VeriFi EIDOS

3. Lawful Basis For Processing - Legitimate Interest Assessment

It is the responsibility of the data controller to establish the lawful ground for each processing activity it (and its data processors) carries out.

The lawful grounds are set out in Article 6 of the GDPR. You can read about them in detail here: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/

Legitimate Interests

Legitimate interests is the most flexible lawful basis for processing personal data, but you cannot assume it will always be the most appropriate.

It is likely to be most appropriate where you use people’s data in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.

Legitimate interest in the case of surveillance and security data can be summarised in a Privacy Policy as follows:-

Surveillance and security data may be used for the legitimate interest of:-

  • maintaining the security of property and premises;
  • preventing and investigating crime;
  • monitoring staff, and staff of tenants, when carrying out work duties on the premises; and providing evidence of health and safety issues

The information processed may include names, employment details, security clearance, vehicle registration numbers, images, sound recordings, records of personal appearance and behaviours. This information may concern staff and other workers present on the premises, customers and clients, offenders and suspected offenders, members of the public and those inside, entering or in the immediate vicinity of the area under surveillance. Subject to UK Data Protection Legislation, this information may be shared with the data subjects themselves, tenants and their agents, services providers, police forces and government security agencies and others who have entered into a Data Sharing Agreement with the data controller and where necessary to achieve the above purposes.

Legitimate Interest Assessments (LIAs)

The legitimate interest grounds for processing is only available to the extent that the data controller’s legitimate interest is not outweighed by the rights and freedoms of the individual whose personal data is being processed. The ICO states that data controllers should carry out a Legitimate Interest Assessment (LIA) in order to document this decision making process.

The following typical LIA has been produced by VeriFi and is applicable to commercial property applications where data processing equipment described in section 12 of this document are employed.

Typical Legitimate Interest Assessment (LIA)

IMPORTANT this LIA does not extend to Special Category Data and Criminal Offence Data.

Processing Special Category Data and Criminal Offence Data

If you are processing special category data then you will need to identify an additional condition for processing that data. The conditions are set out in Article 9 of the GDPR.

If you are processing criminal offence data then you will also need to identify an additional condition for processing that data. For criminal offence data, the conditions are set out in Schedule 1 of the Data Protection Act 2018. You cannot rely on an Article 9 condition to process criminal offence data. This is because the processing of criminal offence data is more restricted than special category data.

To illustrate this, you will need the following grounds/conditions for the following types of personal data:

Personal data (excluding special category and criminal offence data) – Article 6 lawful basis ONLY.

Special category dataArticle 6 lawful basis AND an Article 9 condition.

Criminal offence dataArticle 6 lawful basis AND a Schedule 1 condition.

The data controller’s Privacy Policy will need to identify any special category and criminal offence data being processed, the purposes for that processing, and the additional conditions relied upon for the processing. The conditions will need to be assessed on a case-by-case basis as they are facts-specific. Please refer to the ‘Detailed Reading’ section below for further information.

Once you have identified an appropriate condition, the following wording can be used in the data controller’s Privacy Policy:

Part 1 – Purpose 

Purpose of processing the data – Prevention and investigating crime; monitoring staff, and staff of tenants, when carrying out work duties on the premises; providing evidence of health and safety issues.

Benefit – Establishment and maintenance of a safe and secure environment.

Third parties benefiting from the processing – Occupiers and visitors to the premises.

Wider public benefits to the processing – Surveillance of and to the public perimeter of building provides assistance to law enforcement agencies.

Importance of identified benefits – Fundamental duty of care.

Impact if processing does not take place – Lack of evidence of breaches of security and safety.

Data compliance – The data controller is aware of its obligation to comply with the Data Protection Act 2019 and GDPR.

Law – The data controller is aware of its obligation to be comply with UK law.

Codes of practice – The data controller is aware of its obligation to comply with the SCA and ICO codes of practice relating to CCTV.

Ethical issues – Are governed by the code of conduct set by the business.

Part 2 – Necessity 

Efficacy – Past experience in similar situations has clearly demonstrated that the chosen method of securing the premises is effective.

