March 21, 2024

Data Protection: What is a Lawful Basis?

This is a summary taken from Judicium’s GDPR ‘Sofa Session’ from the 20th of March, with Data Protection Consultant Patrick Ballantine.

This session focused on the six lawful bases for processing personal data under UK GDPR Article 6:

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interests

What Are Lawful Bases and What Do They Relate To?

A lawful basis is a requirement of the first data protection principle, lawfulness, fairness and transparency, set out in UK GDPR Article 5(1)(a). The six bases themselves are listed in Article 6(1).

The lawful basis is your reasoning for processing personal data at all, and it is what satisfies the lawfulness part of that principle.

You must be able to point to at least one lawful basis in order to process personal data lawfully, and you should identify it before the processing starts.

We will generally think about lawful bases when we look at sharing information, for example engaging a new third-party provider that requires pupil or staff information to be shared. However, the requirement extends to any form of processing, including purely internal processing such as installing a CCTV system.

For any lawful basis other than consent to be valid, the processing must be necessary for the stated purpose, meaning the purpose cannot reasonably be achieved by less intrusive means. Testing that necessity is one of the ways a Data Protection Officer will help.

NB: you do not need to identify a separate lawful basis in order to respond to a subject access request (SAR).

What Are the Lawful Bases and When Are They Used?

Public Task

  • This is the most commonly used lawful basis for schools. It covers processing that is necessary for you to perform your official functions as a public authority, and the underlying function must itself have a clear basis in law.
  • Be careful not to overextend the remit of what is within your public task; processing that is merely convenient, rather than necessary for the function, is not covered.

Consent

  • Also commonly used by schools, e.g. for school photos.
  • Applies where an individual has given permission for their data to be processed in the way described to them. Under UK GDPR, consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action.
  • Only appropriate if you can offer individuals a genuine choice, because consent can be withdrawn at any time and the processing must then stop. Public authorities should be cautious about relying on consent where there is an imbalance of power, such as between a school and parents.

Legal obligations

  • This is where processing is necessary to comply with a statutory obligation; the obligation must come from law, not from a contract.
  • For schools this most often arises under statutory safeguarding duties.

Legitimate interests

  • Used where the processing is necessary for your own or a third party's legitimate interests and the individual would reasonably expect their data to be processed in this way.
  • Public authorities cannot rely on it for processing carried out in the performance of their public tasks (UK GDPR Article 6(1)(f)), so a school can only use it for activities that fall outside its public task.
  • A good example is marketing where an individual has previously expressed interest in a service, so they would reasonably expect to hear about similar services.
  • You will need to conduct and record a legitimate interests assessment (LIA) covering the three-part test: identify the interest, show that the processing is necessary for it, and balance it against the individual's interests, rights and freedoms.
  • You take on additional responsibility for reducing the impact on data subjects, such as providing an opt-out and keeping a record of who has used it.

Vital interests

  • This is where processing is necessary to protect someone's life.
  • It is generally used in medical emergencies, e.g. sharing information with first responders in a first aid situation, and should not be relied on where another basis is available.

Contract

  • Under this basis, processing is necessary to perform a contract you have with the individual, or to take steps at the individual's request before entering into one. It covers your contract with the data subject, not contracts you hold with suppliers.

Are There Different Lawful Bases for Special Category Data?

Yes, in the sense that an Article 6 lawful basis from the list above is still required, but on its own it is not enough: special category data may only be processed if you also satisfy one of the conditions in UK GDPR Article 9.

Special category data refers to more sensitive personal data which is categorised as any data which reveals:

  • Racial or ethnic origin 
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data
  • Biometric data (where used for identification purposes)
  • Health
  • Sex life
  • Sexual orientation.

NB: Because special category data carries a higher risk, you need both an Article 6 lawful basis and an Article 9 condition, and you should document which of each you rely on.

