
Data Protection - For what purposes can my organisation collect, use and process personal data?


If an organisation collects, uses or otherwise ‘processes’ personal data (see our article which describes what ‘processing’ means here), it must have a ‘lawful basis’ (i.e. a legitimate reason) for each way in which it proposes to use that data. The lawful basis should be recorded in writing and will also need to be set out in the organisation’s privacy notice. If an organisation cannot demonstrate a lawful basis for a processing activity, it should not be carrying out that processing.

There are six lawful bases for processing personal data, and an organisation needs to decide, before the processing commences, which basis (or, in some cases, bases) is most appropriate for the processing to be carried out. The lawful bases are:

  • Legitimate interests. This is a lawful basis which is commonly used by organisations. It means that the processing of the data subject’s personal data is necessary for the organisation’s legitimate interests or the legitimate interests of a third party, unless the individual’s interests or fundamental rights override those legitimate interests. In practice the organisation must carry out and record a balancing exercise (often called a legitimate interests assessment) before relying on this basis. For example, an organisation may put in place security measures to protect its IT systems which involve its customers’ personal data being processed (for example, logging and monitoring of access to its systems). This benefits both the organisation and all of its customers, and the GDPR itself recognises that processing which is necessary to ensure network and information security can be a legitimate interest. This processing is therefore in the legitimate interests of both the organisation and the data subject.
  • Consent. The data subject must have given freely given, specific, informed and unambiguous consent for the organisation to use their personal data for the relevant purpose. For example, an organisation may run a competition and, after the prize has been allocated, ask the winner to consent to participate in a photoshoot so that their photo can be put on the organisation’s social media channels to show who won the competition. Many people believe consent is the cornerstone requirement for organisations to lawfully use a data subject’s personal data; however, in many cases organisations will find it is not the best or most appropriate lawful basis at all. For example, consent is rarely appropriate in an employment context, because the imbalance of power between an employer and an employee means that consent cannot generally be said to be freely given by the employee. Consent can also be withdrawn by the data subject at any time, and the processing must then stop, which in business and logistical terms often makes reliance on consent as a lawful basis unsuitable.
  • Contract. The processing is necessary for the performance of a contract between the organisation and the data subject, or for taking steps at the data subject’s request before entering into a contract. For example, a holiday provider needs the personal data of the person who wishes to book a holiday in order to make the necessary arrangements and provide quotes, and an employer needs to use an employee’s personal data in order to pay them in accordance with their contract of employment.
  • Legal obligation. The processing is necessary in order for the organisation to comply with a legal obligation (an obligation imposed by law, rather than one the organisation has taken on under a contract). For example, a bank collects information from its customers in order to carry out anti-money laundering checks to comply with anti-money laundering legislation.
  • Vital interests. This is processing which is necessary to protect someone’s life, and it is generally only relevant in emergencies. For example, an employer passing on details about an employee’s health to a paramedic if the employee falls ill at work and an ambulance is called.
  • Public task. This is a lawful basis which can be used by an organisation performing official functions or a task carried out in the public interest (e.g. the DVLA or the Passport Office). Note that a public authority cannot rely on legitimate interests for processing carried out in the performance of its public tasks, so public task is normally the appropriate basis in that situation.

It is worth noting that an organisation cannot swap the lawful basis it is relying on for a particular processing activity once the processing has started. This is especially important where the lawful basis being relied upon is consent: an organisation cannot switch from consent to, for example, legitimate interests once it runs into problems obtaining the required consent, or where consent is provided but subsequently withdrawn by the data subject. Choosing the right basis at the outset therefore matters.

If the personal data being processed includes any special category (i.e. sensitive) personal data or criminal conviction personal data, then there are separate additional conditions which must be met before the personal data can be processed and we will be exploring those in our next article.

Our data protection team has many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team you can get in touch here or call us on 0800 2800 421.

If you have not received this article directly, but would like to receive articles and data protection news alerts from Trethowans, please email [email protected].