Proportionality – The chosen method of securing the premises is proportionate to the perceived risk.

Consideration given to alternatives – This LIA was undertaken retrospectively to the installation of the equipment, it is assumed that alternative methods were considered.

Minimisation of processing – The amount of data processed is adequate but no more than is actually required to achieve the purpose.

Part 3 – Balancing Test

Nature of Data

Special category data or criminal offence data – None.

Private Data – None.

Children’s or vulnerable people data – None.

Personal or professional data – None.

Reasonable Expectations

Existing Relationships – Limited to occupiers of the location, their staff and visitors to the location.

Nature of the relationship and past use of data – Employees of the data controller, building occupiers, their visitors and contractors.

Collection of data – Individuals are informed of the collection of surveillance data by public information CCTV signs located in and around the premises. Electronic access control and visitor data is obtained by the data controller directly from the individual or their employer.

Reuse of personal data from third parties – Personal data obtained from building occupiers is limited to their employees, visitors and contractors. The use of this data is limited to the operation of access control equipment, visitor logging and issue and use of the data controllers assets.

Archive retention – The data controller recognises the necessity for the minimisation of data and has adopted the archive retention periods stated elsewhere in this document.

Changes in technology or context – Where such changes would affect expectations these will be communicated to the affected individuals.

Communications of intentions – The data controllers privacy statement describes intentions for the use of data.

Future innovations – Innovations and changes that may impact on expectations of individuals will be communicated to the various stakeholders before being implemented.

Market research and focus groups – The data controller will consult with building occupiers if changes to data processing may, in the opinion of the data controller, adversely impact on individuals expectations.

Unexpected processing – It is not foreseen that there would be circumstances outside the data controllers stated purposes that the controller would permit processing

Likely impact

Possible impacts of the processing on people – It is not foreseen that there would be any negative impact provided that the data controllers policy is followed.

Control over the use of a persons data – Personal data will only be shared with organisations that are allowed access under UK law or if the disclosing data controller has entered into a data sharing agreement with a receiving data controller who has demonstrated a reasonable and lawful requirement for having access to the data.

Likelihood and severity of any potential impact – Provided that the purposes of the processing and principles embodied in the data controllers privacy statement are adhered to the likelihood and severity of impact is low.

Objections to the processing – The processing is of types common throughout the commercial property sector and objections are proven to be extremely rare.

Explanation of the processing – Individuals may contact the data controller for clarification of processes and procedures via the contact details shown on the public information CCTV signs located in and around the premises.

Safeguards to minimise impact – The data controllers processes and procedures provide adequate safeguards to minimise the impact of any operational data breach.

Opt out – The necessity for maintaining a safe and secure environment does not allow for opting out of the use of personal data.

We may also process special category data about you, including [list of types of special category data] and criminal offence data, including [give details of criminal offence data]. We process this data for the legitimate interest of:-

  • [list the legitimate interests pursued by processing these types of data. The legitimate interests may be the same or similar to those listed in the ‘Legitimate Interests’ section above for non-sensitive personal data].

The conditions we rely upon for processing this data are:

  • for special categories of data – [list chosen condition(s) from Article 9]; and
  • for criminal offence data – [list chosen condition(s) from Schedule 1 of the Data Protection Act 2018].

Detailed Reading

Due to the particular sensitivity of special category data and criminal offence data, we recommend that you read the ICO’s detailed guidance before deciding on a condition to rely upon. Your decision making should be documented in writing. Whether a condition is available to you will depend on the facts of the processing. However, in most cases the condition of explicit consent (in Article 9 of the GDPR) is unlikely to be appropriate for surveillance and security processing of special category data.

You can read more about the requirements for processing special category data (including an explanation of the conditions) here:

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/special-category-data/

The ICO has also published a separate detailed guide to processing special category data, which you can access here:

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/special-category-data/

You can read more about the requirements for processing criminal offence data (including an explanation of the conditions from Schedule 1 of the Data Protection Act 2018) here:

https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/criminal-offence-data/