Module 2: Lawful Basis For Processing

Introduction

Under the General Data Protection Regulation (GDPR) you must have a lawful basis in order to process personal data. There are six lawful bases for processing, and you must determine and document your lawful basis before you begin processing. Take care to get it right first time, as you should not swap to a different lawful basis at a later date without good reason. If your purposes do change, you may be able to continue processing under the original lawful basis if your new purpose is compatible with your initial purpose (unless your original lawful basis was consent).

No single basis is ‘better’ or more important than the others. Which basis is most appropriate for you to use will depend on your purpose and your relationship with the individual. Most lawful bases require that the processing is ‘necessary’. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.

Your privacy notice should include your lawful basis for processing as well as the purpose for the processing.

Consent

The GDPR sets a high standard for consent, but the biggest change is what this means in practice for your consent mechanisms.

The GDPR is clear that an indication of consent must be unambiguous and involve a clear affirmative action (an opt-in). It specifically bans ‘pre-ticked’ opt-in boxes. It also requires individual (‘granular’) consent options for distinct processing operations. Consent should be separate from other terms and conditions and should not generally be a precondition of signing up to a service.

You must keep clear records to demonstrate consent.

The GDPR gives a specific right to withdraw consent. You need to tell people about their right to withdraw and offer them easy ways to withdraw consent at any time.

Public authorities, employers and other organisations in a position of power may find it more difficult to show valid freely given consent.

You need to review existing consents and your consent mechanisms to check they meet the GDPR standard. If they do, there is no need to obtain fresh consent.

Why?

Consent is one lawful basis for processing, and consent (or explicit consent) can also legitimise use of special category data, restricted processing, automated decision-making and overseas transfers of data.

Genuine consent should put individuals in control, build customer trust and engagement, and enhance your reputation.

Relying on inappropriate or invalid consent could destroy trust and harm your reputation – and may leave you open to large fines.

What?

Consent must be freely given; this means giving people genuine ongoing choice and control over how you use their data.

Consent should be obvious and require a positive action to opt in. Consent requests must be prominent, unbundled from other terms and conditions, concise, easy to understand, and user-friendly.

Consent must specifically cover the controller’s name, the purposes of the processing and the types of processing activity.

Explicit consent must be expressly confirmed in words, rather than by any other positive action.

There is no set time limit for consent. How long it lasts will depend on the context. You should review and refresh consent as appropriate.

When?

Consent is one lawful basis for processing, but there are alternatives. Consent is not inherently better or more important than these alternatives. If consent is difficult, you should consider using an alternative.

Consent is appropriate if you can offer people real choice and control over how you use their data and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate. If you would still process the personal data without consent, asking for consent is misleading and inherently unfair.

If you make consent a precondition of a service, it is unlikely to be the most appropriate lawful basis.

Public authorities, employers and other organisations in a position of power over individuals should avoid relying on consent unless they are confident they can demonstrate it is freely given.

How?

Make your consent request prominent, concise, separate from other terms and conditions, and easy to understand. Include:

• the name of your organisation;

• the name of any third-party controllers who will rely on the consent;

• why you want the data;

• what you will do with it; and

• that individuals can withdraw consent at any time.

You must ask people to actively opt in. Don’t use pre-ticked boxes, opt-out boxes or other default settings. Wherever possible, give separate (‘granular’) options to consent to different purposes and different types of processing.

Keep records to evidence consent – who consented, when, how, and what they were told.

Make it easy for people to withdraw consent at any time they choose. Consider using preference-management tools.

Keep consents under review and refresh them if anything changes. Build regular consent reviews into your business processes.

Consent – Continued

When it comes to consent being a lawful basis for processing there are things you should know.

Asking for Consent:

• You have checked that consent is the most appropriate lawful basis for processing.

• You have made the request for consent prominent and separate from your terms and conditions.

• You ask people to positively opt in.

• You don’t use pre-ticked boxes or any other type of default consent.

• You use clear, plain language that is easy to understand.

