
Pre-Approved: ICO Publishes Guidance on “Recognised Legitimate Interests”

Client Alert | 8 min read | 05.01.26

In March 2026, the UK Information Commissioner (ICO) published guidance on the new lawful basis for processing personal data introduced by the Data (Use and Access) Act 2025 (DUAA): the recognised legitimate interest (RLI) lawful basis. Controllers may now rely upon one of five pre-approved conditions, each focused on specific public-interest justifications, for personal data processing.

When relying on the pre-approved RLI bases to justify the processing of personal data, data controllers are not required to conduct a legitimate interests assessment (LIA), the traditional three-part “balancing test” used to determine whether the legitimate interest is outweighed by a data subject’s rights, freedoms, or interests. However, controllers must still confirm that what they want to do is necessary and comply with all other relevant provisions of the UK GDPR.

The RLI lawful basis is distinct from the traditional legitimate interest lawful basis. It simplifies data processing by pre-approving certain specified conditions as legitimate interests. This simplification narrows the grounds on which data subjects may challenge personal data processing, given that the balancing test, a key mechanism for rights-based scrutiny, is not required before this lawful basis can be relied upon. However, controllers must remain transparent about how and when they rely on the RLI basis when processing individuals' data.

The omission of the requirement to carry out an LIA is consistent with the broader policy objectives of the DUAA, which seeks to reduce the compliance burden for organisations in various areas whilst maintaining robust data protection standards.

Reliance on a Recognised Legitimate Interest Condition:

To rely on any of the five conditions identified in the RLI lawful basis, controllers must be able to demonstrate that their processing of personal data is both necessary and proportionate. It is important to note that necessity is an objective test — it is not satisfied simply because a controller has chosen to operate in a particular way. If the same purpose can be achieved through less intrusive means or by processing less data, the condition will not apply. As noted above, reliance on the RLI basis does not negate the need to comply with other relevant obligations under UK GDPR.

It should also be noted that controllers who rely solely on automated decision-making, and public authorities performing public tasks or official functions, cannot rely on the RLI lawful basis to justify personal data processing.

The ICO guidance notes that any of the RLI conditions may be suitable for use with the personal data of children, but extra precautions must be taken to protect their interests. 

The guidance also makes clear that the RLI lawful basis may be relied upon in respect of special category personal data and criminal offence data, provided that the processing is necessary for one of its five conditions. The additional rules for processing those categories of personal data must still be adhered to.

We set out below a summary of each of the five recognised legitimate interest conditions.

1. Public Task Disclosure Response Condition

This condition allows data to be shared with another organisation that has requested it from the disclosing organisation because the requesting organisation needs it for its public tasks or official functions. The guidance observes, however, that if a controller is legally obliged to share personal data with another organisation, the appropriate lawful basis is legal obligation and not RLI.

To rely upon this condition, a controller must have received a request from another organisation that clearly states that it requires the relevant personal data for its public tasks or official functions under UK law or “relevant international law.”

The disclosing organisation may only share what is proportionate and strictly necessary to fulfil the request and must also ensure that the relevant personal data is handled securely.

Where personal data is being shared for a purpose other than that for which it was originally collected, the controller must assess whether the new purpose is compatible with the original purpose.

This condition only covers the sharing of personal information between the disclosing organisation and the requesting organisation. If a request involves anything beyond that, for example, deleting or altering personal data, then this condition will no longer apply. Any other processing must still comply with the UK GDPR, including having a valid lawful basis and processing the relevant data fairly and transparently.

Responding to such requests is voluntary. The condition does not give the requesting organisation a right of access to the data, nor does it oblige the disclosing organisation to disclose the relevant personal data.

2. National Security, Public Security and Defence Condition

Organisations may rely on this condition where the processing is necessary to safeguard national security, to protect public security, or for defence reasons. Use of personal data must be demonstrably necessary to support one of the relevant purposes.

If an organisation is already handling personal information for security or defence purposes, it may not need to rely on the RLI lawful basis, as it may be able to rely on alternative lawful bases, such as public task or legal obligation under the UK GDPR, or it may be subject to different parts of data protection law.

Competent authorities and intelligence services will tend to fall under the Data Protection Act 2018 (DPA) (Part 3 and Part 4) and will not need to rely on the RLI lawful basis.

3. Emergencies Condition

Data controllers may be able to rely on this condition if the processing is necessary for the purposes of responding in short order to particular kinds of emergencies. 

