Lawful basis for processing personal data at IIED
The General Data Protection Regulation (GDPR) sets out six lawful grounds for processing personal data. These are:
(i) For the performance of a contract
(ii) Function of a public task
(iii) Legal obligation
(iv) Legitimate interest
(v) Vital interest
The Information Commissioner’s Office (ICO) guidance on lawful basis states that no single basis is “better” or more important than the others; all are equally valid. When choosing which to rely on, the most appropriate basis depends on the purpose for which the data is being processed and the relationship with the individual. The lawful basis must be determined before processing begins and be necessary for achieving the purpose for which it was processed.
By ‘personal data’ we mean, under the law, any information relating to a living person ('data subject') that directly or indirectly (i.e. several pieces of information in combination) identifies that person.
‘Special Category data’ that requires even greater care when handling includes: genetic and biometric personal data, racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, health details, sexual life. Personal data relating to criminal offences shall also be treated with a high degree of sensitivity and requires particularly careful handling.
If data is fully anonymised (i.e. the data does not allow an individual to be identified even if combined with other information) then it is no longer classified as personal data and data protection legislation will not apply. IIED will seek to anonymise personal data wherever possible.
By “processing” we mean doing any of the following with personal data either by IIED staff or by partners we’ve contracted to carry out work on our behalf as part of IIED’s work:
- Disseminating, and
IIED will rely on five of the six lawful bases for processing personal data and special category personal data:
- For the performance of a contract (“Contractual”)
- Legal obligation
- Public task
- Legitimate interest
IIED does not envisage relying on the lawful basis of ‘vital interests’.
For special category data, IIED will rely on the following conditions for processing under Article 9(2) GDPR and Schedule 1 Part 1 of the Data Protection Act 2018:
a. Explicit consent of the data subject
b. Necessary for employment law or social security law purposes, and
j. Archive, statistical and research purposes.
The following table shows the category of lawful basis under which IIED processes personal data and the relevant condition for processing special category personal data:
|Category of personal data
|Special category data condition article
|Contractors/sub-grantees/existing funders and suppliers of research and non-research services
|Subscribers (e.g. to e-newsletters)
|Research subjects (over the age of 16)
|Members of the public with no evidenced interest in sustainable development
|Children between the ages of 13 and 15 are considered able to give consent with age-appropriate information if a parent or guardian also gives their consent. IIED does not usually directly work with children. Data collected on children will only be permitted with parent/guardian consent and if a risk assessment has been carried out in the context of a data management plan
|Business to business (professionals and students operating in or around the field of sustainable development; environment; human rights; whether public, private or not-for-profit sector)
|Prospective funders (high net worth individuals who by virtue of their philanthropic activities may be interested in funding IIED’s work)
|Members of the public, with evidenced interest in sustainable development (e.g. past event sign up)
Article 6(1)(b) “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract”
Where IIED has a contract in place, IIED will rely on the contractual legal basis to process the personal data of the parties to the contract.
All employment contracts and subcontractor agreements contain data protection clauses that give explicit authorisation for IIED to process data for the purposes of performing the contract. Where IIED is a Joint Controller of personal data, roles and responsibilities will be clearly laid out in a collaboration agreement.
Purpose: IIED processes personal data for the administration and performance of a contract.
Article 6(1)(c) provides for the processing of personal data that is “necessary for compliance with a legal obligation to which the controller is subject”.
Purpose: Where the processing is necessary to comply with the law (not including contractual obligations) we will rely on the 'Legal obligation' basis. At IIED this lawful basis will not be routinely used; the processing we carry out under the 'Contractual' lawful basis is sufficient for our purposes. The 'Legal obligation' will therefore only be used where we are compelled to process personal data under the law, such as for tax purposes.
Article 6(1)(a) the data subject has given consent to the processing of their personal data for one or more specific purposes.
IIED will obtain legal consent to process two categories of data: the personal data of newsletter subscribers (direct marketing), and criminal offence data relating to research subjects.
Purpose: IIED processes subscribers’ personal data in order to send people the newsletter(s) or publications they have signed up to receive.
Criminal offence data in research
IIED’s research sometimes records personal data pertaining to criminal activity or offences as defined in Article 10 GDPR. Where it is necessary to record this category of data, IIED will rely on the provision in the Data Protection Act 2018 Schedule 1 Part 3 s29, which allows the processing of criminal offence data with consent from the data subject. Explicit consent will be obtained and where possible we will seek to anonymise the data at source.
