Article 6 of the UK General Data Protection Regulation (UK GDPR) sets out the lawful bases for processing activities within your organisation. There are six lawful bases, and at least one of them must apply before any personal data is processed.
In this article we provide examples for each lawful basis to help you assess which is the most appropriate. However, if you require help, our specialist data protection solicitors can assist in assessing your organisation’s legitimate interests, as well as completing Legitimate Interest Assessments and Data Protection Impact Assessments to record your compliance with the UK GDPR.
Lawful Bases
Consent
This is where the data subject has given a freely given, specific, informed and unambiguous indication of his or her wishes by which, by a statement or by a clear affirmative action, he or she signifies agreement to the processing of personal data relating to him or her.
Often, organisations believe this to be the easiest lawful basis to rely on, as it doesn’t require much thought and is very easy to obtain. This could not be further from the truth. In fact, consent is one of the most complex lawful bases to rely on. Many employers, unfortunately, have historically relied on consent but failed to consider the imbalance in the relationship between an employer and an employee. In 2019, the Greek Data Protection Authority (GDPA) (the Supervisory Authority of Greece, equivalent to the ICO) fined PwC €150,000 after it wrongly used consent as the basis for processing its employees’ personal data. The GDPA took heed of the Article 29 Working Party Guidelines on consent, which state: “…given the dependency that results from the employer/employee relationship, it is unlikely that the data subject is able to deny his/her employer consent to data processing without experiencing the fear or real risk of detrimental effects as a result of a refusal. It is unlikely that an employee would be able to respond freely to a request for consent from his/her employer to, for example, activate monitoring systems such as camera observation in a workplace, or to fill out assessment forms, without feeling any pressure to consent…”
A good example of using consent as a lawful basis would be where the Talent function of your organisation wishes to retain a candidate’s personal data in case of future suitable job opportunities, when there is no offer of employment. This is where consent should be sought and then re-confirmed after a certain period of time has elapsed. If that candidate later wishes, they can request that their personal data be deleted from the database, thereby withdrawing consent.
If you rely on consent, it’s also essential to keep proper records, as stipulated by Article 7(1): “…where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data…”
Performance of contract
This is where the processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
The following are examples where performance of contract may be an appropriate lawful basis:
- billing information to supply services to an individual
- an employer, as controller, fulfilling its obligations under an employment contract with an employee
- an insurance company processing personal data to prepare a quotation
The ICO guidance provides the following as examples where performance of contract would not be an appropriate lawful basis:
- if you need to process one person’s details but the contract is with someone else
- if you collect and reuse personal data for your own business purposes, even if this is permitted under your standard contractual terms and is part of your funding model
- if you take pre-contractual steps on your own initiative, to meet other obligations, or at the request of a third party
The European Data Protection Board (EDPB) has issued guidelines on the processing of personal data under the lawful basis of performance of contract, although this is in the context of the provision of online services to data subjects.
Legitimate interest
This is where processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Legitimate interests is probably the most flexible lawful basis. The ICO guidance states that, should an organisation rely on legitimate interests, the controller must satisfy the three-part test:
- identify a legitimate interest;
- show that the processing is necessary to achieve it; and
- balance it against the individual’s interests, rights and freedoms
Your organisation would need to demonstrate that its compelling legitimate interest overrides the interests or the fundamental rights and freedoms of an individual. However, the ICO guidance also warns: “…you should avoid using legitimate interests if you are using personal data in ways people do not understand and would not reasonably expect, or if you think some people would object if you explained it to them. You should also avoid this basis for processing that could cause harm, unless you are confident there is nevertheless a compelling reason to go ahead which justifies the impact…”.
In essence, if your organisation wishes to rely on legitimate interests as a lawful basis, you can use the three-part test, in the form of the Legitimate Interests Assessment (LIA) available on the ICO's website, to assess whether it applies. An LIA is a light-touch risk assessment that helps to ensure your processing is lawful.
