Processing Personal Data
What are the lawful bases for processing of personal data?
Under the General Data Protection Regulation, the University must have a valid lawful basis in order to process personal data and, in most cases, will also need to be satisfied that it is ‘necessary’ to process personal data to achieve the purpose.
There are six lawful bases for processing:
1. Public task – this means that the processing is necessary for the University to perform a task in the public interest or as part of its official functions.
2. Legitimate interests - the processing is necessary for the legitimate interests of the University or a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
The purpose of the University, set out in its Royal Charter, is to advance learning and knowledge by teaching and research to the benefit of the wider community. So, in most cases, the University will rely on ‘public task’ and ‘legitimate interests’ as the lawful basis for processing.
3. Contract – the processing is necessary for a contract the University has with the individual, or because they have asked the University to take specific steps before entering into a contract. When relying on a contract as the legal basis, any processing of personal data must be targeted and proportionate.
4. Legal obligation – the processing is necessary for the University to comply with the law (not including contractual obligations). This can relate to legal, regulatory and other compliance obligations, as well as matters such as the prevention or detection of crime.
5. Vital interests – the processing is necessary to protect the vital interest of someone, in other words, to protect someone’s life.
6. Consent – the individual has given clear consent for the University to process their personal data for a specific purpose.
Special category data
Special category data is personal data that is more sensitive and needs more protection. In order to lawfully process special category data, the University must have a lawful basis as well as an additional condition for processing.
Special category data relates to:
- Racial or ethnic origin,
- Political opinions,
- Religious or philosophical beliefs,
- Trade Union membership,
- Genetic data
- Biometric data (where used for ID purposes)
- Physical and mental health, and
- Sex life or sexual orientation.
There are ten conditions which allow the processing of special categories of personal data. The most relevant in the context of the University are set out below:
a) The individual has given explicit consent to processing for one or more specified purposes. In most cases, the University will process special category data on this basis;
b) Processing is necessary in relation to employment, social security and social protection law;
c) Processing is necessary to protect the vital interests of a person, where they are physically or legally incapable of giving consent;
d) Processing relates to personal data which is already in the public domain;
e) Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
f) Processing is necessary for preventive or occupational medicine, for example, assessment the working capacity of the employee and providing health or social case.
Further information about the legal basis for processing personal data and the conditions for processing special categories of data can be found on the Information Commissioner’s Office’s website.
The specific requirements in relation to special categories of data are set out in Article 9 of the General Data Protection Regulation and can be found here.