This section explains the conditions that need to be satisfied before you may process personal data.
In brief – what does the Data Protection Act say about the “conditions for processing”?
The first data protection principle requires, among other things, that you must be able to satisfy one or more “conditions for processing” in relation to your processing of personal data. Many (but not all) of these conditions relate to the purpose or purposes for which you intend to use the information.
The conditions for processing take account of the nature of the personal data in question. The conditions that need to be met are more exacting when the information being processed is sensitive personal data, such as information about an individual’s health or criminal record.
However, our view is that in determining if you have a legitimate reason for processing personal data, the best approach is to focus on whether what you intend to do is fair. If it is, then you are very likely to identify a condition for processing that fits your purpose.
Being able to satisfy a condition for processing will not on its own guarantee that the processing is fair and lawful – fairness and legality must still be looked at separately. So it makes sense to ensure that what you want to do with personal data is fair and lawful before worrying about the conditions for processing set out in the Act.
In more detail…
What are the conditions for processing?
The conditions for processing are set out in Schedules 2 and 3 to the Data Protection Act. Unless a relevant exemption applies, at least one of the following conditions must be met whenever you process personal data:
- The individual who the personal data is about has consented to the processing.
- The processing is necessary:
- in relation to a contract which the individual has entered into; or
- because the individual has asked for something to be done so they can enter into a contract.
- The processing is necessary because of a legal obligation that applies to you (except an obligation imposed by a contract).
- The processing is necessary to protect the individual’s “vital interests”. This condition only applies in cases of life or death, such as where an individual’s medical history is disclosed to a hospital’s A&E department treating them after a serious road accident.
- The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions.
- The processing is in accordance with the “legitimate interests” condition.
What is the “legitimate interests” condition?
The Data Protection Act recognises that you may have legitimate reasons for processing personal data that the other conditions for processing do not specifically deal with. The “legitimate interests” condition is intended to permit such processing, provided you meet certain requirements.
The first requirement is that you must need to process the information for the purposes of your legitimate interests or for those of a third party to whom you disclose it.
A finance company is unable to locate a customer who has stopped making payments under a hire purchase agreement. The customer has moved house without notifying the finance company of his new address. The finance company engages a debt collection agency to find the customer and seek repayment of the debt. It discloses the customer’s personal data to the agency for this purpose. Although the customer has not consented to this disclosure, it is made for the purposes of the finance company’s legitimate interests – ie to recover the debt.
The second requirement, once the first has been established, is that these interests must be balanced against the interests of the individual(s) concerned. The “legitimate interests” condition will not be met if the processing is unwarranted because of its prejudicial effect on the rights and freedoms, or legitimate interests, of the individual. Your legitimate interests do not need to be in harmony with those of the individual for the condition to be met. However, where there is a serious mismatch between competing interests, the individual’s legitimate interests will come first.
In the above example, it is clear that the interests of the customer are likely to differ from those of the finance company (it may suit the customer quite well to evade paying his outstanding debt). However, passing his personal data to a debt collection agency in these circumstances could not be called “unwarranted”.
Finally, the processing of information under the legitimate interests condition must be fair and lawful and must comply with all the data protection principles.
Continuing the above example, the finance company must ensure that the personal data it passes to the debt collection agency is accurate (for example, in the known details of the customer’s identity); that it is up to date (for example, in the amount outstanding and the customer’s last known address); and that it is not excessive – the agency should only get as much personal data as is relevant or necessary for the purpose of finding the customer and recovering the debt.
What conditions need to be met in respect of sensitive personal data?
At least one of the conditions must be met whenever you process personal data. However, if the information is sensitive personal data, at least one of several other conditions must also be met before the processing can comply with the first data protection principle. These other conditions are as follows:
- The individual who the sensitive personal data is about has given explicit consent to the processing.
- The processing is necessary so that you can comply with employment law.
- The processing is necessary to protect the vital interests of:
- the individual (in a case where the individual’s consent cannot be given or reasonably obtained), or
- another person (in a case where the individual’s consent has been unreasonably withheld).
