The focus of the guidance is on using the ‘legitimate interests’ basis for processing personal data.
This guidance applies to UCL employees who are looking to process personal data, i.e. information relating to an identified or identifiable living person, and are looking for a lawful basis to do so.
Note that ‘processing’ means any operation - collecting, storing, using, transferring, disclosing or destroying - performed on personal data.
- Legal basis for the processing of personal data
Before processing any personal data, an appropriate legal basis must be identified.
Article 6(1) of the GDPR sets out the following six possible legal bases for processing personal data:
- (a) Consent
- (b) Contract
- (c) Legal obligation
- (d) Vital interests
- (e) Public task
- (f) Legitimate interests
As a public authority, most of UCL’s processing will be undertaken using Article 6(1)(e) above, the ‘public task’ condition. This applies when the processing is necessary for UCL to perform a task in the public interest. Examples include most of UCL’s research, teaching and learning activities – we can clearly demonstrate a ‘public task’ basis for these because performing such tasks is a core part of UCL’s Charter and Statutes.
It is important to understand where UCL’s processing falls under the ‘public task’ condition because you can only rely on ‘legitimate interests’ at Article 6(1)(f) above if you are processing for a legitimate reason other than performing UCL’s tasks as a public authority. UCL has produced a Statement of Tasks in the Public Interest, which sets out when the ‘public task’ condition can be used as a basis for processing.
Please note that you cannot rely upon either the ‘public task’ basis or the ‘legitimate interests’ basis alone when processing: (a) special category personal data (e.g. data relating to ethnicity, health, religion etc.); or (b) personal data relating to criminal convictions or offences. If you are processing data of this kind, you will need to establish an additional lawful condition under either Article 9 or Article 10 GDPR (as applicable).
- Legitimate interests
Legitimate interests is the most flexible lawful basis for processing, but if you choose to rely on it, you are taking on extra responsibility for considering and protecting people’s rights and interests, including privacy rights.
There are three elements to the legitimate interests basis and a corresponding three-part test:
1. Identify a legitimate interest: what interest are you pursuing?
2. Necessity test: is the processing necessary for that purpose?
3. Balancing test: do the individual’s interests override the legitimate interest?
You should avoid relying on ‘legitimate interests’ if you plan to use personal data in ways people do not understand and would not reasonably expect, or if you think people would object after it was explained to them. You should also avoid ‘legitimate interests’ for processing that could cause harm.
Use Template A below to help you conduct this test, otherwise known as a Legitimate Interests Assessment (LIA). The guidance below is designed to help you to complete the LIA. You must keep a record of the completed LIA to demonstrate compliance with the principle of accountability and so that you can justify the decision if asked to do so. You should also email email@example.com when relying on Article 6(1)(f) ‘legitimate interests’ so that UCL’s privacy notices can be kept updated.
- Identify a legitimate interest
The first stage is to identify a legitimate interest.
An ‘interest’ can be understood widely. It can be a broad stake that UCL or any third party may have in the processing, or the benefit to be derived from the processing. An interest must: be real and present (corresponding with current activities or benefits in the very near future, not vague or speculative); be sufficiently clearly articulated to allow a balancing test to be carried out; and be lawful. Interests can be commercial, individual or even broader societal benefits.
Some interests are likely to be ‘legitimate’ because they are necessary for an administrative function or compliance issue. This is often the case when the processing is not required by law, but the processing is essential to ensure UCL meets external or internal governance obligations, for example, the provision of physical or network security or holding marketing suppression lists to prevent spamming.
Other interests are considered legitimate on the basis that while they do not fall within scope of the ‘public task’ condition, they support UCL’s core business functions, for example activities around graduation and the provision of an alumni newsletter.
Interests are more likely to be legitimate interests when:
i. there is a relevant and appropriate relationship between UCL and the individual, for example between UCL and its alumni, and
ii. the processing is within the reasonable expectations of the individual.
- Necessity test
The second stage is to carry out a necessity test.
You will need to consider whether the processing of personal data is ‘necessary’ for achieving the objective. ‘Necessary’ in this context means that the processing should be a targeted and proportionate way of achieving your objective.
It is useful to ask, ‘Is there another way of achieving the identified interest?’ If there is no other way, then clearly the processing is necessary. If there is another way but it would require disproportionate effort, then you may determine that the processing is still necessary. If there are multiple ways of achieving the objective, then a Data Privacy Impact Assessment (DPIA) can be used to identify the least intrusive processing activity. Guidance on DPIAs can be found here: https://www.ucl.ac.uk/legal-services/research/data-privacy-impact-assessment
If the processing is not necessary, then ‘legitimate interest’ cannot be relied on as a legal basis for that processing activity.
- Balancing test
The third stage is to balance the legitimate interest against the rights and freedoms of the individuals whose personal information you are proposing to process.
This balancing test must be conducted fairly, which means that you must always give due regard and weighting to the rights and freedoms of individuals.
There are several factors to consider when making a decision regarding whether an individual’s rights would override UCL’s legitimate interest, including:
- the nature of the interests;
- the impact of processing; and
- any safeguards which are or could be put in place.
i. the nature of the interests includes:
- the reasonable expectations of the individual: would they expect the processing to take place? If so, then the impact of the processing is likely to have already been considered by them and accepted. If they have no expectation that any processing would take place, then the impact is greater and is given more weight in the balancing test;
- the type of data: children’s personal data, or data where there is a greater expectation of privacy (e.g. salaries), should be considered in a balancing test; and
- the interests of UCL (e.g. is it a fundamental right, public or other type of interest):
  - Does it add value or convenience?
  - Is it also in the interests of the individual?
  - If there may be harm as a result of the processing, is it unwarranted?
ii. the impact of processing includes:
- any positive or negative impacts on the individual, and any prejudice to UCL, a third party or society if the processing is not carried out;
- the impact on children. Data protection legislation obliges UCL to consider the interests of children in particular, so consider carefully what impact your proposed processing will have on them;
- the likelihood of impact on the individual and the severity of that impact. Is it justified? A much more compelling justification will be required if there is a likelihood of unwarranted harm occurring;
- the status of the individual – a customer, a child, an employee, or other;
- the ways in which data are processed, e.g. does the processing involve profiling or data mining? Publication or disclosure to a large number of people? Is the processing on a large scale?
iii. any safeguards which are or could be put in place include:
- a range of compensating controls or measures which may be put in place to protect the individual or to reduce any risks or potentially negative impacts of processing, identified through a DPIA, for example:
- data minimisation;
- additional layers of encryption;
- data retention limits;
- restricted access;
- opt-out options;
- pseudonymisation or anonymisation;
- encryption, hashing, salting.
When UCL is processing personal data relating to children, or special categories of personal data, special care should be taken with the balancing test, as it may need to give additional weight to the rights of the individual.
- Further guidance and template download
We hope that you find this guidance helpful. If you require any further information on the issues raised in this document, please contact the data protection team at firstname.lastname@example.org.
Download the Legitimate Interests Assessment template