31st July 2017

Data Protection: What’s your legal basis for processing personal data?

At a glance

Our Commercial Team looks at the lawful grounds available for businesses to process personal data under new EU data protection laws.

If a business wants to process personal data about a client, prospective client, supplier or employee it must have a legal basis for doing so. This is the position under our existing data protection law, the Data Protection Act 1998 (DPA), and will remain the position under the new EU data protection law – the General Data Protection Regulation 2016 (GDPR) – which applies in the UK from 25 May 2018. However, there will be changes to what is required under the GDPR, and consent in particular will have a much higher threshold.

Current laws – DPA

Under the DPA, if a business wants to process personal data it can only do so if it can satisfy at least one of the following conditions in relation to that personal data:

  1. Consent – the individual (a data subject) whom the personal data is about has consented to the processing
  2. Contractual – processing is necessary in relation to a contract which the data subject has entered into with the business, or because the data subject has asked for something to be done so they can enter into a contract with the business
  3. Legal obligation – processing is necessary because of a legal obligation that applies to the business (except an obligation imposed by a contract)
  4. Vital interests – processing is necessary to protect the data subject’s ‘vital interests’ (but this only applies to cases of life or death)
  5. Public tasks – processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions or
  6. Legitimate interests – processing is necessary for the legitimate interests of the business or of a third party to whom the personal data is disclosed, except where such interests are overridden by the interests, rights or freedoms of the data subject.

If a business wants to process sensitive personal data (eg medical history) it can only do so if it can satisfy at least one of the following conditions in relation to that sensitive personal data:

  1. Explicit consent – the data subject whom the sensitive personal data is about has given explicit consent to the processing
  2. Employment laws – processing is necessary so that the business can comply with employment laws
  3. Vital interests – processing is necessary to protect the vital interests of the data subject (in a case where the data subject’s consent cannot be given or reasonably obtained), or another person (in a case where the data subject’s consent has been unreasonably withheld)
  4. NFP – processing is carried out by a not-for-profit organisation and doesn’t involve disclosing personal data to a third party, unless the data subject consents
  5. Public – the data subject has deliberately made the information public
  6. Legal matters – processing is necessary in relation to legal proceedings, for obtaining legal advice or otherwise for establishing, exercising or defending legal rights
  7. Public tasks – processing is necessary for administering justice, or for exercising statutory or governmental functions
  8. Medical purposes – processing is necessary for medical purposes, and is undertaken by a health professional or by someone who is subject to an equivalent duty of confidentiality or
  9. Equal opportunities – processing is necessary for monitoring equality of opportunity, and is carried out with appropriate safeguards for the rights of data subjects.

What satisfies consent?

Consent is not defined in the DPA but the overarching EU Data Protection Directive defines it as ‘any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed’. In addition, the EU Directive states that in order for consent to be valid it must be unambiguous. There must therefore be some active and clear communication from the data subject. Businesses shouldn’t interpret a failure to respond as consent (although the Article 29 Working Party (A29WP) says that such passive behaviour could be interpreted as an indication if it is being given in a totally unambiguous context).

Explicit consent is not defined in the DPA or the overarching EU Directive but the A29WP says this has the same meaning as express consent ie actively responding rather than consent being inferred or implied.

What does ‘necessary’ mean?

For both personal data and sensitive personal data the word “necessary” is used a number of times. Guidance from the Information Commissioner’s Office (ICO) says that a business will only be able to satisfy this strict requirement if it can’t achieve the purpose by another means – so if it can achieve it by some other reasonable means or if the processing is necessary only because the business has decided to operate its business in a particular way, it will not satisfy this requirement.

Fines

The maximum fine that the ICO can issue under the DPA is £500,000.

New law – GDPR

Under the GDPR, if a business wants to process personal data it can only do so if it can satisfy at least one of the following conditions in relation to that personal data (compare each with the corresponding DPA condition above; the differences in wording are substantive):

  1. Consent – the data subject whom the personal data is about has consented to the processing
  2. Contractual – processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
  3. Legal obligation – processing is necessary for compliance with a legal obligation
  4. Vital interests – processing is necessary to protect the vital interests of the data subject or another person
  5. Public tasks – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the business
  6. Legitimate interests – processing is necessary for purposes of legitimate interests pursued by the business or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

If a business wants to process sensitive personal data it can only do so if it can satisfy at least one of the following conditions in relation to that sensitive personal data (again, compare each with the corresponding DPA condition above; the differences in wording are substantive):

  1. Explicit consent – the data subject whom the sensitive personal data is about has given explicit consent to the processing (unless reliance on consent is prohibited by EU or Member State law)
  2. Employment, social security or social protection laws – processing is necessary for carrying out obligations under employment, social security or social protection law, or a collective agreement providing for appropriate safeguards for the fundamental rights and the interests of the data subject
  3. Vital interests – processing is necessary to protect the vital interests of the data subject or another person where the data subject is physically or legally incapable of giving consent
  4. NFP – processing is carried out by a not-for-profit with a political, philosophical, religious or trade union aim provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent
  5. Public – processing relates to personal data manifestly made public by the data subject
  6. Legal matters – processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
  7. Public tasks – processing is necessary for reasons of substantial public interest, on the basis of EU or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject
  8. Medical purposes – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of EU or Member State law or pursuant to a contract with a health professional (provided that professional is subject to the obligation of professional secrecy under EU or Member State law) or by another person also subject to an obligation of secrecy under EU or Member State law
  9. Public health – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of EU or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy or
  10. Archiving, research or statistical purposes – processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes based on EU or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

What satisfies consent?

Consent is defined as ‘freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’. Furthermore, businesses must be able to demonstrate that consent was given and this could include the data subject ‘ticking a box when visiting an internet website, choosing technical settings for information society services or by any other statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of their personal data. Silence, pre-ticked boxes or inactivity should therefore not constitute consent’.

The GDPR therefore places a much higher threshold on consent, meaning that valid consent is likely to be harder to obtain. This will particularly be the case where a service is made conditional on consent and the business wants to process personal data in a manner which is not necessary for providing that service to the data subject.

The ICO’s consultation on its draft guidance on consent closed on 31 March 2017 (it had over 300 responses) and we are currently waiting for its final guidance to be published (it was expected at the end of June 2017, subject to ‘developments at EU level’ – it hasn’t yet materialised).

What is clear from the GDPR and the ICO’s draft guidance is that businesses should give consent a wide berth wherever another lawful processing ground is available, and rely on those other (non-consent) grounds instead.

What does ‘necessary’ mean?

No definition is provided in the GDPR and it remains to be seen whether the ICO will revise its current guidance (as above).

Fines

The maximum fine the ICO can issue under the GDPR is the greater of €20m or 4% of the business’s total worldwide annual turnover for the preceding financial year.

What should businesses do now?

Businesses should:

  1. Audit their use of personal data to identify which lawful processing ground(s) they currently rely on and whether those grounds remain valid under the GDPR (consent obtained to the DPA standard is highly unlikely to meet the GDPR threshold).
  2. Review and update internal and external policies and procedures, eg privacy notices. Any documentation which deals with, or seeks, ‘consent’ to processing will very likely need to be changed so that one or more of the other lawful processing grounds is relied upon instead.
  3. Train staff so that they know which legal basis the business will be relying on for the purposes of the GDPR.

If you would like any further guidance on these lawful processing grounds, or the GDPR generally, please contact our Commercial Team or you can phone +44 (0)1293 527744.

This document is provided for information purposes only and doesn’t constitute legal advice. Professional legal advice should be obtained before taking or refraining from taking any action as a result of the contents of this document.