Legal basis according to British data protection law

The British Data Protection Act (DPA) 1998 contains the 8 data protection principles in Schedule 1.

In accordance with the first principle, processing personal data vis-à-vis data subjects must take place fairly and lawfully. Fair and lawful processing means transparency during processing, especially vis-à-vis data subjects. This means that this principle entails the data controller’s obligation to keep the data subjects informed about the use of their data.

The conditions for legal processing are listed in Schedules 2 and 3 of the DPA.

Legally processing non-sensitive data (Schedule 2)

When processing non-sensitive personal data, at least one of the following conditions must be met:

  • the data subject has given his/her consent to the processing;
  • processing is necessary
    • for the performance of a contract to which the data subject is party, or
    • for the taking of steps at the request of the data subject with a view to entering into a contract;
  • processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract;
  • processing is necessary in order to protect the vital interests of the data subject;
  • processing is necessary for the administration of justice, for meeting legal, state or other duties that are in the public interest;
  • processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

Legally processing sensitive data (Schedule 3)

According to Part I Article 2 of the DPA, sensitive data refers to data revealing:

  • racial and ethnic origin,
  • political opinions,
  • religious or philosophical beliefs,
  • trade union membership,
  • physical or mental health or condition,
  • sexual life,
  • commission or alleged commission by him of any offence, or
  • any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

When processing sensitive personal data, at least one condition must be met:

  • The data subject has given his explicit consent to the processing of the personal data.
  • Processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment.
  • The processing is necessary—
    • in order to protect the vital interests of the data subject or another person, in a case where—
      • consent cannot be given by or on behalf of the data subject, or
      • the data controller cannot reasonably be expected to obtain the consent of the data subject, or
    • in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.
  • The processing—
    • is carried out in the course of its legitimate activities by any body or association which—
      • is not established or conducted for profit, and
      • exists for political, philosophical, religious or trade-union purposes,
    • is carried out with appropriate safeguards for the rights and freedoms of data subjects,
    • relates only to individuals who either are members of the body or association or have regular contact with it in connection with its purposes, and
    • does not involve disclosure of the personal data to a third party without the consent of the data subject.
  • The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.
  • The processing—
    • is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),
    • is necessary for the purpose of obtaining legal advice, or
    • is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
  • The processing is necessary—
    • for the administration of justice,
    • for the exercise of any functions of either House of Parliament,
    • for the exercise of any functions conferred on any person by or under an enactment, or
    • for the exercise of any functions of the Crown, a Minister of the Crown or a government department.
  • The processing is necessary for medical purposes and is undertaken by—
    • a health professional, or
    • a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.

[“medical purposes” includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services]

  • The processing—
    • is of sensitive personal data consisting of information as to racial or ethnic origin,
    • is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained, and
    • is carried out with appropriate safeguards for the rights and freedoms of data subjects.

Link to the data protection order: Data Protection (Processing of Sensitive Personal Data) Order 2000


The concept of consent is not defined in the DPA. The Information Commissioner (ICO) refers to Article 2(h) of Data Protection Directive 95/46/EC, as the DPA implements the directive.

Accordingly, consent is “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.”

The fact that the data subject must “signify” their agreement means that there must be some active communication between the parties. Consent does not need to be given in writing, but passive behaviour on the part of the data subject cannot be deemed to be consent.

Consent must be adapted to the data subject’s age and abilities, as well as the circumstances. Any consent given shall not be for an unlimited period. In most cases, consent has to cover the period for the data processing in question, although the data subject must have the right to revoke his/her consent.

The ICO recommends that any consent obtained is verified if a long-term, ongoing relationship with the data subject is involved in order to ensure that consent is obtained according to the circumstances.

The DPA differentiates between:

  • the nature of the consent required to satisfy the first condition for processing; and
  • the nature of the consent required to satisfy the condition for processing sensitive personal data, which must be “explicit”.

For consent to be valid, it must be absolutely clear; i.e. it should cover the specific processing details; the type of information (or even the specific information); the purposes of the processing; and any special aspects that may affect the individual, such as any disclosures that may be made.

Consent obtained under duress or on the basis of misleading information does not adequately satisfy the condition for processing. For this to be guaranteed, the data subject must have a real choice about giving it.

When is processing necessary?

Many of the conditions for processing personal data depend on whether the processing is – in brief – necessary. For this reason, a “necessity test” is essential whereby the interests and rights at stake are balanced.


The British Data Protection Authority (ICO) provides in-depth information on the legal foundations and, most importantly, consent: