
Legitimate interest assessments

When organisations process personal data, they need to comply with relevant data protection laws, including having a lawful basis for processing, such as legitimate interest. To rely on the legitimate interest ground, a legitimate interest assessment needs to be carried out. Read this guide to find out more.


Legitimate interest is one of the six lawful grounds for the processing (eg obtaining or recording) of personal data (eg names, addresses and information about racial or ethnic origin). An organisation can rely on the legitimate interest ground where the processing is necessary for the legitimate interest of the organisation (also known as the ‘data controller’) or a third party, as long as the processing does not override the fundamental interest, rights and freedoms of the data subject (ie the individual the data relates to).

Legitimate interests can include commercial interests, individual interests or broader societal benefits. For example, data processing may be in the legitimate interest of an organisation for network and information security or the prevention of fraud. Read Processing personal data for more information.

Being ‘necessary’

Being ‘necessary’ means that the processing must be carried out in a targeted and proportionate way. If there is another reasonable and less intrusive way of achieving the same result, the legitimate interest ground will not be appropriate.

Fundamental interest, rights and freedoms

When determining whether the processing overrides the fundamental interest, rights and freedoms of data subjects, organisations should focus on the potential impact on data subjects, including physical, financial or any other impacts (eg social disadvantages).

While the legitimate interest ground is the most flexible lawful basis for processing, it won’t always be the most appropriate. Generally, legitimate interest is likely to be most appropriate when:

  • the processing, while not required by law, is of clear benefit to the organisation or others

  • the processing has a limited privacy impact on the data subject

  • the personal data is being used in a way that the data subject would reasonably expect, and

  • the organisation cannot (or does not want to) give the data subject full upfront control (ie consent) or bother them with disruptive consent requests when they are unlikely to object to the processing

Organisations may also be able to rely on the legitimate interests ground if they have a compelling reason for the processing. This is especially the case where the data processing is more intrusive. However, organisations will have to be able to justify the impact on data subjects.

While the legitimate interest ground can be relied on when children’s data is being processed, organisations will need to take extra care to ensure that their interests are protected. For more information, see the Information Commissioner’s Office (ICO) guidance.

Organisations should generally avoid relying on legitimate interest if they are using personal data in a way that data subjects would not understand and would not reasonably expect, or if data subjects would object to the processing if it was explained to them. Processing on the legitimate interest ground should also be avoided where the processing could cause harm, unless there is a compelling reason that justifies the impact.

Public authorities cannot rely on the legitimate interest ground for any processing carried out in connection with the performance of their tasks as a public authority.

For more information, see the ICO’s guidance.

Whenever an organisation wishes to process personal data in reliance on the legitimate interest ground, it will need to carry out a Legitimate interest assessment (LIA). An LIA is used to identify:

  • what that legitimate interest of the processing is

  • the benefits of processing the personal data in that way

  • if such processing is necessary

Where personal data is to be processed on the ground of legitimate interest, an LIA needs to be carried out before any data is processed.

While there is no set process for LIAs, they generally follow a three-part test:

  • the purpose test - identifying the legitimate interest 

  • the necessity test - considering whether the processing is necessary

  • the balancing test - considering individuals’ interests and balancing them against the organisation’s interest

The purpose test involves organisations identifying their purpose for processing and deciding whether it counts as a legitimate interest. Organisations should consider:

  • why they want to process the data

  • what benefits are expected from the processing (including benefits for the organisation, any third parties and the wider public) and how important those benefits are

  • the impact if the processing could not go ahead

  • the intended outcome for individuals

  • whether any specific data protection rules (eg profiling requirements) and other relevant laws (eg specific e-privacy legislation) are complied with

  • whether industry guidelines and/or codes of practice are complied with

  • if any ethical issues exist in relation to the processing

If data is processed for any of the following purposes, the UK General Data Protection Regulation (GDPR) sets out that a legitimate interest exists:

  • the prevention of fraud (provided that it is strictly necessary)

  • network and information security (provided that it is strictly necessary)

  • indicating possible criminal acts or threats to public security

Under the GDPR the legitimate interest ground will further likely apply:

  • if the organisation is processing employee or client data

  • for direct marketing purposes

  • for intra-group administrative transfers

The purpose should be defined as specifically as possible. Having a clearly defined purpose will make carrying out the rest of the assessment (and especially the necessity test) easier. For more information and a worked example, read the ICO’s guidance.

