Legal basis for data processing
Guidance on how to determine the legal basis for processing personal data.
You must have a valid lawful basis in order to process personal data and you will need to inform the data processing subjects what this basis is in a privacy statement.
There are six available bases for processing personal data:
- Consent - the individual has given clear consent for you to process their personal data for a specific purpose
- Contract - the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract
- Legal obligation - the processing is necessary for you to comply with the law (not including contractual obligations)
- Vital interests - the processing is necessary to protect someone’s life
- Public task - the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law
- Legitimate interest - the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests
Consent is not a default basis; more often than not one of the other bases will apply. A lot of the time the University is processing data as part of its contractual service, to comply with the law or in order to perform a public task. Consent requires a positive opt-in.
More information about consent
Legitimate interest is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing. If you're not sure if legitimate interest is your legal basis, you should conduct a Legitimate Interest Assessment (LIA).
More information about legitimate interest
You must determine your lawful basis before you begin processing.
If you're unsure how to do it, the Information Commissioner's Office has a useful tool.
Legal bases for data processing - general information