An appropriate legal basis must be identified before processing any personal data.
This guidance applies to UCL employees who are looking to process personal data, i.e. information relating to an identified or identifiable living person, and are looking for a lawful basis to do so.
* Note that ‘processing’ means any operation - collecting, storing, using, transferring, disclosing or destroying - performed on personal data
Before processing any personal data, an appropriate legal basis must be identified.
Data protection regulation sets out the following six possible legal bases for processing personal data:
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
As a public authority, most of UCL’s processing will be undertaken using Article 6(1)(e) above, the ‘public task’ condition. This applies when the processing is necessary for UCL to perform a task in the public interest. Examples include most of UCL’s research, teaching and learning activities – we can clearly demonstrate a ‘public task’ basis for these because performing such tasks is a core part of UCL’s Charter and Statutes.
It is important to understand where UCL’s processing falls under the ‘public task’ condition because you can only rely on ‘legitimate interests’ at Article 6(1)(f) above if you are processing for a legitimate reason other than performing UCL’s tasks as a public authority. UCL has produced a Statement of Tasks in the Public Interest, which sets out when the ‘public task’ condition can be used as a basis for processing.
* Please note that you cannot rely upon either the ‘public task’ basis or the ‘legitimate interests’ basis alone when processing:
- (a) special category personal data (e.g. data relating to ethnicity, health, religion etc.);
- or (b) personal data relating to criminal convictions or offences.
If you are processing data of this kind, you will need to establish an additional lawful condition.
For UCL ethically-approved research, the lawful basis for processing personal data will be 'public task' rather than 'consent'. It may be that researchers get consent from participants for ethical purposes, e.g. to confirm an individual's participation in a study, or perhaps to meet their obligations under the common law duty of confidentiality, but it will not be the lawful basis for processing under Data Protection Legislation.
While consent to participate in a project that is obtained for ethical purposes must be fully informed and freely given, in addition to meeting other requirements, researchers do not therefore need to obtain consent that meets the high standards set out in the GDPR, which is:
'any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data'.
Given the above, in the context of research and subject to ethical approval ‘opt-out’ consent is often acceptable.
We hope that you find this guidance helpful. If you require any further information on the issues raised in this document, please contact the Data protection team.