Cookies on this website

We use cookies to ensure that we give you the best experience on our website. If you click 'Accept all cookies' we'll assume that you are happy to receive all cookies and you won't see this message again. If you click 'Reject all non-essential cookies' only necessary cookies providing core functionality such as security, network management, and accessibility will be enabled. Click 'Find out more' for information on how to change your cookie settings.

Accept all cookies Reject all non-essential cookies Find out more

What are the lawful bases for processing data under GDPR?

Under the GDPR, there must be a lawful basis in order to process personal data.

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:           

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

Special Category Data (previously known as Sensitive Personal Data) requires the application of a further legal basis. The conditions are listed in Article 9(2) of the GDPR.

WHICH BASIS DO I SELECT?

When carrying out research as a public authority (such as the University), the most appropriate lawful basis for processing personal data, under GDPR, is

Article 6(1)E ‘task in the public interest’.  

When processing special category data while undertaking research as a public authority, the most appropriate lawful basis under GDPR is 

Article 9(2)J 'Necessary for archiving purposes in public interest, scientific or historical research purposes'.

If you are unsure whether the data you process falls under this criteria, please contact the Information Governance Lead for further information.

 

Further information on legal basis for processing data:

MRC guidance on lawful basis

ICO guidance on lawful basis

University guidance on legal basis for processing

Quick links:

PRISMS-IG: All our IG policies in one place

Information Security Training Module: Provided by the University, needs to be completed by everyone

NHS Data Security and Protection Toolkit

How to:

Report an information governance incident

Ensure you are working securely