Under the current Data Protection Act 1998 (DPA) any organisation that processes personal data and sensitive personal data must have a legal basis for doing so. The GDPR, which comes into force in May 2018, is more rigorous in maintaining this position. Changes effected by the GDPR will have clear, practical implications in a way that the current DPA does not. Individuals’ rights will differ depending upon the lawful basis for processing their data.
If your organisation wants to process personal data then it must satisfy at least one of the following conditions:
The data subject has explicitly consented to the processing of their personal data.
It is necessary to process personal data prior to entering into a contract with the data subject.
Processing is necessary to comply with a legal obligation.
Processing is necessary to protect the vital interests of the data subject or another person, and the data subject is not physically or mentally capable of giving consent. For example, when an individual’s medical history is disclosed to a hospital following a serious accident.
It is in the interests of public safety to carry out the processing of this personal data.
It’s necessary to process the personal data for the legitimate interests of the organisation or a third party, except when this negatively affects the interests, rights or freedoms of the data subject.
The following GDPR recitals give examples of ‘legitimate interests’ for processing personal data:
Recital 47: processing for direct marketing purposes or preventing fraud. However, Recital 47 states that data controllers must consider whether their legitimate interests are outweighed by the interests and fundamental rights of data subjects.
Recital 48: transmission of personal data within a group of undertakings for internal administrative purposes including client and employee data.
Recital 49: processing for the purposes of ensuring network and information security, including preventing unauthorised access to electronic communications.
Recital 50: reporting possible criminal acts or threats to public security to a competent authority.
It’s mandatory under the GDPR for organisations to satisfy at least one of the following requirements in order to process sensitive personal data:
The data subject has given explicit consent for their sensitive personal data to be processed.
Processing is necessary to meet employment, social security and social protection laws or ‘a collective agreement providing for appropriate safeguards for the fundamental rights and interests of the data subject’.
Processing is a matter of life or death for the data subject or for somebody else, and the data subject isn’t physically or mentally able to give consent.
Processing is carried out by a not-for-profit organisation (NFP) for political, philosophical, religious or trade union reasons, provided that this information is not shared with any third parties without the data subject’s consent.
The data subject has ‘manifestly’ shared their sensitive information publicly on their own initiative.
Processing is necessary for legal matters.
Processing is necessary in the interests of public health and safety.
Processing for ‘the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of EU or Member State law…’
Processing is necessary for the public interest or for scientific, historical or research purposes providing the aims are proportionate to the fundamental rights and interests of the data subject. The data subject’s rights must be respected and safeguarded.
The GDPR defines consent as ‘freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’. Silence, pre-ticked boxes or inactivity do not constitute consent.
Most importantly, make sure you identify and document your lawful basis for processing personal data and sensitive personal data so that you comply with the GDPR.
Our information security consultants can provide on/off consultancy and training that will support you to: