
Legitimate Interests Assessment

The three-part ICO test applied to each processing activity for which Senha Ltd t/a myBursary relies on legitimate interests (UK GDPR Article 6(1)(f)) as its lawful basis.

Completed: 22 February 2026 · Review due: February 2027 · UK GDPR Art. 6(1)(f)
What is a Legitimate Interests Assessment?

Where we rely on legitimate interests (UK GDPR Article 6(1)(f)) as our lawful basis for processing personal data, the ICO requires that we carry out a three-part test: (1) identify a legitimate interest; (2) show that processing is necessary to achieve it; and (3) conduct a balancing test confirming that the individual's rights do not override that interest. This document records that assessment for each relevant activity.
Overview

Methodology

Each assessment below follows the ICO's recommended structure as set out in the Legitimate interests guidance (ico.org.uk, updated 2023). The three steps are applied in sequence; if any step is not satisfied, processing cannot rely on this basis and an alternative lawful basis (or abstention from processing) is required.

| Step | Question | Outcome if not met |
|---|---|---|
| 1 — Purpose test | Is there a legitimate interest being pursued? | Cannot rely on Article 6(1)(f) |
| 2 — Necessity test | Is the processing necessary to achieve that interest? Are there less privacy-intrusive means? | Must use least-intrusive method; cannot rely on Article 6(1)(f) for the more intrusive option |
| 3 — Balancing test | Do the individual's interests, rights, or freedoms override the legitimate interest? | Cannot rely on Article 6(1)(f); must use a different lawful basis or cease processing |

This assessment was completed by the Data Protection contact at Senha Ltd on 22 February 2026 and is subject to annual review, or earlier review if the nature of the processing changes materially. To exercise your right to object to any of the processing described below, see the Right to object section.

01

CDN resource loading

When visitors load any page on mybursary.org, their browser makes requests to third-party servers to retrieve fonts, CSS, and security-verification scripts. These requests transmit the visitor's IP address and browser user-agent to the third-party server. No cookies are set by any of these services.

Google Fonts (fonts.googleapis.com / fonts.gstatic.com)

1. Purpose

Delivering professional typefaces (Syne, Plus Jakarta Sans, JetBrains Mono) that constitute the visual identity of the myBursary brand and ensure consistent, accessible typography for all users regardless of the fonts installed on their device. A well-designed interface is directly relevant to user trust in a service handling sensitive financial data about students.

Outcome: Satisfied

2. Necessity

The fonts could be self-hosted, which would eliminate the third-party connection entirely. We have assessed self-hosting as technically feasible and intend to implement it as an enhancement. In the interim, Google's documented stance is that font requests are not used for advertising profiling and that IP addresses are anonymised within a short period after collection. The data transferred (IP address, user-agent, referrer origin) is the minimum required for HTTP font delivery. No alternative font format would satisfy the design requirement with less data transfer.

Action: Self-hosting of Google Fonts is recorded as a planned improvement to eliminate this third-party connection. This LIA should be updated when self-hosting is implemented.

Outcome: Provisionally satisfied — improvement planned

3. Balancing

Nature of the interest: Commercial and reputational interest in a well-presented service; indirectly supports user trust in a security-sensitive product.

Impact on individuals: Low. The data processed (IP address, user-agent) is processed transiently and is not used for any form of individual profiling or advertising. No persistent identifiers are set. Google confirms that font delivery logs are not linked to individual Google accounts.

Reasonable expectation: Visitors to a modern commercial website can reasonably expect that web fonts will be loaded from external servers; this is ubiquitous industry practice disclosed in this policy.

Conclusion: The limited, transient nature of the data processing and the absence of any profiling or persistent tracking means that individuals' privacy interests do not override the legitimate interest.

Outcome: Satisfied

Bootstrap CDN (cdn.jsdelivr.net)

1. Purpose

Delivering the Bootstrap CSS framework and Bootstrap Icons font set required for the site's layout, components, and iconography. These are integral to the functioning and accessibility of the user interface.

