A guide to lawful basis


Apr 30, 2023


You might have noticed we've made some changes to our website. This includes changes to the Guide to the UK GDPR, which has been broken down into smaller guides such as this one.

07 October 2022 - We have updated our position on needing a new lawful basis when your purpose for processing changes. The update can be found under the ‘What happens if we have a new purpose?’ section. You now need to consider whether you need a new lawful basis if your purposes for processing personal data change.

☐ We have reviewed the purposes of our processing activities, and selected the most appropriate lawful basis (or bases) for each activity.

☐ We have checked that the processing is necessary for the relevant purpose, and are satisfied that there is no other reasonable and less-intrusive way to achieve that purpose.

☐ We have documented our decision on which lawful basis applies to help us demonstrate compliance.

☐ We have included information about both the purposes of the processing and the lawful basis for the processing in our privacy notice.

☐ Where we process special category data, we have also identified a condition for processing special category data, and have documented this.

☐ Where we process criminal offence data, we have also identified a condition for processing this data, and have documented this.

The lawful bases for processing are set out in Article 6 of the UK GDPR. At least one of these must apply whenever you process personal data:

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone's life.

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

For more detail on each lawful basis, read the specific page of this guide.


This depends on your specific purposes and the context of the processing. You should think about why you want to process the data, and consider which lawful basis best fits the circumstances. You can use our interactive guidance tool to help you.

You might consider that more than one basis applies, in which case you should identify and document all of them from the start.

You must not adopt a one-size-fits-all approach. No one basis should be seen as always better, safer or more important than the others, and there is no hierarchy in the order of the list in the UK GDPR.

Several of the lawful bases relate to a particular specified purpose – a legal obligation, performing a contract with the individual, protecting someone's vital interests, or performing your public tasks. If you are processing for these purposes then the appropriate lawful basis may well be obvious, so it is helpful to consider these first.

In other cases you are likely to have a choice between using legitimate interests or consent. You need to give some thought to the wider context, including:

You may prefer to consider legitimate interests as your lawful basis if you wish to keep control over the processing and take responsibility for demonstrating that it is in line with people's reasonable expectations and wouldn't have an unwarranted impact on them. On the other hand, if you prefer to give individuals full control over and responsibility for their data (including the ability to change their mind as to whether it can continue to be processed), you may want to consider relying on individuals’ consent.

In more detail

We have produced the lawful basis interactive guidance tool, to give more tailored guidance on which lawful basis is likely to be most appropriate for your processing activities.

The basic approach is the same. You should think about your purposes, and choose whichever basis fits best. You can still use our lawful basis tool to help you.

The public task basis is more likely to be relevant to much of what you do. If you are a public authority and can demonstrate that the processing is to perform your tasks as set down in UK law, then you are able to use the public task basis. But if it is for another purpose, you can still consider another basis.

In particular, you may still be able to consider consent or legitimate interests in some cases, depending on the nature of the processing and your relationship with the individual. There is no absolute ban on public authorities using consent or legitimate interests as their lawful basis, although there are some limitations. For more information, see the specific guidance page on each lawful basis.

The Data Protection Act 2018 says that ‘public authority’ here means a public authority under the Freedom of Information Act or Freedom of Information (Scotland) Act – with the exception of parish and community councils.

Example

A university that wants to process personal data may consider a variety of lawful bases depending on what it wants to do with the data.

Universities are classified as public authorities, so the public task basis is likely to apply to much of their processing, depending on the detail of their constitutions and legal powers. If the processing is separate from their tasks as a public authority, then the university may instead wish to consider whether consent or legitimate interests are appropriate in the particular circumstances. For example, a University might rely on public task for processing personal data for teaching and research purposes; but a mixture of legitimate interests and consent for alumni relations and fundraising purposes.

The university however needs to consider its basis carefully – it is the controller's responsibility to be able to demonstrate which lawful basis applies to the particular processing purpose.


You must determine your lawful basis before starting to process personal data. It's important to get this right first time. If you find at a later date that your chosen basis was actually inappropriate, it will be difficult to simply swap to a different one. Even if a different basis could have applied from the start, retrospectively switching lawful basis is likely to be inherently unfair to the individual and lead to breaches of accountability and transparency requirements.

Example

A company decided to process on the basis of consent, and obtained consent from individuals. An individual subsequently decided to withdraw their consent to the processing of their data, as is their right. However, the company wanted to keep processing the data so decided to continue the processing on the basis of legitimate interests.

Even if it could have originally relied on legitimate interests, the company cannot do so at a later date – it cannot switch basis when it realised that the original chosen basis was inappropriate (in this case, because it did not want to offer the individual genuine ongoing control). It should have made clear to the individual from the start that it was processing on the basis of legitimate interests. Leading the individual to believe they had a choice is inherently unfair if that choice will be irrelevant. The company must therefore stop processing when the individual withdraws consent.

It is therefore important to thoroughly assess upfront which basis is appropriate and document this. It may be possible that more than one basis applies to the processing because you have more than one purpose, and if this is the case then you should make this clear from the start.

If there is a genuine change in circumstances or you have a new and unanticipated purpose which means there is a good reason to review your lawful basis and make a change, you need to inform the individual and document the change.


If your purposes change over time or you have a new purpose which you did not originally anticipate, you need to comply with the purpose limitation principle. In summary, you can only go ahead if:

For more information on compatibility, see our purpose limitation guidance.

All processing must be lawful, so you also need to identify a lawful basis. The original basis you used to collect the data may not always be appropriate for your new use of the data.

In most cases, the appropriate basis for your new use of the data is likely to be fairly obvious. For example, if you are getting specific consent for the new purpose, your lawful basis will be consent. If you are relying on a legal provision requiring the new processing in the public interest, your lawful basis will be legal obligation. If you are relying on a legal provision allowing the new use of data in the public interest, your lawful basis will be public task.

Where the purpose for your new processing activity is compatible with the original purpose for the processing, you are likely to be able to rely on "legitimate interests" as the lawful basis for the new processing, provided your use of the personal data is necessary for that purpose.

We consider that a compatibility assessment is likely to look at similar factors to a legitimate interests assessment (LIA). Although there is no requirement to do so, you could therefore use our LIA template to help you assess compatibility. This will also help demonstrate your lawful basis at the same time.

If your new processing is for research purposes, you do not need to carry out a compatibility assessment, and in most circumstances you can be confident that your lawful basis is likely to be either public task or legitimate interests. See our guidance on the research provisions for more detail on this.

However, if you originally collected the data on the basis of consent, you should get fresh consent which specifically covers the new purpose (unless you are relying on a clear legal provision specifically permitting your reuse of the data). This is because consent means giving individuals real choice and control over how their data is used. This means that consent must always be specific and informed. People can only give valid consent when they know and understand what you are going to do with their data. If you do get specific consent for the new purpose, you do not need to show it is compatible.

If you are processing special category data, you will also need to ensure that you can identify an appropriate condition which applies to your new processing.


The principle of accountability requires you to be able to demonstrate that you are complying with the UK GDPR, and have appropriate policies and processes. This means that you need to be able to show that you have properly considered which lawful basis applies to each processing purpose and can justify your decision.

You need therefore to keep a record of which basis you are relying on for each processing purpose, and a justification for why you believe it applies. There is no standard form for this, as long as you ensure that what you record is sufficient to demonstrate that a lawful basis applies. This will help you comply with accountability obligations, and will also help you when writing your privacy notices.

It is your responsibility to ensure that you can demonstrate which lawful basis applies to the particular processing purpose.

Read the accountability section of this guide for more on this topic. There is also further guidance on documenting consent or legitimate interests assessments in the relevant pages of the guide.


You need to include information about your lawful basis (or bases, if more than one applies) in your privacy notice. Under the transparency provisions of the UK GDPR, the information you need to give people includes:

This applies whether you collect the personal data directly from the individual or you collect their data from another source.

Read the ‘right to be informed’ section of this guide for more on the transparency requirements of the GDPR.


If you are processing special category data, you need to identify both a lawful basis for processing and a special category condition for processing in compliance with Article 9. You should document both your lawful basis for processing and your special category condition so that you can demonstrate compliance and accountability.

Further guidance can be found in the section on special category data.

If you are processing data about criminal convictions, criminal offences or related security measures, you need both a lawful basis for processing, and either ‘official authority’ or a separate condition for processing this data in compliance with Article 10. You should document both your lawful basis for processing and your criminal offence data condition so that you can demonstrate compliance and accountability.

Further guidance can be found in the section on criminal offence data.

Further reading – ICO guidance

The Accountability Framework looks at the ICO's expectations in relation to lawful basis.
