Lawfulness: Conditions for Processing

In order to comply with our requirement to process Personal Data lawfully, we must be able to identify a ‘Condition for processing’ (sometimes referred to as a ‘Lawful Basis’ for processing).

The GDPR specifies two sets of ‘Conditions’ (much like the Data Protection Act), one for use where we are dealing with Special Category (Sensitive) Data and one set for ‘normal’ non-sensitive Data.

You should have firstly identified what type of data you are dealing with (and therefore be able to categorise it as normal or Special Category) and have defined the purpose for the processing.

You must have a valid condition in order to process personal data.

No single condition is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.

Most conditions require that processing is ‘necessary’. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.   

You must determine your condition for processing before you begin processing, and you should document it. Take care to get it right first time - you should not swap to a different lawful basis at a later date without good reason.

Your privacy notice should include your condition for processing as well as the purposes of the processing.

If your purposes change, you may be able to continue processing under the original condition if your new purpose is compatible with your initial purpose (unless your original lawful basis was consent). There may be possibilities to use (or reuse) data for research purposes which was not part of the original purpose (seek advice from the DPO in this instance)

The ICO have produced a useful tool to help assess what your legal basis for processing may be:

https://ico.org.uk/for-organisations/resources-and-support/getting-ready-for-the-gdpr-resources/lawful-basis-interactive-guidance-tool/

 

 

Conditions for 'normal' Personal Data

GDPR Condition

Explanation

Examples

a)    Consent of the Data Subject

If the Data Subject has consented (and fully understood what they were consenting to) then we can process the data accordingly.

Although consent is a powerful condition – it should not be your first choice as there are a number of specific requirements which may make it an incorrect or unsuitable condition (especially if there are other conditions which could be used)

See Consent Guidance

 

Consent will often be the only option in marketing activities. Marketing is unlikely to ever be necessary for (for example) a contract or as part of a legal requirement. It is (or should be) usually an ‘option’ – so consent will usually be appropriate.

b)   The processing is necessary for the performance of a contract with the data subject, or to take steps to enter a contract;

If we have a contract (or are intending to enter into a contract) with a Data Subject then it is likely we will need to process their personal data in order to fulfil our obligations in that contract.

Note, however that it only covers processing that is necessary for the contract – ask yourself could we still perform the contract without that particular processing activity?

A customer who books a wedding reception at Keele Hall will clearly enter into a contract with the University. In order for Keele to fulfil its obligations under that contract we will have to process the customer’s personal data – this condition can therefore be used.

c)    The processing is necessary for compliance with a legal obligation;

If, in order for us to comply with a legal obligation we are subject to, we must process a Data Subjects Personal Data, then this is a suitable condition to use. You should be specify the source of the legal obligation (e.g. cite the particular Act etc)

 

Keele may be required to share certain student’s data with external government bodies (e.g. UKVI).

d)   The processing is necessary to protect the vital interests of a data subject or another person;

This is very much a ‘life or death’ scenario – so for Keele it would be a very unusual condition to have to rely on (we would hope!), and would only really be used in an emergency.

 

 

e)   The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official duty vested in Keele (as the Data Controller)

Keele is classed as a ‘Public Authority’ for the purposes of the GDPR.

It follows therefore that many of the functions the university performs are done so as part of that public authority role and is therefore ‘in the public interest’. It is likely that we can use this condition for a processing activity which is necessary for the performance of our ‘public task’. There is a list of areas of the University’s activities which we would determine are clearly within our ‘public tasks’ at Schedule 1.

One of Keele core activities must be the provision of good quality teaching and learning. Activities directly related to the delivery of this goal may well rely on this condition.

f)     The processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

This condition can be considered as the flip side of condition e) above. The GDPR states that condition f) is not available to processing carried out by public authorities in the performance of their tasks.

This means that we cannot use this condition for any processing which is part of our ‘public tasks’. Of course this in practice shouldn’t be a difficulty because those public task activities could be covered by condition e) (or indeed another condition).

Any tasks that are deemed not to be part of our ‘public tasks’ therefore could rely on this condition.

