GDPR: New ICO Guidance on ‘Legitimate Interests’

When the GDPR comes into force on 25 May 2018, it is unlikely that you will be able to obtain valid consent from staff for processing their personal data.

This is because the GDPR introduces a more stringent requirement for consent, which has to be ‘freely given, specific, informed and unambiguous’. As a consequence, employers will need to rely on other lawful grounds for processing personal data of their staff.  

Lawful Basis for Processing 

The other relevant lawful grounds for processing personal data in the employment context are where the processing is: 

  • necessary for the performance of a contract to which the employee is party or in order to take steps at the request of a candidate prior to entering into a contract; 
  • necessary for compliance with a legal obligation to which the employer is subject; or
  • necessary for the purposes of the legitimate interests pursued by the employer or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the employee which require protection of personal data.  

The legitimate interests category is therefore a useful ‘catch-all’ basis for employers. However, until recently, there was little guidance from the UK Data Protection regulator, the ICO, on using legitimate interests as a basis for processing data under the GDPR.  

That was until 22 March 2018, when the ICO published detailed guidance on using legitimate interests as a basis for processing personal data. 

Employers need to be familiar with this guidance in order to ascertain whether they are able to rely on legitimate interests as a basis for processing personal data, and, if so, how to document this properly.  

Legitimate Interests Assessment 

The ICO guidance encourages organisations to undertake a three-part test if they intend to rely on the legitimate interest ground for processing data.  

This process is referred to by the ICO as a 'legitimate interests assessment' or ‘LIA’. The length of a LIA will vary depending on the context and circumstances surrounding the processing but it is intended to be a simple form of risk assessment. 

The three-part test, which must be satisfied before processing can be undertaken on this ground, involves employers considering and documenting the following: 

  1. Is there a legitimate interest behind the processing (purpose test)?  
  2. Is the processing necessary for that purpose (necessity test)?
  3. Is the legitimate interest overridden by the individual's interests, rights or freedoms (balancing test)?  

The balancing test is intended to be a ‘light-touch risk assessment to check that any risks to individuals' interests are proportionate’. The guidance states that as a minimum, employers should consider the nature of the data being processed, the reasonable expectations of the individual and the likely impact of the processing on the individual and whether any safeguards can be put in place to mitigate the negative impacts. 

Whilst there is no specific duty in the GDPR to undertake a LIA, the ICO views it as a matter of best practice for one to undertaken by organisations in order to meet their obligations under the GDPR accountability principle (i.e. the obligation to be able to demonstrate compliance with the GDPR). 

Comment 

Despite the flexibility of legitimate interests, we would not recommend it is used as the default basis for all processing by an employer. As the ICO guidance notes, relying on legitimate interests may result in more work for an employer in order to justify the application of it as a lawful basis for processing compared to the other bases.  

There is also more scope for disagreement (with an employee or regulator) in relation to the outcome of the balancing test, which could result in non-compliance with the GDPR. 

We are working with businesses to assist them in identifying the lawful basis for processing HR data, and conducting LIAs.  

Please get in touch with one of the team if you wish to discuss further.