Dashboard
Dashboard Make a document Ask a lawyer Get guidance Home
Dashboard Member settings
Logout
Help
Help Contact us
Explore
Make documents Ask a lawyer Start a business new Sign documents Get guidance About us Pricing
Sign up Sign in
Help
Help Contact us

Substantial public interest for DPIAs

13 min read

Last reviewed or updated 13/01/2026

Written and reviewed by experts
Written and reviewed by experts
This guide was created, edited, and reviewed by editorial staff who specialise in translating complex legal topics into plain language.

Make your Data protection impact assessment (DPIA)

Get started

What are DPIAs?

A Data protection impact assessment (DPIA) is a process designed to help organisations identify and minimise the data protection risks of a project. When the processing of personal data is likely to result in a high risk to individuals, a DPIA needs to be completed.

The processing of special category 'sensitive' personal data (often simply referred to as ‘special category personal data’ or ‘sensitive personal data’) is given greater protection than other types of personal data. This means that a further condition for processing needs to be met and recorded in a DPIA. 

For more information, read Processing high-risk personal data and DPIAs and Compliance for DPIAs.

What is substantial public interest?

Infographic defining what substantial public interest for data processing is Substantial public interest is one of the further conditions for the processing of special category personal data. To meet this condition, processing must be necessary for reasons of substantial public interest

Being of ‘substantial public interest’ means that the public interest needs to be real and of substance. Read Compliance for DPIAs for more information. 

Being ‘necessary’ doesn’t mean that the processing has to be absolutely essential, but it must be more than useful or habitual. It must also be a reasonable and proportionate way of achieving the purpose, and the organisation must not use more data than it needs.

For an organisation to be able to rely on the condition of substantial public interest, an ‘associated condition’ also needs to be met.

Infographic highlighting the 3 main steps needed to be able to rely on substantial public interest when processing personal data

What are the associated conditions for substantial public interest?

If the substantial public interest condition is relied upon, the organisation processing the data will also need to meet at least one of the 23 associated conditions set out in Schedule 1 of the Data Protection Act 2018. These associated conditions are:

1. Statutory and government purposes

The processing is necessary for reasons of substantial public interest and for the exercise of a function:

  • given to a person by an enactment or rule of law, or 

  • of the Crown, a Minister of the Crown, or a government department

2. Administration of justice and parliamentary purposes

The processing is necessary for:

  • the administration of justice, or

  • the exercise of a function of either House of Parliament

3. Equality of opportunity or treatment

This is where the processing is of a specified category of personal data that identifies groups of people in relation to that data, and includes personal data:

  • revealing racial/ethnic origin (ie it identifies groups of people of different racial or ethnic origins)

  • revealing religious/philosophical beliefs (ie it identifies groups of people holding different religious or philosophical beliefs)

  • concerning health (ie it identifies groups of people with different states of physical or mental health)

  • concerning an individual’s sexual orientation (ie it identifies groups of people of different sexual orientations)

The processing must also be necessary to identify or review the existence/absence of equality of opportunity or treatment between groups of people specified above, to enable such equality to be promoted/maintained.

4. Racial and ethnic diversity at senior levels

The processing is of personal data revealing racial/ethnic origin and:

  • is carried out to identify individuals intended to hold senior positions in organisations (either a specific organisation, a type of organisation, or organisations generally)

  • is necessary to promote/maintain diversity in the racial and ethnic origins of individuals holding senior positions in organisations, and

  • can reasonably be carried out without the consent of the data subject (ie the individual to whom the data relates). This is the case if:

    • the organisation cannot reasonably be expected to obtain the consent of the data subject, and

    • the organisation is not aware of the data subject withholding consent

Senior positions in an organisation include positions as:

  • directors, secretaries, or similar corporate officers

  • members of limited liability partnerships

  • partners in partnerships, limited partnerships, or other entities of a similar character formed outside the UK

  • individuals involved in senior management of an organisation (ie individuals who play a significant role in making decisions about how the organisation’s activities are to be managed or in the actual managing of those activities)

5. Preventing or detecting unlawful acts

The processing is:

  • necessary for the purposes of the prevention or detection of an unlawful act

  • carried out without the data subject’s consent in order not to prejudice those purposes, and

  • necessary for reasons of substantial public interest

6. Protecting the public

The processing is necessary for the exercise of a protective function. This is an action intended to protect members of the public against:

  • dishonesty, malpractice, or other seriously improper conduct

  • unfitness or incompetence

  • mismanagement in the administration of a body or association, or 

  • failures in services provided by a body or association

The processing must also be carried out without the data subject’s consent in order not to prejudice the exercise of that function and must be necessary for reasons of substantial public interest.

