The Information Commissioner’s Office (ICO) has published guidance on the new ‘recognised legitimate interest’ basis, introduced by the Data (Use and Access) Act 2025.

As the guidance explains, ‘recognised legitimate interest’ is the newest lawful basis for handling personal information and – despite its name – differs in important respects from the ‘legitimate interests’ basis.

The most obvious difference is that the recognised legitimate interest basis does not require an organisation to engage in the balancing exercise of weighing up the interest pursued against a person’s rights, freedoms or interests. That is because, in effect, the balancing exercise has already been done, as the new law introduces a series of ‘pre-approved’ purposes which are deemed to be in the public interest.

Annex 1 of the UK GDPR sets out these pre-approved purposes, which involve the need to use personal information for the following reasons:

1. sharing it with another organisation that has requested it for their public task or official functions (the ‘public task disclosure request condition’);
2. safeguarding national security, protecting public security or for defence reasons (the ‘national security, public security and defence condition’);
3. responding to, or dealing with, an emergency situation (the ‘emergencies condition’);
4. preventing, detecting or investigating crimes, including the apprehension and prosecution of offenders (the ‘crime condition’); or
5. protecting the physical, mental or emotional well-being of people who need extra support to do this or protecting them from harm or neglect (the ‘safeguarding condition’).

The new guidance explores each of these in detail. Among other things, the ICO reminds organisations that they must demonstrate that it is necessary to use the personal information for the pre-approved purpose in question, meaning that it doesn’t have to be “absolutely essential” but must be “a targeted and proportionate way of achieving the pre-approved purpose”.

The ICO also makes clear that “recognised legitimate interest is a lawful basis and not an exemption”; other provisions of data protection law, such as transparency and accountability, still apply.

To read the guidance in full, click here.