Processing Personal Data
What are the lawful bases for processing of personal data?
Under the General Data Protection Regulation, the Â鶹´«Ã½ must have a valid lawful basis in order to process personal data and, in most cases, will also need to be satisfied that it is ‘necessary’ to process personal data to achieve the purpose.
There are six lawful bases for processing:
1. Public task – this means that the processing is necessary for the Â鶹´«Ã½ to perform a task in the public interest or as part of its official functions.
2. Legitimate interests - the processing is necessary for the legitimate interests of the Â鶹´«Ã½ or a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
The purpose of the Â鶹´«Ã½, set out in its Royal Charter, is to advance learning and knowledge by teaching and research to the benefit of the wider community. So, in most cases, the Â鶹´«Ã½ will rely on ‘public task’ and ‘legitimate interests’ as the lawful basis for processing.
3. Contract – the processing is necessary for a contract the Â鶹´«Ã½ has with the individual, or because they have asked the Â鶹´«Ã½ to take specific steps before entering into a contract. When relying on a contract as the legal basis, any processing of personal data must be targeted and proportionate.
4. Legal obligation – the processing is necessary for the Â鶹´«Ã½ to comply with the law (not including contractual obligations). This can relate to legal, regulatory and other compliance obligations, as well as matters such as the prevention or detection of crime.
5. Vital interests – the processing is necessary to protect the vital interest of someone, in other words, to protect someone’s life.
6. Consent – the individual has given clear consent for the Â鶹´«Ã½ to process their personal data for a specific purpose.
Special category data
Special category data is personal data that is more sensitive and needs more protection. In order to lawfully process special category data, the Â鶹´«Ã½ must have a lawful basis as well as an additional condition for processing.
Special category data relates to:
- Racial or ethnic origin,
- Political opinions,
- Religious or philosophical beliefs,
- Trade Union membership,
- Genetic data
- Biometric data (where used for ID purposes)
- Physical and mental health, and
- Sex life or sexual orientation.
There are ten conditions which allow the processing of special categories of personal data. The most relevant in the context of the Â鶹´«Ã½ are set out below:
a) The individual has given explicit consent to processing for one or more specified purposes. In most cases, the Â鶹´«Ã½ will process special category data on this basis;
b) Processing is necessary in relation to employment, social security and social protection law;
c) Processing is necessary to protect the vital interests of a person, where they are physically or legally incapable of giving consent;
d) Processing relates to personal data which is already in the public domain;
e) Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
f) Processing is necessary for preventive or occupational medicine, for example, assessment the working capacity of the employee and providing health or social case.
Further information about the legal basis for processing personal data and the conditions for processing special categories of data can be found on the .
The specific requirements in relation to special categories of data are set out in Article 9 of the General Data Protection Regulation and can be found .