Clifford Chance

Talking Tech

The UK ICO's Recognised Legitimate Interest Guidance: under consultation

Data Privacy 12 September 2025

The UK Information Commissioner's Office (ICO) has several draft guidance documents open for consultation in September 2025. We've written a series of short overviews of some of this draft guidance – our overview page can be used to navigate to other summaries: Draft ICO guidance and consultations: September update.

Some of this guidance, alongside other guidance that is anticipated in the ICO's pipeline, will form an important part of understanding how to apply the Data (Use and Access) Act 2025 (DUA Act). (See also our briefing: UK Data Reform: What you need to know about the Data (Use and Access) Act.)

This article relates to draft Recognised Legitimate Interest Guidance. The consultation on this draft guidance closes on 30 October 2025. Responses can be submitted here. This sits alongside separate draft guidance on Recognised Legitimate Interest: Requesting Personal Information for your Public Tasks or Official Functions for organisations that have public tasks or official functions, such as public authorities, which is under consultation until 30 October 2025.

Overview

The DUA Act introduces a new legal basis for processing personal data under the UK GDPR: "recognised legitimate interests". This is distinct from the existing "legitimate interests" basis and is designed to give organisations greater confidence when processing data for certain pre-approved public interest purposes. Under the DUA Act, these include processing necessary for: (i) making a disclosure of personal data in response to certain requests made by bodies acting in the public interest; (ii) national security, public security and defence purposes; (iii) responding to or dealing with an emergency situation; (iv) the detection, investigation or prevention of crime; or (v) the safeguarding of vulnerable individuals.

Once these provisions enter into force (on such day as the Secretary of State may appoint by regulation), processing based on 'recognised legitimate interests' will satisfy the UK GDPR requirement to process personal data under a legal basis without the need to conduct a 'balancing test'. The Secretary of State may make regulations adding to, or varying, these 'recognised legitimate interests'.

The ICO’s draft guidance, which will be supplemented by a shorter summary version and updates to existing legal basis guidance, explains how reliance on "recognised legitimate interests" works in practice, including emphasising that:

  • organisations must satisfy themselves that using the data is necessary for the particular, recognised legitimate interest, and must identify and document which recognised legitimate interest(s) they consider applicable to particular processing;
  • the right to object applies (but is not an absolute right);
  • other data protection requirements apply, e.g., transparency requirements need to be met, and data minimisation and purpose limitation principles should still be considered;
  • it is not a suitable legal basis for significant automated decision-making (as per the new Art 22B(4) of the UK GDPR); and
  • additional conditions must be met for special category data processing and criminal offence data.

The draft guidance provides examples of acceptable use cases and clarifications regarding expected steps. For example:

  • For public task disclosure requests, the draft guidance states that the organisation requesting the disclosure must tell the controller that it needs the personal information in connection with a public task or other power given to it by UK law (without needing to specify what these are) and specify the information needed. The controller can rely on this declaration, and its considerations as to what information is necessary and proportionate would be made by reference to the scope of the request. The ICO recommends audit trails for such disclosures as a way of meeting accountability requirements.
  • In relation to the 'crime condition', the draft guidance states that if this involves handling criminal offence data, the controller must also meet the requirements of Article 10 UK GDPR, but adds: "…if your purpose for using people’s personal information satisfies the crime condition, it’s likely this will also satisfy an appropriate condition from the DPA for processing criminal offence data." In some circumstances, personal information about people other than offenders might be covered by this condition (e.g., victims or witnesses of crime) – the draft guidance clarifies that their personal information is not criminal offence data.
  • For the 'safeguarding condition', the clarifications in the draft guidance include: (i) the legal obligation lawful basis is likely to be more suitable if a controller needs to handle personal information for safeguarding to comply with a law; (ii) it is necessary to check specific definitions such as 'safeguarding', 'vulnerable individual' and 'at risk' to check whether the relevant criteria are met – and be aware that someone's circumstances may change such that the definitions are no longer met (in which case another legal basis may become appropriate, e.g., legitimate interests, which would require a balancing test).

Key takeaways

Organisations that are subject to UK data protection law should:

  • Review their data processing activities to identify those for which the new legal basis of 'recognised legitimate interest' may be appropriate and record these decisions.
  • Keep these assessments under review for ongoing processing, remembering that circumstances can change in a way that can impact continued applicability of a legal basis (e.g. in relation to data processing for the safeguarding of vulnerable individuals).
  • Remember to make follow-on changes to reflect any reliance on this legal basis – including updating privacy notices and records of processing activities.
  • Consider whether to respond to the consultation (which closes on 30 October 2025).
  • Monitor the DUA Act commencement regulations as they are made, to understand when organisations will be able to begin relying on the new legal basis of 'recognised legitimate interest'.
  • Monitor the ICO website for the final guidelines. The ICO has indicated that they aim to make these available by January 2026.