• You specify why you want the data and what you are going to do with it.

• You give individual options to consent separately to different purposes and types of processing.

• You name your organisation and any third-party controllers who will be relying on the consent.

• You tell individuals they can withdraw their consent.

• You ensure that individuals can refuse to consent without detriment.

• You avoid making consent a precondition of a service.

• If you offer online services directly to children, you only seek consent if you have age-verification measures (and parental-consent measures for younger children) in place.

Recording Consent:

• You keep a record of when and how you got consent from the individual.

• You keep a record of exactly what they were told at the time.

Managing Consent:

• You regularly review consents to check that the relationship, the processing and the purposes have not changed.

• You have processes in place to refresh consent at appropriate intervals, including any parental consents.

• You consider using privacy dashboards or other preference-management tools as a matter of good practice.

• You make it easy for individuals to withdraw their consent at any time and publicise how to do so.

• You act on withdrawals of consent as soon as you can.

• You don’t penalise individuals who wish to withdraw consent.

Contract

You can rely on this lawful basis if you need to process someone’s personal data to fulfil your contractual obligations to them; or because they have asked you to do something before entering into a contract (for example, providing a quote).

The processing must be necessary. If you could reasonably do what they want without processing their personal data, this basis will not apply. You should document your decision to rely on this lawful basis and ensure you can justify your reasoning.

You will need to review your existing processing so that you can document where you rely on this basis and inform individuals. But in practice, if you are confident that your existing approach complied with the Data Protection Act 1998, you are unlikely to need to change your existing basis for processing.

Article 6.1.b states that you have a lawful basis for processing if:

‘Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.’

You have a lawful basis for processing if:

• you have a contract with the individual and you need to process their personal data to comply with your obligations under the contract.

• you haven’t yet got a contract with the individual, but they have asked you to do something as a first step (e.g. provide a quote) and you need to process their personal data to do what they ask.

It does not apply if you need to process one person’s details, but the contract is with someone else.

It does not apply if you take pre-contractual steps on your own initiative or at the request of a third party.

In this context, a contract does not have to be a formal signed document, or even written down, as long as there is an agreement which meets the requirements of contract law. Broadly speaking, this means that the terms have been offered and accepted, you both intend them to be legally binding, and there is an element of exchange (usually an exchange of goods or services for money, but this can be anything of value). However, this is not a full explanation of contract law, and if in doubt you should seek your own legal advice.

Contract – Continued

‘Necessary’ does not mean that the processing must be essential for the purposes of performing a contract or taking relevant pre-contractual steps. However, it must be a targeted and proportionate way of achieving that purpose. This lawful basis does not apply if there are other reasonable and less intrusive ways to meet your contractual obligations, or take the steps requested.

The processing must be necessary to deliver your side of the contract with this particular person. If the processing is only necessary to maintain your business model more generally, this lawful basis will not apply, and you should consider another lawful basis, such as legitimate interests.

If the processing is necessary for a contract with the individual, processing is lawful on this basis and you do not need to get separate consent.

If processing of special category data is necessary for the contract, you also need to identify a separate condition for processing this data.

If the contract is with a child under 18, you need to consider whether they have the necessary competence to enter into a contract. If you have doubts about their competence, you may wish to consider an alternative basis such as legitimate interests, which can help you to demonstrate that the child’s rights and interests are properly considered and protected.

If the processing is not necessary for the contract, you need to consider another lawful basis such as legitimate interests or consent. Note that if you want to rely on consent you will not generally be able to make the processing a condition of the contract. Read our guidance on consent for more information.

If you are processing on the basis of contract, the individual’s right to object and right not to be subject to a decision based solely on automated processing will not apply. However, the individual will have a right to data portability.

[Remember to document your decision that processing is necessary for the contract and include information about your purposes and lawful basis in your privacy notice.]

Legal Obligation

You can rely on legal obligation if you need to process the personal data to comply with a common law or statutory obligation. This does not, however, apply to contractual obligations. The processing must be necessary. If you can reasonably comply without processing the personal data, this basis does not apply.