IIED works on issues where criminality may be apparent, for example when working in areas where poaching, trespass or illegal logging take place. In our work it can sometimes be necessary to collect data of this nature to evidence illegal activity as it reflects reality on the ground to inform policymaking.
NB: IIED will always obtain ethical consent from data subjects when carrying out any research involving human data subjects (see 'Public task' and 'Special Category Data').
The public task basis in Article 6(1)(e) “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”
The ICO has confirmed that the 'Public task' lawful basis can apply to any organisation that exercises official authority or carries out tasks in the public interest that are laid down by law.
In IIED's case, we carry out research tasks in the public interest. Action research is our core purpose and allows us to work towards achieving our mission as a charity. Research data collected by us and our contracted partners is used to provide robust evidence for use in formulating policy, brokering interactions between stakeholders and building capacity to engage with sustainable development discourse and practice.
Our statutory function is that of a charity promoting sustainable development and the reduction of poverty through evidence-based research. IIED is governed by the Charities Act 2006 and regulated by the Charity Commission. The combination of activities regulated by statute, along with our status as an independent research organisation, gives us a reasonable assumption that the research component of our work satisfies the test for 'Public task'.
IIED will rely on 'Public task' for its processing of personal data for research purposes. Subjects of, or participants in, research must give their prior informed consent to taking part in the research for ethical reasons, but this will not constitute legal 'Consent' to process personal data. This is because legal 'Consent' is not appropriate given the nature of IIED’s research work.
IIED will seek to anonymise personal data collected at source, but it is not always possible to do this. For example, in longitudinal studies, returning to identifiable participants over time is essential, and the job titles and places of work of key informants might be required to make it possible to draw conclusions from a study. Even so, IIED will seek to pseudonymise personal data wherever possible.
Exceptions: In some cases, for research to be meaningful it needs to be conducted covertly and collecting any consent is not possible. It is highly unlikely that IIED projects will use covert methods, and if any work includes covert research it will be raised prominently as part of the project’s Ethics and Data Protection Review process prior to any processing and will require Research Ethics Committee approval.
Ethical consent will be recorded/documented in a way that is appropriate and meaningful given the context. Appropriate methods may include signed consent forms and third-party verification of a consent process having been followed and consent being given by individual subjects.
The consent process will always be clearly set out, prominent in the research process, concise, separate from other terms and conditions, and easy to understand. Consent will be given by affirmative action – silence, pre-ticked boxes or inactivity will not be sufficient.
IIED will keep records to evidence consent – who consented, when, how, and what they were told – or (if these records are held by a partner collecting the data) will record where these records are held in the project’s data management plan.
Data subjects will be given contact details of someone local so that they can withdraw their consent to processing at any time and have that withdrawal request promptly honoured.
Consent may need to be refreshed if personal data will be processed for a purpose which was not disclosed when the data subject first consented. However, fresh consent is not required when further processing for a compatible purpose, such as further related research.
IIED will securely store research data (including 'Special Category Data') for an indefinite period for use in research purposes relying on Article 9(2)(j) Archiving, scientific or historical research.
Article 6(1)(f) processing is necessary for the purposes of the legitimate interests pursued by a controller, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.
Where public task, consent or a contract are not appropriate, IIED will rely on legitimate interest to process personal data of individuals who we categorise as having an interest in, or connection to, IIED’s work; or from whom IIED can derive benefit to furthering IIED’s mission. The GDPR (Recital 47) refers to a ‘relevant and appropriate relationship’ with respect to processing of Personal Data under the Legitimate Interest provision, which we interpret and apply as a ‘business to business’ relationship, or that which the data subject would reasonably expect given their status in a position of influence or authority, and/or their philanthropic activities.
IIED processes personal data of individuals that fall into one of two categories on this basis:
- Those who have a pre-existing connection with IIED: for example, individuals who have participated in IIED-led events; joined online discussions hosted by IIED; are or have been recipients of IIED newsletters; have worked with IIED in the past; or who have provided their contact details to IIED staff. They are known to IIED and the relationship is already established.
- Those who we identify as necessary to further IIED’s charitable objects and its mission: professionals working in the field of sustainable development; people in positions of influence in the spaces we seek to inform and influence; people who may have an interest in funding IIED’s work. These people may or may not be known to IIED, but our processing of their data is necessary for IIED to further its charitable objectives.
