’re an organisation that has public tasks or official functions as ‘described’ in the public task lawful basis (eg a public authority).

The public task basis covers handling personal information necessary:

• for the performance of a task carried out in the public interest that is laid down by law; or
• in the exercise of official authority (eg a public body’s tasks, functions, duties or powers) that is laid down by law.

For example, it covers uses that are necessary for administering justice and exercising statutory functions and government powers. This is most relevant to public authorities, but other types of organisations may also have these tasks and functions.

The relevant task, function or authority must be laid down by UK law or “relevant international law” (eg a statutory function). But it doesn’t have to be an explicit statutory provision as long as the application of the law is clear and foreseeable. This includes established common law tasks.

The public task disclosure response condition refers to requests for personal information as ‘described’ by the public task lawful basis where that task comes from UK law. This means you can make a request for personal information that you want to use for purposes not covered by the UK GDPR, such as under part 3 (law enforcement) or part 4 (intelligence services) of the Data Protection Act 2018 (DPA).

For example, in general the police handle people’s information under part 3 of the DPA rather than the UK GDPR. However, even though the UK GDPR won’t apply to these purposes, the use of people’s information by the police is as ‘described’ in article 6(1)(e) of the UK GDPR and it is laid down in UK law. This is because in most instances the police handle personal information under section 35(2)(b) of the DPA which refers to the use of the information being based on law and necessary for the performance of a task carried out by a competent authority. In addition, their powers come from UK laws such as the Police and Criminal Evidence Act 1984 and the Police Act 1996.

When can we make a request for personal information that we need for our tasks or functions?

If you have statutory information gathering powers which you use to require another organisation to share people’s information with you, you can continue to use these powers as normal. In this situation, the organisation will use the legal obligation lawful basis to share the information with you.

If you don’t have these powers, or you feel that it’s more appropriate to seek voluntary data sharing, you can consider making a request for disclosure of personal information you need for your public tasks or official functions.

But you can only make such a request to another organisation if you need the specific personal information for the purposes as ‘described’ in the UK GDPR public task lawful basis. You can’t make this type of request if you’re seeking the information for a purpose that is outside your tasks and functions. In this situation, the organisation won’t be able to rely on the recognised legitimate interest basis and this condition to share the information with you (although they may decide that another lawful basis, or another recognised legitimate interest condition, applies to the sharing).

Depending on your purpose for asking for personal information, the organisation may believe that a different recognised legitimate interest condition is more appropriate for them to use to share the information with you. The other conditions cover things like crime prevention or detection, safeguarding, national security, public security, or responding to emergency events. For example, if the police ask an organisation to share personal information they need for a criminal investigation, it’s likely that the crime condition will be more suitable for the organisation to use than the public task disclosure response condition.

Is it important to plan ahead before making our request?

Yes, you should plan ahead before you request the personal information. This is because once the requested personal information is in your possession, you’re responsible for it and you must ensure how you use it complies with the law.

For example, as part of your planning, you must consider how you will:

• take a data protection by design approach to ensure that you’re aware of any data protection implications of your request;
• comply with the data minimisation principle so you don’t ask for more personal information than you actually need for your task or function;
• be transparent with the people whose information you’re seeking – plan how you’ll comply with their right to be informed (unless an exemption applies), including how you’ll tell people about the source of their information; and
• deal with people’s existing objections to the use of their personal information as this may affect your request (depending on the circumstances).

We recognise that your planning may be more limited in certain situations (eg when your request is urgent).

How do we make a request?

You should check if your task or function covers the type of personal information you want to ask for in your request. If your tasks and functions don’t cover it, this may result in you handling the requested personal information unlawfully.

You should also check that the personal information you seek is actually necessary and proportionate for the task or function you’ve identified. This is because you’re responsible for the information once you’ve got it, so you must comply with the data protection principles. This includes data minimisation – you must ensure that the personal information you collect is adequate, relevant and not excessive for the purposes you need it for. You must not use your request as a way to get personal information just in case it might be useful in future.

You must tell the organisation in your request that you need the personal information for your public task or other power given to you under the law. However, the UK GDPR doesn’t require you to say what these tasks or powers are. But, depending on the circumstances, you could provide further details to make the process easier and help the organisation understand why you want the personal information. For example, explain why you need that information or say what these tasks or functions are.

If you want to ask an organisation to share personal information needed for your task or function, you should do the following:

• Put your request in writing

  The UK GDPR doesn’t specify the form of your request. But both you and the organisation receiving your request must be accountable and able to demonstrate compliance with data protection law. As part of this, you should have an effective audit trail of the personal information that is shared with you. Make sure that your request is in writing (eg email, post) and don’t make verbal requests.

• Be clear what personal information you seek

  You should explain what personal information you want from the organisation. If the scope of your request isn’t clear, the organisation may ask you for more details. To prevent confusion, avoid including other things alongside your request.

• Make it easy for the organisation to verify your request

  In many cases, the organisation will want to make sure your request is authentic. For example, they may want to clarify that your employee has authority to make the request and is doing so on your behalf.

• Be prepared to answer questions

  The organisation may have questions or want more details from you. Put yourself in their position – they’re responsible for protecting the information they hold so they will want to be confident that sharing it with you complies with the law. Don’t try to leverage any real or perceived power imbalance.

The organisation you make your request to is also required to comply with the UK GDPR’s purpose limitation principle. If sharing the personal information with you is a new purpose for the organisation, it must ensure this is compatible with its original purpose. One of the ways it can do this is to meet the requirements of a compatibility condition from annex 2 of the UK GDPR. There is a compatibility condition that complements the public task disclosure response condition but it adds an extra requirement for you to include in your request. For the organisation to use this compatibility condition, you must say in your request that you need the personal information because it’s necessary to safeguard an objective listed in article 23(1)(c) to (j) in the UK GDPR (these cover important public interest objectives).

Are organisations required to share personal information with us?

No. Making such a request for disclosure is a way to ask an organisation to voluntarily share personal information that you need for your public task or official function. This means the organisation can decide not to share the personal information.

Although the recognised legitimate interest lawful basis helps enable responsible data sharing in certain circumstances, it doesn’t give you a right to people’s information. You can’t compel the organisation to rely on this basis and share the information with you. It’s their choice to share the information in response to your request and they don’t need to justify themselves if they decide not to share.

Checklist