GDPR sets out six lawful basis for processing data. Unless an exemption applies, at least one of these will apply in all cases. It is possible for more than one to apply at the same time. One of the new requirements for Privacy Notices is that you must set out in the Privacy Notice the Lawful Basis you are relying on. Often as a Council you will be performing tasks in the public interest, under a legal obligation - a good example is personal data contained in a planning application. You are handling that because you are complying with a legal obligation. So the activity you are undertaking using personal data is a requirement of legislation. Councils are also likely to be handling data whilst undertaking a statutory power or as a result of contractual necessity. Your data audit will help you understand this better.

For most Councils, the relevant ones will be:

  • consent (but not for staff, councillors and other role holders).
  • Compliance with a legal obligation which includes performance of statutory obligations.
  • Contractual necessity (eg with contractors).

Check out the ICO website to increase your knowledge further.

***SALC has published a helpful leaflet which can be shared with the council***