09 March 2023 - We have shortened a description of “strictly necessary” in the “At a glance” section for “Conditions for sensitive processing”. Further detail can now be found under the “What about sensitive processing?” section instead.
The conditions for sensitive processing in Schedule 8 of the Act are:
Again, you must be able to demonstrate that the processing is strictly necessary and that it either satisfies one of the conditions in Schedule 8 or is based on consent.
When undertaking ‘sensitive processing’, in order to comply with the first principle, you must either have consent for processing or be able to satisfy one of the conditions in Schedule 8. Consent should not always be a default condition as it may not be appropriate in the circumstances. You will also need an appropriate policy document in place.
An appropriate policy document must explain:
(a) your procedures for ensuring compliance with the law enforcement data protection principles; and
(b) your policies on the retention and erasure of this data.
Our template appropriate policy document shows the kind of information this should contain.
The sensitive processing must be necessary for the administration of justice, or the exercise of a function conferred ‘on a person’ by enactment. This covers a constable and other competent authorities.
In addition, in order to satisfy this condition, you must be able to demonstrate that the processing is necessary for reasons of substantial public interest.
This condition only applies in cases of life or death, such as if you disclose an individual’s medical history to a hospital’s A&E department who are treating them after a serious road accident. Data protection law should not be a barrier to processing data in these circumstances.
This condition is met in cases where consent is not appropriate because the individual is under 18 or at risk, but the processing is necessary for reasons of substantial public interest, and is to protect them from harm or to protect their well-being.
This condition applies if the data subject has deliberately made the information public.
This condition is met if the processing is necessary for the establishment, exercise or defence of a legal claim or whenever a court is acting in its judicial capacity.
You should use this condition if the processing is necessary for the purposes of preventing fraud. If it involves sharing data with organisations that do not fall within the definition of a competent authority, the processing needs to comply with the UK GDPR, and you need to have a lawful basis for sharing the data.
You can use this condition if processing is necessary for archiving in the public interest, for scientific or historical research purposes, or for statistical purposes. However, you cannot use it if it will result in decisions being made that affect a particular individual, or is likely to cause substantial damage or substantial distress to an individual.