Part 3: Key GDPR Principles

The GDPR operates on six key principles (set out in A to F below) and six ‘lawful bases’ (set out in 1 to 6 below).

Important GDPR Definitions

The following definitions are used throughout the GDPR, and throughout the SWGfL GDPR guidance:

  1. Processing is any operation (including collection, recording, organising, storing, altering, using, and transmitting) performed on Personal Data.
  2. Personal Data is any information relating to a natural person (called a Data Subject) who can be (directly or indirectly) identified using that information.
  3. Data Controller is a person, authority, agency or other body which determines the purposes and the means of Processing.
  4. Data Processor is a person, authority, agency or other body which undertakes Processing on behalf of a Data Controller.

Principle A: Lawful, Fair and Transparent

In order for Processing to be lawful, fair and transparent, the requirements of one of the six lawful bases (set out in Article 6) must be met:

  1. The Data Subject has given explicit consent for Processing for a specific purpose; or
  2. Processing is necessary for the performance of a contract with the Data Subject; or
  3. Processing is necessary for compliance with a Data Controller’s legal obligation(s); or
  4. Processing is necessary to protect the vital interests of a natural person; or
  5. Processing is necessary for carrying out tasks in the public interest; or
  6. Processing is necessary for the purposes of the legitimate interests of the Data Controller or a third party (unless the protection of Personal Data (particularly of a child) prevents it).

Note that 6. (‘legitimate interests’) does not apply to Processing carried out by public authorities in the performance of their public tasks. Public authorities are defined as those subject to the Freedom of Information Act 2000 (FOIA) or the Freedom of Information Act (Scotland) 2002 in Scotland.

This means that organisations subject to FOIA are not able to use the ‘legitimate interests’ basis when performing public tasks (and therefore such organisations are only considered ‘public’ when performing tasks carried out in the public interest or in the exercise of official authority vested in them). ‘Legitimate interests’ may be an appropriate basis for other legitimate tasks.

All Processing must either:

  1. have the Data Subject’s consent; or
  2. be necessary in order to:
    1. perform a contract with the Data Subject;
    2. comply with legal obligations;
    3. protect someone’s vital interests;
    4. perform public tasks; or
    5. pursue legitimate interests.

Principle B: Limited Purposes

The purpose limitation principle means that Processing is only permissible if it is for specified, explicit and legitimate purposes and that no further Processing takes place in a manner that is incompatible with those original purposes.

Where further Processing does take place that is not compatible (i.e. for a different reason) with the original purpose, it is not compliant with the GDPR unless further consent is obtained from the Data Subject, or one of the other lawful bases permits it.

Principle C: Minimised

The data minimisation principle requires that Personal Data that is Processed is adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed. This relates to the amount of Personal Data collected, how much Processing takes place on it, and how long it is stored for.

Data Controllers must ensure they collect sufficient Personal Data to perform their tasks, but no more than that.

Principle D: Accurate

The accuracy requirements state that Personal Data must be accurate and kept up to date.

Data Controllers are required to take every reasonable step to ensure the accuracy of Personal Data they are Processing, and where it is inaccurate, to erase it or rectify it without delay.

Principle E: Retained for no Longer than Necessary

The storage limitation rules require that Personal Data only be kept for as long as it is necessary for the purposes (which themselves must be lawful, fair and transparent).

This means that, when organisations no longer require Personal Data for the purpose it was collected, it should be deleted (unless there are other lawful grounds to retain it).

Principle F: Secure

The security, or integrity and confidentiality, of the Personal Data means it must be protected against unauthorised or unlawful Processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

This means that Data Controllers need to assess the risks to Personal Data, and deploy technical and/or organisational security measures that are appropriate to those risks.

Compliance

The GDPR also sets out (in Article 5.2) that Data Controllers are responsible for compliance, and for being able to demonstrate compliance.

All Processing must:

  1. be lawful, using one of the six lawful bases
  2. be for a clear purpose
  3. minimise the Personal Data used
  4. maintain the accuracy of Personal Data
  5. take place for no longer than is necessary
  6. be secure

Data Controllers are accountable both for doing this and for demonstrating that they are doing it.

Lawful Basis 1: Consent

The GDPR sets out (in Article 7) conditions for consent, stating that:

  1. The Data Controller must be able to demonstrate that the Data Subject provided consent for the Processing;
  2. The request for consent must be clear and in plain language, and easily accessible;
  3. The Data Subject must be able to withdraw consent at any time, as easily as they provided it; and
  4. Consent must be freely given.