Outcome: Satisfied

2. Necessity

Bootstrap could be self-hosted. jsDelivr, as a public CDN, provides the practical benefit of cross-site browser caching (a user who has visited another Bootstrap site may have the files cached) and CDN-optimised delivery. jsDelivr's privacy policy states that access logs are anonymised and not used for tracking. Data transmitted is limited to IP address and user-agent.

Action: Self-hosting of Bootstrap is recorded as a planned improvement.

Outcome: Provisionally satisfied — improvement planned

3. Balancing

The same analysis as Google Fonts applies. jsDelivr does not set persistent cookies, does not build individual profiles, and anonymises access logs. The impact on individuals is low and the processing is proportionate to the purpose.

Outcome: Satisfied

Cloudflare Turnstile (challenges.cloudflare.com)

1. Purpose

Protecting login, sign-up, and password-reset forms from automated credential-stuffing, account-takeover, and mass-registration attacks. myBursary processes sensitive personal and financial data about students. Compromise of any account could expose this data. Bot protection is a direct security measure for the data subjects' own benefit.

Outcome: Satisfied

2. Necessity

Cloudflare Turnstile operates by making a server-side verification call to Cloudflare's API. There is no self-hosted alternative that provides equivalent bot-detection capability without an external data processor. Self-hosted CAPTCHAs (e.g. image challenges) provide significantly weaker protection against modern automated attacks and impose friction on legitimate users. The processing of request characteristics (IP address, browser signals) by Cloudflare is the minimum necessary to perform bot-detection. Cloudflare's privacy documentation confirms that Turnstile data is not used for advertising.

Outcome: Satisfied

3. Balancing

Nature of the interest: Security protection — directly preventing unauthorised access to accounts containing sensitive student personal and financial data. This also satisfies the Processor's obligation under UK GDPR Article 32 to implement appropriate technical security measures.

Impact on individuals: Low to moderate. Browser behavioural signals and IP address are analysed, but only to distinguish humans from bots. Cloudflare does not use Turnstile data for advertising or cross-site profiling. The analysis is transient and decision-focused.

Reasonable expectation: Users of a cloud application storing sensitive personal data have a reasonable expectation that the service operator will take measures to protect their accounts, including bot-prevention mechanisms on authentication flows.

Conclusion: The security interest — protecting user accounts and sensitive student data — clearly outweighs the limited and transient privacy impact of the bot-detection analysis. The balancing test is satisfied.

Outcome: Satisfied
Overall conclusion for LIA 1. All three CDN connections satisfy the three-part test. Processing may proceed on the legitimate interests basis. The planned actions to self-host Google Fonts and Bootstrap are recorded and should be implemented to further strengthen the privacy position.
02

Website analytics

Where Google Analytics 4 is enabled (controlled by the GOOGLE_ANALYTICS_ID configuration), pageview and interaction data is collected from visitors to mybursary.org. Analytics cookies (_ga, _ga_*) are set only when the visitor explicitly chooses Accept all via the cookie consent banner. This LIA covers the legitimate interest relied upon to offer and describe this processing; the consent mechanism provides an independent additional lawful basis where consent is given.

1. Purpose

Understanding in aggregate how visitors navigate mybursary.org — which pages are most visited, where users drop off, which features are most used — to make evidence-based decisions about product development, UX improvements, and content prioritisation. This serves the commercial interest of Senha Ltd in improving its product, and indirectly benefits users by improving the platform they use.

Outcome: Satisfied

2. Necessity

Less privacy-intrusive analytics alternatives exist (e.g. server-side log analysis, privacy-first analytics tools such as Plausible or Fathom that do not use cookies and do not require consent). We have assessed these alternatives and the following safeguards have been applied to make the current implementation as privacy-preserving as possible:

  • IP anonymisation enabled (anonymize_ip: true)
  • No advertising features or remarketing lists enabled
  • Data retention set to the minimum available period
  • No cross-device tracking or linking to Google accounts
  • Processing restricted to aggregate traffic analysis
  • Analytics cookies only set after explicit user consent ("Accept all")

Action: Migration to a privacy-first, cookie-free analytics tool is under evaluation. If implemented, this LIA will be updated and the consent requirement removed for analytics.

Outcome: Satisfied with safeguards — improvement under evaluation

3. Balancing

Nature of the interest: Commercial interest in product improvement; moderate weight.

