Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.) Please also be aware that these criteria must be supported by a written legitimate interest assessment. No single basis is ‘better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the data subject. Several of the lawful purpose criteria may relate to a particular specified purpose – a legal obligation, a contract with the individual, protecting someone’s vital interests, or performing your public tasks. If you are processing for these purposes then the appropriate lawful basis may well be obvious, so it is helpful to consider these first. As a public authority, and if you can demonstrate that the processing is to perform your tasks as set down in UK law, then you are able to use the public task basis. If not, you may still be able to consider consent or legitimate interests in some cases, depending on the nature of the processing and your relationship with the data subject. There is no absolute ban on public authorities using consent or legitimate interests as their lawful basis, but the Data Protection law does restrict public authorities’ use of these two criteria. The majority of processing of personal data conducted by public authorities will fall within Article 6(1)(e) GDPR, that “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”; however, careful consideration must be given to any processing, especially in more novel areas. As you can see, consent is just one of several possible lawful processing criteria.
Consent has changed as a result of the GDPR and is now defined as: “in relation to the processing of personal data relating to an individual, means a freely given, specific, informed and unambiguous indication of the individual’s wishes by which the individual, by a statement or by a clear affirmative action, signifies agreement to the processing of the personal data” This means that where a school is relying on consent as the basis for processing personal data, that consent has to be clear, meaning that pre-ticked boxes, opt-out or implied consent are no longer suitable. The GDPR does not specify an age of consent for general processing but schools/academies should consider the capacity of pupils to freely give their informed consent. The Information Commissioner’s Office (ICO) gives clear advice on when it’s appropriate to use consent as a lawful base. It states: “Consent is appropriate if you can offer people real choice and control over how you use their data and want to – if your school requires learner details to be stored in an MIS, it would not be appropriate to rely on consent if the learner cannot opt out of this. In this case, you could apply the public task lawful base.

Content of Privacy Notices

Privacy Notices are a key compliance requirement as they ensure that each data subject is aware of the following points when data is collected/processed by a data controller:
● who the controller of the personal data is
● what personal data is being processed and the lawful purpose of this processing
● where and how the personal data was sourced
● to whom the personal data may be disclosed
● how long the personal data may be retained
● data subject’s rights and how to exercise them or make a complaint

In order to comply with the fair processing requirements in data protection law, the school will inform parents/carers of all learners of the data they collect, process and hold on the learners, the purposes for which the data is held and the third parties (e.g. LA etc.) to whom it may be passed. This privacy notice will be passed to parents/carers, for example in the prospectus, newsletters, reports or a specific letter/communication, or you could publish it on your website and keep it updated there. Parents/carers of young people who are new to the school will be provided with the privacy notice through an appropriate mechanism. In some circumstances you may also require privacy notices for children/learners as data subjects, as children have the same rights as adults over their personal data. These include the rights to access their personal data; request rectification; object to processing and have their personal data erased. The policies that explain this should be clear and age appropriate.

Data subject’s right of access

Data subjects have a number of rights in connection with their personal data. They have the right:
● to be informed – Privacy Notices
● of access – Subject Access Requests
● to rectification – correcting errors
● to erasure – deletion of data when there is no compelling reason to keep it
● to restrict processing – blocking or suppression of processing
● to portability – unlikely to be used in a school context
● to object – objection based on grounds pertaining to their situation
● related to automated decision making, including profiling

Your school must provide the information free of charge. However, if the request is clearly unfounded or excessive – and especially if this is a repeat request – you may charge a reasonable fee.

