Data Protection: What is a Lawful Basis?

This is a summary taken from Judicium’s GDPR ‘Sofa Session’ from the 20th of March, with our Data Protection Consultant Patrick Ballantine. This session focused on: the six reasons for processing data: consent, contract, legal obligation, vital interests, public task, and legitimate interests.

Poll 1

What are lawful basis and what do they relate to?

1. Lawful basis are a requirement under the principle of lawfulness, fairness and transparency as detailed in UK GDPR Article 5.

2. Lawful basis are our reasoning behind processing and the lawfulness aspect of the principle.

3. You must have at least one in order to lawfully process data.

4. We will generally think about lawful basis when we look at sharing information.
   • For example: using a new third party which requires the sharing of user information however it can extend to any form of processing including internal, e.g. installing a CCTV system.

For lawful basis to be valid, you need to ensure the processing is necessary and cannot be achieved by less intrusive means. This is one of the ways a Data Protection Officer will help.

NB: lawful basis is not considered when processing a subject access request (SAR).

What are the lawful basis and when are they used?

1. Public Task

• • This is the most commonly used lawful basis for schools and justifies any processing which falls under your official task as a public authority.
  • It's important to be careful to not overextend the remit of what is within your public task.

2. Consent

• • Also commonly used for schools e.g., for school photos, etc.
  • Where an individual has given permission for the processing of their data in the way described.
  • Only appropriate if you can offer individuals a choice as consent can always be withdrawn.

3. Legal obligations

• • This is where processing is required as part of a statutory obligation.
  • This normally comes up within statutory safeguarding obligations.

4. Legitimate interests

• • Used when an individual may reasonably expect their data to be processed in this way.
  • This cannot be used in conjunction with an authority’s public task.
  • A good example is marketing where an individual has previously expressed interest in a service, so therefore they would reasonably be interested in similar services.
  • You will need to conduct a legitimate interests assessment to document the balance of your interests against the individual’s.
  • You take on additional responsibility for reducing any impact to data subjects, such as providing opt out and keeping a record of this. 

5. Vital interests

• • This is when data is processed to preserve the life of an individual.
  • It is generally used during medical emergencies i.e. sharing information with first responders in a first aid situation.

6. Contract

• • Under this basis, processing is necessary to fulfil the requirements of a contract, or to enter into one.

Are there different lawful basis for special category data?

Yes, the above lawful basis do not apply to special category data.

Special category data refers to more sensitive personal data which is categorised as any data which reveals:

• Racial or ethnic origin 
• political opinions
• religious or philosophical beliefs
• trade union membership
• genetic data
• biometric data (where used for identification purposes)
• health
• sex life
• sexual orientation.

NB: As special category data is categorised differently to normal personal data, different lawful basis apply.

Article 9 of UK GDPR lists the conditions for processing special category data:

1. Explicit consent
2. Vital interests
3. Not-for-profit bodies
4. Made public by the data subject
5. Legal claims or judicial acts
6. Employment, social security and social protection (if authorised by law)
7. Reasons of substantial public interest (with a basis in law)
8. Health or social care (with a basis in law)
9. Public health (with a basis in law)
10. Archiving, research and statistics (with a basis in law)

The latter four lawful basis described above must have a basis in law, i.e. required by legislation or in compliance with legislation. 

Substantial public interest

The lawful basis of substantial public interest can be broken down into a further 23 conditions. The purpose of proposed processing must meet one of these conditions.

Common conditions which school’s use include:

• Safeguarding of children and individuals at risk
• Regulatory requirements
• Counselling
• Equality of opportunity or treatment

Special category data’s lawful basis are more technical and are more difficult to satisfy. This is not to obstruct processing, but rather to ensure it is appropriately justified and absolutely necessary.

Criminal offence data

Criminal offence data must be processed in line with one of the 23 conditions under the substantial public interest lawful basis.

NB: During some activities, there may be more than one suitable basis for a part of the processing, and there will likely be multiple for a whole activity.

Poll 2

Do we need to let data subjects know what lawful basis we are using?

Transparency is key when processing personal data, and information regarding what lawful basis you as an organisation use should be made accessible through privacy notices.

For some forms of special category data such as biometrics, you should also have an additional policy or guidance document which explains use and individuals’ rights in relation to that processing activity.

We started using a platform for one purpose, but now we wish to use a platform differently, do we need a new basis?

In some cases, the additional form of processing will not alter the lawful basis, i.e. if you are sharing information as part of an activity which falls within your public task, and the new information requested still forms part of that public task, there will likely be no need to define a new lawful basis.

However, should the new activity not be covered under the original lawful basis, then an additional one will need to be established.

Example:

If you sign up to an online resource provider and initially sign up pupils, this processing will likely be covered under your public task as a school. However, if later that provider offers a function where parents can be signed up to review pupil progress, then this may not necessarily be covered by your public task and an additional lawful basis may need to be established, e.g. consent.

If my processing is through a third party, can that third party tell me what my lawful basis is?

They may try to support you, but ultimately it falls to you to decide which lawful basis is most appropriate. It is also important to not get confused between what a provider’s lawful basis for processing may be, versus what yours is. For instance, on most occasions a provider will cite contractual obligations as lawful basis, but this would not be applicable to you. Your provider needs to process this data in accordance with the contract in place with you, but you need to establish the lawful basis to share data required for the contract.

Poll 3

How do we keep track of our lawful basis?

Lawful basis should be established as part of any new data processing activity. If this activity is high risk then the lawful basis will be documented as part of required Data Protection Impact Assessments (DPIA). It's important to note, even lower risk activities need to be recorded in a data map, or record of processing activities. It is always advisable to involve your DPO in these processes as they will be able to provide support in establishing the most appropriate lawful basis.

Top Takeaways

1. Ensure lawful basis are logged for all activities and that information about your lawful basis is easily accessible to data subjects.
2. There may be multiple lawful basis for an activity, but you should always have at least one.
3. Ensure lawful basis and necessity of processing are qualified by your DPO. 

Helpful Information

Judicium also offer a range of GDPR e-learning  training designed for schools. You can see current course availability here.

You can find information regarding our School Data Protection Officer (DPO) service here.

If you’d like to review Judicium’s forthcoming Sofa Sessions please click here

Jedu is Judicium's online GDPR compliance tracking software for schools. Our platform is suitable for single schools to large MATs and is designed to assist schools with two critical needs: To enable trustees, Governors and other SLT to monitor GDPR compliance; and to assist you managing your data protection.

If you would like more information on how we can support you or more information regarding Jedu, please get in touch with us.

If you require any support in any of these steps or would like to talk to someone surrounding some support for your school, please do not hesitate to call us on 0345 548 7000 or email georgina.decosta@judicium.com.

 Follow us on Twitter: @DPOforSchools and @JudiciumEDU

© This content is the exclusive property of Judicium Education. The works are intended to provide an overview of the sofa session you attend and/or to be a learning aid to assist you and your school. However, any redistribution or reproduction of part or all of the contents in any form is prohibited. You may not, except with our express written permission, distribute or exploit the content. Failure to follow this guidance may result in Judicium either preventing you with access to our sessions and/or follow up content.