You should be able to either identify the specific legal provision or an appropriate source of advice or guidance that clearly sets out your obligation. You should document your decision to rely on this lawful basis and ensure that you can justify your reasoning.

You need to review your existing processing so that you can document where you rely on this basis and inform individuals. But in practice, if you are confident that your existing approach complied with the Data Protection Act 1998, you are unlikely to need to change your existing basis for processing.

Article 6.1.c provides a lawful basis for processing where:

‘Processing is necessary for compliance with a legal obligation to which the controller is subject’

Article 6.3 requires that the legal obligation must be laid down by UK or EU law. Recital 41 confirms that this does not have to be an explicit statutory obligation, as long as the application of the law is foreseeable to those individuals subject to it. So, it includes clear common law obligations.

This does not mean that there must be a legal obligation specifically requiring the specific processing activity. The point is that your overall purpose must be to comply with a legal obligation which has a sufficiently clear basis in either common law or statute.

You should be able to identify the obligation in question, either by reference to the specific legal provision or else by pointing to an appropriate source of advice or guidance that sets it out clearly. For example, you can refer to a government website or to industry guidance that explains generally applicable legal obligations.

If you are processing on the basis of legal obligation, the individual has no right to erasure, right to data portability, or right to object.

Remember to:

• document your decision that processing is necessary for compliance with a legal obligation;

• identify an appropriate source for the obligation in question; and

• include information about your purposes and lawful basis in your privacy notice.

Vital Interests

The lawful basis for vital interests is very similar to the old condition for processing under the Data Protection Act 1998. One key difference is that anyone’s vital interests can now provide a basis for processing, not just those of the data subjects themselves.

You will need to review your existing processing policies to identify if you have any ongoing processing for this reason or are likely to need to process for this reason in the future. You should document where you rely on this basis and inform individuals if relevant.

Article 6.1.d provides a lawful basis for processing where:

‘processing is necessary in order to protect the vital interests of the data subject or of another natural person’.

Recital 46 provides some further guidance:

‘The processing of personal data should also be regarded as lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis…’

It’s clear from the above that vital interests are intended to cover only interests that are essential for someone’s life. So this lawful basis is very limited in its scope, and generally only applies to matters of life and death.

This basis is likely to be particularly relevant for emergency medical care, when you need to process personal data for medical purposes, but the individual is incapable of giving consent to the processing. It is less likely to be appropriate for medical care that is planned in advance. Another lawful basis, such as public task or legitimate interests, is likely to be more appropriate in this case.

Processing of one individual’s personal data to protect the vital interests of others is likely to happen more rarely. It may be relevant, for example, if it is necessary to process a parent’s personal data to protect the vital interests of a child.

Vital interests as a lawful basis is also less likely to be the appropriate basis for processing on a larger scale. Recital 46 does suggest that vital interests might apply where you are processing on humanitarian grounds such as monitoring epidemics, or where there is a natural or man-made disaster causing a humanitarian emergency. However, if you are processing one person’s personal data to protect someone else’s life, Recital 46 also indicates that you should generally try to use an alternative lawful basis, unless none are obviously available. For example, in many cases you could consider legitimate interests, which will give you a framework to balance the rights and interests of the data subject(s) with the vital interests of the person or people you are trying to protect.

In most cases the protection of vital interests is likely to arise in the context of health data. This is one of the special categories of data, which means you will also need to identify a condition for processing special category data under Article 9.

There is a specific condition at Article 9(2)(c) for processing special category data where necessary to protect someone’s vital interests. However, this only applies if the data subject is physically or legally incapable of giving consent. This means explicit consent is more appropriate in many cases, and you cannot in practice rely on vital interests for special category data (including health data) if the data subject refuses consent, unless they are not competent to do so.

Public Task

The public task basis in Article 6.1.e may appear new, but it is similar to the old condition for processing the functions of a public nature in the Data Protection Act 1998. One key difference is that the GDPR says that the relevant task or function must have a clear basis in law.

