Shoosmiths LLP
  July 29, 2021 - Milton Keynes, England

When To Use a Legitimate Interest Assessment
  by Shoosmiths LLP

Employers often seek to rely on legitimate interests when processing employee personal data. But many do not realise that this should involve completion of a legitimate interests assessment. We consider what is involved in carrying out such assessments.

What the law says

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 regulate the way in which employers process personal data. Before processing any personal data, an employer must have a lawful basis for doing so.

The circumstances where such processing may be considered lawful are:

  1. consent

  2. under a contract or potential contract with an individual

  3. to comply with legal obligations

  4. to protect the vital interests of the data subject or another natural person

  5. performance of a task carried out in the public interest or in the exercise of official authority

  6. legitimate interests.

Legitimate interests is a condition frequently relied upon by employers to process personal data. Employers must, however, be careful to rely on legitimate interests only in the right context, and to be able to do so they will need to undertake a legitimate interest assessment (LIA).

What is a LIA?

The LIA is required where the lawful basis being relied upon to process personal data is legitimate interests. A LIA is used to identify what that legitimate interest is, the benefits of processing the personal data in that way and whether such processing is necessary. A LIA requires a balancing assessment to understand whether the legitimate interest being relied upon outweighs the individual’s rights.

Why do employers need to undertake a LIA?

Whilst there is no obligation to undertake a LIA, the Information Commissioner's Office (ICO) has indicated that failure to do so will make it difficult to meet obligations under the accountability principle and therefore it is best practice to undertake a LIA, where appropriate.

Likely scenarios in which an employer would need to complete an LIA include processing data to monitor the use of company equipment, undertaking criminal record/background checks, managing non-medical absences, assessing performance or training needs, tracking company vehicles and/or operating CCTV to monitor employees.

At what point does an employer need to complete a LIA?

A LIA should be completed prior to the processing of personal data starting. The ICO clearly states that a LIA cannot be conducted retrospectively.

Do employers need to follow a process to undertake a LIA?

A LIA should document both the assessment undertaken and the decision reached. This can then be used to demonstrate compliance with the principles and obligations under UK GDPR including the accountability principle.

There is no set process for how to conduct a LIA or what it should look like, although the ICO has produced a useful downloadable template LIA. That being said, a LIA does need to consider the following questions, also known as the three-part test:

  1. The purpose test: identifying the legitimate interest being relied upon;

  2. The necessity test: considering if the processing is necessary;

  3. The balancing test: considering the individuals’ interests.

When addressing each of these elements, all relevant factors should be considered, whether or not they support the conclusion reached, so as to show that everything was taken into account before a decision was made. The relevant factors for each test are set out in the ICO template LIA but have been replicated below for completeness.

The purpose test

The purpose test asks for what purpose you want to process the personal data and whether that purpose is a legitimate interest. The ICO has recommended considering the following questions:

The necessity test

Once the purpose has been identified, the reason for undertaking the necessity test is to consider whether the processing is actually necessary. The ICO has recommended considering the following questions:

As part of your LIA you should indicate whether there are any alternatives to the proposed processing and, to the extent there are alternatives which are not reasonable, document why they are not considered reasonable.

The balancing test

The balancing test weighs the individual’s rights and freedoms against the purpose and legitimate interest identified. The ICO has stated that, as a minimum, the following should be considered:

The more sensitive the data, the more likely the processing will be considered intrusive or to impact too heavily on the individual’s rights.

For example, if the personal data the employer proposes to process is special category data or criminal record data, then a LIA is only the first limb of being able to lawfully process such personal data.

Reaching a decision

When considering the outcome of the LIA and how to document this, consideration should be given to all of the factors identified as part of the assessment, and, when weighed up, whether the company or the individuals’ interests should take precedence. This should be an objective decision.

A LIA should be kept under review and refreshed to the extent the processing and/or legitimate interest changes in a way which could affect the outcome of the LIA. A LIA may identify that a Data Protection Impact Assessment (DPIA) is required as an additional layer of risk assessment (see further below).

What happens if the LIA concludes the impact outweighs the legitimate interest?

You will not be able to process the personal data for the purpose by relying on legitimate interests as the lawful basis for processing. You will need to consider whether there is another lawful basis which can be relied upon to justify the processing.

What is a DPIA?

As part of an employer’s compliance with the UK GDPR accountability principle, employers must carry out a DPIA where the processing is likely to result in a high risk to individuals and in specific circumstances such as large scale processing of special category data, criminal records data or systematic monitoring of publicly accessible places. One example of where a DPIA would be required is where employers introduce COVID-19 related temperature testing. The DPIA will assess the risks of the proposal, whether the proposal is necessary and proportionate, and any mitigating actions that can be put in place to counter the risks.

If you require further information on when and how to carry out a DPIA, please refer to our recent article on the subject.

And finally... LIA or DPIA?

A LIA is similar to a DPIA, may be required in conjunction with a DPIA and/or can be used to identify the need to undertake a DPIA. The table below sets out the differences between the two:

  Length
    LIA:  Short form assessment.
    DPIA: Detailed assessment.

  Lawful basis for processing
    LIA:  Legitimate interests.
    DPIA: All.

  Purpose
    LIA:  To identify the purpose for the processing and how this will impact on individuals.
    DPIA: If you identify that the processing is considered likely to be high risk and in specified circumstances.

  Content
    LIA:  No required content but should consider the three-stage test.
    DPIA: Minimum requirements in terms of content.

  Process
    LIA:  There is no set process.
    DPIA: Minimum requirements in terms of the process.

  Mitigate risks
    LIA:  Yes.
    DPIA: If not possible, you need to consult the ICO prior to processing.

Read full article at: https://www.shoosmiths.co.uk/insights/articles/when-to-use-a-legitimate-interest-assessment