An introduction to the protection of personal information in the healthcare practice

6. The 6 grounds for lawful processing

6.2. Legitimate Interest Processing & LIA

Topics

  1. The three part test
  2. Legitimate Interest Assessments (LIA)
  3. How do we decide the outcome?
  4. What happens next?
  5. How does this tie in to PIIAs?


1. The three part test

Legitimate interests is the most flexible lawful ground for processing, but you cannot assume it will always be the most appropriate. It is likely to be most appropriate where you use people’s PI in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.

There are three elements to the legitimate interests ground. It helps to think of this as a three-part test. You need to work through:

  1. The purpose test (identify the legitimate interest);
  2. The necessity test (consider if the processing is necessary); and
  3. The balancing test (consider the individual’s interests).

Purpose test

The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.

Necessity test

The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.

Balancing test

You must balance your interests against those of the DS. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.


2. Legitimate Interest Assessments

A LIA is a simple risk assessment based on the specific context and circumstances of processing. A LIA provides the opportunity to ask yourself the right questions about your processing and objectively consider what the reasonable expectations of the DS are and any impact of the processing on them. It is necessary to keep a record of your Legitimate Interests Assessment (LIA) to help you demonstrate compliance if required.

Conducting a LIA helps you ensure that your processing is lawful. It helps you to think clearly and sensibly about your processing and the impact it could have on the individual.

As your LIA determines if the legitimate interests ground applies, you must perform it before you start processing the PI. You cannot start processing the PI and then retrospectively try to apply legitimate interests. Your processing is unlawful without a lawful ground, and this will lead to inevitable breaches of transparency and accountability requirements.

The LIA doesn’t have to take any particular form, but you need to address each part of the three-part test and record the outcome. You should record all the relevant factors, whether or not they support your conclusion, as this shows that you have taken everything into account prior to making your decision.

How do we do the purpose test?

You need to identify your purpose and decide whether it counts as a legitimate interest. Be as specific as possible, as this helps you when it comes to the necessity and balancing tests.

You should ask:

  1. Why do you want to process the data?
  2. What benefit do you expect to get from the processing?
  3. Do any third parties benefit from the processing?
  4. Are there any wider public benefits to the processing?
  5. How important are those benefits?
  6. What would the impact be if you couldn’t go ahead?
  7. What is the intended outcome for individuals?
  8. Are you complying with other relevant laws?
  9. Are you complying with industry guidelines or codes of practice?
  10. Are there any ethical issues with the processing?

How do we do the necessity test?

You must consider carefully whether the processing is actually necessary for the purpose you have identified in step one.

You need to ask:

  1. Will the processing actually help you achieve your purpose?
  2. Is the processing proportionate to that purpose, or could it be seen as using a sledgehammer to crack a nut?
  3. Can you achieve your purpose without processing the data, or by processing less data?
  4. Can you achieve your purpose by processing the data in another more obvious or less intrusive way?

Be honest in your consideration of whether the processing is necessary. If, on the face of it, there are potentially other less intrusive alternatives, you need to be clear in your LIA why these are not reasonable alternatives.

If you find it difficult to explain how the processing helps achieve your objective, or there are many alternative methods which simply aren’t your chosen business model, you may need to go back to step one and be more specific about your purpose. A clearly defined purpose should make the necessity test easier to navigate.

How do we do the balancing test?

You need to consider the interests and fundamental rights and freedoms of the individual, and whether these override the legitimate interests you have identified.

There is no exhaustive list of what you should take into account when conducting the balancing test. However, you should as a minimum consider:

  1. the nature of the PI you want to process;
  2. the reasonable expectations of the individual; and
  3. the likely impact of the processing on the individual and whether any safeguards can be put in place to mitigate negative impacts.

1. Nature of the data

You need to think about the sensitivity of the PI you intend to process.

For example:

  • Is it SPI?
  • Is it criminal offence data?
  • Is it another type of data that people are likely to consider particularly ‘private’, for example financial data?
  • Are you processing children’s data or data relating to other vulnerable individuals?
  • Is it data about people in their personal or professional capacity?

The more sensitive or ‘private’ the data, the more likely the processing is to be considered intrusive or to create significant risks to the individual’s rights and freedoms, for example by putting them at risk of unlawful discrimination. You are likely to need a more compelling reason to use this type of data, and to take particular care to put adequate safeguards in place.

In contrast, if the processing involves PI which is considered less sensitive or private, such as that of individuals in their work capacity, then it may be that the impact is less (although you should still give some thought to the likely impact).

Example

An employer asks its employees to provide emergency contact details of a family member or friend in case they have an accident or become seriously ill at work.

It is not practical for the employer to have consent from the family or friends of all its employees in order to process their contact details for the purposes of being used in an emergency. The employer therefore considers if the legitimate interests ground applies.

The employer considers that being able to contact an individual’s designated family member or friend in an emergency is a legitimate interest as a responsible employer. It also notes that it is in the interests of the employee that a family member or friend knows about the emergency, and likewise it is in the interests of the nominated person to be told.

It decides that asking employees to provide the PI of other individuals is necessary for this purpose and that there is no other reasonable way of achieving the purpose.

The employer goes on to consider the balancing test. It takes into account that the data it will be processing is not sensitive (names and contact details) and determines that the impact of holding these details in case of an emergency is minimal. The employer decides that only its HR department will have access to the contact details and will ensure that these details can only be used in an actual emergency. It determines that the balance favours its legitimate interest in processing the data.

2. Reasonable expectations

You need to consider whether people will reasonably expect you to use their data in this way in the particular circumstances. See the information in the chapter on Processing limitation for more on the reasonable manner of processing.

3. Impact and safeguards

You need to consider the potential impact on individuals and any damage that your processing might cause.

Firstly, you should consider whether your processing is of a type inherently likely to result in a high risk to individuals’ rights and freedoms. Beyond that, you need to do a risk assessment to consider whether your processing might cause any harm to individuals’ interests, rights and freedoms, even if this falls short of a high risk. You should in particular think about whether your processing might contribute to:

  • a barrier to individuals exercising their rights (including but not limited to privacy rights);
  • a barrier to individuals accessing services or opportunities;
  • any loss of control over the further use of PI;
  • physical harm;
  • financial loss, identity theft or fraud; or
  • any other significant economic or social disadvantage (such as discrimination, loss of confidentiality or reputational damage).

You should look at both the likelihood and severity of any harm.

If you identify the potential for a high risk (either due to a chance of severe harm or a high likelihood of some harm), you need a much more compelling legitimate interest to satisfy the balancing test. You need to demonstrate that your legitimate interests can override a serious impact. This also triggers the need for a PIIA to assess those risks in more detail.

If you identify a lower risk of some harm, you need to weigh this against the potential benefits of the processing. 

You may also wish to consider if there are any safeguards that you could put in place to reduce or mitigate this risk. For example could you collect less data, or provide individuals with an opt-out?


3. How do we decide the outcome?

You need to weigh up all the factors identified during your LIA for and against the processing, and decide whether you still think your interests should take priority over any risk to individuals. This is not a mathematical exercise and there is an element of subjectivity involved, but you should be as objective as possible.

You must be confident that you can show why the benefits of the processing justify any risks you have identified. The more significant the risks, the more compelling your justification must be.

Sometimes the outcome very obviously weighs in one direction in which case making the decision should be straightforward.

Example

A practice is deciding whether to dismiss one of its employees for misconduct. The practice decides that it needs advice about employment law and wants to send details of the employee’s alleged misconduct to its external legal advisors.

Purpose test: the practice needs to be able to manage the performance of its workforce and ensure employees act appropriately. It also needs to ensure that any action it takes is in accordance with its employment law obligations. This is in the legitimate business interests of the practice. It is also in the legitimate interests of employees that the practice acts fairly and within the law in its dealings with employees.

Necessity test: it is necessary to obtain external legal expertise about the alleged misconduct and the relevant legal framework for this purpose. Only the PI that is relevant to the allegations will be shared with its legal advisors, subject to professional confidentiality obligations.

Balancing test: the data concerns the individual’s professional life rather than private life. There is a clearly defined employer-employee relationship and employees would reasonably expect the practice to process details of professional conduct to manage performance, and to seek legal advice when dealing with potential dismissals. Whilst the sharing of the data might contribute to significant harm to the individual if the advice supports dismissal, it should also help to ensure that the decision is not arbitrary or unlawful. The data is also shared subject to professional confidentiality obligations, which provides a safeguard against other risks or loss of control over the data.

The outcome for the practice, having considered all the relevant factors, is that the employee’s interests do not outweigh its legitimate interests in obtaining legal advice, and the processing is lawful on the ground of these legitimate interests.

In other cases you may find the outcome is harder to determine. If you are not sure, it may be safer to look for another lawful ground. Legitimate interests is not often the most appropriate ground for processing which is unexpected or high risk.


4. What happens next?

If you have conducted your LIA and decided to rely on legitimate interests as your lawful ground, you should not assume that this is where your responsibilities end.

Keep your LIA under regular review. If anything significant changes – such as the purpose, nature or context of the processing – that may affect the balance between you and the individual you should revisit your LIA and refresh it as appropriate.

For example, if a new and unforeseen impact of your processing comes to light, you need to revisit your LIA and the balancing test, and perhaps consider if any further safeguards are needed.

If your LIA concludes that the impact on the individual overrides your legitimate interests, then you are not able to process the data for that particular purpose using the legitimate interests ground. You may be able to consider another lawful ground instead.

If it’s a borderline call and you’re not confident that your interests justify the impact on individuals, then you may also wish to look for another lawful ground. For example, you may wish to consider if consent is appropriate, to give the individuals full control over the use of their data.

If your LIA identifies potential high risks to the rights and freedoms of the individual, you need to go on to do a PIIA to assess the risks and potential safeguards in more detail.


5. How does this tie in to PIIAs?

There are similarities between a LIA and a PIIA. Both involve considering the purpose of the processing, identifying and assessing risk, and considering possible safeguards.

However, a LIA is intended as a simpler form of risk assessment, to prompt you to properly identify your purpose and think about the impact on individuals. You need to do a LIA in any case where you are considering using the legitimate interests ground, whether or not there are any particular reasons for concern. There are no absolute requirements for content or process, as long as you are confident that your processing is justifiable.

By contrast, a PIIA is a much more in-depth end-to-end process, with more specific minimum requirements as to content and process. You only need to do a PIIA if you identify that the processing is of a type considered likely to result in high risk, but you need to do it irrespective of what lawful ground you are considering. If you cannot mitigate risks, you need to consult the IR before you can start processing.

However, there is some overlap between the two and you should recognise this in your processes. In practice, it is sensible to incorporate the PIIA screening checklist for types of processing likely to result in high risk as part of your balancing test as a simple way of identifying risks to individuals. 

A LIA is also a potential trigger for a PIIA. If your LIA identifies the potential for high risks to individuals’ rights and freedoms (either because of the severity or likelihood of the harm) then you are likely to need to carry out a PIIA.

You may be able to build on or adapt your LIA into your PIIA. If you have not yet carried out a LIA, there is no need to do both. You can use your PIIA instead of a LIA to demonstrate how legitimate interests applies, as it covers the same ground in more detail.