- The processing is carried out by a not-for-profit organisation and does not involve disclosing personal data to a third party, unless the individual consents. Extra limitations apply to this condition.
- The individual has deliberately made the information public.
- The processing is necessary in relation to legal proceedings; for obtaining legal advice; or otherwise for establishing, exercising or defending legal rights.
- The processing is necessary for administering justice, or for exercising statutory or governmental functions.
- The processing is necessary for medical purposes, and is undertaken by a health professional or by someone who is subject to an equivalent duty of confidentiality.
- The processing is necessary for monitoring equality of opportunity, and is carried out with appropriate safeguards for the rights of individuals.
In addition to the above conditions – which are all set out in the Data Protection Act itself – regulations set out several other conditions for processing sensitive personal data. Their effect is to permit the processing of sensitive personal data for a range of other purposes – typically those that are in the substantial public interest, and which must necessarily be carried out without the explicit consent of the individual. Examples of such purposes include preventing or detecting crime and protecting the public against malpractice or maladministration. A full list of the additional conditions for processing is set out in the Data Protection (Processing of Sensitive Personal Data) Order 2000 and subsequent orders.
When is processing “necessary”?
Many of the conditions for processing depend on the processing being “necessary” for the particular purpose to which the condition relates. This imposes a strict requirement, because the condition will not be met if the organisation can achieve the purpose by some other reasonable means or if the processing is necessary only because the organisation has decided to operate its business in a particular way.
An employer processes personal data about its employees on the basis that it is necessary to do so in connection with their individual contracts of employment and to comply with the employer’s legal obligations. However, the employer decides to outsource its HR functions to an overseas company and transfers its employees’ data to that company. It is not “necessary” to transfer the data overseas for these purposes, and the employer would instead have to rely on consent, or on the legitimate interests condition, to be able to process its employees’ personal data in this way.
What is meant by “consent”?
One of the conditions for processing is that the individual has consented to their personal data being collected and used in the manner and for the purposes in question.
You will need to examine the circumstances of each case to decide whether consent has been given. In some cases this will be obvious, but in others the particular circumstances will need to be examined closely to decide whether they amount to an adequate consent.
Consent is not defined in the Data Protection Act. However, the European Data Protection Directive (to which the Act gives effect) defines an individual’s consent as:
“…any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed”.
The fact that an individual must “signify” their agreement means that there must be some active communication between the parties. An individual may “signify” agreement other than in writing, but organisations should not infer consent if an individual does not respond to a communication – for example, from a customer’s failure to return a form or respond to a leaflet.
Consent must also be appropriate to the age and capacity of the individual and to the particular circumstances of the case. For example, if your organisation intends to continue to hold or use personal data after the relationship with the individual ends, then the consent should cover this. Even when consent has been given, it will not necessarily last forever. Although in most cases consent will last for as long as the processing to which it relates continues, you should recognise that the individual may be able to withdraw consent, depending on the nature of the consent given and the circumstances in which you are collecting or using the information. Withdrawing consent does not affect the validity of anything already done on the understanding that consent had been given.
You should review whether a consent you have been given remains adequate as your organisation’s relationship with an individual develops, or as the individual’s circumstances change.
Consent obtained under duress or on the basis of misleading information does not adequately satisfy the condition for processing.
The Data Protection Act distinguishes between:
- the nature of the consent required to satisfy the first condition for processing; and
- the nature of the consent required to satisfy the condition for processing sensitive personal data, which must be “explicit”.
This suggests that the individual’s consent should be absolutely clear. It should cover the specific processing details; the type of information (or even the specific information); the purposes of the processing; and any special aspects that may affect the individual, such as any disclosures that may be made.
As explained above, a particular consent may not be adequate to satisfy the condition for processing (especially if the individual might have had no real choice about giving it), and even a valid consent may be withdrawn in some circumstances. For these reasons an organisation should not rely exclusively on consent to legitimise its processing. In our view it is better to concentrate on making sure that you treat individuals fairly rather than on obtaining consent in isolation. Consent is the first in the list of conditions for processing set out in the Act, but each condition provides an equally valid basis for processing personal data.