This section explains the conditions that need to be satisfied before you may process personal data.
In brief – what does the Data Protection Act say about the “conditions for processing”?
The first data protection principle requires, among other things, that you must be able to satisfy one or more “conditions for processing” in relation to your processing of personal data. Many (but not all) of these conditions relate to the purpose or purposes for which you intend to use the information.
The conditions for processing take account of the nature of the personal data in question. The conditions that need to be met are more exacting when the information being processed is sensitive personal data, such as information about an individual’s health or criminal record.
However, our view is that in determining if you have a legitimate reason for processing personal data, the best approach is to focus on whether what you intend to do is fair. If it is, then you are very likely to identify a condition for processing that fits your purpose.
Being able to satisfy a condition for processing will not on its own guarantee that the processing is fair and lawful – fairness and legality must still be looked at separately. So it makes sense to ensure that what you want to do with personal data is fair and lawful before worrying about the conditions for processing set out in the Act.
In more detail…
- What are the conditions for processing?
- What is the “legitimate interests” condition?
- What conditions need to be met in respect of sensitive personal data?
- When is processing “necessary”?
- What is meant by “consent”?
The conditions for processing are set out in Schedules 2 and 3 to the Data Protection Act. Unless a relevant exemption applies, at least one of the following conditions must be met whenever you process personal data:
- The individual whom the personal data is about has consented to the processing.
- The processing is necessary:
  - in relation to a contract which the individual has entered into; or
  - because the individual has asked for something to be done so they can enter into a contract.
- The processing is necessary because of a legal obligation that applies to you (except an obligation imposed by a contract).
- The processing is necessary to protect the individual’s “vital interests”. This condition only applies in cases of life or death, such as where an individual’s medical history is disclosed to a hospital’s A&E department treating them after a serious road accident.
- The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions.
- The processing is in accordance with the “legitimate interests” condition.
The Data Protection Act recognises that you may have legitimate reasons for processing personal data that the other conditions for processing do not specifically deal with. The “legitimate interests” condition is intended to permit such processing, provided you meet certain requirements.
The first requirement is that you must need to process the information for the purposes of your legitimate interests or for those of a third party to whom you disclose it.
A finance company is unable to locate a customer who has stopped making payments under a hire purchase agreement. The customer has moved house without notifying the finance company of his new address. The finance company engages a debt collection agency to find the customer and seek repayment of the debt. It discloses the customer’s personal data to the agency for this purpose. Although the customer has not consented to this disclosure, it is made for the purposes of the finance company’s legitimate interests – ie to recover the debt.
The second requirement, once the first has been established, is that these interests must be balanced against the interests of the individual(s) concerned. The “legitimate interests” condition will not be met if the processing is unwarranted because of its prejudicial effect on the rights and freedoms, or legitimate interests, of the individual. Your legitimate interests do not need to be in harmony with those of the individual for the condition to be met. However, where there is a serious mismatch between competing interests, the individual’s legitimate interests will come first.
In the above example, it is clear that the interests of the customer are likely to differ from those of the finance company (it may suit the customer quite well to evade paying his outstanding debt). However, passing his personal data to a debt collection agency in these circumstances could not be called “unwarranted”.
Finally, the processing of information under the legitimate interests condition must be fair and lawful and must comply with all the data protection principles.
Continuing the above example, the finance company must ensure that the personal data it passes to the debt collection agency is accurate (for example, in the known details of the customer’s identity); that it is up to date (for example, in the amount outstanding and the customer’s last known address); and that it is not excessive – the agency should only get as much personal data as is relevant or necessary for the purpose of finding the customer and recovering the debt.
At least one of the conditions listed above must be met whenever you process personal data. However, if the information is sensitive personal data, at least one of several other conditions must also be met before the processing can comply with the first data protection principle. These other conditions are as follows.
- The individual whom the sensitive personal data is about has given explicit consent to the processing.
- The processing is necessary so that you can comply with employment law.
- The processing is necessary to protect the vital interests of:
  - the individual (in a case where the individual’s consent cannot be given or reasonably obtained), or
  - another person (in a case where the individual’s consent has been unreasonably withheld).
- The processing is carried out by a not-for-profit organisation and does not involve disclosing personal data to a third party, unless the individual consents. Extra limitations apply to this condition.
- The individual has deliberately made the information public.
- The processing is necessary in relation to legal proceedings; for obtaining legal advice; or otherwise for establishing, exercising or defending legal rights.
- The processing is necessary for administering justice, or for exercising statutory or governmental functions.
- The processing is necessary for medical purposes, and is undertaken by a health professional or by someone who is subject to an equivalent duty of confidentiality.
- The processing is necessary for monitoring equality of opportunity, and is carried out with appropriate safeguards for the rights of individuals.
In addition to the above conditions – which are all set out in the Data Protection Act itself – regulations set out several other conditions for processing sensitive personal data. Their effect is to permit the processing of sensitive personal data for a range of other purposes – typically those that are substantially in the public interest, and which must necessarily be carried out without the explicit consent of the individual. Examples of such purposes include preventing or detecting crime and protecting the public against malpractice or maladministration.
A full list of the additional conditions for processing is set out on the legislation.gov website: