Legitimate processing of PI

Legitimate processing – grounds

Does the law require that the processing of PI be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?

The UK General Data Protection Regulation (the UK GDPR) requires data controllers to rely on a legal ground outlined in the UK GDPR for all processing of personal information (PI). Additional conditions must also be satisfied when processing sensitive PI.

The grounds for processing non-sensitive PI are:

  • consent of the individual;
  • performance of a contract to which the individual is party or to take steps at the request of the data subject before entering into a contract;
  • compliance with a legal obligation, other than a contractual obligation (a legal obligation arising under the laws of a non-UK jurisdiction is not sufficient for the purposes of this ground);
  • protection of the vital interests of the individual (ie, a life or death situation);
  • the processing is necessary for carrying out public functions; or
  • the processing is necessary for the legitimate interests of the data controller (or third parties to whom the PI is disclosed) unless overridden by the individual’s fundamental rights, freedoms and legitimate interests.

Legitimate processing – types of PI

Does the law impose more stringent rules for processing specific categories and types of PI?

Distinct grounds for legitimate processing apply to the processing of sensitive PI (also known as ‘special categories of PI’). ‘Sensitive PI’ is defined as PI relating to a data subject’s:

  • racial or ethnic origin;
  • political opinions;
  • religious or similar beliefs;
  • trade union membership;
  • physical or mental health;
  • sex life or sexual orientation;
  • genetic data;
  • biometric data (when processed to uniquely identify a natural person);
  • commissioning or alleged commissioning of any offence; or
  • any proceedings for committed or alleged offences, the disposal of such proceedings or the sentence of any court in such proceedings.

Where a controller processes sensitive PI it must establish a ground for processing both non-sensitive PI (eg, consent and the performance of a contract) and a separate condition for processing sensitive PI. The UK GDPR sets forth several conditions that may be considered in connection with the processing of sensitive PI, including:

  • explicit consent of the individual;
  • performance of employment law obligations;
  • protection of the vital interests of the individual (ie, a life or death situation);
  • processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim, and the processing relates solely to the members or former members of the body or to persons who have regular contact with it in connection with its purposes, and that the PI is not disclosed outside that body without the consent of the data subjects;
  • the processing relates to PI which has been manifestly made public by the data subject;
  • the exercise of public functions;
  • processing in connection with legal proceedings, legal advice or to exercise legal rights;
  • processing for medical purposes;
  • processing necessary for reasons of public interest in certain specific areas; or
  • processing necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

In addition to the conditions outlined in the UK GDPR, the Data Protection Act 2018 sets forth several additional conditions that also may be relied upon, including:

  • processing necessary for monitoring and ensuring equality of opportunity or treatment;
  • preventing or detecting unlawful acts;
  • preventing fraud;
  • processing to comply with regulatory requirements relating to establishing whether a person has committed unlawful acts or has been involved in dishonesty, malpractice or other seriously improper conduct; and
  • in connection with administering claims under insurance contracts or exercising rights and complying with obligations arising in connection with insurance contracts.

Data handling responsibilities of owners of PI

Transparency

Does the law require owners of PI to provide information to individuals about how they process PI? What must the notice contain and when must it be provided?

Data controllers are obliged to notify individuals of:

  • the data controller’s identity and contact information and, where applicable, the identity and contact information of its representative;
  • the contact details of the data controller’s data protection officer, if it has appointed one;
  • the purposes for which the personal information (PI) will be processed and the legal basis for processing;
  • the legitimate interests pursued by the data controller, if applicable;
  • the recipients or categories of recipients of the PI;
  • the fact that the data controller intends to transfer the PI to a third country and the existence or absence of an adequacy decision by the UK Secretary of State, and a description of any safeguards (eg, UK International Data Transfer Agreement) relied upon and how individuals may obtain a copy of them;
  • the period for which PI will be stored or the criteria used to determine that period;
  • a description of the rights available to individuals;
  • the existence of the right to withdraw consent at any time;
  • the right to lodge a complaint with the UK Information Commissioner's Office;
  • whether the provision of PI is a statutory or contractual requirement or is necessary to enter into a contract, as well as whether the individual is obliged to provide the PI and of the consequences of failure to provide such PI; and
  • the existence of automated decision-making and, if so, meaningful information about the logic involved as well as the significance and envisaged consequences of the processing for the individual.

When PI is obtained from a source other than the individual concerned, the data controller must also inform individuals of the source from which the PI originated and the categories of PI obtained.

Notice must be provided at the time the PI is collected from the data subject. When PI is obtained from a source other than the data subject it relates to, the data controller must provide the data subject with the notice:

  • within a reasonable period of obtaining the PI and no later than one month;
  • if the data controller uses the data to communicate with the data subject, at the latest, when the first communication takes place; or
  • if the data controller envisages disclosure to someone else, at the latest, when the data controller discloses the data.

Exemptions from transparency obligations

When is notice not required?

Where PI is obtained from a source other than the data subject, then provision of notice is not required if:

  • the individual already has the information;
  • the provision of such information would be impossible or require disproportionate effort (in which case the data controller shall take appropriate measures to protect data subjects, including making the relevant information publicly available);
  • the provision of the information would render impossible or seriously impair the achievement of the objectives of the processing;
  • obtaining or disclosure of the PI is required by UK law to which the data controller is subject; or
  • where the PI is subject to an obligation of professional secrecy under UK law.

Data accuracy

Does the law impose standards in relation to the quality, currency and accuracy of PI?

The data controller must ensure that PI is relevant, accurate and, where necessary, kept up to date in relation to the purpose for which it is held.

Data minimisation

Does the law restrict the types or volume of PI that may be collected?

The data controller must ensure that PI is adequate, relevant and not excessive in relation to the purpose for which it is held. This means that the data controller should not collect or process unnecessary or irrelevant PI. The Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (the UK GDPR) do not impose any specified retention periods. PI may be held only for as long as is necessary for the purposes for which it is processed.

Purpose limitation

Are there any restrictions on the purposes for which PI can be used by owners? If there are purpose limitations built into the law, how do they apply?

PI may only be used for specified and lawful purposes, and may not be processed in any manner incompatible with those purposes. The purposes must be specified in the notice given to the individual.

In addition, recent case law has confirmed the existence of a tort of misuse of private information. Under this doctrine, the use of private information about an individual for purposes to which the individual has not consented may give rise to a separate action in tort against the data controller, independent of any action taken under DPA 2018 or the UK GDPR.

PI may not be processed for new purposes unless the further purposes are lawful (ie, based on a lawful ground). It may be processed for a new purpose as long as that purpose is not incompatible with the original purpose, but notice of the new purpose must be provided to the individual. Where a new purpose would be incompatible with the original purpose, it must be legitimised by the consent of the individual unless an exemption applies. For example, PI may be further processed for certain specified public interest purposes, including the prevention of crime or prosecution of offenders and processing for research, historical or statistical purposes.