7. Regulatory requirements

The processing is necessary for reasons of substantial public interest and necessary to comply with (or assist others to comply with) a regulatory requirement involving a person taking steps to establish whether another person has:

  • committed an unlawful act, or

  • been involved in dishonesty, malpractice, or other seriously improper conduct

In these circumstances, the organisation cannot reasonably be expected to obtain the consent of the data subject to the processing.

8. Journalism, academia, art, and literature

The processing:

  • consists of the disclosure of personal data for journalistic, academic, artistic, or literary purposes

  • is carried out in connection with any of the following (whether alleged or established):

    • a person's commission of an unlawful act

    • a person’s dishonesty, malpractice, or other seriously improper conduct

    • a person’s unfitness or incompetence

    • mismanagement in the administration of a body or association

    • a failure in services provided by a body or association

  • is necessary for reasons of substantial public interest

  • is carried out with a view to the publication of the personal data by any person, and

  • the organisation reasonably believes that the publication of the personal data is in the public interest

9. Preventing fraud

The processing is necessary to prevent fraud or a particular kind of fraud, and:

  • the personal data is disclosed by a member of an anti-fraud organisation

  • the personal data is disclosed in accordance with arrangements made by an anti-fraud organisation, or

  • the personal data is processed after being disclosed by a member of or in accordance with arrangements made by an anti-fraud organisation

An anti-fraud organisation is any body corporate, unincorporated association, or other person that enables or facilitates any sharing of information to prevent fraud or a particular kind of fraud, or which has the prevention of fraud or any kind of fraud as its purpose (or one of its purposes).

10. Suspicion of terrorist financing or money laundering

Where the processing is necessary to make a disclosure in good faith under the:

  • Terrorism Act 2000 - this is disclosure between certain entities within the regulated sector in relation to suspicion of commission of a terrorist financing offence or to identifying terrorist property

  • Proceeds of Crime Act 2002 - this is disclosure within the regulated sector in relation to suspicions of money laundering

11. Support for individuals with a particular disability or medical condition

The processing: 

  • is carried out by a not-for-profit body providing support to individuals with a disability or medical condition

  • is of a type of personal data that:

    • reveals racial/ethnic origin

    • reveals genetic data

    • reveals biometric data

    • concerns health, or

    • concerns an individual’s sex life or sexual orientation

  • is necessary to:

    • raise awareness of the disability or medical condition, or

    • provide support to (or enable individuals to provide support to) individuals who: 

      • have the disability/condition mentioned 

      • had that disability or condition, or 

      • have a significant risk of developing that disability or condition

  • is necessary for reasons of substantial public interest, and 

  • can reasonably be carried out without the consent of the data subject. This is the case if:

    • the organisation cannot reasonably be expected to obtain the consent of the data subject, and

    • the organisation is not aware of the data subject withholding consent

12. Counselling

The processing is:

  • necessary to provide confidential counselling, advice, or support, or another similar confidential service

  • necessary for reason of substantial public interest, and

  • carried out without the consent of the data subject for one of the following reasons:

    • in the circumstances, the data subject cannot consent to the processing

    • in the circumstances, the organisation cannot reasonably be expected to obtain the data subject’s consent to the processing, or

    • the processing must be carried out without the data subject’s consent because obtaining such consent would prejudice the provision of the confidential (counselling) service

13. Safeguarding of children and individuals at risk

The processing is:

  • necessary to protect:

    • an individual from neglect or physical, mental, or emotional harm, or

    • the physical, menta,l or emotional wellbeing of an individual

  • related to an individual under 18 or over 18 and at-risk (eg because they have care/support needs or are experiencing neglect)

