The Data (Use and Access) Act 2025 (DUAA) has introduced a new lawful basis for processing personal data under the UK GDPR: namely recognised legitimate interests (RLI). With the Information Commissioner’s Office (ICO) having now published its final guidance, organisations should be considering whether and in what circumstances this new basis may be relevant to their processing of personal information.
Although RLI sits alongside the familiar “legitimate interests” lawful basis (see the ICO’s separate guidance on legitimate interests), it is distinct and much more limited in scope. RLI’s purpose is to provide greater legal certainty for specific types of processing that are considered to be in the public interest, rather than to create a broad alternative for routine commercial data use. Organisations that currently rely on legitimate interests for activities that would now qualify as RLI are not required to change their lawful basis, but may choose to do so where it provides greater certainty or simplifies governance.
What is recognised legitimate interest (RLI)?
RLI applies where processing is necessary for a specified public‑interest purpose that is expressly recognised in UK GDPR. As these purposes are pre‑approved in law, you do not need to balance individuals’ rights and freedoms (as this assessment has already been carried out). However, you must still ensure the processing is necessary for the relevant recognised legitimate interest and comply with all other UK GDPR requirements.
When can RLI be used?
The scope of RLI is deliberately narrow. It can only be relied on where processing is necessary for one or more of the five purposes below, so you will need to be clear about your purpose for processing:
- Public task disclosure request condition – this only applies to data sharing with organisations which have public tasks or official functions in UK law.
- National security, public security and defence condition – appropriate if you need to handle personal information to safeguard national security, protect public security or for defence purposes.
- Emergencies condition – appropriate if the situation meets the definition of an emergency as set out in the Civil Contingencies Act 2004 (e.g. which threatens serious damage to human welfare) and your use of the personal information is necessary to respond to that emergency.
- Crime condition – appropriate if you need to handle personal information to detect, investigate or prevent crime, including capturing or prosecuting offenders.
- Safeguarding condition – appropriate if you need to use personal information to safeguard a “vulnerable individual”.
Each of the above five conditions has its own requirements, and you may rely on a condition only where you have clearly met all of its requirements. Where more than one condition applies, you should record all of them. In relying on any RLI condition, you will also need to comply with any additional rules that apply to it. Further, the guidance makes clear that you may not rely on an RLI where significant decisions about a person will be made solely by automated processing.
Actions to take
RLI is now in force. Although it will not apply to most routine processing activities, organisations should be aware that it raises a number of questions that need to be considered in practice, including:
- Are there existing activities (for example, relating to fraud prevention or safeguarding) where you currently rely on legitimate interests which may now fall within a RLI condition? If so, does continuing to rely on legitimate interests remain appropriate, or would RLI provide greater clarity and/or reduce internal governance burden?
- Do your records of processing, internal policies and privacy notices clearly distinguish between legitimate interests and RLI? If you opt to rely on RLI, you may need to update your record of processing activities and any relevant privacy notice to reflect the changes.
- Are relevant teams aware of the limited scope of RLI and the risks of it being applied too broadly?