Conditions for processing personal and 'sensitive personal' data
Introduction
Conditions for processing personal data
1. The individual who the personal data is about has consented to the processing. The processing is necessary:
- in relation to a contract which the individual has entered into
- because the individual has asked for something to be done so they can enter into a contract
2. The processing is necessary because of a legal obligation that applies to you (except an obligation imposed by a contract).
3. The processing is necessary to protect the individual’s “vital interests”:
- this condition only applies in cases of life or death, such as where an individual’s medical history is disclosed to a hospital’s A&E department treating them after a serious road accident
4. The processing is necessary for:
- administering justice
- exercising statutory, governmental or other public functions
5. The processing is necessary for:
- the legitimate interests of the data controller
- the third party or parties to whom the data are disclosed
Except where the processing is unwarrented by reason of prejudice to the rights and freedoms or legitimate interests of the data subject (i.e. you)
Conditions for processing 'sensitive personal' data
1. The individual who the sensitive personal data is about has given explicit consent to the processing.
2. The processing is necessary so that the University can comply with employment law.
3. The processing is necessary to protect the vital interests of:
- the individual (in a case where the individual’s consent cannot be given or reasonably obtained)
- another person (in a case where the individual’s consent has been unreasonably withheld)
4. The processing is carried out by a not-for-profit organisation and does not involve disclosing personal data to a third party, unless the individual consents. Extra limitations apply to this condition.
5. The individual has deliberately made the information public.
6. The processing is necessary in relation to legal proceedings; for obtaining legal advice; or otherwise for establishing, exercising or defending legal rights.
7. The processing is necessary for medical purposes, and is undertaken by a health professional or by someone who is subject to an equivalent duty of confidentiality.
8. The processing is necessary for monitoring equality of opportunity, and is carried out with appropriate safeguards for the rights of individuals.
9. The processing is in the substantial public interest, and is necessary for:
- prevention or detection of any unlawful act; and
- must necessarily be carried out without the explicit consent of the data subject being sought so as not to prejudice those purposes
10. The processing is in the substantial public interest, and is necessary for:
- the discharge of any function which is designed for protecting members of the public against (i) dishonesty, malpractice, or other seriously improper conduct by, or the unfitness or incompetence of, any person, or (ii) (ii) mismanagement in the administration of, or failures in services provided by, anybody or association; and
- must necessarily be carried out without the explicit consent of the data subject being sought so as not to prejudice the discharge of that function.
11. The disclosure of personal data is in the substantial public interest in connection with:
- (i) the commission by any person of any unlawful act (whether alleged or established), (ii) dishonesty, malpractice, or other seriously improper conduct by, or the unfitness or incompetence of, any person (whether alleged or established), or (iii) mismanagement in the administration of, or failures in services provided by, anybody or association (whether alleged or established)
- is for journalism, artistic or literary purposes
- is made with a view to the publication of those data by any person and the data controller reasonably believes that such publication would be in the public interest.
12. The processing is in the substantial public interest and is necessary for the discharge of any function which is designed for the provision of confidential counselling, advice, support or any other service; and carried out without the explicit consent of the data subject because the processing:
- is necessary in a case where consent cannot be given by the data subject
- is necessary in a case where the data controller cannot reasonably be expected to obtain the explicit consent of the data subject
- must necessarily be carried out without the explicit consent of the data subject being sought so as not to prejudice the provision of that counselling, advice, support or other service
13. The processing is necessary for the purpose of:
- carrying on insurance business, or making determinations in connection with eligibility for, and benefits payable under, an occupational pension scheme
- is of sensitive personal data consisting of information falling within section 2(e) of the Act relating to a data subject who is the parent, grandparent, great grandparent or sibling of the insured person, or (ii)in the case of paragraph (a)(ii), the member of the scheme
- is necessary in a case where the data controller cannot reasonably be expected to obtain the explicit consent of that data subject and the data controller is not aware of the data subject withholding his consent
- does not support measures or decisions with respect to that data subject
14. The processing is in the substantial public interest and is:
- necessary for research purposes
- does not support measures or decisions with respect to any particular data subject otherwise than with the explicit consent of that data subject
- does not cause, nor is likely to cause, substantial damage or substantial distress to the data subject or any other person