The GDPR is also clear that public authorities can no longer rely on legitimate interests for data processing carried out in performance of their tasks. In the past, some of this type of processing may have been done on the basis of legitimate interests. If you are a public authority, this means you may now need to consider the public task basis for more of your processing.

The GDPR also brings in new accountability requirements. You should document your lawful basis so that you can demonstrate that it applies. You should be able to identify a clear basis in either statute or common law for the relevant task, function or power for which you are using the personal data. You must also update your privacy notice to include your lawful basis and communicate this to individuals.

Article 6.1.e gives you a lawful basis for processing where:

‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’.

This can apply if you are either:

• carrying out a specific task in the public interest which is laid down by law; or

• exercising official authority (for example, a public body’s tasks, functions, duties or powers) which is laid down by law.

If you can show you are exercising official authority, including use of discretionary powers, there is no additional public interest test. However, you must be able to demonstrate that the processing is ‘necessary’ for that purpose.

‘Necessary’ means that the processing must be a targeted and proportionate way of achieving your purpose. You do not have a lawful basis for processing if there is another reasonable and less intrusive way to achieve the same result.

Article 6.3 requires that the relevant task or authority must be laid down by domestic or EU law. This will most often be a statutory function. However, Recital 41 clarifies that this does not have to be an explicit statutory provision, as long as the application of the law is clear and foreseeable. This means that it includes clear common law tasks, functions or powers as well as those set out in statute or statutory guidance.

You do not need specific legal authority for the particular processing activity. The point is that your overall purpose must be to perform a public interest task or exercise official authority, and that overall task or authority has a sufficiently clear basis in law.

The focus is on the nature of the function, not the nature of the organisation. However, if you are a private sector organisation you are likely to be able to consider the legitimate interests basis as an alternative.

The Data Protection Bill includes a draft clause clarifying that the public task basis will cover processing necessary for:

• the administration of justice;

• parliamentary functions;

• statutory functions; or

• governmental functions.

However, this is not intended as an exhaustive list. If you have other official non-statutory functions or public interest tasks you can still rely on the public task basis, as long as the underlying legal basis for that function or task is clear and foreseeable.

For accountability purposes, you should be able to specify the relevant task, function or power, and identify its basis in common law or statute. You should also ensure that you can demonstrate there is no other reasonable and less intrusive means to achieve your purpose.

Individuals’ rights to erasure and data portability do not apply if you are processing on the basis of public task. However, individuals do have a right to object. See our guidance on individual rights for more information.

You should consider an alternative lawful basis if you are not confident that processing is necessary for a relevant task, function or power which is clearly set out in law.

If you are a public authority (as defined in the Data Protection Bill), your ability to rely on consent or legitimate interests as an alternative basis is more limited, but they may be available in some circumstances. In particular, legitimate interests are still available for processing which falls outside your tasks as a public authority. Other lawful bases may also be relevant. We will publish more guidance on the definition of a public authority when the relevant Bill provisions are finalised.

Remember that the GDPR specifically says that further processing for certain purposes should be considered to be compatible with your original purpose. This means that if you originally processed the personal data for a relevant task or function, you do not need a separate lawful basis for any further processing for:

• archiving purposes in the public interest;

• scientific research purposes; or

• statistical purposes.

If you are processing special category data, you also need to identify an additional condition for processing this type of data. Read our guidance on special category data for more information. The Data Protection Bill includes specific draft conditions for parliamentary, statutory or governmental functions in the substantial public interest – more guidance on this and other conditions will follow when the Bill is finalised.

To help you meet your accountability and transparency obligations, remember to:

• document your decision that the processing is necessary for you to perform a task in the public interest or exercise your official authority;

• identify the relevant task or authority and its basis in common law or statute; and

• include basic information about your purposes and lawful basis in your privacy notice.

Legitimate Interests

The concept of legitimate interests as a lawful basis for processing is essentially the same as the equivalent condition in the Data Protection Act 1998, with some changes in the detail. In the run up to 25 May 2018, you need to review your existing processing to identify your lawful basis and document where you rely on legitimate interests, update your privacy information and communicate it to individuals.

Article 6.1.f gives you a lawful basis for processing where:

‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child’.

This can be broken down into a three-part test:

Purpose test: are you pursuing a legitimate interest?

Necessity test: is the processing necessary for that purpose?

Balancing test: do the individual’s interests override the legitimate interest?

We will look at this test in more detail in a later slide.

If you choose to rely on legitimate interests, you take on extra responsibility for ensuring people’s rights and interests are fully considered and protected.

Legitimate interests are most likely to be an appropriate basis where you use data in ways that people would reasonably expect and that have a minimal privacy impact. Where there is an impact on individuals, it may still apply if you can show there is an even more compelling benefit to the processing and the impact is justified.

You can rely on legitimate interests for marketing activities if you can show that how you use people’s data is proportionate, has a minimal privacy impact, and people would not be surprised or likely to object.

You may be able to rely on legitimate interests in order to lawfully disclose personal data to a third party. You should consider why they want the information, whether they actually need it, and what they will do with it. You need to demonstrate that the disclosure is justified, but it will be their responsibility to determine the lawful basis for their own processing.

You should avoid using legitimate interests if you are using personal data in ways people do not understand and would not reasonably expect, or if you think some people would object if you explained it to them. You should also avoid this basis for processing that could cause harm, unless you are confident there is nevertheless a compelling reason to go ahead which justifies the impact.

If you are a public authority, you cannot rely on legitimate interests for any processing you do to perform your tasks as a public authority. However, if you have other legitimate purposes outside the scope of your tasks as a public authority, you can consider legitimate interests where appropriate. This will be particularly relevant for public authorities with commercial interests.

When it comes to Legitimate Interests there are certain things you should know and do.

• You have checked that legitimate interests is the most appropriate basis.

• You understand your responsibility to protect the individual’s interests.

• You have conducted a legitimate interests assessment and kept a record of it to ensure that you can justify your decision.

• You have identified the relevant legitimate interests.

• You have checked that the processing is necessary and there is no less intrusive way to achieve the same results.

• You have done a balancing test and are confident that the individual’s interests do not override those legitimate interests.

• You only use individuals’ data in ways they would reasonably expect, unless you have a very good reason.

• You are not using people’s data in ways they would find intrusive or which would cause them harm, unless you have a very good reason.

• If you process children’s data, you take extra care to make sure you protect their interests.

• You have considered safeguards to reduce the impact and have considered whether you also need to conduct a DPIA.

• You have considered whether you can offer an opt out.

• You keep your LIA under review and repeat it if circumstances change.

• If your LIA identifies a significant privacy impact, you have considered whether you need to conduct a DPIA.

• You include information about your legitimate interests in your privacy information.

Legitimate Interests Assessment (LIA)

If you want to rely on legitimate interests, you can use the three-part test to assess whether it applies. We refer to this as a Legitimate Interests Assessment (LIA), and you should do it before you start the processing.

A Legitimate Interests Assessment is a type of light-touch risk assessment based on the specific context and circumstances. It will help you ensure that your processing is lawful. Recording your LIA will also help you demonstrate compliance in line with your accountability obligations under Articles 5.2 and 24. In some cases an LIA will be quite short but in others there will be more to consider.

First, identify the legitimate interest(s). Consider:

• Why do you want to process the data – what are you trying to achieve?

• Who benefits from the processing? In what way?

• Are there any wider public benefits to the processing?

• How important are those benefits?

• What would the impact be if you couldn’t go ahead?

• Would your use of the data be unethical or unlawful in any way?

Second, apply the necessity test. Consider:

• Does this processing actually help to further that interest?

• Is it a reasonable way to go about it?

• Is there another less intrusive way to achieve the same result?

Third, do a balancing test. Consider the impact of your processing and whether this overrides the interest you have identified. You might find it helpful to think about the following:

• What is the nature of your relationship with the individual?

