Data processing a school is permitted to do
The lawful grounds for accessing, collecting, storing and using personal, special category and criminal offence data.
Under data protection legislation, there are a number of justifications that permit personal data to be processed. It’s important to remember that a justification relates to the processing activity and not to the data itself, so a justification has to be established for each activity.
Under UK General Data Protection Regulation (UK GDPR), there are 6 lawful bases on which personal data is permitted to be processed. You need to ensure at least one lawful basis for processing applies and identify which of the 6 bases is the most appropriate.
The lawful bases are:
- consent – where this basis is the most appropriate and you’re able to give the individual concerned a real choice in your use of their data
- contract – where your use of the data is necessary for a contract the school has or will have with the individual concerned
- legal obligation – where your use of the data is necessary to permit the school to comply with the law
- vital interests – where your use of the data is necessary to protect an individual’s life
- public interest – where your use of the data is necessary to permit the school to carry out a task in the public interest or its official functions, and that task or function has a clear basis in law
- legitimate interests – where your use of the data is necessary for the school’s or a third party’s legitimate interests (unless there’s a good reason to protect the individual’s personal data that overrides those legitimate interests)
You can read the Information Commissioner’s Office (ICO) guidance on the lawful basis for processing personal data.
Under UK GDPR, there are 10 additional conditions for processing special category data. You need to ensure that at least one lawful basis and one condition – which does not have to be linked to the lawful basis – applies.
The conditions are:
- explicit consent – the accessing or processing of this personal data has the written consent of the individual concerned
- employment, social security or social protection – it’s necessary for one of these 3 stated purposes and authorised by law
- vital interests – it’s necessary to protect an individual’s life
- not-for-profit body – it’s necessary for the legitimate internal-only purposes of a membership body with a political, philosophical, religious or trade-union aim
- manifestly made public – it relates to personal data the individual has themselves deliberately made public
- legal claims or judicial acts – it’s necessary for a legal case or required by a court of law
- substantial public interest – there’s a relevant basis in UK law and one of 23 specific public interest conditions has been met
- health or social care – it’s necessary for the provision of healthcare or treatment, or of social care, and there’s a basis in law
- public health – it’s necessary for reasons of public interest, and there’s a basis in law
- archiving, research and statistics – it’s necessary for reasons of public interest, and there’s a basis in law
The Data Protection Act 2018 (DPA), Schedule 1, Parts 1 and 2 have more information about the conditions that are authorised or have a basis in law and the further actions that might be necessary to permit you to process certain personal data.
You can read the ICO’s guidance on the lawful basis for processing special category data.
Criminal offence data is treated in a similar way to special category data. One of the 6 lawful bases must apply and your processing must also be covered by one of the conditions described in Schedule 1 of the DPA.
You can read the ICO’s guidance on the lawful basis for processing criminal offence data.
Use the ICO’s lawful basis interactive guidance tool to help you decide whether you have the legal right to process particular personal data items and on what grounds.
Assessing whether there’s a condition to support the processing of special category or criminal offence data – and, if there is, which one is most applicable – is not always obvious. The ICO offers further guidance on the lawful basis.
These examples may assist you in assessing which conditions might apply.
Example 1
Under UK GDPR Article 9(2)(b), a school can process special category data for people with whom it has a contract of employment. That processing is necessary to fulfil its legal obligations or those of its employees with regard to employment, social security or social protection. In such an instance, you’d need to check if the individual you wished to employ was entitled to work in the UK, and to maintain a record of any statutory sick pay.
Example 2
Under UK GDPR Article 9(2)(g), where there is a basis in law, a school can process special category data for reasons of substantial public interest. For instance, the governing body of a maintained school has a statutory duty under section 175 of the Education Act 2002 to safeguard and promote the welfare of children. This might include the processing of special category data, in line with paragraph 18 of Schedule 1 of the DPA, to safeguard children and individuals at risk.
When there is no legal obligation to process personal data for a particular purpose, it may be appropriate to obtain an individual’s consent. If the lawful basis of consent applies, the condition for processing any special category data involved would be explicit consent – that is, consent that has been confirmed in a written statement.
UK GDPR defines consent as ‘any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her’. For consent to be considered ‘freely given’, an individual must suffer no detriment if they refuse to give it.
These examples may assist you in assessing if the lawful basis of consent applies.
Example 1
Under the DPA, schools have a legal obligation to seek consent if they wish, for instance, to use pupils’ photos in printed material, such as the school magazine.
Example 2
Under the Privacy and Electronic Communications Regulations, schools have a legal obligation to seek consent if they wish, for instance, to contact parents and carers by email with news of a fundraising campaign or local holiday club.