Controllers must decide if using individuals’ personal data is necessary for the purposes of responding to an emergency situation.

To rely on this condition, the situation that the relevant organisation is responding to must meet the definition of an emergency as set out in the Civil Contingencies Act 2004. Relevant emergencies include: (i) events that either threaten serious damage to people’s welfare or the environment in the UK, such as a pandemic or severe weather event; or (ii) acts of war or terrorism that threaten serious damage to the security of the UK.

This condition cannot be relied on in the context of small-scale emergencies, such as an employee falling seriously ill at work (other lawful bases for processing personal data in such circumstances can be relied upon, e.g., vital interests).

Organisations relying on this condition must be clear on the location of the emergency, as they can only rely on the condition in respect of the personal data of people located in the affected area.

Organisations should also consider what lawful basis for processing they will rely on for continued processing of personal data once the emergency period has ended. For example, an organisation may need to rely upon the legitimate interests lawful basis for processing if there is a longer-term need to process the relevant personal data.

4. Crime Condition

Controllers may utilise this condition when the processing of personal data is necessary for the purpose of detecting, investigating, or preventing crime, or apprehending or prosecuting offenders. It can be used where controllers need to share personal data for crime-related purposes (for example, money laundering and fraud).

The use of personal data must directly assist in detecting, investigating, or preventing crime, and must be necessary for and proportionate to that aim.

Where a controller wishes to use criminal offence data, it must also ensure that it has identified and documented an appropriate additional condition for processing under Schedule 1 to the DPA (subject to certain exceptions).

Organisations may not always be able to rely on this condition (e.g., if an organisation already has statutory crime reporting obligations, it may be more appropriate to rely upon the legal obligation lawful basis).

5. Safeguarding Condition

This condition may be relied upon when the processing is necessary for the purposes of safeguarding a vulnerable individual (in other words, to protect individuals at risk of harm, including neglect or physical, emotional, or mental harm, or to protect their physical, emotional, or mental well-being).

To qualify as a “vulnerable individual,” the relevant data subject must either be under 18 years of age or an “at-risk” adult who needs care or support and is experiencing, or is at risk of, physical, mental, or emotional harm, and is therefore unable to protect themselves against the neglect, harm, or risk. The protection of vulnerable individuals also extends to groups who share a common characteristic.

The controller must demonstrate that its use of the relevant personal data is necessary for the purpose and proportionate. The necessity test does not require the processing to be absolutely essential, but it must be more than merely useful or convenient. It is important to continually assess the condition of the relevant data subjects and the processing of personal data under the condition, as circumstances may change.

Controllers must also comply with the relevant additional obligations in respect of special category and criminal offence data.

Commentary:

The introduction of the RLI lawful basis under the UK GDPR contrasts with the contextual balancing approach adopted under the EU GDPR. Under the EU GDPR, controllers are required to individually assess and document the balance between their interests and data subjects' rights on a case-by-case basis when relying upon the original legitimate interests lawful basis for processing. The introduction of the RLI conditions constitutes the UK’s strongest indication to date that it intends to move away from the balancing approach of the EU in favour of reducing the administrative burden on businesses that are subject to the UK GDPR.

Multinational organisations operating across both the UK and the EU must remain compliant with both frameworks, ensuring they continue to apply the balancing test under the EU GDPR. Organisations should also be cautious not to treat the RLI lawful basis as a default or preferable basis. Reliance on the RLI lawful basis is only appropriate where one of the five specific conditions is genuinely met.

Next Steps for Organisations:

Controllers should consider the following:

  • If an organisation intends to rely on the RLI lawful basis, it must determine which of the five relevant conditions is being relied on before processing begins and update its privacy policies to ensure transparency in this regard.
  • Organisations cannot rely on either the legitimate interests or the RLI lawful basis if there is another reasonable and less intrusive way to achieve the same result and should confirm the position to determine whether this is the case.
  • Where personal data processing relies on the RLI lawful basis, organisations must ensure that all data subjects remain aware of their right to object to processing of their data. Organisations should update their internal guidelines and policies to reflect how personal data can be used under the RLI lawful basis.
  • Controllers should document whenever one of the five RLI conditions is relied on. Even though no formal LIA is needed, it is best practice to record details of the context and why the decision was made for transparency and accountability purposes.

Crowell would like to thank Phoebe Kinsman for her contribution to this alert.