One example of where your organisation may be able to rely on legitimate interests is if you installed CCTV to protect your premises, or for the prevention and detection of crime. It’s necessary to conduct an LIA beforehand: it is exasperating to have to stop processing under this lawful basis because you did not initially consider whether the processing activity could override the data subjects’ rights and freedoms (it may also be necessary to conduct a data protection impact assessment (DPIA) for this type of processing activity). More information on the privacy implications of CCTV, along with answers to many other common questions, can be found in our FAQ guide to data protection.
You should note that legitimate interest may not be suitable where it’s likely that individuals would object to the data processing under this lawful basis.
Legal obligation
You can rely on this lawful basis if you need to process the personal data to comply with a common law or statutory obligation. It basically means that your organisation needs to process the personal data of an individual in order to comply with the law.
A good example is processing an employee’s tax code and national insurance information so that the appropriate amount of tax can be deducted from an employee’s wages. Another would be where a production order sealed by the court is served (in this scenario, the processing activity would be sharing).
It’s important to note that contractual obligations are not legal obligations: processing personal data to fulfil a contractual relationship falls under the lawful basis of performance of contract, not legal obligation. Many organisations get this wrong, simply because a breach of contractual obligations is a legal cause of action for which remedies can be sought in court.
Vital interests
This is where processing of personal data should be regarded as lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person.
An example would be where one of your employees suffers a life-threatening accident at work and is admitted to hospital: any medical information that could assist the hospital should be shared, as this disclosure would be necessary to protect that individual’s vital interests.
The UK GDPR states that vital interests might apply where you are processing on humanitarian grounds, such as monitoring epidemics, or where there is a natural or man-made disaster causing a humanitarian emergency. It also goes on to say that if you are processing an individual’s personal data to protect someone else’s life, you should try to use an alternative lawful basis unless no other is available.
Public interest
This is where the processing of personal data is necessary for:
- the administration of justice
- the exercise of a function of either House of Parliament
- the exercise of a function conferred on a person by an enactment or rule of law
- the exercise of a function of the Crown, a Minister of the Crown or a government department, or
- an activity that supports or promotes democratic engagement
An example of processing under this lawful basis would be where local authorities process an individual’s personal data for managing and enforcing Traffic Regulation Orders (TROs), which is part of the local authority’s public task function.
It’s unlikely that a commercial organisation would ever rely on this lawful basis, as it’s more catered towards public authorities that perform public functions.
Does lawful basis need to be included in your privacy policy?
In short, yes. The UK GDPR states that individuals must be informed about how your organisation processes their personal data and under what lawful basis. This means you would need to include these details in your privacy policy to show that personal data is being processed lawfully, fairly and in a transparent manner.
What happens if the reason for your processing changes?
In some cases, you could still continue to process under the original lawful basis, so long as the new purpose is compatible with your original purpose. The ICO provides a non-exhaustive list of the points you need to think about when considering whether the new purpose is compatible with the original purpose, such as:
- any link between your original purpose and the new purpose
- the context in which you collected the data, in particular, your relationship with the individual and what they would reasonably expect
- the nature of the personal data, e.g., whether it’s special category data or criminal offence data
- the possible consequences for individuals of the new processing; and
- whether there are appropriate safeguards, e.g., encryption or pseudonymisation
However, if you were originally relying on consent as a lawful basis, then you would need to obtain new consent covering the new purpose in relation to the change in processing activity, as consent must always be specific and informed.
Processing special category data
This is personal data that relates to an individual’s:
- Racial or ethnic origin
- Political affiliation
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Medical data
- Sex life and sexual orientation
If you are processing special category data at your organisation, you would need to identify a lawful basis for processing, and then a further condition for processing under Article 9 of the UK GDPR and Schedule 1 of the Data Protection Act 2018 (if applicable).
The ICO’s lawful basis tool helps those in business to assess which basis is most appropriate. However, we understand that it can be difficult to choose which lawful basis applies to your processing activities, and some even require risk assessments, but the team at Harper James are here to help.