Processing Personal Data Lawfully

In another blog, we covered the meaning of ‘personal data’ (linked here) under the UK General Data Protection Regulation (GDPR) and in this blog we will discuss how to process personal data lawfully and in compliance with the GDPR.

‘Processing’ personal data means any operation or set of operations which is performed on personal data or on sets of personal data, including collection, recording, organisation, storage, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure and destruction.

Organisations must have a valid lawful basis in order to process personal data under Article 6 of the GDPR. These bases are set out below and at least one of these must apply in order for organisations to process personal data lawfully:

  • Consent: the individual has given clear consent for the organisation to process their personal data for a specific purpose.
  • Contract: the processing is necessary for a contract the organisation has with the individual, or because they have asked the organisation to take specific steps before entering into a contract.
  • Legal obligation: the processing is necessary for the organisation to comply with the law (not including contractual obligations).
  • Vital interests: the processing is necessary to protect someone’s life.
  • Public task: the processing is necessary for the organisation to perform a task in the public interest or for its official functions, and the task or function has a clear basis in law.
  • Legitimate interests: the processing is necessary for the organisation’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply to public authorities processing personal data to perform their official tasks.)

Many of the above lawful bases depend on the processing being “necessary”. This does not mean that processing has to be absolutely essential. However, it must be more than just useful, and more than just standard practice. It must be a targeted and proportionate way of achieving a specific purpose. The lawful basis will not apply if the organisation can reasonably achieve the purpose by some other less intrusive means, or by processing less data. The question is whether the processing is objectively necessary for the stated purpose.

Which lawful basis applies will depend on the organisation’s specific purposes and the context of processing. Organisations should think about why they want to process the personal data and consider which lawful basis best fits their circumstances.

When relying on the lawful basis of legitimate interests, organisations must also conduct a Legitimate Interest Assessment (“LIA”), which is discussed further in our blog here.

Special Category Data

Where organisations are processing special category data (e.g. personal data concerning someone’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, sex life or sexual orientation), they must identify both a lawful basis for processing and a special category condition for processing under Article 9 of the GDPR. These include:

  • The individual has granted their explicit consent;
  • Complying with certain employment, social security and social protection laws;
  • Protecting a person’s vital interests where they are unable to consent;
  • Certain processing performed by not-for-profit bodies (although only in very strict circumstances);
  • Where the data has been manifestly made public by the individual in question;
  • Processing which is necessary for pursuing or defending legal claims, or where courts are acting in their judicial capacity;
  • Processing is necessary for the substantial public interest with a basis in law (the Data Protection Act 2018 sets out circumstances where this might apply);
  • Processing is necessary for certain health or social care functions;
  • Processing is necessary for reasons of public health; and
  • Processing is necessary for archiving, research and statistics.

Organisations should consider the exact requirements in the legislation carefully when trying to determine if any of the above conditions apply to their processing.

Criminal Convictions Data

Where organisations are processing criminal convictions data, they may only do so where they have a lawful basis and (a) are processing under the control of an official authority or (b) the processing meets one of the conditions contained within Schedule 1 of the Data Protection Act 2018. Many organisations will process criminal convictions data under a Schedule 1 condition. These include:

  • Complying with certain employment, social security and social protection laws;
  • The processing is necessary for certain health or social care purposes;
  • The processing is necessary for public health purposes subject to certain requirements being met;
  • The processing is necessary for certain statutory and government purposes;
  • The processing is linked to preventing or detecting unlawful acts;
  • The processing is linked to protecting the public against dishonesty;
  • Preventing fraud;
  • Safeguarding of children and individuals at risk;
  • The processing involves certain disclosures to elected representatives; and
  • The processing is linked to raising or defending legal claims.

Organisations should consider the exact requirements in the legislation carefully when trying to determine if any of the above conditions apply to their processing.

Appropriate Policy Document (APD)

Certain conditions for processing Special Category Data and Criminal Convictions Data also require organisations to have an APD in place which outlines, amongst other things, retention policies and measures being taken to ensure the security of the special category data and/or criminal convictions data.

We have an experienced team that are able to advise on all issues relating to data protection. Please contact our team here if you would like more information or advice.

Claudia White

Trainee Solicitor