Employers often seek to rely on legitimate interests when processing employee personal data. But many do not realise that this should involve completion of a legitimate interests assessment. We consider what is involved in carrying out such assessments.

What the law says

The UK General Data Protection Regulations (UK GDPR) and the Data Protection Act 2018 regulate the way in which employers process personal data. In order to process personal data employers must have a lawful basis for processing the personal data.

The circumstances where such processing may be considered lawful are:

1. consent

2. under a contract or potential contract with an individual

3. to comply with legal obligations

4. to protect the vital interests of the data subject or another natural person

5. performance of a task carried out in the public interest or in the exercise of official authority

6. legitimate interests.
   
   

Legitimate interests is frequently a condition relied upon by employers to process personal data, but employers have to be careful to rely on legitimate interests in the right context and to be able to do so they will need to undertake a legitimate interest assessment (LIA).

What is a LIA?

The LIA is required where the lawful basis being relied upon to process personal data is legitimate interests. A LIA is used to identify what that legitimate interest is, the benefits of processing the personal data in that way and whether such processing is necessary. A LIA requires a balancing assessment to understand whether the legitimate interest being relied upon outweighs the individual’s rights.

Why do employers need to undertake a LIA?

Whilst there is no obligation to undertake a LIA, the Information Commissioner's Office (ICO) has indicated that failure to do so will make it difficult to meet obligations under the accountability principle and therefore it is best practice to undertake a LIA, where appropriate.

Likely scenarios when an employer would need to complete an LIA include where they want to process data to monitor the use of company equipment, undertake criminal record/background checks, managing non-medical absences, assessing performance or training needs, tracking company vehicles and/or operating CCTV to monitor employees.

At what point does an employer need to complete a LIA?

A LIA should be completed prior to the processing of personal data starting. The ICO clearly states that a LIA cannot be conducted retrospectively.

Do employers need to follow a process to undertake a LIA?

A LIA should document both the assessment undertaken and the decision reached. This can then be used to demonstrate compliance with the principles and obligations under UK GDPR including the accountability principle.

There is no set process as to how to conduct a LIA or what it should look like although the ICO has produced a useful downloadable template LIA. That being said, a LIA does need to consider the following questions also known as the three-part test:

1. The purpose test: identifying the legitimate interest being relied upon;

2. The necessity test: considering if the processing is necessary;

3. The balancing test: considering the individuals’ interests.
   
   

When addressing each of these elements, all relevant factors should be considered whether or not they support the conclusion reached to show that everything has been considered prior to a decision being reached. The relevant factors for each test are contained on the ICO template LIA but have been replicated below for completeness.

The purpose test

For what purpose do you want to process the personal data and to understand whether this is a legitimate interest. The ICO has recommended considering the following questions:

• Why do you want to process the personal data?
• What benefit do you expect to get from the processing?
• Do any third parties benefit from the processing?
• Are there any wider public benefits from the processing?
• How important are those benefits?
• What would the impact be if you couldn’t proceed with such processing?
• What is the intended outcome for the individual(s) whose personal data is being processed?
• Is the processing compliant with other relevant laws?
• Is the processing compliant with industry guidelines or codes of practice?
• Does the processing cause any ethical issues?
  
  

The necessity test

Once the purpose has been identified, the reason for undertaking the necessity test is to consider whether the processing is actually necessary. The ICO has recommended considering the following questions:

• Will the processing actually help to achieve the identified purpose?
• Is the processing proportionate to the purpose?
• Can the purpose be achieved using another means and/or by processing less data?
• Can the purpose be achieved by processing the data into another way or in a way that is less intrusive?
  
  

As part of your LIA you should indicate whether there are any other alternatives and to the extent there are any alternatives, but these are not reasonable, to document why these alternatives are not considered reasonable.

The balancing test

The balancing test weighs the individual’s rights and freedoms against the purpose and legitimate interest identified. The ICO has stated as a minimum the following should be considered:

• The nature of the personal data;
  • Whether it is special category data;
  • Is it data regarding a criminal offence;
  • Is it another type of data that is likely to be considered particularly “private” e.g. financial data;
  • Is it data relating to children or other vulnerable individuals?
  • Is it about people in their personal or professional capacity?
    
    

The more sensitive the data the more likely the processing will be considered to be intrusive or impacts to heavily on the individual’s rights.

For example, if the proposed personal data the employer is proposing to process is special category data or criminal record checks then a LIA is only the first limb of being able to lawfully process such personal data.

• The reasonable expectations of what a reasonable person would expect for their personal data;
  • Is there an existing relationship? If so, what is the nature of the relationship?
  • How have you processed their data in the past?
  • Where was this personal data collected from – was it the individual directly?
  • What have you told the individual previously about the processing of their personal data?
  • If obtained from a third party, what have they told the individual about further processing of their personal data by third parties?
  • How long has this personal data be held?
  • Have there been any changes in technology or other context since the personal data was collected which would impact the current proposed processing;
  • Is your intended purpose and/or proposed method of processing obvious or widely used?
  • Is the processing new or innovative in anyway?
  • Do you hold an actual evidence about expectations in respect of personal data e.g. market research, focus groups or other consultation methods;
  • Are there any other factors which would lead individuals to expect or not to expect such processing?
• The likely impact the processing of the personal data in that way would have on the individuals and whether any safeguards can be put in place to mitigate any negative impacts?
  • This involves considering the potential impacts and any damage the processing may cause.
  • Is the processing of high risk to individuals a risk assessment should be undertaken to identify whether the processing will cause harm to individuals’ interests, rights and freedoms? Consideration should be given to the likelihood and also the severity of any harm. The ICO recommends considering the following:
    • Whether it acts as a barrier to individuals exercising their rights (including but not limited to privacy rights);
    • Whether it acts as a barrier to individuals accessing services or opportunities;
    • Whether it would cause the loss of control over further uses of their personal data;
    • The risk of physical harm;
    • The risk of financial loss, identity theft or fraud; or
    • Any other significant economic or social disadvantage (discrimination, loss of confidentiality or reputational damage).
  • Are there any safeguards that could be put in place to reduce or mitigate any risks?
    
    

Reaching a decision

When considering the outcome of the LIA and how to document this, consideration should be given to all of the factors identified as part of the assessment, and, when weighed up, whether the company or the individuals’ interests should take precedence. This should be an objective decision.

A LIA should be kept under review and refreshed to the extent the processing and/or legitimate interest changes in a way which could affect the outcome of the LIA. A LIA may identify that a Data Protection Impact Assessment (DPIA) is required as an additional layer of risk assessment (see further below).

What happens if the LIA concludes the impact outweighs the legitimate interest?

You will not be able to process the personal data for the purpose by relying on legitimate interests as the lawful basis for processing. You will need to consider whether there is another lawful basis which can be relied upon to justify the processing.

What is a DPIA?

As part of an employer’s compliance with UK DPR accountability principles, employers must carry out a DPIA where the processing is likely to result in a high risk to individuals and in specific circumstances such as large scale processing of special category data, criminal records data or systematic monitoring of publicly accessible places. An example of where a DPIA would be required is for example where employers introduce COVID-19 related temperature testing. The DPIA will assess the risks of the proposal, whether the proposal is necessary and proportionate and any mitigating actions that can be put in place to counter the risks.

If you require further information on when and how to carry out a DPIA, please refer to our recent article which can be found here.

And finally... LIA or DPIA?

A LIA is similar to a DPIA and may even be required in conjunction with a DPIA and/or can be used to identify the need to undertake a DPIA. Please see the table below which considers the differences between the two: