Records Management

Legal basis for processing

How to determine the legal basis for processing personal data.

This guidance is for any member of University staff tasked with determining the legal basis for processing personal data.

You will need to use this guidance:

  • When customising a privacy notice to ensure it complies with current data protection legislation
  • When conducting a ‘data protection impact assessment’ (DPIA)
  • When otherwise collecting or receiving personal data for a new initiative

Definitions

To understand the technical data protection terminology used throughout this guidance see our definitions list.

Definitions list

The legal basis

Whenever we use personal data we must have a legal basis for doing so.

Data protection legislation gives us a list of possible legal bases we can choose from.

These are:

  • necessary for contractual arrangements
  • processing to comply with legal obligations
  • processing to protect vital interests
  • processing to perform a task in the public interest
  • processing necessary for legitimate interest
  • consent

If you are using special categories of (sensitive) personal data, there are additional legal bases you must comply with. See the guidance on special categories.

Performance of contract

When to use the legal basis that processing personal data is necessary for the performance of a contract.

Legal obligation

Processing personal data where there is a legal obligation.

Vital interests

Processing is necessary to protect an individual in a matter of life and death.

Necessary for public tasks

Processing personal data on the basis of public tasks.

Legitimate interest

Using legitimate interests as a legal basis for processing personal data.

Consent

How and when to use consent as the legal basis for processing personal data.

Special categories

Legal bases for processing special categories of personal data.

The ‘necessary’ test