This is the only lawful basis that does not include the word ‘necessary’, so it is anticipated that it may be used for Processing that is not necessary (and that it should not be used for Processing that is).

Consent should be used when the Data Subject has (or should have) more control of Processing than the Data Controller. Data Subjects must have a genuine choice about what Personal Data to provide, if any, and must be able to change this at any time.

In particular, consent should not be used where it is presented to the Data Subject as a condition of providing something (e.g. a service). In such cases it would not be freely given.

Examples of use cases for consent could include a wide range of marketing activities.

Lawful Basis 2: Contract

This basis is used for Processing that is necessary for a contract with the Data Subject (which may be an existing contract or a new contract to be formed at the Data Subject's request).

Examples of use cases for the contract basis could include a wide range of activities in relation to providing goods and services to the Data Subject.

Lawful Basis 3: Legal Obligation

This basis is used for Processing that is necessary to meet one or more of the Data Controller’s legal obligations. Such a legal obligation needs to be set out in EU or UK law.

Examples of use cases for the legal obligation basis could include a number of employment activities.

Lawful Basis 4: Vital Interests

This basis is used for Processing that is necessary for the protection of vital interests, which means the protection of someone’s life (which could be the Data Subject, or another natural person).

It is anticipated that this basis would allow for Processing where a Data Subject is not capable of providing consent for the Processing (and therefore where a Data Subject is capable – legally and practically – of providing consent, it should not be used).

Examples of use cases for the vital interests basis include emergency medical procedures.

Lawful Basis 5: Public Interest

This basis is used for Processing for ‘public tasks’, carried out in the public interest or in the exercise of official authority vested in the Data Controller.

As per the ICO’s guidance, this can apply if the Data Controller is either:

  1. carrying out a specific task in the public interest which is laid down by law; or
  2. exercising official authority (for example, a public body’s tasks, functions, duties or powers) which is laid down by law.

Examples of use cases for the public interest basis include a range of health and safety applications; however, this basis is likely to be of particular interest to schools and colleges, as the teaching of children and the effective operation of a school are likely to be considered as being in the public interest.

The maintenance of attendance and attainment records, providing food and drink, collecting and analysing behavioural and medical data, and certain communications to parents could reasonably be considered as necessary for the school or college to operate effectively.

The key question is whether a specific piece of Personal Data is required in order for this to happen.

Lawful Basis 6: Legitimate Interests

This basis is used for Processing Personal Data where that Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

What are legitimate interests? Though the GDPR does not contain a precise definition or a list of purposes that constitute a legitimate interest, a reasonable definition of legitimate interests might be “clear lawful benefits, either to oneself or a third party, that are realised from lawful Processing of Personal Data”. Such benefits can include individual and commercial interests, as well as benefits to wider society.

As per the ICO’s guidance, Recitals 47, 48, 49 and 50 of the GDPR do set out a number of situations and conditions, including where legitimate interests may constitute an appropriate lawful basis for Processing, those being:

  1. fraud prevention;
  2. ensuring network and information security;
  3. indicating possible criminal acts or threats to public security;
  4. processing employee or client data;
  5. direct marketing; and
  6. administrative transfers within a group of companies.

Note, however, that specifically in the case of 5. (direct marketing), Recital 70 of the GDPR clearly states that Data Subjects should have the right to object to such Processing, and therefore consent may be a more appropriate basis.

The ICO does advise that the ‘legitimate interests’ basis is the most flexible of the six lawful bases, as it is not focused on a particular purpose and therefore gives more scope to potentially rely on it in many different circumstances.

It may be the most appropriate basis when:

  • the Processing is not required by law but is of a clear benefit;
  • there’s a limited privacy impact on the Data Subject;
  • the Data Subject could reasonably expect their Personal Data to be used in the manner envisaged; and
  • it is not possible to, or not desirable to, give the Data Subject full upfront control (i.e. use the consent basis) or bother them with disruptive consent requests when they are unlikely to object to the Processing.

The ICO further recommends the use of a three-part test when using the ‘legitimate interests’ basis:

  1. identify a legitimate interest;
  2. show that the Processing is necessary to achieve it; and
  3. balance it against the Data Subject’s interests, rights and freedoms.

Data Controllers should keep a record of these assessments as part of demonstrating compliance, and include the details of the legitimate interests they are pursuing in published privacy information.

An important note, however, is that the ‘legitimate interests’ basis is not applicable to Processing carried out by public authorities in the performance of their public tasks. Public authorities are defined as those subject to the Freedom of Information Act 2000 (FOIA) or the Freedom of Information Act (Scotland) 2002 in Scotland.