▇▇▇▇▇▇▇▇ and how to manage a breach

Recent publicity about data breaches suffered by organisations and individuals continues to make the area of personal data protection a current and high profile issue for schools, academies and other organisations. It is important that the school has a clear and well understood personal data handling policy in order to minimise the risk of personal data breaches.
Appears in 1 contract
Sources: E Safety Policy
Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.) Please also be aware that these criteria must be supported by a written legitimate interest assessment. No single basis is ‘better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the data subject. Several of the lawful purpose criteria may relate to a particular specified purpose – a legal obligation, a contract with the individual, protecting someone’s vital interests, or performing your public tasks. If you are processing for these purposes then the appropriate lawful basis may well be obvious, so it is helpful to consider these first. As a public authority, and if you can demonstrate that the processing is to perform your tasks as set down in UK law, then you are able to use the public task basis. If not, you may still be able to consider consent or legitimate interests in some cases, depending on the nature of the processing and your relationship with the data subject. There is no absolute ban on public authorities using consent or legitimate interests as their lawful basis, but the Data Protection law does restrict public authorities’ use of these two criteria. The majority of processing of personal data conducted by public authorities will fall within Article 6(1)(e) GDPR, that “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”; however, careful consideration must be given to any processing, especially in more novel areas. As you can see, consent is just one of several possible lawful processing criteria.
Consent has changed as a result of the GDPR and is now defined as: “in relation to the processing of personal data relating to an individual, means a freely given, specific, informed and unambiguous indication of the individual’s wishes by which the individual, by a statement or by a clear affirmative action, signifies agreement to the processing of the personal data” This means that where a school/academy is relying on consent as the basis for processing personal data, that consent has to be clear, meaning that pre-ticked boxes, opt-out or implied consent are no longer suitable. The GDPR does not specify an age of consent for general processing but schools/academies should consider the capacity of pupils to freely give their informed consent. The Information Commissioner’s Office (ICO) gives clear advice on when it’s appropriate to use consent as a lawful base. It states: “Consent is appropriate if you can offer people real choice and control over how you use their data and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate. If you would still process the personal data without consent, asking for consent is misleading and inherently unfair.” You should only use consent if none of the other lawful bases is appropriate. If you do so, you must be able to cope with people saying no (and/or changing their minds), so it’s important that you only use consent for optional extras, rather than for core information the school requires in order to function. Examples:
– consent would be appropriate for considering whether a child's photo could be published in any way.
– if your school or academy requires learner details to be stored in an MIS, it would not be appropriate to rely on consent if the learner cannot opt out of this. In this case, you could apply the public task lawful base.

Content of Privacy Notices

Privacy Notices are a key compliance requirement as they ensure that each data subject is aware of the following points when data is collected/processed by a data controller:
● who the controller of the personal data is
● what personal data is being processed and the lawful purpose of this processing
● where and how the personal data was sourced
● to whom the personal data may be disclosed
● how long the personal data may be retained
● data subject’s rights and how to exercise them or make a complaint

In order to comply with the fair processing requirements in data protection law, the school/academy will inform parents/carers of all learners of the data they collect, process and hold on the learners, the purposes for which the data is held and the third parties (e.g. LA etc.) to whom it may be passed. This privacy notice will be passed to parents/carers, for example in the prospectus, newsletters, reports or a specific letter/communication, or you could publish it on your website and keep it updated there. Parents/carers of young people who are new to the school/academy will be provided with the privacy notice through an appropriate mechanism. In some circumstances you may also require privacy notices for children/learners as data subjects, as children have the same rights as adults over their personal data. These include the rights to access their personal data; request rectification; object to processing and have their personal data erased. The policies that explain this should be clear and age appropriate.

Data subject’s right of access

Data subjects have a number of rights in connection with their personal data.
They have the right:
● to be informed – Privacy Notices
● of access – Subject Access Requests
● to rectification – correcting errors
● to erasure – deletion of data when there is no compelling reason to keep it
● to restrict processing – blocking or suppression of processing
● to portability – unlikely to be used in a school/academy context
● to object – objection based on grounds pertaining to their situation
● related to automated decision making, including profiling

Several of these could impact schools and academies, such as the right of access. You need to put procedures in place to deal with Subject Access Requests. These are written or verbal requests to see all or a part of the personal data held by the Controller in connection with the data subject. Controllers normally have 1 calendar month to provide the information, unless the case is unusually complex, in which case an extension can be obtained. A school/academy must not disclose personal data even if requested in a Subject Access Request:
● if doing so would cause serious harm to the individual
● child abuse data
● adoption records

Your school or academy must provide the information free of charge. However, if the request is clearly unfounded or excessive – and especially if this is a repeat request – you may charge a reasonable fee.

