A new legal basis for processing in the UK: Unpacking the ICO’s ‘recognized legitimate interests’ guidance

The UK Information Commissioner’s Office (ICO) has published draft guidance on upcoming changes to UK data protection law: A new concept of “recognized legitimate interests”. 

Here’s a look at what “recognized legitimate interests” is and how the ICO is interpreting this part of the Data (Use and Access) Act (DUAA).

1. What does ‘recognized legitimate interests’ mean? 
2. What are the five recognized legitimate interest conditions? 
3. Public task disclosure request 
4. National security, public security, and defense 
5. Emergencies 
6. Crime
7. Safeguarding

What does ‘recognized legitimate interests’ mean? 

“Recognized legitimate interests” (RLI) is a new legal basis for processing personal data under the UK General Data Protection Regulation (UK GDPR). 

RLI is similar to “legitimate interests”, with two main differences: 

• Legitimate interests is flexible and suitable for various purposes. RLI is only currently suitable for five specific activities. 
• Unlike legitimate interests, there is no need to conduct a “balancing test” before relying on RLI. 

The ICO’s guidance also notes some similarities between RLI and legitimate interests: 

• Neither basis is suitable for conducting automated decision-making within the scope of Article 22 UK GDPR. 
• In both cases, you must give the data subject the opportunity to object to the processing, and you must accept their objection unless you can demonstrate compelling interests to continue. 
• You can only process personal data on either basis where it is “necessary” to do so.

What are the five recognized legitimate interest conditions? 

Here are the five RLI conditions: 

1. Public task disclosure request 
2. National security, public security, and defense 
3. Emergencies 
4. Crime 
5. Safeguarding 

These conditions are the circumstances under which you may rely on RLI if necessary. 

Now we’ll look at how the ICO interprets each of the conditions

Public task disclosure request 

Under the “public task disclosure request” condition, you may share personal data with an organization that needs it to carry out its public tasks or official functions. 

For example, a public authority writes to your company requesting information about an employee’s work patterns. You need a legal basis to share this information, and “public task disclosure request” provides a condition to do so. 

As the ICO notes, “this condition is limited in scope, and it only applies to data sharing with organizations who have public tasks or official functions in UK law.” 

National security, public security, and defense 

The terms “national security, public security, and defense” are not defined in UK data protection law. The ICO says this condition is likely to be most useful in the following circumstances: 

• National security: “The security and well-being of the UK as whole, its population, its institutions and system of government.” 
• Public security: “The welfare and protection of the public at large. It’s likely to include the protection of life, institutions and organizations against public threats including crime, disasters and other risks to life, safety and wellbeing.” 
• Defense: “The combat effectiveness of the UK’s armed forces. It is also likely to cover the continued protection, security and capability of the armed forces, and the civilian staff that support them.” 

Emergencies 

This condition enables a controller to process personal data where necessary in an event or situation that meets the definition of an “emergency” in the Civil Contingencies Act 2004 (CCA 2004). 

As noted by the ICO, the CCA 2004 covers a wide range of situations, including: 

• War and terrorism that threatens serious damage to the security of the UK 
• An event or situation that threatens serious damage to people’s welfare in the UK 
• An event or situation that threatens serious damage to the UK environment.

Crime 

The “crime” condition enables a controller to process personal data where necessary for “detecting, investigating or preventing crime” or “apprehending or prosecuting offenders.” 

The ICO provides several relevant examples of situations in which the “crime” condition might apply: 

• Money laundering 
• Financing terrorists 
• Scams and fraud aimed at people or organizations 
• Fraud detection by insurers (e.g. using indicators to review claims) 
• CCTV monitoring for shoplifting in retail settings 

Safeguarding 

The “safeguarding” condition enables a controller to process personal data to protect vulnerable individuals, defined as children under 18 or adults “at risk”.  

This condition includes protection from neglect or harm and safeguarding well-being. The ICO notes that organizations must ensure the individual qualifies as vulnerable and that the processing is necessary.  

For example, a youth charity might use this condition to share concerns about a neglected child with the local authority. 

Maintaining strong data protection standards when relying on RLI 

The adoption of RLI is a significant change to UK data protection law and should make it easier for private-sector organizations to use personal data in certain conditions. 

But as the ICO notes, the RLI conditions are not exemptions from data protection law.