Legal basis for data processing
Guidance on how to determine the legal basis for processing personal data.
You must have a valid lawful basis in order to process personal data, and you will need to tell the data subjects what this basis is in a privacy statement.
There are six available bases for processing personal data:
- Consent - the individual has given clear consent for you to process their personal data for a specific purpose
- Contract - the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract
- Legal obligation - the processing is necessary for you to comply with the law (not including contractual obligations)
- Vital interests - the processing is necessary to protect someone’s life
- Public task - the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law
- Legitimate interest - the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests
Consent is not a default basis; more often than not one of the other bases will apply. A lot of the time the University is processing data as part of its contractual service, to comply with the law or in order to perform a public task. Consent requires a positive opt-in.
Legitimate interest is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. If you're not sure whether legitimate interest is your legal basis, you should conduct a Legitimate Interest Assessment (LIA).
You must determine your lawful basis before you begin processing.
If you're unsure how to determine your lawful basis, the Information Commissioner's Office has a useful tool.