consider these first.
If you are a public authority and can demonstrate that the processing is to perform your tasks as set
down in UK law, then you are able to use the public task basis. If not, you may still be able to consider
consent or legitimate interests in some cases, depending on the nature of the processing and your
relationship with the individual. There is no absolute ban on public authorities using consent or legitimate
interests as their lawful basis, but the GDPR does restrict public authorities’ use of these two bases.
The Data Protection Act 2018 says that ‘public authority’ here means a public authority under the
Freedom of Information Act or Freedom of Information (Scotland) Act – with the exception of parish and
community councils.
If you are processing for purposes other than legal obligation, contract, vital interests or public task,
then the appropriate lawful basis may not be so clear cut. In many cases you are likely to have a choice
between using legitimate interests or consent. You need to give some thought to the wider context,
including:
Who does the processing benefit?
Would individuals expect this processing to take place?
What is your relationship with the individual?
Are you in a position of power over them?
What is the impact of the processing on the individual?
Are they vulnerable?
Are some of the individuals concerned likely to object?
Are you able to stop the processing at any time on request?
You may prefer to consider legitimate interests as your lawful basis if you wish to keep control over the
processing and take responsibility for demonstrating that it is in line with people’s reasonable
expectations and wouldn’t have an unwarranted impact on them. On the other hand, if you prefer to
give individuals full control over and responsibility for their data (including the ability to change their
Example
A university that wants to process personal data may consider a variety of lawful bases depending
on what it wants to do with the data.
Universities are classified as public authorities, so the public task basis is likely to apply to much of
their processing, depending on the detail of their constitutions and legal powers. If the processing is
separate from their tasks as a public authority, then the university may instead wish to consider
whether consent or legitimate interests are appropriate in the particular circumstances, considering
the factors set out below. For example, a university might rely on public task for processing
personal data for teaching and research purposes; but a mixture of legitimate interests and consent
for alumni relations and fundraising purposes.
The university, however, needs to consider its basis carefully – it is the controller’s responsibility to
be able to demonstrate which lawful basis applies to the particular processing purpose.