popi_compliance_monitoring

Overview

  • 'Legitimate interests of the responsible party or of a third party to whom the information is supplied' is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate.
  • It is likely to be most appropriate where you use data subjects’ information in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
  • If you choose to rely on the 'legitimate interests of the responsible party or of a third party to whom the information is supplied', you are taking on extra responsibility for considering and protecting the affected data subjects' rights and interests.
  • Public authorities can only rely on legitimate interests if they are processing for a legitimate reason other than performing their tasks as a public authority.
  • There are three elements to the legitimate interests basis:
    • identify a legitimate interest;
    • show that the processing is necessary to achieve it; and
    • balance it against the individual’s interests, rights and freedoms.
  • The legitimate interests can be your own interests or the interests of third parties to whom information is supplied. They can include commercial interests, individual interests or broader societal benefits.
  • The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.
  • You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.
  • Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required.
  • You must include details of your legitimate interests in your privacy information.

Checklists

☐ We have checked that 'legitimate interests of the responsible party or of a third party to whom the information is supplied' is the most appropriate basis.

☐ We understand our responsibility to protect the affected data subjects’ interests.

☐ We have conducted a legitimate interests assessment (LIA) and kept a record of it, to ensure that we can justify our decision.

☐ We have identified the relevant legitimate interests.

☐ We have checked that the processing is necessary and there is no less intrusive way to achieve the same result.

☐ We have done a balancing test, and are confident that the data subjects' interests do not override our legitimate interests.

☐ We only use data subjects’ information in ways they would reasonably expect, unless we have a very good reason.

☐ We are not using data subjects’ information in ways they would find intrusive or which could cause them harm, unless we have a very good reason.

☐ If we process children’s information, we take extra care to make sure we protect their interests.

☐ We have considered safeguards to reduce the impact where possible.

☐ We have considered whether we can offer an opt out.

☐ If our LIA identifies a privacy impact, we have conducted a PIIA.

☐ We keep our LIA under review, and repeat it if circumstances change.

☐ We include information about our legitimate interests in our privacy information.

Briefly

What’s needed under POPIA?

You can consider the legitimate interests of a third party with whom information is shared, but you cannot extend this to any third party or to the wider benefits to society. When weighing against the data subject’s interests, the emphasis is on ‘unwarranted prejudice’ to the data subject, even without specific harm.

Public authorities are more limited in their ability to rely on legitimate interests, and should consider the ‘public law duty’ basis instead for any processing they do to perform their tasks as a public authority. Legitimate interests may still be available for other legitimate processing outside of those tasks.

You need to document your decisions on legitimate interests so that you can demonstrate compliance under the accountability condition. You must also include information in your privacy information.

You need to review your existing processing to identify your lawful basis and document where you rely on legitimate interests of the responsible party, update your privacy information, and communicate it to data subjects.

What is the ‘legitimate interests of the responsible party’ basis?

Section 11(1)(f) gives you a lawful basis for processing where:

“processing is necessary for pursuing the legitimate interests of the responsible party or of a third party to whom the information is supplied.”

This can be broken down into a three-part test:

  1. Purpose test: are you pursuing a legitimate interest?
  2. Necessity test: is the processing necessary for that purpose?
  3. Balancing test: do the data subjects’ interests override your legitimate interest?

A wide range of interests may be legitimate interests. They can be your own interests or the interests of the third parties with whom information is shared. They may be compelling or trivial, but trivial interests may be more easily overridden in the balancing test.

Typical legitimate interests are the use of client or employee information for fraud prevention, intra-group transfers, or IT security. You will also have a legitimate interest in disclosing information about possible criminal acts or security threats to the authorities.

‘Necessary’ means that the processing must be a targeted and proportionate way of achieving your purpose. You cannot rely on legitimate interests if there is another reasonable and less intrusive way to achieve the same result.

You must balance your interests against the data subject’s interests. In particular, if they would not reasonably expect you to use information in that way, or it would cause them unwarranted harm, their interests are likely to override yours. However, your interests do not always have to align with the data subject’s interests. If there is a conflict, your interests can still prevail as long as there is a clear justification for the impact on the data subject.

