Lawful processing 1

To process personal data lawfully, you must be able to rely on one of the following bases for processing. Under the UK GDPR, consent is not easy to obtain and maintain, and therefore law firms will usually be relying on one of the other lawful bases. Solicitors must process the personal data of individuals in order to provide legal services; as a regulated profession, there are legal obligations to process certain information; and sometimes processing takes place because it is in the legitimate interests of the firm and/or client.

Personal Data (Article 6)

a. The data subject has given consent to the processing of their personal data for one or more specific purposes
b. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
c. Processing is necessary for compliance with a legal obligation to which the controller is subject
d. Processing is necessary in order to protect the vital interests of the data subject or of another natural person
e. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
f. Processing is necessary for the purposes of the legitimate interests condition – this is where you (or a third party) have a legitimate interest in processing the data which is not outweighed by any detriment caused to the data subject

Special category

If you are processing special category data on behalf of your client, you need additional justification from at least one of the following:
a. The data subject has given explicit consent to the processing of this personal data for one or more specified purposes
b. Processing is necessary for employment and social security and social protection law if required to comply with a legal obligation and there is an appropriate policy in place which explains the procedures for securing compliance with the data protection principles and, in particular, explains the employer’s policies on retention periods and erasure of data
c. Processing is necessary to protect the vital interests of the data subject or of another person where the data subject is physically or legally incapable of giving consent
d. Certain activities carried out by not-for-profit bodies with a political, philosophical, religious or trade union aim, provided appropriate safeguards are in place and the processing takes place in relation to members or former members who have regular contact in connection with its purposes and the information is not disclosed beyond the organisation
e. The processing relates to personal data which are manifestly made public by the data subject
f. Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity
g. Processing is necessary for reasons of substantial public interest on the basis of EU or UK law which sets out the relevant safeguards, which in the UK cover the following areas: parliamentary, statutory or governmental purposes; equality of opportunity or treatment; preventing or detecting unlawful acts; protecting the public against dishonesty; journalism in connection with unlawful acts or dishonesty; preventing fraud; suspicion of terrorist financing or money laundering; counselling; insurance; third-party data processing for group insurance and insurance on the life of another; occupational pensions; political parties; elected representatives responding to requests; informing elected members about prisoners; and, provided an appropriate policy is in place
h. Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems if by or under the responsibility of a health professional, social worker or anyone else who owes a duty of confidentiality under an enactment or rule of law and as long as an appropriate policy is in place, or
i. Processing is necessary for reasons of public interest in the area of public health which is carried out under the supervision of a health professional or by another person who owes a duty of confidentiality under an enactment or rule of law, or
j. Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes with appropriate safeguards in place including data minimisation and pseudonymisation – data should not be processed using this legal basis if it has an impact on a particular data subject or it is likely to cause substantial damage or substantial distress to an individual

Case study - lawful processing

Our high street firm has determined a number of bases for processing personal data.

Firstly, where it is necessary to process the personal data of clients to provide a legal service, the second legal basis can be relied upon (Art 6(b)).

Additionally, to meet anti-money laundering obligations, they will, at times, rely on the third legal basis (Art 6(c)). If the law firm is using any special category data, most likely biometric data, for AML purposes, there is a lawful basis set out in Schedule 1, Part 2 of the Data Protection Act 2018, which sets out the list of substantial public interests for processing. This includes, at paragraph 12, processing that is necessary for the purposes of complying with a regulatory requirement to establish whether someone has been involved in an unlawful act or act of dishonesty, such as laundering money etc.

Finally, in relation to third parties (individuals who are not clients and do not have a contract), our firm will rely on the sixth legal basis listed, as it is in the firm’s legitimate interests, or their clients’ legitimate interests, to process this data (Art 6(f)).
Because our law firm handles special category data, it is generally relying on the basis that processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity (Art 9(f) from the special category list).

The processing must be necessary for these purposes.

The firm recorded their lawful bases in their Record of Data processing.

Law Society of Scotland | © 2025