Fair and lawful processing of personal data
Whenever personal data is processed, it is the processor’s responsibility to ensure that this is done in a fair and lawful manner.
‘Lawful’ relates to the method of obtaining that specific data. Where data has been stolen, or obtained by duress, bribes or inducements, it has evidently been collected in an unlawful manner.
‘Fair’ relates to how that data is processed once it has been obtained. For example, when a customer provides personal data to purchase a service, this is a lawful collection of data; however, if that data is then used to send unsolicited spam mail, this will not be fair processing.
To show fair and lawful processing, the following guidelines should be followed:
- The individual has consented to the processing.
- The processing is necessary to perform a contract with the individual, e.g. to meet orders or administer wages.
- The processing is necessary to comply with a legal obligation.
- The processing is necessary to protect the vital interests of the individual, i.e. their life.
- The processing is necessary for the administration of justice.
- The processing is necessary for the legitimate interests of the data controller unless this prejudices the data subject.
- Data must not be kept for longer than is necessary.
Although it is not mandatory in the UK to obtain the consent of data subjects before processing personal data, it is often the simplest way to justify processing. Consent needs to be clear, specific and freely given.
There are common ways of recording consent, and many businesses use the ‘opt-in’ or ‘opt-out’ tick boxes on emails or data capture forms. Consent applies only to the specific situations which are described to an individual. Nothing prevents consent from being withdrawn after it is given.