United Kingdom: Information Commissioner’s Office closes consultation on guidance on recognised legitimate interest under Data (Use and Access) Act

On 30 October 2025, the Information Commissioner’s Office (ICO) closes the consultation on draft guidance on recognised legitimate interest as a lawful basis for processing data. The draft guidance clarifies the recognised legitimate interest basis, how it differs from legitimate interests, and when it can be applied. Recognised legitimate interest is a new lawful basis for handling personal information under the UK General Data Protection Regulation, introduced by the Data (Use and Access) Act 2025. It is distinct from the existing legitimate interests basis and applies only where one of the five pre-approved conditions in the public interest is met. These conditions allow personal data to be processed for public task disclosure requests, national and public security or defence, emergencies, crime prevention and investigation, and safeguarding. Unlike the legitimate interests basis, organisations using recognised legitimate interests do not need to balance their purposes against people’s rights and freedoms, as the law has already done this. The main benefit is therefore greater certainty and reduced compliance burden when handling personal information for these specific purposes. However, organisations must still show that processing is necessary for the relevant condition and comply with all other data protection obligations. While recognised legitimate interest is narrower in scope than legitimate interests, it provides a secure lawful basis for certain public interest activities. Organisations already relying on legitimate interests for purposes that fall within these conditions do not need to change their lawful basis.