Wednesday, 2 July 2025
What does the Data (Use and Access) Act mean for you? Part One – Legitimate Interest changes

The Data (Use and Access) Act received Royal Assent this month, so organisations can start preparing to implement the changes. This short series of articles looks at the effects of some of the most important changes, starting with the changes to the legitimate interests lawful basis for processing.
A new kind of legitimate interest
Organisations must be able to identify at least one lawful basis for processing, from a list set out in the General Data Protection Regulation.
Legitimate interests is one of the more flexible bases, as it allows organisations to use personal data without collecting consent as long as individuals are informed about the processing and given the option to opt out, and the processing passes a three-part Legitimate Interest Assessment (LIA). The LIA is designed to determine whether a) there is a legitimate interest (Purpose), b) the processing is necessary for that legitimate interest (Necessity) and c) the benefits of the processing outweigh any risks to the rights and freedoms of the individual (Balancing).
The Data (Use and Access) Act introduces a new, seventh, lawful basis for processing – Recognised Legitimate Interests (RLIs). These are legitimate interests listed in Schedule 4 of the Act. For processing on this list, the legitimate interest is already identified (a) and no Balancing Test needs to be completed (c). A Necessity Test (b) must still be carried out and approved.
The RLIs are:
- Responding to requests from public bodies – the organisation will no longer need to carry out a necessity test but can rely on the public body’s assertion that it needs the data.
- National security, public security and defence.
- Responding to emergencies.
- Detecting, investigating or preventing crime, or apprehending or prosecuting offenders – this includes the kinds of tasks most organisations carry out to prevent fraud and computer misuse, for example.
- Safeguarding vulnerable individuals – this means protecting them from neglect or physical, mental or emotional harm, or protecting their physical, mental or emotional well-being. Vulnerable individuals include everyone under 18 and anyone over 18 and ‘at risk’, which means the organisation has reasonable cause to suspect they need care and support, are experiencing or at risk of neglect, or physical, mental or emotional harm, or are unable to protect themselves from those harms due to their needs.
Organisations wanting to rely on RLIs should:
- Review their documentation including Legitimate Interest Assessments, policies and procedures relating to legitimate interests and Records of Processing Activities (ROPA) and update them to allow for RLIs.
- Identify the processing that could be carried out on the basis of an RLI and document the switch – for example, updating the ROPA, noting that future reviews of existing LIAs need only consider whether the processing is still necessary, and ensuring that a simplified template is used for new RLIs.
- Some organisations may also wish to review any LIAs that have previously failed the Balancing Test to determine whether they are RLIs and the processing can now go ahead.
- Provide training to relevant teams so they understand the changes, how they are implemented in your organisation and what they mean for their role.
In addition, the following have been set out as examples of legitimate interests (but are not RLIs and so still need full Legitimate Interest Assessments to be carried out):
- Direct marketing.
- Intra-group transfers for administrative purposes.
- Ensuring the security of network and information systems.
This means that these kinds of processing have been formalised as legitimate interests and organisations should have more confidence in choosing legitimate interests as the most appropriate basis.
Organisations should consider:
- Providing training to marketing, operations and IT teams to ensure they are considering legitimate interests where available.
- Providing training and talking to records management teams to establish whether there are any data or database architecture issues preventing the organisation from using legitimate interests where available.