SCHEDULE 2 CONDITIONS (FOR PERSONAL DATA AND SENSITIVE PERSONAL DATA)
The conditions in Schedule 2 to the DPA apply to both personal data and sensitive personal data, whereas the Schedule 3 conditions apply only to sensitive personal data. This is because sensitive personal data can only be processed if a Schedule 3 condition is met in addition to a Schedule 2 condition.
The necessity test
In five of the six conditions contained in Schedule 2 there is a requirement to show that the processing is ‘necessary’, which will referred to as the ‘necessity test’. It is only the first condition, the data subject’s consent, that does not contain the necessity test.
The ordinary meaning of the word necessity indicates that something more than desirable is required to justify processing for contractual purposes. At its highest it means that the processing is essential or indispensable to the performance of the contract or to the creation of the contract. The Information Commissioner’s ‘Legal Guidance’111 on the meaning of necessity points to there being a high burden to overcome to reliance upon contractual necessity:
|
The Commissioner takes the view that data controllers will need to consider objectively whether:
|
The data subject has given consent
The first condition says:
|
1. The data subject has given his consent to the processing. |
The data subject’s consent was discussed in Chapter 2, but to recap the Data Protection Directive describes consent as meaning ‘any freely given specific and informed indication of [the data subject’s] wishes by which the data subject signifies his agreement to personal data relating to him being processed’. This is expanded upon by Article 7(b) of the Data Protection Directive, which says that consent for these purposes must be given unambiguously. The essential components of this definition are:
The consent must be freely given. Consent that is obtained through coercion or duress is not freely given.
The consent must be specific. This means that the data controller cannot rely upon consent given for one purpose to justify another distinct processing purpose. Of course, due to the construction of the second data protection principle a data controller may process personal data for a second, compatible purpose.
The consent must be informed. This requires the data controller to furnish the data subject with information about the processing purposes, unless the purposes are obvious, prior to the data subject making their decision whether or not to give consent.
The data subject must communicate their agreement to the data controller. This means that the data controller cannot rely upon the data subject’s silence.
The consent must be unambiguous. This suggests that if there is any ambiguity the consent will not of sufficient quality, hence unreliable.
Contractual necessity
The second condition says:
|
2. The processing is necessary – (a) for the performance of a contract to which the data subject is a party, or (b) for the taking of steps at the request of the data subject with a view to entering into a contract. |
Two scenarios are envisaged within this condition. The first scenario applies where the data subject has entered into a contract, although it is not a requirement of this condition that the contract is with the data controller. The second scenario applies prior to the creation of a contract between the data subject and some other person.
Non-contractual legal necessity
|
3. The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract. |
This condition covers the situation where the data controller is required by law to process personal data. This obligation can arise under many circumstances, for example under an Act of Parliament or pursuant to a court order.
Vital interests necessity
The fourth condition says:
|
4. The processing is necessary in order to protect the vital interests of the data subject. |
It is easy to think of scenarios where the data subject’s vital interests are at stake, with an obvious example being the emergency medical situation where the data subject’s physical or mental condition prevents them from giving consent, perhaps within the context of a serious accident or a sudden collapse. However, the meaning and implications of this condition are not absolutely clear. On the one hand the vital interests condition might be said to be referring to life or death situations, such as serious road traffic accidents, which is the restrictive meaning. On the other hand it could be referring to matters significantly less serious than life or death situations, but which are vital to life itself nonetheless, such as the need for food, or the need for water or the need for good health.
Many commentators point to Recital 31 within the Data Protection Directive to support the restrictive construction. This says:
|
Whereas the processing of personal data must equally be regarded as lawful where it is carried out in order to protect an interest which is essential for the data subject’s life. |
It is moot whether this recital takes matters much further, but for now the consensus would seem to be that a restrictive interpretation is required. The Information Commissioner’s ‘Legal Guidance’ says:
|
The Commissioner considers that reliance on this condition may only be claimed where the processing is necessary for matters of life and death, for example, the disclosure of a data subject’s medical history to a hospital casualty department treating the data subject after a serious road accident. |
Of course, even with the restrictive meaning there is still the question of at what point does the data subject’s vital interests become engaged? Are they engaged in truly emergency situations, where the data subject’s life could be in the balance with death an imminent likelihood? Or, alternatively, are they engaged when a chain of events could lead ultimately to death albeit after a much longer period of time than in the true emergency situation? These questions are unresolved.
Public functions necessity
The fifth condition says:
|
5. The processing is necessary – (a) for the administration of justice, (aa) for the exercise of any functions of either House of Parliament, (b) for the exercise of any functions conferred on any person by or under any enactment, (c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or (d) for the exercise of any other functions of a public nature exercised in the public interest by any person. |
There is obviously a very close connection with the public functions covered by this condition and the obligations covered by the non-contractual legal necessity condition. However, they are not dealing with the same things.
First, the non-contractual legal necessity condition is relevant to both the private and public sectors, whereas this condition is concerned with public functions only. Of course, public functions can be performed by private sector entities, meaning that this condition is applicable to the private sector also, but the non-contractual legal necessity condition is not limited by a public function criterion.
Second, the non-contractual legal necessity condition is concerned with processing done pursuant to an obligation, whereas this condition is not so limited. The distinction, if there is one, is that this condition refers to processing done under a power, rather than processing done under an obligation.
Legitimate interests necessity
The first part of the sixth condition says:
|
6. – (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject. |
This condition contains two tests, which require the data controller to perform a balancing exercise:
Is the processing for the purpose of the data controller’s legitimate interests? If the answer is yes, the processing must be necessary, raising the same issues as discussed under the second condition.
Is the processing unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject?
The DPA does not provide any assistance with the meaning of the phrase ‘legitimate interests’, but it is obvious that it requires the interests to be lawful. The balancing exercise also implies that the data controller’s legitimate interests are reasonable ones, as measured against the data subject’s interests.
This condition is a powerful condition for data controllers, particularly those in the private sector engaged in commercial activity. However, private sector data controllers choosing to rely on this condition must be warned that it is highly vulnerable to challenge, due to the specific reference to the competing interests of the data subject. In the most basic of terms this condition identifies the real challenge at the heart of data protection laws, namely the need to find balance between competing legitimate interests.
EXAMPLEA business is considering launching a new product and as part of its due diligence procedures it wishes to use the services of a market analysis company with expertise in discerning future buying trends of potential customers. Therefore, it discloses details of its customers and their purchasing history to the market analysis company. In this example the data controller is clearly pursuing a legitimate interest, but its actions are susceptible to challenge as they may be in breach of the data subjects’ rights under the second data protection principle. |
Secretary of State powers
The second part of the sixth condition says:
|
6. – (2) The Secretary of State may by order specify particular circumstances in which this condition is, or is not, to be taken to be satisfied. |
At the date of publication of this book the Secretary of State has not made any order under the second part of the sixth condition.