Legitimate processing
Processing is defined in section 1(1) of the DPA as meaning "obtaining, recording or holding" data and carrying out various operations such as organising, adapting, altering, disclosing, erasing or blocking.
The First Data Protection Principle provides that, in order for any processing to be legitimate, it must satisfy certain conditions. This is in recognition of the fact that the processing of any personal data impacts upon your privacy rights. For the processing to be lawful, you must therefore either have consented to it or it must be justified in some other way.
All processing must satisfy at least one of the conditions in Schedule 2 of the DPA. In the case of the processing of sensitive personal data (information about racial or ethnic origin, political opinions, religious beliefs and a number of other specific categories), at least one of the conditions in Schedule 3 of the DPA must also be met.
The conditions in Schedule 2 include:
1. Where you have given your consent (this can be express or implied, for example if you do not tick an "opt out" box at the bottom of a web page).
2. Where the processing is necessary for the performance of a contract (e.g. processing for the purpose of obtaining payment and effecting delivery if you have ordered something from a website); or for "the taking of steps at the request of the data subject with a view to entering into a contract" (e.g. credit reference checks).
3. Where the processing is necessary for the data controller to comply with any legal obligation.
4. Where the processing is necessary to protect your vital interests. The ICO considers that this condition may only be claimed "where the processing is necessary for matters of life and death, for example, the disclosure of a data subject's medical history to a hospital casualty department treating the data subject after a serious road accident".
5. Where the processing is necessary for the completion of public functions, including for the administration of justice and for the exercise of any functions of a government department.
In order for sensitive personal data to be processed fairly it must meet one of the conditions in Schedule 3 as well as at least one of the conditions in Schedule 2. The Schedule 3 conditions include:
1. Where you have given explicit consent.
2. Where processing is necessary for the purposes of exercising or performing any legal right or obligation in connection with employment (for example to ensure compliance with non-discrimination obligations).
3. Where processing is necessary to protect the vital interests of yourself or another person in circumstances where consent cannot be given or is withheld. For example, where a government department wishes to obtain information relating to a person's criminal record or mental health where that record discloses offences or behaviour which may put others at serious risk.
4. Where processing is necessary for the purpose of legal proceedings; for the purpose of taking legal advice; or is otherwise necessary for the purpose of establishing, exercising or defending legal rights.
5. Where processing is needed by a health professional (i.e. a registered GP, dentist, optician, psychologist, nurse etc.) for medical purposes.
6. Where processing is for the purposes of ethnic monitoring.
The Data Protection (Processing of Sensitive Personal Data) Order (SI 2000/417) sets out ten additional grounds on which sensitive personal data may be processed without breaching the legitimate processing requirement. Under five of the ten grounds, the processing must be carried out "in the substantial public interest". In eight of the ten, the processing must meet some form of necessity.


