The 'necessary' test

This guidance is for any member of University staff tasked with determining the legal basis for processing personal data

1. The legal bases

If you decide that you are processing personal data under any of the following legal basis, you will need to ensure that processing is indeed ‘necessary’ for its purpose:

(b)

processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c)

processing is necessary for compliance with a legal obligation to which the controller is subject;

(d)

processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e)

processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f)

processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

 

2. What does ‘necessary’ mean in a data protection context?

Before processing personal data, we will often need to show that doing so is ‘necessary’ to fulfil a specific requirement.  For example, we may need to show that processing personal data is necessary to protect someone’s vital interests.

‘Necessary’ means the data processing is a reasonable and proportionate necessity.  It is more than desirable or convenient, but less than indispensable.  The data processing is not necessary if the purpose can be achieved by a less privacy invasive method, by some other reasonable means or if the processing is necessary only because the University has decided to operate its business in a particular way.

Example

The University processes personal data about staff in order to employ them.  The University does so on the basis the data processing is necessary to fulfil staff contracts of employment and to comply with the University’s legal obligations as an employer.  

However, if the University were considering outsourcing its HR functions to an overseas company and transferring staff data to that company, it is very unlikely the overseas transfer would meet the necessity test.

Reference

Goldsmith International Business School v IC and Home Office (GIA/1643/2014) (Word document)

See paragraph 39