Principle (a): Lawfulness, fairness and transparency
Latest updates - last updated 10 January 2025
10 January 2025 - We have added more detail to the 'what is transparency?' section following an Upper Tribunal decision. The update sets out some points for organisations to consider when deciding what steps to take to comply with the transparency principle.
At a glance
- You must identify valid grounds under the UK GDPR (known as a ‘lawful basis’) for collecting and using personal data.
- You must ensure that you do not do anything with the data in breach of any other laws.
- You must use personal data in a way that is fair. This means you must not process the data in a way that is unduly detrimental, unexpected or misleading to the individuals concerned.
- You must be clear, open and honest with people from the start about how you will use their personal data.
Checklist
Lawfulness
☐ We have identified an appropriate lawful basis (or bases) for our processing.
☐ If we are processing special category data or criminal offence data, we have identified a condition for processing this type of data.
☐ We don’t do anything generally unlawful with personal data.
Fairness
☐ We have considered how the processing may affect the individuals concerned and can justify any adverse impact.
☐ We only handle people’s data in ways they would reasonably expect, or we can explain why any unexpected processing is justified.
☐ We do not deceive or mislead people when we collect their personal data.
Transparency
☐ We are open and honest, and comply with the transparency obligations of the right to be informed.
In brief
- What is the lawfulness, fairness and transparency principle?
- What is lawfulness?
- What is fairness?
- What is transparency?
What is the lawfulness, fairness and transparency principle?
Article 5(1) of the UK GDPR says:
“1. Personal data shall be: (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness, transparency’)”
There are more detailed provisions on lawfulness and having a ‘lawful basis for processing’ set out in Articles 6 to 10.
There are more detailed transparency obligations set out in Articles 13 and 14, as part of the ‘right to be informed’.
The three elements of lawfulness, fairness and transparency overlap, but you must make sure you satisfy all three. It’s not enough to show your processing is lawful if it is fundamentally unfair to or hidden from the individuals concerned.
What is lawfulness?
For processing of personal data to be lawful, you need to identify specific grounds for the processing. This is called a ‘lawful basis’ for processing, and there are six options which depend on your purpose and your relationship with the individual. There are also specific additional conditions for processing some especially sensitive types of data. For more information, see the lawful basis section of this guide.
If no lawful basis applies then your processing will be unlawful and in breach of this principle.
Lawfulness also means that you don’t do anything with the personal data which is unlawful in a more general sense. This includes statute and common law obligations, whether criminal or civil. If processing involves committing a criminal offence, it will obviously be unlawful. However, processing may also be unlawful if it results in:
- a breach of a duty of confidence;
- your organisation exceeding its legal powers or exercising those powers improperly;
- an infringement of copyright;
- a breach of an enforceable contractual agreement;
- a breach of industry-specific legislation or regulations; or
- a breach of the Human Rights Act 1998.
These are just examples, and this list is not exhaustive. You may need to take your own legal advice on other relevant legal requirements.
Although processing personal data in breach of copyright or industry regulations (for example) will involve unlawful processing in breach of this principle, this does not mean that the ICO can pursue allegations which are primarily about breaches of copyright, financial regulations or other laws outside our remit and expertise as data protection regulator. In this situation there are likely to be other legal or regulatory routes of redress where the issues can be considered in a more appropriate forum.
If you have processed personal data unlawfully, the UK GDPR gives individuals the right to erase that data or restrict your processing of it.
What is fairness?
Processing of personal data must always be fair as well as lawful. If any aspect of your processing is unfair you will be in breach of this principle – even if you can show that you have a lawful basis for the processing.
In general, fairness means that you should only handle personal data in ways that people would reasonably expect and not use it in ways that have unjustified adverse effects on them. You need to stop and think not just about how you can use personal data, but also about whether you should.
Assessing whether you are processing information fairly depends partly on how you obtain it. In particular, if anyone is deceived or misled when the personal data is obtained, then this is unlikely to be fair.
In order to assess whether or not you are processing personal data fairly, you must consider more generally how it affects the interests of the people concerned – as a group and individually. If you have obtained and used the information fairly in relation to most of the people it relates to but unfairly in relation to one individual, there will still be a breach of this principle.
Personal data may sometimes be used in a way that negatively affects an individual without this necessarily being unfair. What matters is whether or not such detriment is justified.
Example
Where personal data is collected to assess tax liability or to impose a fine for breaking the speed limit, the information is being used in a way that may cause detriment to the individuals concerned, but the proper use of personal data for these purposes will not be unfair.
You should also ensure that you treat individuals fairly when they seek to exercise their rights over their data. This ties in with your obligation to facilitate the exercise of individuals’ rights. Read our guidance on rights for more information.
What is transparency?
Transparency is an overarching principle that is fundamentally linked to fairness. Transparent processing is about being clear, open and honest with people from the start about who you are, how and why you use their personal information, and their rights.
This is very important - without this, people may lack trust and confidence in your use of their personal information, and cannot exercise their rights under data protection legislation.
Transparency is always important, but especially in situations where people have a choice about whether they wish to enter into a relationship with you. If people know at the outset what you will use their information for, they will be able to make an informed decision about whether to enter into a relationship, or perhaps to try to renegotiate the terms of that relationship.
Transparency is important even when you have no direct relationship with the person and collect their personal information from another source. In some cases, it can be even more important - as people may have no idea that you are collecting and using their personal information, and this affects their ability to assert their rights over their information. This is sometimes known as ‘invisible processing’.
You must ensure that you tell people about your processing in a way that is easily accessible and easy to understand. You must use clear and plain language.
Articles 13 and 14 of the UK GDPR specify the types of information that you always need to provide people with. We call this ‘privacy information’. For more detail about the privacy information you must provide, see our guidance on the right to be informed.
However, this is just your starting point. To be truly transparent, you may need to go above and beyond the minimum requirements set out in Articles 13 and 14. This will depend on the particular circumstances of your processing and is about taking proportionate steps to inform people about what you are doing. Things to consider here include:
- Are you processing ‘sensitive’ personal information?
- The nature and purpose of your processing – is it beyond what people expect to be happening? Are they likely to find it intrusive?
- What could happen to people as a result of your processing – what types of harms could occur, and how serious could they be? On the other hand, what benefits could people get from your processing?
- Are there any rights under data protection legislation that are particularly relevant to your processing? For example, Article 21 gives people the ‘absolute right’ to object to processing for direct marketing purposes.
- What are the costs for you in taking extra steps beyond the requirements of Articles 13 and 14 in order to make sure that people can understand how you’re using their personal information, what the risks are, what safeguards you’ve put in place, and how they can exercise their rights?
You must be able to demonstrate that people can easily find the information you provide and that it enables them to exercise their rights.
Further reading
Read our guidance on:
- Lawful basis for processing
- The right to be informed
- Individuals’ rights
- Transparency in health and social care
The Accountability Framework looks at the ICO’s expectations in relation to transparency.