The ICO publishes guidance on legitimate interests for GDPR

Data Protection

The ICO has recently published new and welcome guidance on legitimate interests as a basis for processing personal data.

The detailed guidance was published on 22 March 2018 and is available from the ICO as a PDF download. It sits alongside the ICO's already published Guide to the GDPR (also a PDF download).

Legitimate interests is a familiar concept from the Data Protection Act. Under the GDPR it is one of the six lawful bases for processing personal data.

The Guidance states that legitimate interests is the most flexible lawful basis, but that organisations cannot assume that it will always be appropriate for all processing. It goes on to state that legitimate interests is most likely to be an appropriate basis where data is used in ways that people would reasonably expect and that have a minimal privacy impact. Where there is an impact on individuals, it may still apply where organisations can show there is an even more compelling benefit to the processing and the impact is justified. The guidance states that you can now consider the legitimate interest of any third party, including wider benefits to society.

The guidance suggests that organisations should avoid relying on legitimate interests if personal data is being used in ways people do not understand and would not reasonably expect. Public authorities also cannot rely on legitimate interests for any processing they carry out in the performance of their tasks as a public authority.

The legitimate interest assessment (LIA)

The guidance sets out in detail a three-part test that it recommends organisations use to assess whether legitimate interests will apply, and to document the outcome. This is known as a legitimate interests assessment (LIA).

It is set out in further detail in the guidance but it can be summarised as follows:

  • Firstly, identify the legitimate interest. Considerations should include why you want to process the data, who benefits, and whether there are any wider public benefits.
  • Secondly, show that the processing is necessary to achieve this legitimate interest. Organisations should consider whether the processing furthers that interest, whether it is reasonable, and whether another, less intrusive way would achieve the same result.
  • Thirdly, undertake a balancing test, weighing the legitimate interest against the individual's interests, rights and freedoms. The guidance sets out a number of suggested considerations for organisations, including the nature of the relationship with the individual, the impact of the processing, and whether children's data is being processed.

Organisations processing personal data and relying on legitimate interests should review the guidance carefully and ensure the necessary policies and procedures are in place prior to the GDPR implementation date of 25 May 2018.

Contact our experts for further advice

Beverley Flynn