In our previous post we mentioned that organisations needed to be fully aware of the lawful processing basis that they are relying on for each data processing activity. This post will address the main bases applicable to agents.
There are 6 lawful bases for processing, and no single basis is more important or better than the others. A lawful basis must be determined before any processing starts, and the choice should be documented. The ICO guidance stresses getting the basis right first time, because switching to a different basis later should not be done without a good reason.
Of these 6 bases, only 4 are applicable to agents. Consent has been addressed in a previous post, so this post addresses the other three.
- Contract
This is a lawful basis if you have a contract with an individual and you need to process their personal data to perform your obligations under that contract. It also applies where the individual asks you to do something preparatory to entering into a contract (e.g. provide a quote).
The contract does not have to be a formal document, signed or in writing. It does, however, need to meet the requirements of a contract under UK contract law: an offer by one party, acceptance of that offer by the other, consideration (an exchange of value) and an intention by both parties to be legally bound.
Again, the processing must be necessary, meaning that if you can do what the individual wants without processing the personal data then this basis does not apply. The processing must be targeted and proportionate and used only to deliver your side of the contract. The individual has no right to object to processing carried out under this basis.
- Legal Obligation
This basis can be relied on if you need to process personal data in order to comply with the law. There does not need to be a specific legal obligation requiring the specific processing activity; it is enough that the overall purpose is to comply with a legal obligation which has a sufficiently clear basis in law. The example used by the ICO is an employer processing personal data to comply with its legal obligation to disclose employee salary details to HMRC. Another example would of course be Right to Rent checks. The basis extends beyond statutory obligations and includes processing needed to comply with a court order. A contractual obligation does not count; that is what the contract basis is for.
It is important to note that, because the processing is carried out to comply with a legal obligation, the individual has no right to object, no right to have the data erased and no right to data portability (the right to obtain the data and reuse it for their own purposes).
- Legitimate Interests
This is the most flexible lawful basis for processing, but that does not necessarily make it the most appropriate. It is likely to be appropriate where the processing has a minimal privacy impact and is of a kind people would reasonably expect, and it carries a three-part test:
i Purpose test: identify a legitimate interest;
ii Necessity test: show that the processing is necessary to achieve it; and
iii Balancing test: balance it against the individual's interests, rights and freedoms.
The legitimate interest does not need to be that of the organisation processing the personal data; it can be that of a third party (for example, a referencing company carrying out checks on behalf of an agent). Whatever the reason for choosing this basis, or any other, it must again be documented.
Legitimate interests can include, but are not limited to, the ordinary administration of client or employee data, fraud prevention, IT security, and reporting possible criminal acts or security threats to the authorities. Again, the processing must be necessary, and you must balance your interests against the individual's. If the person would not expect you to process their data and the processing could cause them unwarranted harm, their interests are likely to override yours. However, even where your interests conflict with theirs, yours can prevail if there is a clear justification for the processing.
For agents, legitimate interests is most likely to be the appropriate basis for a wide range of marketing activities aimed at existing or former clients, provided it can be shown that the use is proportionate, has a minimal privacy impact, and people would not be surprised by it or likely to object. However, where marketing is electronic or by telephone, consent must also be obtained where the Privacy and Electronic Communications Regulations require it.
More guidance on these 3 bases can be viewed on the ICO website here. For those struggling to decide which basis to select, and for which activity, advice should be sought sooner rather than later, given that the Regulation comes into force this week.