Impact on individuals: Low to moderate without safeguards; reduced to low with safeguards applied. Visitors are not individually profiled. Data is aggregated. IP addresses are anonymised before any reporting.

Reasonable expectation: Visitors to a commercial website can reasonably expect that aggregate usage analytics may be collected; this is a near-universal practice disclosed in the cookie policy.

Consent mechanism: Analytics cookies are additionally gated behind explicit consent ("Accept all"), providing a stronger safeguard beyond the minimum required by this LIA. Visitors who choose "Essential only" are not tracked.

Conclusion: With IP anonymisation, no advertising use, consent gating, and the option to object (see below), the legitimate interest is not overridden.

Outcome: Satisfied
03

Direct marketing to existing customers

Senha Ltd sends product update emails, feature announcements, maintenance notices, and relevant industry guidance to staff contacts at subscribing institutions. This processing uses work email addresses provided during onboarding.

1. Purpose

Keeping existing customers informed of changes that affect their use of myBursary: new features relevant to their workflow, security patches requiring action, scheduled maintenance windows, and changes to legal documents (Privacy Policy, DPA, Terms). This serves both the commercial interest of Senha Ltd (customer retention, product adoption) and the customers' own operational interest (staying informed about a service they rely on for regulatory compliance).

Outcome: Satisfied

2. Necessity

Email is the necessary channel for time-sensitive operational communications (e.g. security patches, maintenance windows, policy changes with notice periods). Communications are limited to matters directly relevant to the subscription and are not combined with third-party marketing. Each email includes a clear opt-out mechanism. Volume is kept to the minimum necessary.

Outcome: Satisfied

3. Balancing

Nature of the interest: Commercial (customer retention) and operational (keeping subscribers informed of a service they are actively using for regulatory compliance). Strong weight given the B2B context.

Existing relationship: Recipients are active subscribers with an ongoing commercial relationship. The ICO's direct marketing guidance and PECR Regulation 22 (soft opt-in) specifically recognise that marketing to existing customers about similar products/services they have purchased is a well-established legitimate practice.

Impact on individuals: Low. Only work email addresses of staff contacts are used. Messages are directly relevant to the service. Opt-out is straightforward and always honoured immediately.

Conclusion: The existing customer relationship, the relevance of the communications to the subscribers' operational needs, and the ease of opt-out all mean that the legitimate interest is not overridden.

Outcome: Satisfied
04

Error and performance monitoring

The application uses an error monitoring service (Sentry) to automatically capture software exceptions, performance anomalies, and infrastructure errors. This enables the engineering team to diagnose and resolve issues that affect service reliability.

1. Purpose

Maintaining the reliability, performance, and security of the myBursary platform. Error monitoring enables rapid identification and resolution of software defects that could affect data integrity, accessibility of the service, or security. This directly serves the interest of users in receiving a functioning, reliable service for managing time-sensitive bursary processes.

Outcome: Satisfied

2. Necessity

Error monitoring is an industry-standard, widely recognised component of operating a production cloud service. Manual log review alone is insufficient to provide timely detection of errors affecting users. The following safeguards reduce the privacy impact to the minimum necessary:

  • Sentry is configured with send_default_pii=False, preventing automatic capture of personally identifiable information
  • Application code explicitly scrubs any personal data (names, email addresses, student IDs) from error context before transmission
  • Only stack traces, error messages, and anonymised request context are sent

Outcome: Satisfied

3. Balancing

Nature of the interest: Service reliability and security — strong weight, particularly for a service handling sensitive student financial data where data loss or inaccessibility during application windows would cause real harm.

Impact on individuals: Very low. Personal data is scrubbed before transmission. Error reports contain technical context only. Users of a cloud service reasonably expect that technical monitoring will be in place.

Overlap with Article 32 obligation: UK GDPR Article 32 requires "a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures". Error monitoring is one implementation of this obligation, which provides further support for the necessity finding.

Conclusion: The legitimate interest is not overridden.

