To help an Agency establish whether it would be safe for them to use Legitimate Interest for some of their processing, there is a useful article on the ICO website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/legitimate-interests/when-can-we-rely-on-legitimate-interests/
If an Agency decides to use Legitimate Interest to process data, the ICO states that:
“You need to include information about your lawful basis (or bases, if more than one applies) in your privacy notice. Under the transparency provisions of the GDPR, the information you need to give people includes:
your intended purposes for processing the personal data; and
the lawful basis for the processing.”
Also,
“You must include details of your legitimate interests in your privacy information.”
Under the Individual’s Right to be Informed, the ICO states that “When you collect personal data from the individual it relates to, you must provide them with privacy information (including the legitimate interests for the processing) at the time you obtain their data”.
The ICO also states: “You must inform individuals of their right to object ‘at the point of first communication’ and in your privacy notice.” This means that details on their right to object should also be included in the privacy policy.
Agencies can choose how to inform the individual of their privacy policy, perhaps by emailing them a link to their privacy policy or by using the Adapt workflow ‘Consent/Permission Request’ and using the Permission Type of ‘Privacy Policy’ to send a link to or copy of their privacy policy.
Once the individual has been informed, the Adapt Journal record will be updated. The Agency can also choose to record that they have contacted the individual and told them they are processing their data under Legitimate Interest.
Adapt has the following features to help Agencies follow the Legitimate Interest approach if required:
The Permission Request workflow can be used to send the Individual a copy of, or a link to, the Agency’s privacy policy, which includes details of its legitimate interest and of the Individual’s right to object. This can be sent to multiple Candidates by using the Batch function from a set of search results.
The Record Permission workflow can be used to record that the Individual has been sent a copy of, or a link to, the Agency’s privacy policy, which includes details of its legitimate interest and of the Individual’s right to object.
The Adapt Journal automatically records evidence that each workflow (including Record Permission) has been run, and can be used as an audit trail to prove the Agency has fulfilled the Individual’s Right to be Informed.
To check that everyone whose data you are processing has been informed of your legitimate interest, users can check Journal records, run searches or use reports to confirm that individuals have ‘Legitimate Interest’ selected in the field ‘Person informed data is being processed under’. This is currently set when running the Record Permission workflow.
Please see GDPR - Using the Legitimate Interest Approach in Adapt for more information.