  • necessary for reasons of substantial public interest, and

  • carried out without the consent of the data subject for one of the following reasons:

    • in the circumstances, the data subject cannot consent to the processing

    • in the circumstances, the organisation cannot reasonably be expected to obtain the data subject’s consent to the processing, or

    • the processing must be carried out without the data subject’s consent because obtaining such consent would prejudice the protection of the individual

14. Safeguarding of economic wellbeing of certain individuals

The processing is:

  • necessary to protect the economic wellbeing of an individual at economic risk who is over 18 (ie anyone less able to protect their economic wellbeing by reason of physical or mental injury, illness, or disability)

  • of personal data concerning health

  • necessary for reasons of substantial public interest, and

  • carried out without the consent of the data subject for one of the following reasons: 

    • in the circumstances, the data subject cannot consent to the processing

    • in the circumstances, the organisation cannot reasonably be expected to obtain the data subject’s consent to the processing, or

    • the processing must be carried out without the data subject’s consent because obtaining such consent would prejudice the protection of the individual

15. Insurance

The processing is:

  • necessary for an insurance purpose, which may include:

    • advising on, arranging, underwriting, or administering an insurance contract (ie a general- or long-term insurance contract)

    • administering an insurance claim

    • exercising a right (or complying with an obligation) arising in connection with an insurance contract

  • of personal data revealing racial or ethnic origin, religious or philosophical beliefs, genetic data, health data, or trade union membership, and

  • necessary for reasons of substantial public interest

Where: 

  • the processing isn’t carried out for the purposes of measures or decisions with respect to the data subject, and

  • the data subject doesn’t have and isn’t expected to acquire:

    • rights against (or obligations in relation to) a person insured under an insurance contract to which the insurance purpose above apply, or

    • other rights or obligations in connection with such a contract

The processing doesn’t meet the conditions for processing for insurance purposes unless, in addition to meeting the conditions for insurance processing, it can reasonably be carried out without the consent of the data subject. This is the case if:

  • the organisation cannot reasonably be expected to obtain the consent of the data subject, and

  • the organisation is not aware of the data subject withholding consent

16. Occupational pension

If the processing:

  • is necessary to make a determination in connection with eligibility for (or benefits payable under) an occupational pension scheme

  • is of data concerning health, relating to the data subject who is the parent, grandparent, great-grandparent, or sibling of a member of the scheme, and

  • can reasonably be carried out without the consent of the data subject. This is the case if:

    • the organisation cannot reasonably be expected to obtain the consent of the data subject, and

    • the organisation is not aware of the data subject withholding consent

17. Political parties

The processing is:

  • of personal data revealing political opinions

  • carried out by a person/organisation included in the register maintained under section 23 of the Political Parties, Elections and Referendums Act 2000, and

  • necessary for the purposes of the person’s or organisation’s political activities (including campaigning, fundraising, political surveys, and casework)

The processing does not meet the above conditions:

  • it is likely to cause substantial damage or substantial distress to a person, or

  • if:

    • the data subject (or one of the data subjects) gives notice in writing to the organisation requiring them not to process their personal data (and has not given notice in writing withdrawing that requirement)

    • the notice gave the organisation a reasonable period in which to stop processing such data, and

    • that notice period has ended

18. Elected representatives responding to requests

The processing is:

  • carried out: 

    • by an elected representative (eg a member of the House of Commons, the Mayor of London, or a police and crime commissioner) or a person acting with the authority of such a representative

    • in connection with the discharge of the elected representative’s functions, and

    • in response to a request by an individual that the elected representative take action on behalf of the individual, and

  • necessary for the purposes of (or in connection with) the action reasonably taken by the elected representative in response to that request

Where the request is made by someone other than the data subject, the above conditions are met only if the processing must be carried out without the data subject’s consent for one of the following reasons:

  • in the circumstances, the data subject cannot consent to the processing

  • in the circumstances, the elected representative cannot reasonably be expected to obtain the data subject’s consent to the processing

  • obtaining the data subject’s consent would prejudice the action taken by the elected representative, or

  • the processing is necessary for the interests of another individual, and the data subject has withheld consent unreasonably

