The GDPR sets out six lawful bases for processing personal data.  Unless an exemption applies, at least one of these will apply in all cases, and it is possible for more than one to apply at the same time.  One of the new requirements for Privacy Notices is that you must set out in the Privacy Notice which lawful basis you are relying on.  For most councils, the relevant ones will be:

1 – Consent (but not for staff, councillors and other role holders),

2 – Compliance with a legal obligation (which includes performance of statutory obligations),

3 – Contractual necessity (for example with contractors), etc.

Slightly different lawful bases apply in each of the sample Privacy Notices as some will only apply to staff, councillors and other role holders.

In many situations, more than one lawful basis may apply.  For example, a council may be processing personal data about a staff member in connection with an employment contract and at the same time have a legal obligation to process the same personal data.

The six lawful bases for processing personal data under the GDPR are:

Consent

A controller must be able to demonstrate that consent was given.  Transparency is key: consents given in written declarations which also cover other matters must be clearly distinguishable, and must be intelligible, easily accessible and in clear and plain language.  

Consent is defined as any freely given, specific, informed and unambiguous indication of the data subject’s wishes – either by a statement or by a clear affirmative action.

Legitimate interests

This involves a balancing test between the legitimate interests of the controller (or of a third party) and the interests or fundamental rights and freedoms of the data subject – in particular where the data subject is a child.  The privacy policy of a controller must inform data subjects about the legitimate interests that are the basis for the balancing of interests.

Councils and parish meetings are public authorities and under the GDPR public authorities cannot rely on legitimate interests as a legal basis for processing personal data.

Contractual necessity 

Personal data may be processed if the processing is necessary in order to enter into or perform a contract with the data subject (or to take steps prior to entering into a contract). 

Compliance with legal obligation

Personal data may be processed if the controller is legally required to perform such processing e.g. complying with the requirements of legislation. 

Vital Interests

Personal data may be processed to protect the ‘vital interests’ of the data subject e.g. in a life or death situation it is permissible to use a person’s medical or emergency contact information without their consent. 

Public interest

Personal data may be processed if the processing is necessary for the performance of tasks carried out by a public authority or private organisation acting in the public interest. 

Which lawful bases apply to councils?

As set out above, for most councils a number of different lawful bases will apply at the same time.  Often councils will be performing a task in the public interest or acting under a legal obligation (e.g. processing data in the exercise of a statutory power), and sometimes processing will be a result of contractual necessity.

How do I show that I am processing personal data lawfully?

For example, the lawful basis for processing the personal data contained in planning applications is ‘compliance with a legal obligation’.  This is because this processing activity is a requirement of legislation.  However, disclosure of a person’s details to a third party may require the individual’s consent.

When can I process ‘sensitive personal data’ (special category data)?

Sensitive personal data, which the GDPR refers to as ‘special category data’, means information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health, and sexual life.  

The GDPR adds the following additional categories: genetic data, biometric data and sexual orientation.  To process sensitive personal data, at least one of the conditions listed below must apply – and more than one of them can apply at the same time.

Data controllers need to establish a lawful basis for processing any personal data and, if they are processing sensitive personal data, they must also establish that at least one of the following conditions applies:

(i) Explicit consent of the data subject has been obtained (which can be withdrawn).

(ii) Employment law – if necessary for employment law or social security or social protection.

(iii) Vital interests – e.g. in a life or death situation where the data subject is incapable of giving consent.

(iv) Charities, religious organisations and not-for-profit organisations – to further the interests of the organisation on behalf of members, former members or persons with whom it has regular contact such as donors.  Please note councils and parish meetings cannot rely on (iv) as a lawful basis for processing sensitive personal data.

(v) Data made public by the data subject – the data must have been made public ‘manifestly’.

(vi) Legal claims – where necessary for the establishment, exercise or defence of legal claims or for the courts acting in their judicial capacity.

(vii) Reasons of substantial public interest – where proportionate to the aim pursued and the rights of individuals are protected.

(viii) Medical diagnosis or treatment – where necessary for medical treatment by health professionals, including assessing work capacity or the management of health or social care systems.

(ix) Public health – where necessary for reasons of public health, e.g. safety of medical products.

(x) Historical, statistical or scientific purposes – where necessary in the public interest for historical research, scientific research or statistical purposes.

In a council context the most relevant conditions for processing special category data are likely to be explicit consent from the person; employment law (for staff); or reasons of substantial public interest (in performing the public authority role of the council).