Organisations will need to be explicit about which lawful basis they are using. The intention of the new legislation is to allow organisations that need to hold and use personal data to support their legitimate activities, to do so. The lawful bases available depend on whether your organisation is a public authority or not.
Public authorities (e.g. universities, NHS, research council institutes) are funded by the public purse in order to conduct tasks that are considered to be in the public interest. Therefore the legal reason that public authorities will have to hold and use personal data is most likely to be:
Article 6(1) (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested the controller;
The Explanatory Note to the Data Protection Bill clearly states that research in universities should be able to rely on this lawful basis (‘task in public interest’). As does the ICO. DPO’s need to evidence this by reference to their public research purpose as established by a university’s constitution (e.g. University Charter) and legal powers; or relevant statute (e.g. Higher Education and Research Act, 2017).
For research conducted by other organisations, such as charity research institutes that are not public authorities, and commercial companies, the most appropriate lawful basis is likely to be:
Article 6(1)
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
By using either ‘task in the public interest’ or ‘legitimate interest’ you assure research participants that your organisation has a genuine reason to hold and use personal data. This is in addition to the control you give participants through the normal consent (to participate in research) process.
