Created in collaboration with our GDPR expert.

 

Introduction

 

The GDPR is a wide ranging update to our current data protection laws and is pervasive across Europe. Other articles on TheSchoolBus explain the impact of the GDPR and provide advice on how best to prepare your school to ensure you are compliant.

This guidance explores the legal basis of legitimate interests and specifically answers the following questions to help guide you in choosing the right legal basis for data processing:

  • When is legitimate interests the most appropriate basis for processing and how does it apply to schools?
  • What assessments should be conducted to ensure it is the most appropriate basis for processing?

 

Legal basis

 

Under the GDPR you can only process personal data if you have a legal basis for doing so. This requirement is in place to ensure that personal data is protected and cannot be abused, and the determination of your basis for processing data needs to be made as part of your preparations for the GDPR.

The legislation details six clear bases which it determines to be legal bases for processing. These are:

  • Consent
  • Contract
  • Legal obligation
  • Public task
  • Legitimate interests
  • Vital interests

The legal basis upon which you are relying to process data is also central to the rights which the data subject can exercise.

Article 6(1)(f) of the GDPR gives you a lawful basis for processing where: “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

 

When is legitimate interests the most appropriate basis and how does it apply to schools?

 

This basis can be defined as processing personal data that is necessary for your own legitimate interests or those of a third party.

This is not carte blanche and if there is a better reason to protect the personal data than your legitimate interests, you cannot rely upon this basis. Despite this, it is the most flexible of the six and is the one which schools will rely on most of the time to justify their processing of personal data.

Schools process a huge amount of personal data and most of it is particularly sensitive as it is related to children who are often too young to give their own informed consent. Legitimate interests can be used when you are processing data in ways which most people would reasonably expect you to do, and that do not have a material impact on the data subject’s privacy, or if you have a compelling need to process that information.

Relying upon legitimate interests will automatically confer upon you an additional responsibility to consider and protect people’s rights and interests.

 

What assessments should be conducted?

 

To allow you to rely on legitimate interests, there are three control questions you must answer in advance of processing the data – these are as follows:

  • Purpose – do you have a legitimate interest in processing the data?
  • Necessity – is the processing necessary in achieving your legitimate interest?
  • Balance   – does an individual’s rights supersede your need to process the data?

These three steps are best encapsulated in a Legitimate Interests Assessment (LIA), which can be filed and kept as evidence of choosing this particular basis for processing.

These assessments do not need to be onerous, but doing them can greatly aid your thinking, your consideration of wider issues, as well as helping you document your compliance with the requirement for accountability under Articles 5(2) and 24.

A template LIA is available on our website – click here to download it. If, after conducting an LIA, you do not feel that you can rely on legitimate interests as your basis for processing data, then you must find an alternative legal basis you can rely upon.

 

Bibliography


ICO (2018) ‘Legitimate interests’ <https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/legitimate-interests/> [Accessed on: 11 April 2018]

;