Basis for processing
In a privacy context, a legal basis is what The General Data Protection Regulation (GDPR) refers to as a basis for processing. The requirement for a basis for processing follows from the provisions of the GDPR, article 6 (lovdata.no, in Norwegian).
All processing og personal data must have a primary legal basis in these provisions. If sensitive information is to be processed, there are further requirements for both the processing and the legal basis.
The General Data Protection Regulation, article 6
For each processing of personal data, for each purpose, there has to be grounds for processing. At least one of the provisions in the GDPR, article 6 number 1, must be met to start a processing:
- the registered has consented
- the processing is necessary to fulfill an agreement of which the registered is a part of
- the processing is necessary to fulfill a legal obligation which is incombent on the controller
- the processing is necessary to safeguard the registered or another persons vital interests
- the processing is necessary to perform a task in public interest or to perform the public authority which is imposed on the controller.
- the processing is necessary for purposes attached to the interests of the legitimate interests which is pursued by the controller or a third party, unless the registrant's interests or basic rights and freedoms procedes
As the list in article 6 is exhaustive, it is no longer enough for statutory access to processing. This will be a supplementary legal basis for either article 6 number 1, letter c or e.
-
Consent
For a consent to be valid and work as a basis for processing, it must be:
- voluntary
- specific
- informed
- unequivocal
- given actively
- documentable
- possible to withdraw as easily as it was given
If UiO wishes to use the data for a new/different purpose, a new consent must be obtained from the data subject.
Voluntary
To make sure that consent is given voluntary, a real choice must be given. This means that there can be no negative consequences if a person does not wish to give consent. In assessing whether a consent is voluntary, one must also look at the power balance between the individual and the institution.
For example: UiO as an employer would normally not be able to use consent as a processing basis for employees, as the employees has a dependent relationship with UiO.
Specific
It has to be completely clear what the individual is giving their consent to. The purpose of the processing must be clearly and presisely articulated. Personal information that is procecced based on consent can only be used for the purpose which was given at the time of consent. This means that one has to ask for consent for each purpose separately.
Informed
A consent is only valid if one know what one is consenting to. The language in a consent form must be clear, simple and easy to understand, and the information about what the individuals are consenting to must be clearly stated in writing.
The data subject shall be informed about the following:
- Name and address of the data controller
- The purpose of each of the processes requested
- What kind of personal information that is being collected
- Whether the data will be provided to others and who may be the recipients
- Whether giving the information is voluntary
- Information about the right to withdraw consent
- Anything else that will enable the person being asked for consent to use his or her rights under the privacy laws in the best possible way.
Unequivocal and given actively
For the consent to be valid, each individual giving their consent must do an active act. This could for example be clicking a button, check a box, or sign a form. Passitivity, silence or prechecked boxes will never be accepted as valid consent. There must be no doubt that the individual knowingly gave their consent.
Documentable
There are no requirements as to which form the consent is given. It can be given in writing, orally, thorugh movements or in other ways. The only requirement is taht the consent must be documented to ensure verifiability. The obligation for documentability also states that you must be able to prove that the consent is valid.
Possibility to withdraw as easily as it was given
The data subject must be informed about the right to withdraw consent and that consent can be withdrawn with no negative consequences. It can not be harder to withdraw a consent than it was to give it in the first place. When consent is withdrawn all the relevant personal information will normally be erased.
-
Necessary to fulfill an agreement
You can process personal information if the processing is necessary to fulfill an agreement in which you are a party in. One example of this is where an employer needs information about the employees bank to be able to pay them their wages. The same thing applies if the processing is necessary to implement measures that the individual has asked for prior to signing the agreement.
-
Necessary to fulfill a legal obligation
UiO can process personal information if it is necessary to fulfill a legal obligation which is the responsibility of the institution. The legal obligation must be pursuant to law or regulation, and the processing basis must be determined in a law under which UiO is subject. It must also be made clear that this is a duty and there is therefore no freedom of choice when it comes to the processing of personal information.
-
Necessary to protect vital interests
UiO can process personal information if it is necessary to protect the data subject's or another persons vital interests. The processing of personal data in this case must be in connection with life or death situations or a danger to someones health.
-
Necessary to perform a task of public interest or exercising public authority
UiO can process personal information if it is necessary to perform a task of public interest. The same applies if the processing is necessary to exercise the public authority of which is imposed upon UiO. To process personal information on this processing basis, it also has to have a legal basis. This means that the processing basis must be determined in a law under which UiO is subject.
-
Necessary to maintain legitimate interests
UiO can process personal information if it is necessary to guard a legitimate interest which weighs heavier that the privacy of the individual. The legitimate interest which is sought must be legal, clearly defined in advance, real and justified in the business.
The processing of personal data must be necessary for this interest. This implies that one must assess whether the purpose can be achieved in a way that guards privacy. One must choose the least interventional processing.
Thereafter, an interest arbitration must be made to determine whether the individual's privacy outweighs UiO's legitimate interest. This weighing is done step by step:
- Interest of the company
- Consideration of privacy
- Measures done to minimize the privacy implications
- Balance test
Purpose assessment
When a new processing of personal data shall start up, as well as performing an assessment of the legal basis, the purpose of the processing shall also be stated. This is pursuant to the GDPR, article 5, number one letter b, which states that personal information shall be collected for "specific, expressly stated and legitimate purposes".
Specifying a purpose of a processing is often a simple exercise, as the purpose of the processing is often the very reason the processing is undertaken. For research projects it will often be the project description which is the purpose. For ecample: "The purpose of the processing of personal information is to investigate if x is y in relation to z". In the case of administrative processing the same applies – we are collecting personal data for purposes such as study administration, personnel administration or security purposes.
What is important to note is that personal data obtained for a specific purpose cannot later be used for any purpose that is incompatible with the original purpose of the processing. If so, a new assessment as to whether there exists a processing basis for the new purpose must be done.
Processing sensitive personal data
Handling sensitive personal data is essentially prohibited, cf. the GDPR Article 9, No.1.
Sensitive personal data is information about:
- racial or ethnic origin
- political views
- religion
- philosophical convictions
- union memberships
- genetic information
- biometric information with the purpose of uniquely identifying someone
- health information
- information about sexual relationships
- information about sexual orientation
The ban on processing this kind of information is not absolute, and there are many exceptions. There must be a specific legal basis in addition to the primary processing basis to be able to process this kind of information.
In the GDPR Article 9, No. 2 and 3, the exemptions, which make it legitimate to process such information, are exhaustively listed:
- The data subject has given consent.
- The processing is necessary for the Data Controller or the data subject to be able to fulfill and exercise their his labor, social and legal obligations and rights to the extent that the processing is permitted by law or tariff agreement.
- The processing is necessary to guard the data subject's, or any other persons, vital interests if the data subject is not able to give consent.
- The processing is conducted by a foundation, association or non profit organization that has political or religious goals or goals pertaining to trade unions, as long as it concerns personal information about members and the like, and the information is not disclosed without consent.
- The processing pertains to information that the data subject obviously has published themselves.
- The processing is necessary in connection with legal requirements or if the courts act within the framework of their jurisdiction.
- The processing is necessary for the purposes of important public interests and has a legal basis.
- The processing is necessary in connection with preventetive medicine, occupational medicine, the assessment of an employee's wirh capacity, medical diagnostics, health or social services, social wok or medical treatment or management of heatlh or social services and systems. This, however, applies only if the information is processed by a professional subject to confidentiality and the processing of personal data must have a legal basis or follow an agreement with healthcare professionals.
- The processing is necessary for general public health concern.
- The processing is necessary for archival purposes in public interest, for purposes related to scientific or historical research or for statistical purposes, as long as there are certain measures taken and the processing has a legal basis.
More on consent in research:
- Research containing personal data (in Norwegian)
- Medical and health research (in Norwegian)