A valid lawful basis?

27th July 2022 Business Crime

On the 13th June 2022 the Information Commissioner’s Office published an opinion on the lawful basis the DVLA have been using to process the data they control. This opinion is directed solely at the DVLA, but it should be a reminder to all data controllers to ensure they use a valid lawful basis for the data they process.

In short, the findings of the ICO were that the DVLA had incorrectly relied on the “legal obligation” justification for their lawful basis for processing registered keeper details. The DVLA hold the registered keeper details for each vehicle with a registered Vehicle Registration Mark in the UK and this information extends to a name and an address.

Article 6(1) of UK GDPR provides 6 lawful bases to process data and if you are a data controller you must rely on at least one basis for processing the data you hold. Whether you are a government department or a business of 2 employees, a valid basis must be selected. Legal obligation is a basis to rely on if you are subject to a statutory or common law obligation to process that data, for example, an employer is under an obligation to disclose their employees’ details to HMRC for tax purposes or to disclose personal details to the Health and Safety Executive should an accident at work occur, following which a RIDDOR report must be made.

The DVLA carries out a public function by administering, maintaining and providing access to a data base holding all registered keeper details in the UK. Under the Vehicle (Registration and Licensing) Regulations 2002, specifically s.27(1)(e), the DVLA are allowed to provide information of the registered keeper of a specific vehicle should a requestor have reasonable cause. The DVLA had interpreted this as a legal obligation to process data in that they were subject to this Regulation and had to provide the information should the requestor provide reasonable cause. However, the ICO have disagreed and indicated that the correct basis in their view is “public task,” a basis for processing that allows you to do so if you perform a public function. The ICO also go a step further to disagree with the DVLA’s interpretation of the Regulation to state s.27(1)(e) confers a power and not a legal obligation to disclose registered keeper details.

Choosing a valid basis

The ICO maintain that any lawful basis to be relied on must be correctly selected at the outset of any processing and below we have set out each basis and a short description of each.

  1. Consent – the data subject provides you consent to process their data.
  2. Contract – processing is necessary under a contract you are party to.
  3. Legal Obligation – common law or statute compels you to process the data.
  4. Vital Interest – processing is necessary to protect someone’s life.
  5. Public Task – the processing is necessary for you to perform a task in the public interest or as a public function.
  6. Legitimate interest – processing is necessary for your legitimate interest or a legitimate interest of a third party unless there is a good reason to protect the data subject’s data.

In considering these bases, a business should consider their relationship with the data subject. If you want to rely on consent, can you legitimately provide the data subject with the option to withdraw consent at any time? If you rely on a contract, when does this contract end and to what extent are you processing data under performance of the contract? If you rely on legitimate interest, you must balance the purpose of the interest, necessity and if the data subject has an overriding interest that trumps your legitimate one.

The ICO finding is a helpful reminder to those processing personal data to ensure the appropriate lawful bases are assessed, referenced and regularly reviewed. Should a business attempt to change a lawful basis whilst data processing is on-going, this will automatically breach the transparency principles that are central to UK GDPR. 

JMW have advised and guided businesses on how to comply with UK GDPR and defining the correct lawful basis for processing is your first step to ensuring compliance. As businesses become increasingly data driven considering this area of law is becoming more and more crucial. Our advice then flows from the basis of your processing to your company’s Data Protection Impact Assessment, Privacy Policy and if your company needs to make restricted transfers out of the European Economic Area.​​​​​​

We're Social

James Harvey is a Trainee Solicitor located in Manchesterin our Trainee Solicitors department

View other posts by James Harvey

Let us contact you

View our Privacy Policy