Understanding the Data (Use and Access) Bill: A Guide for Data Protection Practitioners – What is recognised legitimate interest?

The UK government has introduced the Data (Use and Access) Bill (DUAB) to modernise how data is accessed, shared, and processed across both public and private sectors. This Bill forms part of a broader effort to make the UK a global leader in trusted data use, building upon the existing UK General Data Protection Regulation (UK GDPR). For data protection practitioners, the DUAB introduces important changes that could significantly impact how data is managed, particularly through the creation of a new lawful basis known as “Recognised Legitimate Interests.”

This guide explains Recognised Legitimate Interests, how they interact with the current legal framework, and what practical steps organisations need to take to ensure compliance and readiness.

The Current Lawful Bases Under UK GDPR

Under the UK GDPR, all data controllers must identify a lawful basis under Article 6 to process personal data. These include:

  1. Consent (Article 6(1)(a)) – Freely given, specific, informed and unambiguous indication of the data subject’s wishes.
  2. Contract (Article 6(1)(b)) – Necessary for the performance of a contract.
  3. Legal Obligation (Article 6(1)(c)) – Necessary to comply with a legal obligation.
  4. Vital Interests (Article 6(1)(d)) – Necessary to protect someone’s life.
  5. Public Task (Article 6(1)(e)) – Necessary to perform a task in the public interest or in the exercise of official authority.
  6. Legitimate Interests (Article 6(1)(f)) – Used by private entities when processing is necessary for legitimate interests, unless overridden by the data subject’s rights.

Importantly, public authorities are prohibited from using the legitimate interests basis (Article 6(1)(f)) when processing personal data to perform their official tasks. Instead, they typically rely on the public task, legal obligation, or vital interests bases.

What the DUAB introduces: recognised legitimate interests

Clause 70 of the DUAB amends Article 6 of the UK GDPR to introduce a new lawful basis: Recognised Legitimate Interests under Article 6(1)(ea). This provision applies only to private and third-sector organisations. It allows them to process data for a set list of purposes without conducting the usual “balancing test” that is required under Article 6(1)(f).

The specific recognised purposes are outlined in Schedule 4 of the Bill, and include:

  • Safeguarding vulnerable individuals (e.g., a housing association alerting a council about suspected abuse)
  • Crime prevention and detection (e.g., a retail company sharing CCTV footage with the police)
  • Responding to emergencies (e.g., a utility company sharing location data during a fire or flood, or an air ambulance sharing medical data with a hospital)
  • Public health protection (e.g., a private lab forwarding COVID testing results to a local authority)
  • Safeguarding national security or public safety (e.g., a telecoms provider reporting threats to law enforcement)

These categories reflect situations where the need to share or use data is generally recognised to serve the public interest. The government can also expand this list via secondary legislation.

How this impacts public sector organisations

While public bodies cannot rely on Recognised Legitimate Interests themselves, the DUAB provides indirect but meaningful benefits to them by improving the data-sharing environment.

In practice, this means:

  • Faster access to relevant data from private or third-sector partners who now have a clearer legal basis for sharing.
  • Improved multi-agency safeguarding efforts, where housing, health, and education organisations need to collaborate.
  • Reduced hesitancy among partners, such as charities or technology firms, who may have previously been unsure whether data sharing was permitted.

For example, a charity supporting victims of domestic abuse may feel more confident in sharing information with a local authority without the fear of breaching data protection laws.

Responsibilities of data controllers 

Even with the new provisions, data controllers must continue to uphold core data protection principles. Whether relying on existing lawful bases or Recognised Legitimate Interests, organisations must:

  • Clearly identify the appropriate lawful basis for each processing activity.
  • Ensure this basis is documented in Records of Processing Activities (ROPAs).
  • Update privacy notices to reflect any changes.
  • Maintain transparency with data subjects.

5 tasks for data controllers under the DUAB

  1. Review Lawful Bases: Reassess all current data processing activities to ensure the appropriate lawful basis is in use, especially in light of Recognised Legitimate Interests.
  2. Update Documentation: Amend Records of Processing Activities (ROPA) to reflect any lawful basis changes, especially where third-party data sharing may now occur more confidently.
  3. Amend Privacy Notices: Update public-facing privacy notices to explain any new or altered data uses and the legal grounds for doing so.
  4. Revisit Data Sharing Agreements: Review existing contracts and memoranda of understanding to ensure they account for any changes introduced by the DUAB.
  5. Train Relevant Staff: Educate teams—especially those handling safeguarding, compliance, and data partnerships—on the implications of Recognised Legitimate Interests and the correct procedures to follow.

Checklist: Updating Privacy Notices

  •  Is the lawful basis for each activity clearly stated?
  •  Have you included recognised legitimate interest purposes where relevant?
  •  Are all third-party recipients of personal data listed?
  •  Have you explained why data is being shared or processed?
  •  Is the notice written in clear, accessible language?

Checklist: Reviewing Data Sharing Agreements

  •  Does the agreement identify each party’s lawful basis?
  •  Is the sharing organisation using a recognised legitimate interest from Schedule 4?
  •  Are responsibilities for data subject rights (e.g., access, correction) clearly assigned?
  •  Are there terms covering security, retention, and breach notification?
  •  Have parties agreed on how transparency obligations will be met?

Final thoughts

The DUAB is a strategic development in the UK’s post-Brexit data governance landscape. While it does not radically alter the core principles of the UK GDPR, it provides much-needed clarity and confidence for private and third-sector organisations involved in public interest work.

The key message for data protection practitioners, especially those advising public sector bodies, is clear: the legal framework around data sharing is shifting, but accountability remains at the centre. Understanding the scope and application of Recognised Legitimate Interests will be crucial to navigating these changes and ensuring continued compliance.

 

By Nigel Gooding

LLM Information Rights Law & Practice. FBCS, PG Dip Information Rights Law and Practice, PG Cert Data Protection Law and Information Governance, PG Cert Management
