Legal grounds for processing personal data
The GDPR expands upon and alters some of the legal bases for processing personal data that are present under the DPA. The updated legal bases are that the processing operation:
- has been consented to by the data subject;
- is necessary for carrying out or entering into a contract with the data subject;
- is necessary to comply with a legal obligation;
- is necessary to protect someone’s vital interests;
- is necessary for the public interest or in the exercise of official authority; or
- is necessary for pursuing the controller’s legitimate interests (except where overridden by the interests or rights of the data subject).
In particular, the ‘legitimate interest’ basis (the last in the list above) will not be available to public authorities. The University is likely to be classified as a ‘hybrid’ authority, meaning that in some of its functions it will be treated as a public authority, whilst in others it will not; it can therefore use the legitimate interests basis to justify the processing of personal data in some circumstances, but not in all.
Also see the ICO’s webpage section on lawful processing, and Articles 6, 7, 8, 9 and 10 of the GDPR.
Consent
The GDPR strengthens the protections and requirements about using consent as the basis for data processing, so any processing currently carried out on this basis will need to be reviewed to ensure compliance.
Moving forward under the GDPR, consent will need to be:
- specific – the processing activities for which consent is given must be clear and separate
- auditable – who gave consent, when and how it was given, and what it was for
- easily withdrawn – subjects will have a specific right to withdraw consent, and this must be as easy to do as it is to give consent
- positive and unambiguous – this requires an affirmative action by the data subject: pre-ticked boxes, etc. will not be valid indicators of consent
- renewed for new processing activities that were not specified when the original consent was given
- separate from other terms and conditions – it should not be a precondition of signing up to a service
Also see the ICO’s draft guidance on consent under the GDPR, and Articles 4(11), 6(1)(a), 7, 8 and 9(2)(a) of the GDPR.