Lawful basis for processing
Lawful basis
Data protection legislation requires that an appropriate lawful basis for the processing of personal data is identified and documented before that data is collected or used.
It is important to identify the applicable lawful basis at the outset, as this will directly dictate the relevant rights an individual can exercise. Please see What are your data protection rights? (PDF, 104KB) for further information.
The lawful bases for processing of personal data and special categories of personal data are outlined below.
For most activities, it will be relatively straightforward to identify the appropriate justification for your processing. If you are unsure what ground to rely on:
- Read the Information Commissioner's Office (ICO) guidance
- Try the ICO lawful basis interactive tool
- Contact the DP&FOI Office for advice
Processing personal data
The lawful bases for processing personal data are set out in Article 6 of the UK GDPR. At least one of the following must apply whenever you process personal data:
(a) Consent of the data subject
(b) Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
(c) Processing is necessary for compliance with a legal obligation
(d) Processing is necessary to protect the vital interests of a data subject or another person
(e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
(f) Processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject
Note: Article 6(1)(f) Legitimate interests cannot be used by the University in relation to processing that falls within our public task, such as education or research activities. For these processing activities, Article 6(1)(e) Public task would be a possible alternative. For non-public task processing, legitimate interests remains an option; however, before relying on this basis, you must justify your decision and document it using the Legitimate Interests Assessment (Word, 24KB).
Guidance on using Article 6(1)(a) Consent
Be aware that when the University relies on consent to process data, an individual has additional rights.
The rules around obtaining and evidencing consent are quite strict. The guidance below will help you gather, record, and manage consent in line with the requirements under Data Protection legislation.
Asking for consent
- Check that consent is the most appropriate lawful basis for processing.
- Make the request for consent prominent and separate from your terms and conditions.
- Make sure that your consent form is separate from your privacy notice.
- Ask people to positively opt-in.
- Do not use pre-ticked boxes, or any other type of consent by default.
- Use clear, plain language tailored to your specific audience.
- Specify why you want the data and what you are going to do with it.
- Give granular options to consent to independent processing operations.
- Name your organisation and any third parties using the data.
- Inform individuals how they can withdraw their consent.
- Ensure that the individual can refuse to consent without detriment.
- Do not make consent a precondition of a service.
- If you offer online services directly to children or vulnerable adults, only seek consent if you have age verification and parental consent measures in place.
Recording consent
- Keep a record of when and how you got consent from the individual.
- Keep a record of exactly what they were told at the time consent was obtained.
Managing consent
- Regularly review consents to check that the relationship, processing, and purposes of processing have not changed.
- Have processes in place to refresh consent at appropriate intervals, including any parental consents.
- Consider using privacy dashboards or other preference management tools as a matter of good practice.
- Make it easy for individuals to withdraw their consent at any time, and publicise how to do so.
- Act on withdrawals of consent promptly, and within 30 days of the withdrawal request.
- Do not penalise individuals who wish to withdraw consent.
Processing special categories of data
In order to lawfully process special category data, you must identify both a lawful basis under Article 6 of the UK GDPR and a separate condition for processing under Article 9.
The conditions for processing special category data under Article 9 are:
(a) Explicit consent of the data subject, unless reliance on consent is prohibited by EU or Member State law
(b) Processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement
(c) Processing is necessary to protect the vital interests of a data subject or another individual where the data subject is physically or legally incapable of giving consent
(d) Processing carried out by a not-for-profit body with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent
(e) Processing relates to personal data manifestly made public by the data subject
(f) Processing is necessary for the establishment, exercise or defence of legal claims or where courts are acting in their judicial capacity
(g) Processing is necessary for reasons of substantial public interest on the basis of Union or Member State law which is proportionate to the aim pursued and which contains appropriate safeguards
(h) Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional
(i) Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of healthcare and of medicinal products or medical devices
(j) Processing is necessary for archiving purposes in the public interest, or scientific and historical research
- Additional conditions and safeguards must be met when relying on conditions (b), (g), (h), (i), or (j), as set out in UK law in Schedules 1 and 2 of the Data Protection Act 2018.
Further guidance on lawfully processing special category personal data can be found on the Information Commissioner's Office (ICO) website.