DUA Act and Legitimate Interests
The Data Use and Access Act (DUAA) introduces changes to the concept of legitimate interests under UK GDPR. Once provisions take effect there will be a seventh lawful basis of recognised legitimate interests and legal clarity on activities which may be considered a legitimate interest.
Recognised Legitimate Interests
The DUAA amends Article 6 of GDPR to expand the six lawful bases for processing to seven, to include recognised legitimate interests. While a necessity test will still be required, for the following recognised legitimate interests there will no longer be a requirement for an additional balancing test (Legitimate Interests Assessment):
■ Disclosures to public bodies, or bodies carrying out public tasks where the requesting body has confirmed it needs the information to carry out its public task.
This means private and third sector organisations which work in partnership with public bodies will just need confirmation that the public body needs the information to carry out its public task. This is likely to give more confidence to organisations (such as housing associations and charities) when sharing information with public sector partners.
Data Sharing Agreements, Records of Processing Activities (RoPAs) and privacy notices may need to be updated to reference recognised legitimate interests as the lawful basis where appropriate. Staff training may also need updating.
■ Safeguarding vulnerable individuals – this allows for the use of personal data for safeguarding purposes. There are also definitions given for the public interest condition of “safeguarding vulnerable individuals”, which the ICO has written more about here.
■ Crime – this allows use of personal information where necessary for the purposes of detecting, investigating or preventing a crime; or apprehending or prosecuting offenders.
■ National security, public security and defence – this allows the use of personal information where necessary for the purposes of safeguarding national security, protecting public security or defence.
■ Emergencies – this allows the use of personal information where necessary when responding to an emergency. An emergency is defined by the Civil Contingencies Act 2004 and means an event or situation which threatens serious damage to human welfare or the environment, or war or terrorism which threatens serious damage to the security of the UK.
The ICO is planning to publish guidance on recognised legitimate interests over Winter 2025/26. For a timeline of when we can anticipate other DUAA related guidance from the ICO see DUAA – Next Steps.
Types of processing that may be considered a legitimate interest
There are some examples of activities which may be considered a legitimate interest in the recitals of UK GDPR. As such they provide an interpretation of the law but are not legally binding. The DUAA moves the following examples of legitimate interests from the recitals into the body of the law:
■ direct marketing
■ intra-group sharing of data for internal administrative purposes, and
■ processing to ensure network and information security.
This may give organisations more confidence when relying on the lawful basis of legitimate interests. However, unlike recognised legitimate interests, the above will still be subject to a Legitimate Interests Assessment.
The core rules under the Privacy & Electronic Communications Regulations (PECR) are not changing – unless you’re a charity wishing to benefit from the ‘soft opt-in’. For direct marketing activities, legitimate interests will still only be an option for specific marketing activities which don’t require specific and informed consent under PECR.
An update to both the ICO’s Legitimate Interests Guidance and PECR guidance is expected in Winter 2025/26.