Article 9 of UK GDPR lists the conditions for processing special category data:

  1. Explicit consent
  2. Vital interests
  3. Not-for-profit bodies
  4. Made public by the data subject
  5. Legal claims or judicial acts
  6. Employment, social security and social protection (if authorised by law)
  7. Reasons of substantial public interest (with a basis in law)
  8. Health or social care (with a basis in law)
  9. Public health (with a basis in law)
  10. Archiving, research and statistics (with a basis in law)

Conditions 6 to 10 above must have a basis in law. In the UK that basis is provided by Schedule 1 of the Data Protection Act 2018, so you also need to identify the relevant Schedule 1 condition, and most of those conditions require you to have an appropriate policy document in place.

Substantial Public Interest

The substantial public interest condition is broken down in Schedule 1, Part 2 of the Data Protection Act 2018 into a further 23 conditions. The purpose of the proposed processing must meet at least one of them.

Common conditions which schools use include:

  • Safeguarding of children and individuals at risk
  • Regulatory requirements
  • Counselling
  • Equality of opportunity or treatment

The conditions for special category data are more technical and more difficult to satisfy. This is not to obstruct processing, but to ensure it is properly justified and strictly necessary.

Criminal Offence Data

Criminal offence data (UK GDPR Article 10) is treated in a similar way: you need an Article 6 lawful basis and, unless you are processing under official authority, one of the conditions in Schedule 1 of the Data Protection Act 2018, which include the 23 substantial public interest conditions described above.

NB: For some activities there may be more than one suitable basis for a given part of the processing, and a whole activity will often rely on several. Record each basis against the part of the processing it covers.

Do We Need To Let Data Subjects Know What Lawful Basis We Are Using?

Transparency is key when processing personal data. Your privacy notices must state the lawful basis you rely on for each purpose, as required by UK GDPR Article 13, and should also state the Article 9 condition where special category data is involved.

For some forms of special category data, such as biometrics, you should also have an additional policy or guidance document which explains how the data is used and what rights individuals have in relation to that processing.

Repurposing a Platform: New Basis Needed?

In some cases, the additional processing will not alter the lawful basis: if you are sharing information as part of an activity that falls within your public task, and the new information requested still forms part of that public task, there will likely be no need to define a new lawful basis.

However, if the new activity is not covered by the original lawful basis, you will need to establish an additional one before the new processing begins, and check that the new purpose is compatible with the original one under the purpose limitation principle.

Example: If you sign up to an online resource provider and initially sign up pupils, this processing will likely be covered under your public task as a school. However, if later that provider offers a function where parents can be signed up to review pupil progress, then this may not necessarily be covered by your public task and an additional lawful basis may need to be established, e.g. consent.

Data Processor Transparency: Can They Reveal My Lawful Basis for Processing?

A provider may try to support you, but ultimately it falls to you as the controller to decide which lawful basis is most appropriate. It is also important not to confuse the provider's lawful basis with yours. A provider will usually cite contract as its basis, because it processes the data under the contract it has with you; that basis is not available to you, since your contract is with the supplier rather than with the pupils or staff whose data is shared. You must establish your own lawful basis for sharing the data the contract requires.

How Do We Keep Track of Our Lawful Basis?

The lawful basis should be established as part of any new data processing activity. If the activity is high risk, the lawful basis will be documented as part of the required Data Protection Impact Assessment (DPIA). Even lower-risk activities must be recorded in your data map or record of processing activities (UK GDPR Article 30). It is always advisable to involve your DPO in these processes, as they will be able to support you in establishing the most appropriate lawful basis.

Top Takeaways

  1. Ensure a lawful basis is logged for every processing activity and that information about your lawful bases is easily accessible to data subjects.
  2. There may be multiple lawful bases for an activity, but you must always have at least one.
  3. Ensure the lawful basis and the necessity of the processing are checked by your DPO.

Helpful Information

Judicium also offers a range of GDPR e-learning training designed for schools. You can see current course availability at the link below.

eLearning resources | Judicium Education: www.judiciumeducation.co.uk

You can find information regarding our School Data Protection Officer (DPO) service below.

School Data Protection Officer (DPO) Service | Judicium Education: www.judiciumeducation.co.uk

You can review Judicium’s forthcoming Sofa Sessions by following the link below:

Judicium Sofa Sessions | Judicium Education: www.judiciumeducation.co.uk