The test for this condition is that the task is a valid, reasonable, legitimate task for the university to undertake and that this is balanced against any perceived risk to the data subjects.

 

Some activities in relation to alumni, conferences & events, and other commercial activities may qualify as non-core activities and could rely on this condition.

Note: the greyed out conditions are ones that are unlikely to be used by the University. Contact the DPO for further advice.

Conditions for 'sensitive' Personal Data

GDPR Condition Article 9 Paragraph 2

Explanation

Examples

a)    Explicit consent of the Data Subject (unless prohibited by law)

Similar to the consent condition for ‘normal’ data - although serious consideration should be given to a requirement that this consent must be clearly evidenced in writing or other demonstrable (digital?) means.

Consent is more likely to be the only option for processing Special Category Data – but it is still important that other options are explored before having to rely on consent.

Remember - consent must by definition be optional (i.e. they must be able to say no)

See Consent Guidance

 

Marketing purposes

 

b)   The processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement.

The most likely avenue under this condition is obligations under employment law.

It may also be relevant for areas of 'social protection'

Where we are obliged to carry out processing (that involves Special Category data) we can do so under this condition with safeguards

See Guidance on Policy Documents & Safeguards below

Processing special category data under for example Health & Safety at work legislation may fall in to this condition.

c)    The processing is necessary to protect the vital interests of a data subject or another individual where the data subject is physically or legally incapable of giving consent.

This is a similar condition to condition d) for ‘normal’ data i.e. life or death situations.

In emergency medical sitiations where patient consent is not possible / practical

d)   The processing is carried out by a not-for-profit body with a political, philosophical, and religious or trade union aim provided…

This condition is unlikely to apply to Keele, but is designed to allow not-for-profit bodies who have to deal with special category data by virtue of what they are (e.g. trade unions have to deal with personal data that evidences the data subjects membership of a trades union.)

 

e)   The processing relates to personal data manifestly made public by the data subject.

This is fairly self-explanatory. If the data subject has themselves, voluntarily made the Special Category data public, then we can rely on this condition to process that information. Please seek advice from the DPO if in any doubt on this point.

 

e.g. data posted on publically accessible websites/social media or other media

f)     The processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity.

Unlikely to be used as a general condition, but in exceptional circumstances where legal action is involved / contemplated

 

g)    The processing is necessary for reasons of substantial public interest and is authorised by domestic law (the UK domestic law applicable here is Sch 2 Part 2 of the DPA18 - see table below)

This condition is available for specific activities as detailed in the Table below.

There may also be an appropriate policy document in place when relying on this condition

See Guidance on Policy Documents & Safeguards below

 

See examples in table below

h)   The processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of domestic law (Sch 1 Part 1 Para 2 of DPA18) or pursuant to contract with a health professional and subject to the conditions and safeguards.

Note that this must be ‘necessary’.  It will possibly overlap with conditions b) with respect to occupational health / assessment of the working capacity.

It includes:

a) Preventative or occupational medicine;
b) the assessment of the working capacity of an employee;
c) medical diagnosis;
d) the provision of health care or treatment;
e) the provision of social care;
f) the management of health care or social care systems or services.

See Guidance on Policy Documents & Safeguards below

 

Return to work processing involving assessment of medical data for fitness.

i)      The processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of domestic law (Sch 1 Part 1 paragraph 3) 

May be be used as a condition for the University in rare public health incidents

must be necessary for reasons of public interest in the area of public health and is carried out by or under the responsibility of a health professional or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

 

j)     The processing is necessary for archiving purposes in the public interest, or scientific and historical research purposes or statistical purposes

Likely to be used by the University for the archiving, research and statistical purposes

 

 

Most research projects involving processing sesitive personal data should be able to rely on this conditon

Substantial Public Interest conditions (Sensitive data condition (g))

**** Remember a ‘Policy Document’ is required for many of these conditions****

 

Substantial Public Interest Condition

Description

Possible uses at Keele

Statutory & government purpose

Processing necessary for the exercise of a function conferred by an enactment or rule of law (this could include a 'duty of care' obligation) AND is necessary for reason of substantial public interest

DPA18 Sch 1 Part 2 (6)

 

Administration of justice and parliamentary purposes

Processing necessary for the administration of justice

DPA18 Sch 1 Part 2 (7)

 

Equality of opportunity or treatment

Only for

  • Racial or ethnic data;
  • religious or philosophical beliefs;  
  • health data;
  • sexual orientation.

