This involves the organisation considering the interests, fundamental rights and freedoms of the data subject and balancing them against its own interests. In other words, the organisation needs to determine whether the data subject's rights override the legitimate interests it has identified. This will involve considering:
- the nature of the personal data to be processed
- the reasonable expectations of the data subject
- the likely impact of the processing on the data subject and whether any safeguards can be implemented to reduce any negative impacts
Nature of the data
Organisations should consider the sensitivity of the personal data, specifically:
- whether the personal data is special category data (eg information about physical/mental health) or criminal offence data (eg information about criminal activity), both of which are given greater protection under the law
- whether the data is likely to be considered particularly private (eg financial data)
- whether the personal data relates to children or other vulnerable individuals
- whether the data is about people in their personal or professional capacity
The more sensitive (or private) personal data is, the more likely it is that the processing will be intrusive or create a significant risk to the data subject’s rights and freedoms (eg putting someone at risk of unlawful discrimination). Where this is the case, organisations will need to have a compelling justification for using the data and will need to take special care to have adequate safeguards in place.
If the personal data is considered less sensitive or private (eg because it concerns data subjects in their work capacity) then the impact may be less. However, organisations will still need to consider its likely impact.
Reasonable expectations
Organisations should consider whether data subjects would reasonably expect them to use their personal data in this way, taking into account all relevant factors, including:
- whether there is an existing relationship with the data subject (legitimate interests is more likely to apply where there is a 'relevant and appropriate relationship', for example because the data subject is a client or employee; if there is no pre-existing relationship, it can be harder to demonstrate that the processing can be reasonably expected)
- how the data subject's data has been used in the past (if data has been used in the same or a similar way, the processing is more likely to be reasonably expected)
- whether the data was collected directly from the data subject and, if so, what they were told at the time (eg information may have been provided in a privacy notice)
- whether the data was obtained from a third party (eg one which collects data via a mobile application and uploads it to its servers) and, if so, what that third party told the data subjects about the reuse of the data by others (depending on what data subjects were told, they may be less likely to reasonably expect this type of further processing)
- when the data was collected and whether there have been any changes (eg to technology or other context) that may affect current expectations
- whether the organisation's intended purpose is obvious or widely understood (the more obvious or widely understood the intended purpose, the more likely it is that the processing is reasonably expected)
- whether the organisation is planning to do something new or innovative (a new or innovative use of personal data may be less reasonably expected)
- whether actual evidence about expectations exists (eg from market research or studies)
- any fact-specific factors that indicate that data subjects may or may not reasonably expect the processing
Organisations do not have to show that every individual would expect their data to be used in this way, but that a reasonable person would expect their data to be used in this way in light of the specific circumstances.
Organisations may consider carrying out consultations, focus groups or market research if the processing’s purpose and method are not immediately obvious, and people may have a range of reasonable expectations regarding the processing. This will help demonstrate expectations and support the organisation’s position. Organisations may, as part of their determination, also wish to rely on any pre-existing studies regarding reasonable expectations in such a context.
Safeguards
Organisations need to consider the potential impact on data subjects and any damages the processing may cause. As a first step, organisations should consider if the processing is inherently likely to result in a high risk to individuals’ rights and freedoms (eg processing of biometric data like fingerprint data/facial images). If this is the case, a Data protection impact assessment (DPIA) will need to be carried out. For more information on this, read Data protection impact assessments. Consider following the ICO’s DPIA screening checklist to determine whether a DPIA is needed.
If the processing is not likely to result in a high risk, a risk assessment will still need to be carried out to consider whether the processing may cause any harm to the data subject’s interests, rights and freedoms. Organisations should consider whether the data processing could contribute to:
- the inability to exercise rights (eg privacy rights)
- the inability to access services or opportunities
- the loss of control over the use of personal data
- discrimination
- identity theft or fraud
- financial or physical harm
- any other significant economic or social disadvantage (eg loss of confidentiality or reputational damage)
Both the likelihood and severity of any possible harm should be considered.
The likelihood of possible harm can be remote (it could occur but is not likely), possible (it may happen or recur on a semi-regular basis) or probable (it is likely to recur on a regular basis).
The severity of the possible harm can be:
- minimal - involving short-term minimal embarrassment to an individual, small amounts of the data subject's personal data and minimal disruption or inconvenience in the delivery of services to the individual
- significant - involving significant amounts of personal data being transferred outside of the organisation, leading to significant actual or potential detriment, including emotional distress, physical or financial damage and/or safeguarding concerns
- severe - involving significant amounts of personal data being transferred outside of the organisation, leading to a proven detriment and/or high-risk safeguarding concerns; data subjects may encounter significant or irreversible consequences that they may not overcome (eg financial jeopardy)
If a potential for a high risk is identified (due to a chance of severe harm or a probable likelihood of harm), the organisation will need a compelling legitimate interest to satisfy the balancing test (ie it will need to demonstrate that its legitimate interests can override a serious impact). Where a high risk is identified, a DPIA must be completed. Where there is a lower risk of harm, this needs to be weighed against the potential benefits of the processing.
Organisations should consider whether any safeguards (eg collecting less data or providing an opt-out) could be implemented to reduce the risk. Implementing such safeguards may mean that the data subject's interests no longer override the organisation's interests, but safeguards do not by themselves justify the processing.
For more information and a worked example, read the ICO’s guidance.