• Is any of the data particularly sensitive or private?

• Would people expect you to use their data in this way?

• Are you happy to explain it to them?

• Are some people likely to object or find it intrusive?

• What is the possible impact on the individual?

• How big an impact might it have on them?

• Are you processing children’s data?

• Can you adopt any safeguards to minimise the impact?

• Can you offer an opt-out?

You then need to make a decision about whether you still think legitimate interests is an appropriate basis. There’s no foolproof formula for the outcome of the balancing test, but you must be confident that your legitimate interests are not overridden by the risks you have identified.

Keep a record of your LIA and the outcome. There is no standard format for this, but it’s important to record your thinking to help show you have proper decision-making processes in place and to justify the outcome.

Keep your LIA under review and refresh it if there is a significant change in the purpose, nature or context of the processing.

If you are not sure about the outcome of the balancing test, it may be safer to look for another lawful basis. Legitimate interests will not often be the most appropriate basis for processing which is unexpected or high risk.

If your LIA identifies significant risks, consider whether you need to do a DPIA to assess the risk and potential mitigation in more detail.

Special Category Data

Special category data is broadly similar to the concept of sensitive personal data under the Data Protection Act 1998. The requirement to identify a specific condition for processing this type of data is also very similar.

You must still have a lawful basis for your processing under Article 6, in exactly the same way as for any other personal data. The difference is that you will also need to satisfy a specific condition under Article 9.

This is because special category data is more sensitive and so needs more protection. For example, information about an individual’s:

• race;

• ethnic origin;

• politics;

• religion;

• trade union membership;

• genetics;

• biometrics (where used for ID purposes);

• health;

• sex life; or

• sexual orientation.

In particular, this type of data could create more significant risks to a person’s fundamental rights and freedoms, for example by putting them at risk of unlawful discrimination.

Your choice of lawful basis under Article 6 does not dictate which special category condition you must apply, and vice versa. For example, if you use consent as your lawful basis, you are not restricted to using explicit consent for special category processing under Article 9. You should choose whichever special category condition is the most appropriate in the circumstances – although in many cases there may well be an obvious link between the two.

For example, if your lawful basis is vital interests, it is highly likely that the Article 9 condition for vital interests will also be appropriate.

The conditions are listed in Article 9(2) of the GDPR:

a) The data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;

b) Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;

c) Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

d) Processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

e) Processing relates to personal data which are manifestly made public by the data subject;

f) Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

g) Processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

h) Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;

i) Processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;

j) Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Several of these conditions can only be relied on where Union or Member State law (in the UK, domestic law) provides the basis for the processing, and the GDPR also gives member states scope to add further conditions. The Data Protection Bill includes proposals for additional conditions and safeguards which we will add to the course once finalised.

Criminal Offence Data

Article 10 applies to personal data relating to criminal convictions and offences, or related security measures.

This concept of criminal offence data includes the type of data about criminal allegations, proceedings or convictions that would have been sensitive personal data under the Data Protection Act 1998. However, it is potentially broader than this. Article 10 specifically extends to personal data linked to related security measures.

You must still have a lawful basis for your processing under Article 6, in exactly the same way as for any other personal data. The difference is that if you are processing criminal offence data, you will also need to comply with Article 10.

Article 10 says:

‘Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.’

This means you must either be processing the data in an official capacity or have specific legal authorisation – which in the UK is likely to mean a condition under the Data Protection Bill and compliance with the additional safeguards set out in the Bill. Even if you have a condition for processing offence data, you can only keep a comprehensive register of criminal convictions if you are doing so in an official capacity.

In summary:

• You can process criminal offence data if you are doing so under the control of official authority, or if you have a specific condition for the processing under UK law and meet the associated safeguards.

• You cannot keep a comprehensive register of criminal convictions unless you do so in an official capacity.

• You must determine your condition for lawful processing of offence data (or identify your official authority for the processing) before you begin the processing, and you should document this alongside your Article 6 lawful basis.