Professional Documents
Culture Documents
Legitimate Interests Assessment Form
Legitimate Interests Assessment Form
Asset Reference
Process Name / Description
Data Subject(s)
Nature of personal data
processed
Decision
Outcome Date
Outcome
How was the outcome decided
Further Action
Next Review date
Agreed by
Purpose
Why do you want to process the data – what are you trying to achieve?
Who benefits from the processing? In what way?
Are there any wider public benefits to the processing?
How important are those benefits?
What would the impact be if you couldn’t go ahead?
Would your use of the data be unethical or unlawful in any way?
Necessity
Balance
For what purpose do you want to process the personal data and to
understand whether this is a legitimate interest. The ICO has recommended
considering the following questions:
What is the intended outcome for the individual(s) whose personal data
is being processed?
Once the purpose has been identified, the reason for undertaking the
necessity test is to consider whether the processing is actually necessary.
The ICO has recommended considering the following questions:
Can the purpose be achieved by processing the data into another way
or in a way that is less intrusive?
As part of your LIA you should indicate whether there are any other
alternatives and to the extent there are any alternatives, but these are not
reasonable, to document why these alternatives are not considered
reasonable.
The balancing test weighs the individual’s rights and freedoms against the
purpose and legitimate interest identified. The ICO has stated as a minimum
the following should be considered:
The more sensitive the data the more likely the processing will be considered
to be intrusive or impacts to heavily on the individual’s rights.
The likely impact the processing of the personal data in that way would
have on the individuals and whether any safeguards can be put in
place to mitigate any negative impacts?
Reaching a decision
When considering the outcome of the LIA and how to document this,
consideration should be given to all of the factors identified as part of the
assessment, and, when weighed up, whether the company or the individuals’
interests should take precedence. This should be an objective decision.
A LIA should be kept under review and refreshed to the extent the processing
and/or legitimate interest changes in a way which could affect the outcome of
the LIA. A LIA may identify that a Data Protection Impact Assessment (DPIA)
is required as an additional layer of risk assessment (see further below).
What happens if the LIA concludes the impact outweighs the legitimate
interest?
You will not be able to process the personal data for the purpose by relying
on legitimate interests as the lawful basis for processing. You will need to
consider whether there is another lawful basis which can be relied upon to
justify the processing.