▇▇▇▇▇▇▇▇ and how to manage a breach

Recent publicity about data breaches suffered by organisations and individuals continues to make the area of personal data protection a current and high profile issue for schools, academies and other organisations. It is important that the school/academy has a clear and well understood personal data handling policy in order to minimise the risk of personal data breaches.
Appears in 1 contract
Sources: Online Safety Policy
Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.) Please also be aware that these criteria must be supported by a written legitimate interest assessment. No single basis is ‘better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the data subject. Several of the lawful purpose criteria may relate to a particular specified purpose – a legal obligation, a contract with the individual, protecting someone’s vital interests, or performing your public tasks. If you are processing for these purposes then the appropriate lawful basis may well be obvious, so it is helpful to consider these first. As a public authority, and if you can demonstrate that the processing is to perform your tasks as set down in UK law, then you are able to use the public task basis. If not, you may still be able to consider consent or legitimate interests in some cases, depending on the nature of the processing and your relationship with the data subject. There is no absolute ban on public authorities using consent or legitimate interests as their lawful basis, but the Data Protection law does restrict public authorities’ use of these two criteria. The majority of processing of personal data conducted by public authorities will fall within Article 6(1)(e) GDPR, that “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”; however, careful consideration must be given to any processing, especially in more novel areas. As you can see, consent is just one of several possible lawful processing criteria.
Consent has changed as a result of the GDPR and is now defined as: “in relation to the processing of personal data relating to an individual, means a freely given, specific, informed and unambiguous indication of the individual’s wishes by which the individual, by a statement or by a clear affirmative action, signifies agreement to the processing of the personal data” This means that where a school/academy is relying on consent as the basis for processing personal data, that consent has to be clear, meaning that pre-ticked boxes, opt-out or implied consent are no longer suitable. The GDPR does not specify an age of consent for general processing but schools/academies should consider the capacity of pupils to freely give their informed consent. The Information Commissioner’s Office (ICO) gives clear advice on when it’s appropriate to use consent as a lawful base. It states: “Consent is appropriate if you can offer people real choice and control over how you use their data and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate. If you would still process the personal data without consent, asking for consent is misleading and inherently unfair.” You should only use consent if none of the other lawful bases is appropriate. If you do so, you must be able to cope with people saying no (and/or changing their minds), so it’s important that you only use consent for optional extras, rather than for core information the school requires in order to function. Examples:
– consent would be appropriate for considering whether a child's photo could be published in any way.
– if the school requires learner details to be stored in an MIS, it would not be appropriate to rely on consent if the learner cannot opt out of this. In this case, you could apply the public task lawful base.

Content of Privacy Notices

Privacy Notices are a key compliance requirement as they ensure that each data subject is aware of the following points when data is collected/processed by a data controller:
● who the controller of the personal data is
● what personal data is being processed and the lawful purpose of this processing
● where and how the personal data was sourced
● to whom the personal data may be disclosed
● how long the personal data may be retained
● data subject’s rights and how to exercise them or make a complaint

In order to comply with the fair processing requirements in data protection law, the school will inform parents/carers of all learners of the data they collect, process and hold on the learners, the purposes for which the data is held and the third parties (e.g. LA etc.) to whom it may be passed. This privacy notice will be passed to parents/carers, for example in the prospectus, newsletters, reports or a specific letter/communication, or you could publish it on your website and keep it updated there. Parents/carers of young people who are new to the school will be provided with the privacy notice through an appropriate mechanism. In some circumstances you may also require privacy notices for children/learners as data subjects, as children have the same rights as adults over their personal data. These include the rights to access their personal data; request rectification; object to processing and have their personal data erased. The policies that explain this should be clear and age appropriate.

Data subject’s right of access

Data subjects have a number of rights in connection with their personal data.
They have the right:
● to be informed – Privacy Notices
● of access – Subject Access Requests
● to rectification – correcting errors
● to erasure – deletion of data when there is no compelling reason to keep it
● to restrict processing – blocking or suppression of processing
● to portability – unlikely to be used in a school/academy context
● to object – objection based on grounds pertaining to their situation
● related to automated decision making, including profiling

Several of these could impact schools and academies, such as the right of access. You need to put procedures in place to deal with Subject Access Requests. These are written or verbal requests to see all or a part of the personal data held by the Controller in connection with the data subject. Controllers normally have 1 calendar month to provide the information, unless the case is unusually complex, in which case an extension can be obtained. A school/academy must not disclose personal data even if requested in a Subject Access Request:
● if doing so would cause serious harm to the individual
● child abuse data
● adoption records
● statements of special educational needs

Your school must provide the information free of charge. However, if the request is clearly unfounded or excessive – and especially if this is a repeat request – you may charge a reasonable fee.

▇▇▇▇▇▇▇▇ and how to manage a breach

Recent publicity about data breaches suffered by organisations and individuals continues to make the area of personal data protection a current and high profile issue for schools, academies and other organisations. It is important that the school/academy has a clear and well understood personal data handling policy in order to minimise the risk of personal data breaches.
Appears in 1 contract
Sources: Online Safety Policy