The new data protection regime under the EU General Data Protection Regulation and the new Data Protection Act come into force on 25 May. With this in mind, the Information Commissioner’s Office has issued new guidance which is helpful to employers who are considering processing data under the lawful basis of ‘legitimate interests.’ The guidance can be found here alongside the ICO’s other GDPR guidance.
The guidance states that ‘legitimate interests’ is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate. It is likely to be appropriate where you use people’s data in ways that they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. The interests can be your own or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
The ICO highlights a three-part test for employers and other data controllers to undertake. You must identify a legitimate interest; show that the processing is necessary to achieve it; and balance it against the individual’s interests, rights and freedoms. You should keep a record of your assessment and include details of your legitimate interests in the privacy information which you provide to employees.
All of the advice and guidance that we emailed to you in March can still be found on our website.