We are confident that both these categories of individuals, by virtue of their professional position or philanthropic activities, would consider our processing of their personal data to be appropriate.
For this category, we will limit our processing to personal data that is available in the public domain.
Legitimate interest assessment
The GDPR requires that an assessment be carried out where the data controller relies on the legitimate interest basis. The following test covers all processing that IIED will carry out under the 'Legitimate interest' basis.
This assessment has three parts, all of which must be satisfied to justify processing on this basis:
- Purpose test: are you pursuing a legitimate interest?
- Necessity test: is the processing necessary for that purpose?
- Balancing test: do the individual’s interests override the legitimate interest?
IIED justifies processing the personal data of individuals under the 'Legitimate interest' basis for the categories of data subjects in the above table using the following rationale:
|Legitimate interest rationale
Why does IIED process personal data?
Does this processing enable IIED to meet its lawful objects as a charity?
Yes. IIED’s charitable objects are:
In order to meet its objects, IIED needs to process personal data to communicate and influence people from relevant agencies, organisations and companies and to fundraise.
Is the processing necessary?
Without processing people’s personal data, we would not be able to maintain a relationship with them in a way that was necessary for the viable operation of the charity or carry out the research necessary to further our mission. We only capture the personal data that is necessary for research purposes, to fundraise or to develop and maintain a professional relationship. We will acquire consent or enter into a contract for anything that requires processing 'Special Category Personal Data' or involves a financial transaction.
Is there another way to achieve this objective?
Processing personal data of our business-to-business contacts is the only way to maintain relationships and other communication methods would be too onerous (face-to-face meetings for example with overseas attendees to an event would be costly and unsustainable); we would not be able to identify, contact and build a relationship with potential funders without processing personal data.
Would the individual expect their personal data to be processed?
Yes, the people whose data we process under this category would expect IIED to capture and store personal data in the way that we do and for the purposes laid out above.
Is any of the data sensitive or private?
No. The data we capture under 'Legitimate interest' is never sensitive or private. IIED would rely on contract or consent, with a relevant condition for processing, to process data of a sensitive (special category) or private nature.
Is IIED happy to explain this processing to the person?
Is the processing in the interests of the person whose data it relates to?
Yes. IIED only processes data to communicate with audiences who have expressed an interest in the work that we do; either because this is relevant to their work or because they have an interest in the subject matter.
Would the processing violate or in any way undermine the individual’s ability to exercise their rights?
No. The processing of data under legitimate interest basis would not expose the person to any rights violation or prevent them from exercising their rights.
How would IIED suffer harm if this processing does not happen?
If we could not process personal data we would not be able to meet our charitable objectives.
Are the legitimate interests of the data subject aligned with IIED?
Yes. We would only process data of people who are in some way connected to the work IIED does. This could be because they work in the field of sustainable development or a related sector, or have a business interest in IIED, and they have been in contact with us, provided us with a business card, attended an event or workshop, or have funded work similar to that of IIED. We would not process data of individuals who had no connection with IIED or its work under this legal basis.
What is the nature of the relationship between the data subject and IIED?
The relationship can be characterised as business to business. Where it is not, the relationship will be one of interested party. We would not buy personal data or make unsolicited contact with an individual not related to IIED’s work.
Would the individual expect IIED to use their data in the way it is being used?
Yes. IIED only processes personal data under this basis to facilitate business to business relationships.
What category of data is being processed under 'Legitimate interest'?
Contact data (name, address, email address)
Does IIED offer an opt out?
Yes. Anyone can request that we cease to process their personal data.
Special Category personal data
Personal data is classified as belonging to "special categories" under current data protection legislation if it includes any of the following types of information about an identifiable, living individual:
- racial or ethnic origin
- political opinions
- religious beliefs
- trade union membership
- physical or mental health
- sexual life or sexual orientation
- commission of offences or alleged offences
- genetic data, or
- biometric data.
Processing special category personal data requires a lawful basis plus a condition for processing. At IIED we will rely on the following:
- Public task
Condition for processing:
c. Explicit consent of the data subject
d. Necessary for employment law or social security law purposes, and
j. Archive, statistical and research purposes.
The grid above shows the type of special category data we will process.