
Legitimate Interests Assessment Form

The LIA is a light-touch test completed in three parts.


It is not necessary to follow this exact process, but you can use this form to help assess
whether legitimate interest can be applied to your processing of personal data.
You should complete and keep a record of this assessment to provide justification for your
decision to use legitimate interest as a legal basis before you start processing the data.

Asset Reference
Process Name / Description
Data Subject(s)
Nature of personal data processed
Special category, criminal offence or children's data?
Are the data assets recorded in the information asset register?
Process owner
Assessment Owner
Assessment Start date
Decision Date

1) Purpose: identify the legitimate interest(s). Consider:

- Why do you want to process the data – what are you trying to achieve?
- Who benefits from the processing? In what way?
- Are there any wider public benefits to the processing?
- How important are those benefits?
- What would the impact be if you couldn’t go ahead?
- Would your use of the data be unethical or unlawful in any way?
- Have you considered any Tribunal judgements/case law in identifying 'legitimate interests'?
2) Necessity: apply the necessity test. Consider:

- Does this processing actually help to further that interest?
- Is it a reasonable way to go about it?
- Is there another less intrusive way to achieve the same result?

3) Balance: apply the balancing test. Consider:

- What is the nature of your relationship with the individual? Is it pre-existing and have you used their data previously?
- How has the data been obtained? If supplied from a third party, what did they tell the individual about reuse?
- Do you have the means and processes to keep the information up to date?
- Is any of the data particularly sensitive or private?
- Would people expect you to use their data in this way?
- Are you happy to explain it to them?
- Are some people likely to object or find it intrusive?
- What is the possible impact on the individual?
- How big an impact might it have on them?
- Are you processing children’s data?
- Are any of the individuals vulnerable in any other way?
- Can you adopt any safeguards and technical measures to minimise the impact?
- Can you offer an opt-out?

Decision
Outcome Date
Outcome
How was the outcome decided
Further Action
Next Review date
Agreed by
Purpose

- Why do you want to process the data – what are you trying to achieve?
- Who benefits from the processing? In what way?
- Are there any wider public benefits to the processing?
- How important are those benefits?
- What would the impact be if you couldn’t go ahead?
- Would your use of the data be unethical or unlawful in any way?

Necessity

- Does this processing actually help to further that interest?
- Is it a reasonable way to go about it?
- Is there another less intrusive way to achieve the same result?

Balance

- What is the nature of your relationship with the individual?
- Is any of the data particularly sensitive or private?
- Would people expect you to use their data in this way?
- Are you happy to explain it to them?
- Are some people likely to object or find it intrusive?
- What is the possible impact on the individual?
- How big an impact might it have on them?
- Are you processing children’s data?
- Are any of the individuals vulnerable in any other way?
- Can you adopt any safeguards to minimise the impact?
- Can you offer an opt-out?

The purpose test

Identify the purpose for which you want to process the personal data and assess whether that purpose is a legitimate interest. The ICO has recommended considering the following questions:

- Why do you want to process the personal data?
- What benefit do you expect to get from the processing?
- Do any third parties benefit from the processing?
- Are there any wider public benefits from the processing?
- How important are those benefits?
- What would the impact be if you couldn’t proceed with such processing?
- What is the intended outcome for the individual(s) whose personal data is being processed?
- Is the processing compliant with other relevant laws?
- Is the processing compliant with industry guidelines or codes of practice?
- Does the processing cause any ethical issues?

The necessity test

Once the purpose has been identified, the necessity test considers whether the processing is actually necessary to achieve it. The ICO has recommended considering the following questions:

- Will the processing actually help to achieve the identified purpose?
- Is the processing proportionate to the purpose?
- Can the purpose be achieved using another means and/or by processing less data?
- Can the purpose be achieved by processing the data in another way, or in a way that is less intrusive?

As part of your LIA you should indicate whether there are any alternatives and, where alternatives exist but are not reasonable, document why they are not considered reasonable.

The balancing test

The balancing test weighs the individual’s rights and freedoms against the purpose and legitimate interest identified. The ICO has stated that, as a minimum, the following should be considered:

- The nature of the personal data:
  - Is it special category data?
  - Is it data regarding a criminal offence?
  - Is it another type of data that is likely to be considered particularly “private”, e.g. financial data?
  - Is it data relating to children or other vulnerable individuals?
  - Is it about people in their personal or professional capacity?

The more sensitive the data, the more likely the processing will be considered intrusive or to impact too heavily on the individual’s rights.

For example, if the personal data the employer proposes to process is special category data or criminal record checks, an LIA is only the first limb of being able to lawfully process such personal data.

- The reasonable expectations of the individuals, i.e. what a reasonable person would expect to happen to their personal data:
  - Is there an existing relationship? If so, what is the nature of the relationship?
  - How have you processed their data in the past?
  - Where was this personal data collected from: was it from the individual directly?
  - What have you told the individual previously about the processing of their personal data?
  - If obtained from a third party, what have they told the individual about further processing of their personal data by third parties?
  - How long has this personal data been held?
  - Have there been any changes in technology or other context since the personal data was collected which would impact the current proposed processing?
  - Is your intended purpose and/or proposed method of processing obvious or widely used?
  - Is the processing new or innovative in any way?
  - Do you hold any actual evidence about expectations in respect of personal data, e.g. market research, focus groups or other consultation methods?
  - Are there any other factors which would lead individuals to expect or not to expect such processing?

- The likely impact the processing of the personal data in that way would have on the individuals, and whether any safeguards can be put in place to mitigate any negative impacts:

  - This involves considering the potential impacts and any damage the processing may cause.
  - If the processing is high risk to individuals, a risk assessment should be undertaken to identify whether the processing will cause harm to individuals’ interests, rights and freedoms. Consideration should be given to the likelihood and also the severity of any harm. The ICO recommends considering the following:
    - Whether it acts as a barrier to individuals exercising their rights (including but not limited to privacy rights);
    - Whether it acts as a barrier to individuals accessing services or opportunities;
    - Whether it would cause the loss of control over further uses of their personal data;
    - The risk of physical harm;
    - The risk of financial loss, identity theft or fraud; or
    - Any other significant economic or social disadvantage (discrimination, loss of confidentiality or reputational damage).
  - Are there any safeguards that could be put in place to reduce or mitigate any risks?

Reaching a decision

When considering the outcome of the LIA and how to document this,
consideration should be given to all of the factors identified as part of the
assessment, and, when weighed up, whether the company or the individuals’
interests should take precedence. This should be an objective decision.

An LIA should be kept under review and refreshed to the extent the processing
and/or legitimate interest changes in a way which could affect the outcome of
the LIA. An LIA may identify that a Data Protection Impact Assessment (DPIA)
is required as an additional layer of risk assessment (see further below).

What happens if the LIA concludes the impact outweighs the legitimate
interest?

You will not be able to process the personal data for the purpose by relying
on legitimate interests as the lawful basis for processing. You will need to
consider whether there is another lawful basis which can be relied upon to
justify the processing.