Outcome: Satisfied
05

Security monitoring and audit logging

The platform maintains comprehensive audit logs of all access to personal data: login events, application views, assessment decisions, data exports, and administrative actions. These logs record the user ID, timestamp, action taken, and affected records.

1. Purpose

(a) Security monitoring: Detecting unauthorized access, account compromise, anomalous data access patterns, and potential data breaches in real time, to protect the personal data of students and staff.

(b) Audit trail: Providing institutions with an immutable record of all bursary assessment decisions and actions for DfE compliance purposes and to satisfy the institutions' own audit requirements.

(c) Dispute resolution: Enabling investigation and resolution of disputes about data access or decisions.

Outcome: Satisfied

2. Necessity

Comprehensive audit logging is widely recognised as essential for any system processing sensitive personal data. The DfE's 16–19 Bursary Fund guidance requires that institutions maintain an audit trail of all award decisions. Log entries use pseudonymised user IDs rather than names where possible. Access to logs is restricted to authorised personnel only. Retention periods are defined and enforced (12 months live, 6 years archived — consistent with DfE audit requirements and the DPA).

Outcome: Satisfied

3. Balancing

Nature of the interest: Security and regulatory compliance — very strong weight. Audit logging directly protects data subjects (students) by enabling detection of misuse of their data, and directly serves their interest in having their applications assessed accurately and transparently.

Overlap with legal obligation: The audit trail component also satisfies a legal obligation under DfE guidance (UK GDPR Art. 6(1)(c)), providing a concurrent lawful basis for that specific purpose.

Impact on individuals: Moderate — logs record detailed action histories for users. Mitigated by: pseudonymisation where possible, strict access controls, defined retention periods, and restriction to authorised security and compliance personnel.

Reasonable expectation: Users of a platform processing sensitive personal data have a clear and reasonable expectation that access to that data will be logged for security and accountability purposes.

Conclusion: The security and compliance interests, the direct benefit to data subjects, and the reasonable expectation of logging in this context mean that the legitimate interest is not overridden.

Outcome: Satisfied
Rights

Right to object

Under UK GDPR Article 21, you have the right to object to processing based on legitimate interests at any time. On receipt of an objection, we must stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or where processing is necessary for the establishment, exercise, or defence of legal claims.

| Processing activity | How to object | Effect of objection |
|---|---|---|
| CDN resource loading (Google Fonts, Bootstrap CDN) | Use a content-blocking browser extension (e.g. uBlock Origin) to block requests to fonts.googleapis.com and cdn.jsdelivr.net | Site will render with system fonts and may have layout differences; core functionality is not affected |
| Cloudflare Turnstile (bot protection) | Block challenges.cloudflare.com via browser extension, or email [email protected] | Login and password-reset forms may not function; we will work with you to find an alternative access method where feasible |
| Website analytics | Select Essential only on the cookie consent banner, or install the Google Analytics opt-out add-on | No analytics cookies are set; your visit is not tracked in Google Analytics |
| Direct marketing to existing customers | Click Unsubscribe in any marketing email, or email [email protected] | Removed from marketing lists immediately; transactional and security emails (required for service delivery) continue |
| Error monitoring | Email [email protected] with details of your objection | We will assess whether compelling grounds exist (given the security necessity) and respond within one calendar month |
| Security and audit logging | Email [email protected] with details of your objection | Compelling grounds exist for this processing (security of personal data; regulatory compliance); however we will document and respond to your objection within one calendar month |
Sign-off

Review and sign-off

Assessment completed by: Data Protection contact, Senha Ltd t/a myBursary

Date of assessment: 22 February 2026

Next scheduled review: February 2027, or earlier if: (a) a new processing activity relying on legitimate interests is introduced; (b) the nature of an existing activity changes materially; or (c) guidance from the ICO materially changes the applicable test

Planned improvements recorded:
  • Self-hosting of Google Fonts and Bootstrap CDN (to eliminate LIA 1 CDN connections)
  • Evaluation of privacy-first analytics tool (to eliminate LIA 2 or remove consent requirement)

Questions about this assessment

[email protected]
We aim to respond to all privacy queries within 5 working days.
ICO Registration number: ZC012206
© 2026 Senha Ltd t/a myBursary · Not affiliated with the Department for Education