I need your consent to process your personal information, right? It's the Data Protection Act

Most people think it goes like this: I need your consent to process your personal information, right? It's the Data Protection Act, isn't it? It's right there in the first data protection principle, which most people seem to think says:

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless the individual who the personal data is about has consented to the processing

What it actually says is:

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

Which is not quite the same thing. The first part means that you must have legitimate grounds for collecting and using the personal data; not use the data in ways that have unjustified adverse effects on the individuals concerned; be transparent about how you intend to use the data; give individuals appropriate privacy notices when collecting their personal data; handle people’s personal data only in ways they would reasonably expect; and make sure you do not do anything unlawful with the data.
It's the other bit that people ignore.

What the Act actually means is that unless a relevant exemption applies, at least one of the following conditions must be met whenever you process personal data:

The individual who the personal data is about has consented to the processing, or (and this is the bit people miss!) the processing is necessary for one of the following reasons:

  1. It is necessary in relation to a contract which the individual has entered into; or
  2. It is necessary because the individual has asked for something to be done so they can enter into a contract; or
  3. It is necessary because of a legal obligation that applies to you (except an obligation imposed by a contract); or
  4. It is necessary to protect the individual’s “vital interests”. (This condition only applies in cases of life or death, such as where an individual’s medical history is disclosed to a hospital’s A&E department treating them after a serious road accident.); or
  5. It is necessary for administering justice, or for exercising statutory, governmental, or other public functions; or
  6. It is in accordance with the “legitimate interests” condition.

This means that where any of these six cases apply, you don't need to ask for consent. (Remember part (b) of the principle, though: if the data is sensitive personal data, one of the Schedule 3 conditions must also be met.)

So what is the "legitimate interests" condition? Sounds like legal mumbo jumbo, doesn't it?

The Data Protection Act recognises that you may have legitimate reasons for processing personal data that the other conditions for processing do not specifically deal with. The "legitimate interests" condition is intended to permit that processing, but only if you meet certain conditions.

The first condition is that you must need to process the information for the purposes of your legitimate interests or for those of a third party to whom you disclose it.

The second condition, once the first has been established, is that these interests must be balanced against the interests of the individual(s) concerned. The "legitimate interests" condition will not be met if the processing is unwarranted because of its prejudicial effect on the rights and freedoms, or legitimate interests, of the individual. Where there is a serious mismatch between competing interests, the individual's legitimate interests will come first.

Finally, the processing of information under the legitimate interests condition must be fair and lawful and must comply with all the data protection principles.

Maybe you think it's safer just to get consent, but asking for consent when you don't need to creates more work for you and for the subject of the information, and it makes your implementation of the Act more bureaucratic than it needs to be.