If the purpose test cannot be met, an organisation cannot rely on legitimate interests as a lawful basis for processing.

The necessity test involves considering whether the processing is actually necessary for the specific purpose identified in the purpose test. Organisations should consider if:

  • the processing will actually help them achieve their purpose

  • the processing is proportionate to that purpose

  • the purpose could be achieved without processing the data (or by processing less data)

  • the purpose could be achieved by processing in another less intrusive or more obvious way

If other, less intrusive alternatives to processing the data exist, the LIA needs to clearly set out why these are not reasonable alternatives.

If, while completing an LIA, it becomes difficult to explain how the processing helps achieve the specified purpose, or if many alternative methods exist that simply do not fit the organisation’s chosen business model, the purpose may need to be specified more narrowly.

For more information and a worked example, read the ICO’s guidance.

The balancing test involves the organisation considering the interests, fundamental rights and freedoms of the data subject and balancing them against its own interest. In other words, the organisation needs to determine whether the data subject’s rights override the legitimate interests it has identified. This will involve considering:

  • the nature of the personal data to be processed

  • the reasonable expectations of the data subject

  • the likely impact of the processing on the data subject and if any safeguards can be implemented to reduce any negative impacts

Nature of the data

Organisations should consider the sensitivity of the personal data, specifically:

  • if the personal data is special category (sensitive) personal data (eg information about physical or mental health) or criminal offence data (eg information about criminal activity), both of which are given greater protection under the law

  • if the data is likely to be considered particularly private (eg financial data)

  • if the personal data relates to children or other vulnerable individuals

  • if the data is about people in their personal or professional capacity

The more sensitive (or private) personal data is, the more likely it is that the processing will be intrusive or create a significant risk to the data subject’s rights and freedoms (eg putting someone at risk of unlawful discrimination). Where this is the case, organisations will need to have a compelling justification for using the data and will need to take special care to have adequate safeguards in place.

If the personal data is considered less sensitive or private (eg because it concerns data subjects in their work capacity) then the impact may be less. However, organisations will still need to consider its likely impact.

Reasonable expectations

Organisations should consider whether data subjects would reasonably expect them to use their personal data in this way, taking into account all relevant factors, including:

  • if there is an existing relationship with the data subject (legitimate interest is more likely to apply where there is a ‘relevant and appropriate relationship’, for example because the data subject is a client or employee; if there isn’t a pre-existing relationship, it can be harder to demonstrate that the processing can be reasonably expected)

  • how the data subject’s data has been used in the past (if data has been used in a similar or the same way, the processing is more likely to be reasonably expected)

  • whether the data was collected directly from the data subject and, if so, what they were told at the time (eg information may have been provided in a privacy notice)

  • whether the data was obtained from a third party (eg a third party that collects data via a mobile application and uploads it to its servers) and, if so, what that third party told the data subjects about the reuse of the data by others (depending on what data subjects were told, they may be less likely to reasonably expect this type of further processing)

  • when the data was collected and if there have been any changes (eg to technology or other context) that may affect current expectations

  • if the organisation’s intended purpose is obvious or widely understood (the more obvious or widely understood the intended purpose, the more likely it is that the processing is reasonably expected)

  • if the organisation is planning to do something new or innovative (new or innovative use of personal data may be less reasonably expected)

  • if actual evidence about expectations exists (eg from market research or studies)

  • any fact-specific factors that indicate that data subjects may or may not reasonably expect the processing

Organisations do not have to show that every individual would expect their data to be used in this way, but that a reasonable person would expect their data to be used in this way in light of the specific circumstances.

Organisations may consider carrying out consultations, focus groups or market research if the processing’s purpose and method are not immediately obvious, and people may have a range of reasonable expectations regarding the processing. This will help demonstrate expectations and support the organisation’s position. Organisations may, as part of their determination, also wish to rely on any pre-existing studies regarding reasonable expectations in such a context.

Safeguards

Organisations need to consider the potential impact on data subjects and any damages the processing may cause. As a first step, organisations should consider if the processing is inherently likely to result in a high risk to individuals’ rights and freedoms (eg processing of biometric data like fingerprint data/facial images). If this is the case, a Data protection impact assessment (DPIA) will need to be carried out. For more information on this, read Data protection impact assessments. Consider following the ICO’s DPIA screening checklist to determine whether a DPIA is needed.