When can we rely on legitimate interests?

Legitimate interests is the most flexible lawful basis, but you cannot assume it will always be appropriate for all of your processing.

If you choose to rely on legitimate interests, you take on extra responsibility for ensuring data subjects' rights and interests are fully considered and protected.

Legitimate interests is most likely to be an appropriate basis where you use information in ways that data subjects would reasonably expect and that have a minimal privacy impact. Where there is an impact on data subjects, it may still apply if you can show there is an even more compelling benefit to the processing and the impact is justified.

You can consider legitimate interests for processing children’s information, but you must take extra care to make sure their interests are protected.

You may be able to rely on legitimate interests in order to lawfully disclose personal information to a third party. You should consider why they want the information, whether they actually need it, and what they will do with it. You need to demonstrate that the disclosure is justified, but it will be their responsibility to determine their lawful basis for their own processing.

You should avoid using legitimate interests if you are using personal information in ways people do not understand and would not reasonably expect, or if you think some people would object if you explained it to them. You should also avoid this basis for processing that could cause harm, unless you are confident there is nevertheless a compelling reason to go ahead which justifies the impact.

If you are a public authority, you cannot rely on legitimate interests for any processing you do to perform your tasks as a public authority. However, if you have other legitimate purposes outside the scope of your tasks as a public authority, you can consider legitimate interests where appropriate. This will be particularly relevant for public authorities with commercial interests.

How can we apply legitimate interests in practice?

If you want to rely on legitimate interests, you should conduct the three-part legitimate interests assessment (LIA) and you should do so before you start the processing.

An LIA is a type of light-touch risk assessment based on the specific context and circumstances. It will help you ensure that your processing is lawful. Recording your LIA will also help you demonstrate compliance in line with your accountability obligations. In some cases an LIA will be quite short, but in others there will be more to consider.

First, identify the legitimate interest(s). Consider:

  • Why do you want to process the information – what are you trying to achieve?
  • Who benefits from the processing? In what way?
  • Are there any wider public benefits to the processing?
  • How important are those benefits?
  • What would the impact be if you couldn’t go ahead?
  • Would your use of the information be unethical or unlawful in any way?

Second, apply the necessity test. Consider:

  • Does this processing actually help to further that interest?
  • Is it a reasonable way to go about it?
  • Is there another less intrusive way to achieve the same result?

Third, do a balancing test. Consider the impact of your processing and whether this overrides the interest you have identified. You might find it helpful to think about the following:

  • What is the nature of your relationship with the data subject?
  • Is any of the information particularly sensitive or private?
  • Would data subjects expect you to use their information in this way?
  • Are you happy to explain it to them?
  • Are some data subjects likely to object or find it intrusive?
  • What is the possible impact on the data subject?
  • How big an impact might it have on them?
  • Are you processing children’s information?
  • Are any of the data subjects vulnerable in any other way?
  • Can you adopt any safeguards to minimise the impact?

You then need to make a decision about whether you still think legitimate interests is an appropriate basis. There’s no foolproof formula for the outcome of the balancing test – but you must be confident that your legitimate interests are not overridden by the risks you have identified.

Keep a record of your LIA and the outcome. It’s important to record your thinking to help show you have proper decision-making processes in place and to justify the outcome.

Keep your LIA under review and refresh it if there is a significant change in the purpose, nature or context of the processing.

If you are not sure about the outcome of the balancing test, it may be safer to look for another lawful basis. Legitimate interests will not often be the most appropriate basis for processing which is unexpected or high risk.

If your LIA identifies risks, consider whether you need to complete a PIIA to assess the risk and potential mitigation in more detail.

What else do we need to consider?

You must tell data subjects in your privacy information that you are relying on legitimate interests, and explain what these interests are.

If you want to process the personal information for a new purpose, you may be able to continue processing under legitimate interests as long as your new purpose is compatible with your original purpose. You should conduct a new LIA as this will help you demonstrate compatibility.