I want to choose one of the 6 lawful bases for processing personal data
If you collect, manage, and hold etc., (process) personal data you must have a lawful basis to do so. Choosing the most appropriate will depend on the purpose of your data processing activity and your relationship with the individual.
It is essential to determine the most appropriate lawful basis before you begin processing personal data, it is difficult to swap to a different legal basis retrospectively, as this is unfair to the individuals who's data you are processing.
There are six lawful bases, and they are set out below:
- Public task: the processing is necessary for you to perform a task in the public interest or for official functions which the University has.
- For example, the University uses public task as the lawful basis for processing personal data for the delivery of learning and teaching programmes, assessments, and graduation ceremonies.
- Individuals have a right to object to their personal data being processed, where the lawful basis is public task.
- Vital interests: the processing is necessary to protect someone's life.
- For example, in a medical emergency your details may be released to the emergency services to ensure you receive appropriate treatment and to protect your interests.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- For example, the University processes Performance and Development Review (PDR) records to support an employee's career and development goals.
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Individuals’ must be given a real choice and control over whether their data is processed, and they must be aware that consent can be withdrawn at any time.
- When using consent as a lawful basis, we must keep a record to evidence that consent was given.
- Example: To receive a free student membership of a professional body, student's are asked to provide their consent for their school to share their name, University email address, and course title with the organisation.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- For example, an employer needs to process personal data to comply with its legal obligation to disclose employee salary details to HMRC.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual's personal data which overrides those legitimate interests interests e.g. if the processing would cause unjustified harm or the person would not reasonably expect it.
- This cannot apply if you are a public authority processing data to perform your official tasks.
If you are unsure which of the following legal basis applies, please contact your Data Co-ordinator.