Recognised legitimate interest

Relying on a recognised legitimate interest

Audience and Purpose

This guidance is for any member of University staff tasked with determining the legal basis for processing personal data who decides to use ‘recognised legitimate interest’.

You will need to use this guidance when:

  • Customising a privacy notice to ensure it complies with current data protection legislation.
  • Conducting a ‘data protection impact assessment’ (DPIA).
  • Otherwise collecting or receiving personal data for a new initiative.

Definitions

1. Processing in the recognised legitimate interest

If personal data is to be used for purposes that do not relate to the University’s core functions or public tasks, processing may also be possible if it is necessary for the recognised legitimate interest of the University.

Importantly, relying on recognised legitimate interest does not require a balancing test. 

2. What are the ‘recognised legitimate interests’?

a) Public task disclosure: Sharing personal data with another organisation that has requested the data because they need it for their public task or official function.

Example: A request from the police for personal data about a suspect in a serious crime. The police will no longer have to justify that the reason for requesting the data is of sufficient seriousness.

Example: Edinburgh City Council requests information about a student regarding council tax payments.

In their request to share, the other organisation must clearly state that they need the particular information for their public tasks as laid down in the law. This means the University can then rely on that declaration and doesn’t need to know that the information the organisation requests is actually necessary to perform their task or function.

b) National security, public security and defence

  • National security – covering the security and wellbeing of the UK as a whole, its population, institutions and system of government.
  • Public security – concerning the welfare and protection of the public at large, likely including the protection of life, institutions and organisations against public threats such as crime, disasters and other risks to life, safety and wellbeing.
  • Defence – including the combat effectiveness of the UK’s armed forces, the continued protection, security and capability of the armed forces and civilian staff that support them.

c) Emergencies: To respond to, or deal with, an emergency situation. This covers situations as defined in the Civil Contingencies Act 2004 (CCA 2004):

  • war and terrorism that threatens serious damage to the security of the UK
  • an event or situation that threatens serious damage to people’s welfare in the UK
  • an event or situation that threatens serious damage to the UK environment

In other words, it can’t be minor or trivial. It’s foreseeable the event will imminently cause significant or severe harm or destruction.

d) Crime: this enables the University to use people’s information where it is necessary to prevent and report crimes, as well as to prosecute offenders (including suspected offenders).

To apply the crime condition, the University must:

  • intend to handle personal data to help
    • detect, investigate or prevent a crime; or
    • catch and prosecute an offender or suspect; and
  • ensure that using personal data is necessary for this purpose

Once the University has confirmed that the purpose for using personal data is one of those set out in the crime condition, the University must then decide whether use of the data is necessary to pursue that aim – more than just useful.

Example: Fraud prevention - where the processing is strictly necessary for the purpose of preventing fraud. This could include verifying that the registered address of the cardholder for a particular credit or debit card is the same as the cardholder’s normal place of residence or work.

e) Safeguarding: protecting a vulnerable individual from neglect or physical, mental or emotional harm or protecting the physical, mental or emotional wellbeing of a vulnerable individual. A vulnerable individual is either someone aged under 18 or an adult who meets the condition’s definition of ‘at risk’.

Protecting a vulnerable individual or their wellbeing includes both protecting one person and protecting a group of people who share a common characteristic (e.g. serious health conditions or care needs).

3. How to carry out the legitimate interest assessment

In order to rely on a recognised legitimate interest, the University has to perform a two stage assessment:

  1. identifying a legitimate interest,
  2. establishing that the processing is ‘necessary’ and

The legitimate interest can be one of the University or of a third party to whom the data may be disclosed, as long as the three stage test is passed.

Contact the DPO at dpo@ed.ac.uk and you will be assigned an assessment in the online tool via OneTrust. Once the assessment has been completed and approved by the DPO, and the decision has been reached that ‘necessary for the legitimate interest’ is indeed the appropriate legal basis for processing, a short summary of the reasoning behind the decision must be included in the privacy notice.

1. Identifying a legitimate interest:

The first stage is to identify the recognised legitimate interest – what is the purpose for processing the personal data and is it in the list for recognised legitimate interests?

2. Carrying out a Necessity Test

You will need to consider whether the processing of personal data is ‘necessary’ for achieving the objective(s). The adjective ‘necessary’ is not synonymous with ‘indispensable’ but neither is it as wide as ‘useful’ or ‘desirable’.

It may be easiest to simply ask, ‘Is there another way of achieving the identified interest?’ If there is no other way, then clearly the processing is necessary. It is, however, not enough to argue that processing is necessary simply because you have chosen to operate your business in a particular way. If there is another way but it would require disproportionate effort, then you may determine that the processing is still necessary. If there are multiple ways of achieving the objective, then a Data Protection Impact Assessment (DPIA) should be used to identify the least intrusive processing activity. Finally, if the processing is not necessary, then ‘recognised legitimate interest’ cannot be relied on as a legal basis for that processing activity.

The ‘necessary’ test