What’s a recognised legitimate interest?
ICO publishes draft guidance on a new lawful basis
As a result of the Data (Use and Access) Act 2025 a seventh lawful basis for processing is being added to the UK GDPR. So, how does a recognised legitimate interest differ from a legitimate interest, and how does the ICO tell us this new lawful basis will work in practice?
Legitimate Interests
The existing lawful basis of legitimate interests may be appropriate depending on the purposes for which we’re collecting and using personal data. It’s considered the most flexible lawful basis, but the onus is on us to make sure our organisation’s interests are balanced with the interests, rights and freedoms of individuals. And while it’s not, strictly speaking, a legal requirement to document this ‘balancing test’, the ICO stresses it would be difficult to meet our accountability obligations without a record of a Legitimate Interests Assessment (LIA).
Recognised Legitimate Interests
There are now five new conditions which are set in law as recognised legitimate interests, and while we still need to determine necessity we no longer need to conduct a balancing test.
The ICO’s draft recognised legitimate interests guidance sets out these pre-approved purposes for using personal data. This draft is open to consultation, so may be subject to some amendments. Additional purposes may be added to this list in due course.
1. Public Tasks Disclosure Condition
Sharing personal information with another organisation that has requested it from you because they need it for their public task or official functions. This condition will only apply if you can meet the following requirements:
- another organisation asks you to share or disclose personal information;
- that organisation states in their request they need the particular information for their public tasks or official functions which are laid down in the law; and
- your disclosure of the personal information is necessary to respond to their request.
For more detail see ICO draft guidance: Public Tasks Condition
2. National Security, Public Security and Defence Condition
To safeguard national security, protect public security or for defence reasons. To use this condition, you must only intend to use personal information for these purposes and be able to demonstrate this use is necessary. The term ‘defence’ should be read as national defence, for example the protection, security and capability of the armed forces, and the civilian staff that support them.
See ICO draft guidance on this condition.
3. Emergencies Condition
To respond to, or deal with, an emergency situation. This covers situations which threaten serious damage to the environment or people’s welfare, or pose a serious threat to UK security.
See ICO draft guidance: Emergencies Condition
4. Crime Condition
To prevent, detect or investigate crimes, including the apprehension and prosecution of offenders. The scope of this condition includes economic crimes such as money laundering and scams. The ICO makes it clear if you’re handling criminal offence data you will still need to meet additional requirements under Article 10, UK GDPR.
See ICO draft guidance: Crime Condition
5. Safeguarding Condition
To protect the physical, mental or emotional well-being of people who need extra support or protect them from harm or neglect. To rely on this condition you must:
- make sure what you’re planning to do with personal data falls within the definition of safeguarding
- be satisfied the person you wish to safeguard is a child or an ‘at risk’ adult
- make sure the handling of personal information is necessary for this purpose
For more detail see ICO draft guidance on Safeguarding Condition.
Key points to bear in mind…
- Public authorities can’t rely on recognised legitimate interests to perform their tasks or functions.
- What you’re planning to do must meet one of the pre-approved conditions above.
- You must be satisfied using personal information is necessary, taking into consideration the facts of each case and whether there’s another reasonable and less intrusive alternative.
- More than one condition may apply to a particular situation or activity.
- No condition is better or more important than the others.
- The conditions can apply for different types of personal data including special category data. However, when relying on this lawful basis for special category data you’ll still also need to make sure you have a special category condition under Article 9 and meet any necessary requirements for that condition. You may also need to consider if conducting a Data Protection Impact Assessment is necessary or appropriate.
Relying on recognised legitimate interests may mean there’s no longer a need to conduct an LIA, but the ICO stresses this doesn’t mean there are no restrictions, and you’ll still need to comply with all other requirements under data protection law.
And to be clear, there’s no obligation to switch your lawful basis. If you currently rely on legitimate interests, have balanced this and are comfortable with it, you can keep things just as they are.
If you do choose to rely on recognised legitimate interests, remember you may need to update your Record of Processing Activities and any relevant privacy notice.