On 23 March 2026, the Information Commissioner’s Office (ICO) published new guidance on recognised legitimate interests (RLI), following changes introduced by the Data (Use and Access) Act 2025 (DUAA).
This marks a notable development in UK data protection law. RLI has been introduced as a new, standalone lawful basis under the UK GDPR, designed to provide greater certainty for certain types of processing that are considered to be in the public interest.
The ICO’s guidance explains how this new basis operates, when it can be used, and how it differs from the existing “legitimate interests” ground.
What are recognised legitimate interests?
RLI is a limited and prescriptive lawful basis for processing personal data. Unlike the standard legitimate interests basis, which allows organisations to define their own purposes (subject to a balancing test), RLI applies only to a fixed list of public interest purposes set out in legislation.
A key distinction is that no balancing test is required when relying on RLI. Parliament has already determined that the specified purposes are capable of outweighing individuals’ rights, removing the need for organisations to carry out a legitimate interests assessment.
However, organisations must still demonstrate that the processing is necessary and proportionate for the relevant purpose.
The recognised legitimate interest conditions
The ICO confirms that RLI can only be used where processing is necessary for one of five specific conditions:
Public task disclosures – sharing data with organisations performing official functions
National security, public security and defence
Emergencies
Crime prevention and detection
Safeguarding vulnerable individuals.
These categories are exhaustive and focus on clear public interest outcomes, rather than general commercial activity.
Key takeaways
No LIA required - organisations do not need to carry out a legitimate interests assessment when relying on RLI, reducing administrative burden
Not a compliance shortcut - all other UK GDPR obligations continue to apply, including transparency, fairness and data minimisation
Necessity remains central - processing must be genuinely required for the relevant condition and cannot be excessive
Optional use - organisations already relying on legitimate interests do not need to switch to RLI
Public authorities - generally cannot rely on RLI when performing statutory functions (where “public task” is more appropriate)
Individual rights preserved - individuals retain the right to object to processing.
Our views
RLI is a new lawful basis, but its scope is deliberately narrow
It removes the need for a balancing test, offering simplification and greater certainty in specific scenarios
It is most likely to be relevant where processing supports public interest objectives, such as crime prevention or safeguarding
Organisations must still comply with core data protection principles and maintain appropriate governance.
The content of this page is a summary of the law in force at the date of publication and is not exhaustive, nor does it contain definitive advice. Specialist legal advice should be sought in relation to any queries that may arise.