Processing is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained.

Exceptions (not allowed for):

  • Processing carried out for the purposes of measures or decisions with respect to a particular data subject (& is carried out without consent)
  • Is likely to cause substantial damage or distress
  • The data subject has given notice to Keele requiring us not to process this data.

 

DPA18 Sch 1 Part 2 (8)

Equality monitoring

Racial and ethnic diversity at senior levels of organisations

 

This is for data revealing racial or ethnic origin and is used as aprt of a process to identify suitable individuals to hold senior posts in the university in order to promote diversity. See the DPA18 for more details

DPA18 Sch 1 Part 2 (9)

 

Preventing or detecting unlawful acts

Processing necessary for the purposes of the prevention or detection of an unlawful act (+ without consent so as to not prejudice purposes) AND is necessary for reason of substantial public interest

DPA18 Sch 1 Part 2 (10)

May be relevant to some discipline cases (staff or students)

 

May be relevant to staff/student/visitor site security processing (criminal behaviour suspected)

 

Protecting the public against dishonesty

Processing necessary for protecting members of the public against:

  • Dishonesty, malpractice or other seriously improper conduct;
  • Unfitness or incompetence;
  • Mismanagement in the admin of a body;
  • Failures in services provided by a body or association

(+ without consent so as to not prejudice purposes) AND is necessary for reason of substantial public interest

DPA18 Sch 1 Part 2 (11)

May be suitable for fitness to practice (students or staff) type processing (but need to seek consent unless that would prejudice purpose)

 

Possible for certain staff discipline cases

Regulatory requirements relating to unlawful acts and dishonesty etc

 

DPA18 Sch 1 Part 2 (12)  

Journalism etc in connection with unlawful acts, dishonesty etc (includes academic, artistic and literary purposes)

 

Related to publication of the sensitive data

See DPA18 Sch 1 Part 2 (13)

 

Preventing fraud

 

DPA18 Sch 1 Part 2 (14)

 

Suspicion if terrorist funding or money laundering

 

DPA18 Sch 1 Part 2 (15)

 

Support for individuals with a particular disability or medical condition 

 

DPA18 Sch1 Part 2 (16)

 

Counselling etc

 

DPA18 Sch 1 Part 2 (17)

 

Safeguarding of children and of individuals at risk

 

DPA18 Sch 1 Part 2 (18)

 

Safeguarding of economic well-being of certain individuals

 

DPA18 Sch 1 Part 2 (19)

 

Insurance

 

DPA18 Sch 1 Part 2 (20)

 

Occupational Pensions

 

DPA18 Sch 1 Part 2 (21)

 

Political Parties

DPA18 Sch 1 Part 2 (22)

 

Elected representatives…

DPA18 Sch 1 Part 2 (23, 24, 25)

 

Publication of legal judgments

DPA18 Sch 1 Part 2 (26)

 

Anti-doping in sport

DPA18 Sch 1 Part 2 (27)

 

Standards of behaviour in sport

DPA18 Sch 1 Part 2 (28)

 

greyed out conditons are unlikely to be used at Keele

Policy Documents & Safeguards

When processing Special Category Personal Data for certain circumstances, there will be a requirement to have in place Policy Documents and/or other safeguards.

Policy Document

This document should:

  1. Explain Keele’s procedures for securing compliance with the principles of the GDPR
  2. Explain Keele’s policies relating to the retention and erasure of personal data being processed under this condition.
  3. Be retained, reviewed (and if appropriate updated) and made available to the ICO for a period of at least 6 months after the end of the relevant processing.

[Template Policy Document link to be added]

Record of Processing

The processing must be recorded on the relevant Asset Register