The Little Book of Data Protection Nuggets
Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.
As a result of the Data (Use and Access) Act 2025 a seventh lawful basis for processing is being added to the UK GDPR. So, how does a recognised legitimate interest differ from a legitimate interest, and how does the ICO tell us this new lawful basis will work in practice?
The existing lawful basis of legitimate interests may be appropriate depending on the purposes for which we’re collecting and using personal data. It’s considered the most flexible lawful basis, but the onus is on us to make sure our organisation’s interests are balanced with the interests, rights and freedoms of individuals. And while not strictly speaking a legal requirement to document this ‘balancing test’, the ICO stresses it would be difficult to meet our accountability obligations without a record of a Legitimate Interests Assessment (LIA).
There are now five new conditions which are set in law as recognised legitimate interests, and while we still need to determine necessity we no longer need to conduct a balancing test.
The ICO’s draft recognised legitimate interests guidance sets out these pre-approved purposes for using personal data. This draft is open to consultation, so may be subject to some amendments. Additional purposes may be added to this list in due course.
Sharing personal information with another organisation that has requested it from you because they need it for their public task or official functions. This condition will only apply if you can meet the following requirements:
For more detail see ICO draft guidance: Public Tasks Condition
To safeguard national security, protect public security or for defence reasons. To use this condition, you must only intend to use personal information for these purposes and be able to demonstrate this use is necessary. The term ‘defence’ should be read as national defence, for example the protection, security and capability of the armed forces, and the civilian staff that support them.
See ICO draft guidance on this condition.
To respond to, or deal with, an emergency situation. This covers situations which threaten serious damage to the environment or people’s welfare, or pose a serious threat to UK security.
See ICO draft guidance: Emergencies Condition
To prevent, detect or investigate crimes, including the apprehension and prosecution of offenders. The scope of this condition includes economic crimes such as money laundering and scams. The ICO makes it clear if you’re handling criminal offence data you will still need to meet additional requirements under Article 10, UK GDPR.
See ICO draft guidance: Crime Condition
To protect the physical, mental or emotional well-being of people who need extra support or protect them from harm or neglect. To rely on this condition you must:
Key points to bear in mind…
Relying on recognised legitimate interests may mean there’s no longer a need to conduct an LIA, but the ICO stresses this doesn’t mean there are no restrictions, and you’ll still need to comply with all other requirements under data protection law.
And to be clear, there’s no obligation to switch your lawful basis. If you currently rely on legitimate interests, have carried out the balancing test and are comfortable with it, you can keep things just as they are.
If you do choose to rely on recognised legitimate interests, remember you may need to update your Record of Processing Activities and any relevant privacy notice.
By June 2026 you’ll be legally required to have a procedure in place to handle data protection complaints. This was one of the few new obligations ushered in by the Data (Use and Access) Act 2025.
The ICO has published draft guidance on how to comply. While this is open to consultation until mid-October and may be subject to some amendments, it gives some useful pointers on the steps to take.
The aim of this change is to give anyone who is unhappy with how your organisation has handled their personal information a clear method for raising a complaint. For example, they could have a complaint about:
I’m sure some of you reading this will have received a letter from the ICO in the past asking for a complaint they’ve received to be resolved by you directly with the individual. Essentially this approach is changing. Moving forward, in the majority of cases when the ICO receives a complaint, the individual will be asked to go through your complaints procedure first.
A little warning. If you don’t have a clear procedure in place for data protection related complaints, the ICO may spot this pretty quickly should you come up on their radar.
Organisations are legally required to fulfil the following:
People must have a way of being able to raise a complaint directly with you. While the law doesn’t set out precisely how this must be done, the ICO gives some examples of different ways this could be achieved:
Many organisations, particularly those in the public sector, will already have a complaints procedure which could be adapted for this purpose. For those which don’t, the ICO expects you to write one and publish your procedure on your website, or provide it to people at the earliest opportunity. This would be expected to cover:
In our opinion it would seem fitting to add the key points of your complaints procedure to your external privacy notice, and replicate this in any other relevant audience specific privacy notices.
If evidence or additional information is needed, such as reference numbers or proof of ID, this should be asked for at the earliest opportunity. It would be helpful to mention this in your published procedure, for example ‘we may need to ask for proof of ID’.
As with privacy rights requests, an individual may make a complaint on someone else’s behalf. You’ll therefore need to make sure they are authorised to do so, for example by asking for evidence of a power of attorney or a signed letter of authority. The ICO is clear that if you have no evidence a third party is authorised to act on someone’s behalf you aren’t required to investigate the complaint, but you should respond explaining this.
The law doesn’t prescribe how an acknowledgement should be provided but the ICO gives the following examples:
The 30 days in which you must acknowledge a complaint starts the day after you receive the complaint, regardless of whether you received this on a weekend or bank holiday. If the last day to acknowledge falls on a weekend or bank holiday you have until the next working day.
The ICO says you must have arrangements in place to acknowledge and continue handling complaints, regardless of whether key people are off sick or if your organisation is closed. An important point for organisations such as schools or colleges which may close for a period of time.
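To make the acknowledgement clock concrete, here is an added worked example (ours, not code from DPN or the ICO) that applies the rule above: the count starts the day after receipt, receipt on a weekend or bank holiday still starts the clock, and a final day falling on a weekend or bank holiday rolls forward to the next working day. The bank-holiday set is a constructed sample covering only Christmas Day, Boxing Day and New Year’s Day; in practice you would load the full official list for your nation of the UK.

```python
from datetime import date, timedelta

# Constructed sample of bank holidays (assumption for this example only):
# a real deployment would load the official list for England & Wales,
# Scotland or Northern Ireland rather than hard-code dates.
BANK_HOLIDAYS = {
    date(2025, 12, 25),  # Christmas Day 2025 (Thursday)
    date(2025, 12, 26),  # Boxing Day 2025 (Friday)
    date(2026, 1, 1),    # New Year's Day 2026 (Thursday)
}

ACK_DAYS = 30  # statutory acknowledgement window described in the guidance


def is_working_day(d: date) -> bool:
    """Monday-Friday and not a bank holiday."""
    return d.weekday() < 5 and d not in BANK_HOLIDAYS


def acknowledgement_deadline(received: date, days: int = ACK_DAYS) -> date:
    """Last day on which an acknowledgement is in time.

    Day 1 is the day after receipt, so day `days` is simply receipt + days
    calendar days (weekends and bank holidays in between still count).
    If that final day is not a working day, the deadline moves to the
    next working day.
    """
    deadline = received + timedelta(days=days)
    while not is_working_day(deadline):
        deadline += timedelta(days=1)
    return deadline


def is_on_time(received: date, acknowledged: date) -> bool:
    """True if the acknowledgement went out on or before the deadline."""
    return acknowledged <= acknowledgement_deadline(received)


def days_remaining(received: date, today: date) -> int:
    """Calendar days left to acknowledge (negative once overdue)."""
    return (acknowledgement_deadline(received) - today).days


if __name__ == "__main__":
    # Received on a Friday; day 30 is a Sunday, so the deadline is the Monday.
    print(acknowledgement_deadline(date(2025, 11, 28)))   # 2025-12-29
    # Received on a Tuesday; day 30 is Christmas Day, then Boxing Day and a
    # weekend follow, so the deadline is Monday 29 December.
    print(acknowledgement_deadline(date(2025, 11, 25)))   # 2025-12-29
    # Received on a Saturday: the clock still starts the next day.
    print(acknowledgement_deadline(date(2025, 12, 6)))    # 2026-01-05
    print(is_on_time(date(2025, 11, 28), date(2025, 12, 30)))  # False
```

The rolling-forward loop is the part worth checking in your own tooling: a single "skip to Monday" step is not enough when a weekend is followed by a bank holiday, as happens around Christmas in the example.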
You must investigate the complaint without undue delay. If it’s not clear what the complaint is about, you should ask for more detail as quickly as possible.
It may also be useful to ask people to let you know the outcome they’re seeking; if you choose to use a complaints form, this question could be built in.
You’ll need to gather the information necessary to respond to the complaint, and the ICO tells us this might include taking actions such as:
There’s a duty to keep people updated on the progress of your investigation. If it’s likely an investigation is going to take some time, you’ll need to tell them you’re working to resolve the issue. You can always provide them with a date for when you expect to complete your investigation, and give them a point of contact if they have any questions.
Once the investigation is completed you must provide an outcome to the complainant without undue delay. The ICO says this means ‘as soon as possible’, and would expect your response to include the following:
If the individual is not satisfied with your outcome, you should tell them they have the right to complain to the ICO, and it would be good practice to provide them with the regulator’s contact details.
If they then tell you they’re planning to complain to the ICO you don’t have to get in touch with the regulator yourself. The ICO will come to you if they need more information.
Crucially you must be able to justify why you handled a complaint in the way you did. Which neatly brings us on to…
It will be necessary to keep evidence of your approach to each complaint you receive, and the ICO recommends keeping a record of the following:
You may be asked to provide this evidence to the ICO, or other industry bodies.
In all of this don’t forget data retention: it would be a good idea to agree how long you’ll keep records of complaints.
We’d recommend taking the following actions:
For more detail please see the ICO’s draft complaints guidance for organisations.
It’s increasingly common for online meetings and phone calls to be recorded and/or transcribed. A plethora of AI-enabled tools have popped up to make this very easy to do. Transcriptions can be really helpful to provide a written record, a short summary of the key points, or even to automate key actions. They are often handy for those who can’t attend or for people with certain disabilities. Some apps can combine the text with the recorded video or audio content for reference.
However, while we rush to take advantage of these apps, we should be mindful of some privacy risks and be sure to have some measures and controls in place.
Are people in your organisation going ahead with a ‘free trial’ and using recording or transcription services which have not been properly vetted or approved? This could result in poor controls on the outputs and data leakage to third parties. People need to know what they’re permitted to do, and what is not company policy. The safest bet is to go with an Enterprise version, so you can make sure there’s sufficient control and oversight of its use.
Some apps are set to ‘on’ by default, so the settings may need editing to stop them automatically recording or transcribing when you don’t want them to.
It’s important to make sure everyone’s happy for the meeting to be recorded and/or transcribed. Good practice would be to let participants know in advance when there will be a recording and/or transcription made and ask them to let you know if they object. Also remind them at the start of the meeting, before you actually click ‘start’.
AI transcription tools can be extremely accurate, often better than humans. But even so, AI can still make mistakes. For example, AI can misinterpret certain nuances in the human voice or behaviours, or fail to grasp the context. This could affect the accuracy of the written output, or even its meaning. What we say isn’t always what we mean! Take different forms of humour, such as sarcasm, which might not come across well in raw text.
Human oversight is key – don’t assume everything you read is 100% accurate to the words or the context.
Do we really need both a video recording and a transcription? Depending on the nature of meetings, this could create a significant volume of personal data, or perhaps commercially sensitive data. One of the first things we should think about is deleting anything we don’t need at the earliest opportunity.
Have we set any restrictions on who the outputs are shared with and in what form? We should take particular care to prevent unauthorised disclosure of sensitive information, whether of a personal, confidential or commercial nature.
Just because a meeting is of a sensitive nature doesn’t necessarily mean it can’t be recorded or transcribed. We know of circumstances where both parties have been in agreement on this, for example in grievance proceedings meetings. However, in such cases all the other points above become even more important: is it an approved app? Is the output accurate? Who should have access to it? And so on.
If recording and transcription tools are not set up and managed well, they may cause an unwelcome headache further down the line. Recordings and transcriptions may all be in scope if you receive a DSAR or erasure request. It’s therefore good to nail down how long materials will be kept, where they will be saved, and how to make sure they are searchable.
1. DPIA: Depending on your planned use and how sensitive the personal data captured is likely to be, consider if a DPIA is required (or advisable).
2. Internal policy / guidelines for usage: Set guidelines on when and how recording and transcription services should and should not be used. Include expected standards such as telling people in advance, giving them an opportunity to object, rules on sharing, deletion, etc.
3. Access controls: Update your access controls to make sure only authorised individuals can access recordings and transcriptions.
4. Retention: Update your data retention policy/schedule to confirm retention periods. Clearly there may be exceptions to the rule, if there is information which needs to be kept longer.
5. DSARs: Update your DSAR procedure to reflect personal data captured in recordings and transcriptions may be within scope.
We often talk about the risks of holding onto personal data for too long: the need to make sure data is destroyed when it’s no longer required, and how the impact of a data breach could be far worse if it involves personal records which shouldn’t have been kept. But now we have a case where it’s the destruction of records which caused a data breach.
The Scottish charity Birthlink has been fined £18,000 by the ICO for destroying approximately 4,800 records, some of which were irreplaceable photographs and letters.
The findings make for sobering reading. A catalogue of errors: lack of accountability, lack of policies and procedures, no appropriate data protection training and a failure to report a data breach for more than two years.
Birthlink has maintained the Adoption Contact Register for Scotland since 1984. This is a service for adopted people or their relatives, and for birth parents or their relatives. It enables people to register their details with the hope of being ‘linked’ and potentially reunited.
Where a link is made, records are classified as “Linked Records”, and the personal data contained within such records can include sensitive documents such as:
■ Original birth certificates
■ Adoption Contact Register application form
■ Correspondence between Birthlink and service users
■ Other information relevant to the adoption
■ Irreplaceable items (e.g. handwritten letters from birth parents and birth families, photographs and other sensitive personal information)
These are physical documents relating to adopted people’s individual circumstances, which the charity held in filing cabinets.
In January 2021 Birthlink was running out of space in the filing cabinets the Linked Records were stored in, so assessed whether they could destroy them. After a board meeting it was agreed there were no barriers to the destruction of the records, that retention periods should apply and only replaceable records should be destroyed.
However, it’s evident from the enforcement notice this was very badly managed. Due to poor records management, bags of paperwork were destroyed without a full understanding of what the documents entailed. To make matters worse, despite concerns being raised at the time about shredding people’s photographs and letters, the destruction continued.
More than two years later and following an inspection by the Care Inspectorate, the Board became aware irreplaceable items had in fact been destroyed. It was only then the data breach was reported to the ICO.
And the woeful tale continues. Poor record keeping means that not only will the extent of what was destroyed never be fully known, but Birthlink has also been left unable to identify the people affected by the breach.
Routinely in an article like this I’d write a bit about the key findings, but in this case I think they speak for themselves. You’ll not be surprised to learn Birthlink says there was limited knowledge of their data protection obligations at the time this breach took place.
Sally Anne Poole, Head of Investigations at ICO, said:
“It is inconceivable to think, due to the very nature of its work, that Birthlink had such a poor understanding of both its data protection responsibilities and records management process. We do however welcome the improvements the charity has subsequently put in place, not least by appointing a data protection officer to monitor compliance and raise awareness of data protection throughout the organisation.
“Whilst we acknowledge the important work charities do, they are not above the law and by issuing and publicising this proportionate fine we aim to promote compliance, remind all organisations of the requirement to take data protection seriously and ultimately deter them from making similar mistakes.”
It’s too easy to see the mistakes here, and easy to pour scorn on Birthlink. However, all organisations will recognise taking a robust approach to data retention can be challenging to deliver in practice.
Many organisations face a careful balance between destroying personal data they have no justification for holding on to, and making sure they continue to retain records they still need to keep. Robust records management procedures, secure storage and archiving, clear data retention periods, and clear authorisation when the time comes for destruction are crucial – especially when handling sensitive information.
Sometimes a specific law tells us how long certain records should be kept, or personal data needs to be retained to meet contractual obligations. Often we need to consider people’s reasonable expectations – would they expect us to be still holding on to their personal details or not?
In the case of Birthlink, the answer was almost undoubtedly, yes, people would have expected irreplaceable records to be retained, or perhaps returned to them, rather than destroyed.
I can’t stress enough that to tackle data retention effectively it needs shared ownership: clear accountability with assigned roles and responsibilities across the organisation. Good data governance is the key.
If this has given you an unwelcome nudge to revisit your approach to retention, see our 3 Steps to decide your data retention periods and our detailed Data Retention Guide.
When will provisions under the Data (Use and Access) Act 2025 (DUAA) take effect, and when can we anticipate guidance being published by the Information Commissioner’s Office?
The DUAA received Royal Assent on 19th June but while limited provisions came into effect immediately, the majority will be phased in over the coming months up to June 2026, with some requiring secondary legislation to be passed.
To be crystal clear, the DUAA does not replace UK GDPR, the Data Protection Act 2018 or the Privacy and Electronic Communications Regulations (PECR). The Act brings in amendments to these core pieces of legislation, much in the same way PECR was amended in 2009 with the so-called ‘cookie law’.
With immediate effect: One provision which has come in with immediate effect is clarification that when responding to Data Subject Access Requests (the right of access) organisations only need to undertake a “reasonable and proportionate search”. This inserts a new Article 15(1A) into UK GDPR, and gives a statutory footing to existing case law and guidance from the ICO.
From 20th August 2025 the following amendments will come into force:
■ Information Commissioner can serve notices by email
This amends the Data Protection Act 2018 with a new section 141A permitting notices to be served by email. You may want to double check the email address the ICO has on file for your organisation on the register of fee payers, make sure this is regularly monitored and who/which team a notice should be immediately forwarded to.
■ Information Notices and ICO power to ask for documentation
This grants the ICO the power to require organisations to provide documents as well as information when responding to an Information Notice.
Other measures commencing on 20th August include requirements for the Government to prepare a progress update and report on copyright and AI.
From September/October: Commencement is expected of measures on digital verification services.
Around December: Commencement of main changes to data protection legislation.
At present we don’t have precise dates for when specific provisions such as the soft opt-in for charities, changes to the cookie rules and recognised legitimate interests will commence, but we’ll update this article as and when we hear more. For a top-level summary of the Act see DUAA 2025: 15 key changes ahead.
The ICO has published a timeline of when we can expect updated or new guidance covering the changes the DUAA ushers in.
Summer 2025
■ Data Subject Access Requests – update to detailed Right of Access guidance
■ Substantial public interests conditions – a new interactive tool
■ Cookies & similar technologies (Part 1) – update to ‘cookie guidance’ and renamed ‘guidance on storage and access technologies’.
Winter (2025/26)
■ Direct marketing and Privacy and Electronic Communications Regulations guidance – update to existing guidance
■ Complaints procedures – new guidance for organisations on how to handle data protection complaints
■ Lawful basis of recognised legitimate interests – new guidance
■ Legitimate interests – update to existing guidance
■ International data transfers guidance – update to existing guidance
■ Cookies & similar technologies (Part 2) – (‘guidance on storage and access technologies’).
■ The purpose limitation principle– updated and enhanced guidance
■ Anonymisation and pseudonymisation for research purposes – guidance
Spring 2026
■ Automated Decision Making (ADM) and Profiling – updated guidance
■ Research, archiving and statistics provision – updated guidance.
■ SME data essentials – guidance
More detail and other updates from the ICO can be found here: plans for new and updated guidance.
The ICO will also in due course be producing codes of practice on edtech and artificial intelligence.
There’s lots to watch out for and we’ll try our best to keep you up to date with developments as and when they happen.
The Data Use and Access Act (DUAA) introduces changes to the concept of legitimate interests under UK GDPR. Once provisions take effect there will be a seventh lawful basis of recognised legitimate interests and legal clarity on activities which may be considered a legitimate interest.
The DUAA amends Article 6 of GDPR to expand the six lawful bases for processing to seven, to include recognised legitimate interests. While a necessity test will still be required, for the following recognised legitimate interests there will no longer be a requirement for an additional balancing test (Legitimate Interests Assessment):
■ Disclosures to public bodies, or bodies carrying out public tasks where the requesting body has confirmed it needs the information to carry out its public task.
This means private and third sector organisations which work in partnership with public bodies will just need confirmation that the public body needs the information to carry out its public task. This is likely to give more confidence to organisations (such as housing associations and charities) when sharing information with public sector partners.
Data Sharing Agreements, Records of Processing Activities (RoPAs) and privacy notices may need to be updated to reference recognised legitimate interests as the lawful basis where appropriate. Staff training may also need updating.
■ Safeguarding vulnerable individuals – this allows for the use of personal data for safeguarding purposes. There are also definitions given for the public interest condition of “safeguarding vulnerable individuals”, which the ICO has written more about here.
■ Crime – this allows use of personal information where necessary for the purposes of detecting, investigating or preventing a crime; or apprehending or prosecuting offenders.
■ National security, public security and defence – this allows the use of personal information where necessary for the purposes of safeguarding national security, protecting public security or defence.
■ Emergencies – this allows the use of personal information where necessary when responding to an emergency. An emergency is defined by the Civil Contingencies Act 2004 and means an event or situation which threatens serious damage to human welfare or the environment, or war or terrorism which threatens serious damage to the security of the UK.
The ICO is planning to publish guidance on recognised legitimate interests over Winter 2025/26. For a timeline of when we can anticipate other DUAA related guidance from the ICO see DUAA – Next Steps.
There are some examples of activities which may be considered a legitimate interest in the recitals of UK GDPR. As such they provided an interpretation of the law but were not legally binding. DUAA moves the following examples of legitimate interests from the recitals into the body of the law:
■ direct marketing
■ intra-group sharing of data for internal administrative purposes, and
■ processing to ensure network and information security.
This may give organisations more confidence when relying on the lawful basis of legitimate interests however, unlike recognised legitimate interests, the above will still be subject to a Legitimate Interests Assessment.
The core rules under the Privacy & Electronic Communications Regulations (PECR) are not changing – unless you’re a charity wishing to benefit from the ‘soft opt-in’. For direct marketing activities, legitimate interests will still only be an option for specific marketing activities which don’t require specific and informed consent under PECR.
An update to both the ICO’s Legitimate Interests Guidance and PECR guidance is expected in Winter 2025/26.
One of the fundamental data protection principles is that our handling of personal data must be ‘lawful, fair and transparent’. To be lawful, clearly, we shouldn’t do anything illegal in general terms. But what else does it mean to be lawful?
We’re given six lawful bases to choose from under UK/EU GDPR. For each purpose we use personal data for, we need to match it with an appropriate lawful basis.
For example a purpose might be:
We need to select the most appropriate lawful basis and meet its own specific requirements. Each basis is equally valid, but one may be more appropriate than others for any specific task. We’re legally obliged to set out the lawful bases we rely on in our privacy notices.
If none of them seem to work, you may want to question whether you should be doing what you’re planning to do.
(This is not intended to be exhaustive, do check the ICO’s Lawful Basis Guidance)
This lawful basis will be appropriate if you need to process an individual’s personal information to deliver a service to them, or you need to collect certain details to take necessary steps before entering into a contract or agreement with them.
Example 1: An individual purchases a product from you and you need to handle specific personal information about them in order to deliver that product, including when you acknowledge their order, provide essential information, and so on.
Example 2: Someone asks you to give them a quote for your services, and you need certain information about them in order to provide that quote.
Contract tips:
There may be circumstances where you are legally obliged to conduct certain activities, which will involve processing personal data. This could be to comply with common law or to undertake a statutory obligation.
Example 1: You are offering a job to someone outside the EU. You need to check they have a visa to work in the UK, as this is a legal obligation.
Example 2: Airlines and tour operators collect and process Advance Passenger Information (API), as this is a legal requirement for international air travel.
Legal obligation tips
You can collect, use or share personal data in emergency situations, to protect someone’s life.
Example: A colleague collapses at work, is unable to talk, and you need to tell a paramedic they have a medical condition. Common sense should prevail.
Vital interest tips
You can process personal data if necessary for public functions and powers that are set out in law, or to perform a specific task in the public interest.
Most often this basis will be relied upon by public authorities and bodies, but it can apply in the private sector where organisations exercise official authority, or carry out tasks in the public interest.
Public task tips
This is the most flexible lawful basis, but don’t just assume what you’re doing is legit. It’s most likely to be appropriate when you use people’s data in a way they’d reasonably expect, where there is minimal impact on them, or where you have a compelling justification.
Legitimate interests must be balanced. You must balance the organisation’s interests against the interests, rights and freedoms of individuals. If your activities are beyond people’s reasonable expectations or would cause unjustified harm, their rights and interests are likely to override yours. See also: Legitimate interests – when it isn’t legit.
Legitimate Interests tips
Important note: The UK Data (Use and Access) Act, which received Royal Assent in June 2025, introduces a new lawful basis for processing into the UK GDPR. Once the relevant provisions commence, this lawful basis of ‘recognised legitimate interests’ can be relied upon by organisations for specific purposes without being required to conduct a balancing test (i.e. a Legitimate Interests Assessment). The list of recognised legitimate interests includes the following (and may be expanded):
■ Disclosures to public bodies, where the requesting body has confirmed the personal data is necessary to fulfil its public task.
■ Processing for national security, public security or defence purposes, and for responding to emergencies.
■ Processing for the prevention, detection or investigation of crime, and for safeguarding vulnerable individuals.
This is when you choose to give individuals a clear choice to use their personal details for a specific purpose and they give their clear consent for you to go ahead. The law tells us consent must be a ‘freely given, specific, informed and unambiguous’ indication of someone’s wishes given by a ‘clear affirmative action’.
Consent is all about giving people a genuine choice and putting them in control. They must be able to withdraw their consent at any time, without a detrimental impact on them. See also: Consent, getting it right.
Consent tips:
In summary, consider all the purposes you have for processing personal data. Assign a lawful basis to each purpose and check you’re meeting the specific requirements for each basis. Tell people in your privacy notice the lawful bases you rely on, and specifically explain your legitimate interests.
Finally, don’t forget, if you’re processing special category data (for example data revealing racial or ethnic origin, health data or biometric data) you’ll need a lawful basis, plus you’ll need to meet one of the conditions under UK GDPR Article 9. For criminal convictions data you’ll need a lawful basis, plus one of the conditions under UK GDPR Article 10.
Get DPN updates direct to your inbox. Insight, free resources, guides, events & services from DPN Associates (publishers of DPN). All our emails have an opt-out. For more information see our Privacy Statement.