19. Disclosure to elected representatives

This condition is met if the:

  • processing consists of the disclosure of personal data:

    • to an elected representative (eg a member of the House of Commons, the Mayor of London, or a police and crime commissioner) or a person acting with the authority of such a representative, and

    • in response to a communication to the organisation processing the data from the representative or someone acting on the representative’s behalf, which was made in response to a request from an individual

  • personal data is relevant to the communication’s subject matter, and

  • disclosure is necessary for responding to that communication

Where the request to the elected representative is made by someone other than the data subject, the above conditions are met only if the disclosure must be made without the data subject’s consent for one of the following reasons:

  • in the circumstances, the data subject cannot consent to the processing

  • in the circumstances, the elected representative cannot reasonably be expected to obtain the data subject’s consent to the processing

  • obtaining the data subject’s consent would prejudice the action taken by the elected representative, or

  • the processing is necessary in the interests of another individual, and the data subject has withheld consent unreasonably

20. Informing elected representatives about prisoners

This condition is met if the:

  • processing is of personal data about a prisoner for the purpose of informing a member of the House of Commons, a member of the National Assembly for Wales, or a member of the Scottish Parliament about the prisoner, and

  • member is under an obligation not to further disclose the personal data

21. Publication of legal judgments

The processing:

  • consists of the publication of a judgment (or other decision of a court or tribunal), or

  • is necessary for the purposes of publishing such a judgment (or decision)

22. Anti-doping in sport

The processing is necessary for the purposes of:

  • measures designed to eliminate doping (including measures to identify or prevent doping) which are undertaken by (or under the responsibility of) a body/association responsible for eliminating doping in a sport, at a sporting event, or in sport generally, or 

  • providing information about doping, or suspected doping, to such a body/association

23. Standards of behaviour in sport

The processing:

  • is necessary for the purposes of measures designed to protect the integrity of a sport or a sporting event

  • must be carried out without the data subject’s consent so as not to prejudice those purposes, or

  • is necessary for reasons of substantial public interest

‘Measures designed to protect the integrity of a sport or a sporting event’ means measures to protect a sport or sporting event against:

  • dishonesty, malpractice, or other seriously improper conduct, or

  • failure by someone participating in the sport or event (in any capacity) to comply with behaviour standards set by a body/association with responsibility for the sport or event

For more detailed information on these associated conditions, see the Information Commissioner’s Office’s (ICO’s) guidance on the substantial public interest conditions

Note that, for some of the above conditions, an Appropriate policy document (APD) must be in place at the time of processing. For more information, read Appropriate policy documents (APDs) for data protection.

 

If you have any questions or require assistance, Ask a lawyer. Consider using our GDPR compliance service to ensure your business complies with all relevant data protection laws. 

Written and reviewed by experts
Written and reviewed by experts
This guide was created, edited, and reviewed by editorial staff who specialise in translating complex legal topics into plain language.

At Rocket Lawyer, we believe legal information should be both reliable and easy to understand—so you don't need a law degree to feel informed. We follow a rigorous editorial policy to ensure all our content is helpful, clear, and as accurate and up-to-date as possible.

About this page:

  • this guide was written and reviewed by Rocket Lawyer editorial staff
  • this guide was last reviewed or updated on 13 January 2026

Related Guides

Processing high-risk personal data and DPIAs

9 min read

Compliance for DPIAs

11 min read

Appropriate policy documents (APDs) for data protection

5 min read

Ask a lawyer

Get quick answers from lawyers, easily.
Characters remaining: 600
Rocket Lawyer Legal Pros

Try Rocket Lawyer FREE for 7 days

Get legal services you can trust at prices you can afford. As a member you can:

Create, customise, and share unlimited legal documents

RocketSign® your documents quickly and securely

Ask any legal question and get an answer from a lawyer

Have your documents reviewed by a Legal Pro

Get legal advice, drafting and dispute resolution HALF OFF* with Rocket Legal+

Your first business and trade mark registrations are FREE* with Rocket Legal+

Try it free for 7 days
*Learn more about Rocket Legal+

**Subject to terms and conditions.

Follow us