Data Protection Law
Legitimate interest is one of the six lawful bases for processing personal data under Article 6(1) UK GDPR, set out at Article 6(1)(f). The other five are: consent, performance of a contract, compliance with a legal obligation, protection of vital interests, and performance of a task carried out in the public interest (the public task basis).
A legitimate interest is likely to be the most useful lawful basis where the processing is not required by law but has a clear benefit to the organisation. Note that it is not available to public authorities for processing carried out in the performance of their public tasks (Article 6(1), final subparagraph).
What is a legitimate interest?
The term is broad and flexible, but in practice there must be a clear and specific benefit or outcome in mind. The interest may be that of the organisation itself (including commercial gain or direct marketing) or that of a third party. Although almost any purpose could qualify, the interest must be legitimate, which immediately excludes anything unethical or unlawful.
In most situations, for a legitimate interest to be relied upon, the impact of the processing on the individual should be minimal. Where the impact is more significant, a more compelling legitimate interest must be shown. Examples of compelling interests include:
- preventing fraud;
- ensuring network and information security;
- preventing possible criminal acts; or
- preventing threats to public security.
It is for the organisation to show that it has a legitimate interest in the processing, and that that interest is not overridden by “the interests or fundamental rights and freedoms of the data subject” (Article 6(1)(f)). The competing interests are weighed against each other by the organisation seeking to process the personal data, not by an external body. Where the balance favours the legitimate interest, the processing is more likely to be held lawful if it is later disputed or investigated by the ICO.
Legitimate Interest Assessment
The ICO has published guidance to help organisations decide whether the legitimate interest basis can be relied on, in the form of a ‘Legitimate Interest Assessment’ (LIA). An LIA should be completed and recorded before the organisation carries out any processing for which it intends to rely on the legitimate interest justification.
An LIA comprises three separate tests:
- the Purpose Test;
- the Necessity Test; and
- the Balancing Test.
Each test consists of a list of questions, all of which should be answered and the answers documented. The questions are practical rather than purely legal, although a lawyer or compliance professional will usually be best placed to answer them. The intention is to make organisations think carefully about whether a legitimate interest can be relied upon. If the tests are passed, the processing can go ahead. The LIA may instead reveal additional risks, or show that a legitimate interest cannot apply. Organisations can also use the LIA to identify those risks and put in place appropriate safeguards that allow the legitimate interest justification to be relied on lawfully.
Is an LIA necessary?
LIAs are not mentioned in the UK GDPR itself, so they are not explicitly required. However, by carrying out and recording an LIA an organisation can demonstrate compliance with its accountability obligations under Articles 5(2) and 24 UK GDPR, and it will have that record to hand if the ICO asks how it reached its decision.
Conducting a Legitimate Interest Assessment
There is no prescribed form for an LIA, although organisations can, and most do, follow the ICO’s template.
As mentioned, there are three tests:
1. Purpose Test
This test establishes why the data needs to be processed and what the processing will achieve. The benefit must be clear and specific to satisfy the test; vague or generic reasons will not.
Examples of questions include:
- who benefits from the processing? In what way?
- are there any wider public benefits to the processing?
- if so, how significant are those benefits?
- what would the impact be if you couldn’t process this information?
- would your use of the data be unethical or unlawful in any way?
2. Necessity Test
The necessity test asks whether the processing is necessary for the purpose identified in the purpose test.
‘Necessary’ does not mean that the processing must be absolutely essential, but it must be a targeted and proportionate way of achieving the purpose.
If there is a reasonable alternative that achieves the same purpose with less impact on the individual, for example by processing less data, the processing is unlikely to be necessary. The organisation must therefore consider whether there are any other reasonable, less intrusive means of achieving the purpose.
If the organisation cannot show that the processing genuinely helps it to achieve the legitimate interest identified, the test is failed.
3. Balancing Test
The balancing test is the third test. Here the interests, fundamental rights and freedoms of the individual are identified and then weighed against the organisation’s legitimate interest, to decide whether they override it.
Organisations must consider matters such as:
- the nature of the personal data to be processed;
- the reasonable expectations of the individual;
- the likely impact of the processing on the individual, and whether safeguards can be put in place to mitigate any negative impact;
- whether the fundamental rights and freedoms of the individual override the legitimate interest;
- whether any special category data (or criminal offence data) is being processed; and
- whether personal data relating to children is being processed.
What are reasonable expectations?
One of the considerations is the expectation of the data subject: in other words, what a reasonable person in the individual’s position would expect to happen to their data.
The following questions go to this issue:
- is there an existing relationship with the individual?
- how has their data been used in the past?
- what was the individual told about how their data would be used?
- are there any factors which mean they would not expect the processing?
Determining the outcome of the Legitimate Interest Assessment
Taken together, the three tests should produce the pros and cons of going ahead with the processing.
It is important that this final stage of the LIA is approached as objectively as possible. It is also worth noting that a negative impact on the individual does not automatically mean that their interests override the organisation’s; the question is whether that impact is justified by the legitimate interest.
The LIA, and the related ICO guidance, imply that if an organisation cannot satisfy one or more of the tests then the processing should not proceed. If the ICO subsequently investigated, an organisation that had failed its own LIA would struggle to justify its processing or to demonstrate that the legitimate interest relied upon was valid.
Do I need to notify data subjects?
An organisation’s privacy notice (the privacy information that Articles 13 and 14 UK GDPR require to be provided where personal data is processed) must tell individuals what the purpose of the processing is and what lawful basis is being relied on.
If the lawful basis is a legitimate interest, the organisation must also tell the relevant data subjects what that legitimate interest is (Articles 13(1)(d) and 14(2)(b)). The ICO recommends, but does not require, that organisations also publish their LIAs to ensure maximum transparency. Being transparent about the basis and the reasoning behind it helps an organisation demonstrate that its processing is lawful.
If you have any questions on the above or data protection compliance more generally, please contact Neil Williamson or Colin Lambertus.