If the processing is not likely to result in a high risk, a risk assessment will still need to be carried out to consider whether the processing may cause any harm to the data subject’s interests, rights and freedoms. Organisations should consider whether the data processing could contribute to:

  • the inability to exercise rights (eg privacy rights)

  • the inability to access services/opportunities

  • the loss of control over the use of personal data

  • discrimination

  • identity theft/fraud

  • financial or physical harm

  • any other significant economic or social disadvantage (eg discrimination, loss of confidentiality or reputational damage)

Both the likelihood and the severity of any possible harm should be considered.

The likelihood of possible harm can be remote (it is possible that it may occur, but not likely), possible (it may happen or recur on a semi-regular basis) or probable (it recurs on a regular basis).

The severity of the possible harm can be: 

  • minimal - involving short-term minimal embarrassment to an individual, small amounts of personal data of the data subject and minimal disruption or inconvenience in the service delivery to the individual

  • significant - involving significant amounts of personal data being transferred outside of the organisation, leading to significant actual or potential detriment including emotional distress, as well as both physical and financial damage and/or safeguarding concerns

  • severe - involving significant amounts of personal data being transferred outside of the organisation, leading to a proven detriment and/or high-risk safeguarding concerns. Data subjects may encounter significant or irreversible consequences that they may not overcome (eg financial jeopardy)

If a potential for a high risk is identified (due to a chance of severe harm or a probable likelihood of harm), the organisation will need a compelling legitimate interest to satisfy the balancing test (ie it will need to demonstrate that its legitimate interests can override a serious impact). Where a high risk is identified, a DPIA must be completed. Where there is a lower risk of harm, this needs to be weighed against the potential benefits of the processing.

Organisations should consider whether any safeguards (eg collecting less data or providing an opt-out) could be implemented to reduce the risk. Implementing such safeguards may mean that the data subject’s interests no longer override the organisation’s interests, bearing in mind that safeguards do not by themselves justify the processing.

For more information and a worked example, read the ICO’s guidance.

Organisations will need to consider and weigh up all factors (for and against the processing) identified in the LIA. They will then need to decide if their interests still take priority over the risks to any individuals. This is not a mathematical exercise and there is an element of subjectivity involved, but organisations should be as objective as possible. Organisations must be confident that they can demonstrate that the benefit of processing justifies any risks they have identified. Where the risks are more significant or serious, a more compelling justification will be needed.

If it is very difficult to determine an outcome, and an organisation isn’t sure how best to proceed, finding another lawful basis for processing may be safest. This is because legitimate interest is not the most appropriate ground for any unexpected or high-risk processing.

For a worked example, read the ICO’s guidance.

Where an LIA has been completed, and the processing takes place on the ground of legitimate interest, the LIA must be kept under regular review. An LIA may need to be repeated if there are any significant changes (eg to the nature, scope, context or purposes of the data processing) that may affect the balance between the organisation’s interest and the risks to the individual.

While there are similarities between LIAs and DPIAs, an LIA is a simpler form of risk assessment designed for organisations to properly identify their purpose and consider its impact on individuals. An LIA is needed whenever data is to be processed on the legitimate interest ground, but there are no specific requirements as to its content or process, provided that the processing is justifiable. On the other hand, a DPIA is a more in-depth process, with specific requirements regarding content and process. DPIAs are required, irrespective of the lawful basis for processing, whenever the intended processing is likely to result in high risk.

However, organisations should be aware that there is some overlap between LIAs and DPIAs. It is sensible to incorporate the DPIA screening checklist into the balancing test if the processing is likely to result in high risk. This may help identify potential risks to individuals.

Further, LIAs may act as a trigger for DPIAs, where an LIA identifies the potential for high risks to individuals’ rights and freedoms. Where this is the case, a DPIA must be carried out.

It’s important to note that organisations don’t necessarily have to carry out an LIA in addition to a DPIA. As a DPIA covers the same ground as an LIA, but in greater detail, a DPIA can be used instead of an LIA to demonstrate precisely how the legitimate interest ground applies.

For more information on DPIAs, read Data protection impact assessments and Ask a lawyer if you have any questions or require assistance.
