Legitimate Interests Assessments (LIA)

A Legitimate Interests Assessment is a useful self-assessment tool which allows you to identify the impact of your processing activity, avoid potential risks associated with unfair data processing, and ensure the lawfulness of the processing.

What is a Legitimate Interests Assessment? And do I need to complete one?

An LIA is a fairness test which you would undertake if you are relying on ‘legitimate interests’ as your legal basis for processing personal data. You would need to complete an LIA before you begin data processing activities.

In practice, the University is required to have a coherent audit trail of decisions and justifications for processing on the basis of legitimate interests, which an LIA would fulfil. It evidences that you have carefully considered the impact on data subjects, and tests whether your interests are outweighed by the impact the processing will have on data subjects’ data protection rights and interests. Please see our template (and note that the length of the LIA will depend on the complexity or sensitivity of the data processing activity). If you are using legitimate interest as your legal basis for processing personal data, please contact your Data Co-ordinator in the first instance if you require support to do this.

Three main questions

There are three main questions you need to ask yourself in relation to your data processing activity, which are summarised below. Please see the template for further questions you can reflect on when completing the LIA.

1. The Purpose Test – Does the purpose justify processing personal info?

Show why you are processing personal data: what is the outcome you are trying to achieve?

Do your predicted outcomes justify the processing of personal information?

Are there any ethical issues with the processing?

The processing activity does not need to be essential, but you must ensure that the processing is proportionate to your purpose and the interests of both the controller and the data subject. You must follow the minimisation principle and process the least amount of personal data to fulfil your aims.

Prospectus example

For example, the University has a legitimate interest in collecting the name and address of a person interested in studying at the University, to send them a prospectus.

Research on peanut butter to aid long-distance runners' recovery

For example, a researcher uses legitimate interest as their legal basis for undertaking research involving personal data on a commercial basis. Their work focuses on nutrition and the consumption of certain foods to aid recovery amongst athletes. A peanut butter manufacturer, ‘Nut-Tricia’, invites them to undertake paid research on their product’s success in reducing the recovery time of long-distance runners. To undertake the study the researcher will process the personal data of two groups of runners: one group will eat Nut-Tricia's peanut butter sandwiches after training, and the control group will eat a peanut butter sandwich using a different manufacturer’s filling. The purpose of the test is to see if Nut-Tricia's peanut butter aids recovery. The researcher will collect personal data about the athletes’ age, sex and time taken to complete a set distance, and ‘special category’ data about their injury history (health data). They will ask each athlete to keep a diary and record how they felt after each run and two days later. As a qualifying question the researcher will also ask if interested participants have a peanut allergy (health data).

2. The Necessity Test – there has to be a legitimate interest of the controller or a third party (this can include the data subject).

The processing activity does not need to be essential to pass this test, but you will need to evidence that your objective cannot be successfully achieved without processing personal information, and that the processing is proportionate and required to fulfil your objectives.

Will the processing actually help you to achieve your purpose?

Consider whether you can achieve the same purpose without processing personal data.

Could you process less data, or use less intrusive methods? The processing does not need to be essential to go forward, but it should be proportionate in relation to your purpose.

Prospectus example

Without collecting the enquirer’s name and address, it would not be possible for the University to send a prospectus to the enquirer. Asking for their name and address is proportionate to their interest in receiving more information about studying at the University.

Research on peanut butter to aid long-distance runners' recovery

To complete the research study, it is necessary for the researcher to collect and analyse the following personal data:

| Personal Data | Legitimate Interest |
| --- | --- |
| Age | To examine if a person’s age has an impact on the effect of peanut butter as a recovery food. |
| Sex | To examine if a person’s sex has an impact on the effect of peanut butter as a recovery food. |
| Time of run over a set distance | To identify if the athlete's performance improves during the lifespan of the study. |
| Participant diary | To collect qualitative evidence of the effects of peanut butter on recovery and compare feedback on Nut-Tricia's and the other brand. |
| Nut allergy | For the benefit of excluding any potential participants with a nut allergy to protect their health. |

3. The Balancing Test – legitimate interest cannot override the data subject’s fundamental rights, freedoms and interests

Have you considered whether the fundamental rights and freedoms of the individual(s) whose data you’d process override your legitimate interest? For example, if you are asking for more information than you need to achieve your objective, do the legitimate interests outweigh any potential negative impacts on the data subject?

Prospectus Example

For example, the University has a legitimate interest in encouraging interested enquirers to consider studying at the University, as it needs students to function. In responding to the enquirer’s request for a prospectus, the University is also acting in the interest of the enquirer (giving them what they asked for), and the enquirer would reasonably expect that the University needs their name and address to send them a prospectus.

Research on peanut butter to aid long-distance runners' recovery

Due to the nature of the study, it will be necessary for the researcher to process sensitive special category health data about the participants. UK law recognises there is a higher risk involved when processing special category data. The researcher will share the findings of the study with Nut-Tricia, the company sponsoring the research. To protect the participants’ privacy all the data will be pseudonymised so none of the participants are identifiable. The data processing is unlikely to cause substantial harm to the research participants.

I’ve identified some issues; how do I move forward?

If you’re still unsure whether you can move forward with your data processing activity after completing an LIA, we’d encourage you to contact your Data Co-ordinator in the first instance.

If you identify a lower risk of some harm, you need to weigh this against the potential benefits of the processing. You can also consider if you can put any safeguards in place to reduce or mitigate these risks.

If your data processing activity has the potential to be high risk, you may not be able to satisfy the balancing test. Consider whether a different legal basis may be more suitable and contact your Data Co-ordinator for advice.

When completing the LIA, if you’ve identified that your processing does include Special Category Data and therefore may be classed as high-risk processing, you must complete a Data Protection Impact Assessment (DPIA). Please also retain a copy of your complete Legitimate Interests Assessment.