Data Protection: Which lawful basis?

Under UK GDPR, and as Controller, you must have a lawful basis for processing personal data (and remember that anything you do with personal data – including storing it or deleting it – counts as processing). UK GDPR won’t make processing lawful that would otherwise be unlawful, but it can prevent you from doing something you might otherwise expect to be able to do, if you can’t identify an appropriate lawful basis that applies. These are set out in Article 6(1) of the legislation:

Processing shall be lawful only if and to the extent that at least one of the following applies:

1. the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
3. processing is necessary for compliance with a legal obligation to which the controller is subject;
4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
5. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
6. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Many people believe – incorrectly – that the lawful bases are set out hierarchically; that a Controller should start at the top of the list and work down until they find a lawful basis that applies. Often, this means that they rely on consent, but this may not be the best choice and, in fact, should not be used if the Controller would process the personal data whether the Data Subject wanted them to or not: it must be as easy to withdraw consent as it is to give it.

As an Education Provider, a Controller will often be required to comply with a legal obligation or be performing a task carried out in the public interest, and so these lawful bases should be considered first for regular and systematic processing of Pupil personal data.

Where an Education Provider is carrying out processing of Personal Data not linked to the performance of their tasks as a public authority – for example, the production of School Leaver hoodies – they may be able to rely upon their legitimate interests.

Only where the Data Subject has a genuine choice and where it can be freely given and withdrawn at any time should consent be relied upon as the lawful basis for processing of Personal Data.