Legal Basis for Data Processing Guide
Whenever the university Processes Personal Data in any way, it must have a valid reason—a legal basis—for doing so. There are six legal bases for Processing Personal Data:
- the Data Subject has given consent to the Processing of their Personal Data for one or more specific purposes;
- the Processing is necessary for the performance of a contract to which the Data Subject is party;
- the Processing is necessary for compliance with a legal obligation to which The New School is subject;
- the Processing is necessary in order to protect the vital interests of the Data Subject or of another natural person;
- the Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in The New School; or
- the Processing is necessary for the purposes of the legitimate interests pursued by The New School or by a third party.
There are additional criteria that must be satisfied when processing Special Categories of Personal Data.
The majority of Personal Data Processing performed by The New School is justified under the basis of legitimate interests; some Processing is justified under the bases of performance of a contract or compliance with legal obligations. Consent is, for the most part, only used for marketing activities and in some research situations.
The following sections describe each of the legal bases for Processing, and the additional criteria for Processing Special Categories of Personal Data, in more detail.
In general, consent should be considered the “legal basis of last resort.” It should only be used if none of the other legal bases (such as legitimate interests, performance of a contract, or compliance with a legal obligation) are applicable (except for marketing and some research activities, where consent is always required). Contact the Information Security and Privacy Office if no other legal basis besides consent can be identified.
Consent should be given by a clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of the Data Subject’s agreement to the Processing of their Personal Data.
Consent is an inappropriate legal basis for Processing if Data Subjects do not have a genuine choice over how Personal Data about them is being used. This would be the case, for example, if the data could still be Processed under a different legal basis if consent were refused or withdrawn. In those circumstances, consent would be misleading and inherently unfair.
Freely given consent means that people have a genuine choice and control over how the Data Controller uses their Personal Data. This means that the Data Subject must be able to refuse to give consent without any detriment, and must be able to withdraw consent easily at any time. There must be no imbalance in the relationship between Data Controller and Data Subject. Consent must not be a prerequisite for provision of a service.
Imbalance of power
Consent is not an appropriate legal basis for Processing if there is a clear imbalance of power between the Data Controller and the Data Subject. This is because consent cannot be considered to be freely given if Data Subjects feel they have no choice but to agree to the Processing. For example, Data Subjects may depend on a service or fear adverse consequences if they do not consent.
Condition of service
If a Data Controller arranges for a service to be dependent on the Data Subject consenting to Processing, then consent will not be valid as it won’t be freely given. However, providing incentives, such as loyalty schemes, is possible to some extent.
Staff and students may be persuaded to sign up for Newcard Cash and as a reward for allowing participating retailers to send them special offers, they will receive coupons and a free cup of coffee on their birthday.
A lecturer asks students for consent to have their photos and contact details displayed on a public website linked to a project, and says otherwise they will not be able to participate in the project.
Human Resources asks potential employees for their consent to have their dates of birth, salaries, and private addresses transferred to the Newcard Cash system as otherwise they won’t be able to participate.
Specific and informed
For consent to be specific and informed, people must be informed of the identity of who is Processing their Personal Data. Both The New School and any third party Data Controllers relying on the consent will need to be expressly named. It is not enough to simply define a category of third parties.
You agree to The New School, and any recruitment agencies with whom we might consult, processing your personal data in order to help you with your career choice.
You agree for The New School to transfer your data to the university’s Careers Service to help you with your career choice.
People must also know what they are consenting to. This means information must be provided in the relevant privacy notice about all the purposes for which Personal Data is being processed.
Consent must be an unambiguous indication, which means that consent must be either a statement or a clear, affirmative action. Consent must be more than just confirmation that the person has read terms and conditions—there must be a clear signal that they agree to them.
Clear affirmative action means someone must take deliberate action to opt in. This could be through:
- checking an opt-in box
- signing a consent statement
- oral communication
- a binary choice presented with equal prominence (i.e., yes/no with neither option pre-selected)
- switching technical settings away from the default (the default must not result in opting in).
All consent must be “opt-in”—there is no such thing as “opt-out” consent.
Failure to opt out is not consent, and silence, inactivity, default settings, pre-checked boxes, or general terms and conditions may not be relied on as indicators of consent. Implied consent, however, is still possible in circumstances where the individual has shown consent through an action. Again, mere silence or inactivity is insufficient.
“Would all those who want to be in the conference photo please make their way onto the stage. We’ll publish the photo on the conference website.”
This would suffice for consent as conference participants have shown their consent through an action, i.e., going onto the stage.
At recruitment fairs or certain university functions, attendees may consent to receiving information material by providing their email address.
Conditions for consent
In addition to the main requirements for obtaining consent described above, the following conditions are also important.
If consent is used as the legal basis for Processing Data Subjects’ Personal Data, they have the right to withdraw their consent at any time. Therefore when consent is requested, details of how it can be withdrawn should also be provided. Withdrawing consent must be as easy as giving it. There should be an easily accessible one-step process which people can use on their own initiative at any time. If possible, people should be able to withdraw their consent using the same method as they gave it.
Once consent has been withdrawn, Processing must be stopped as soon as possible. However, if a person withdraws their consent it does not retroactively affect the Processing already undertaken. For example, if somebody has consented to participate in research, they will not be able to ask that data about them be removed from studies which have already been published, but they can change their mind about raw data about them being used in future studies.
An effective audit trail must be maintained to keep track of how and when consent was given, so that evidence can be provided if challenged. This means that records must be kept in order to demonstrate what the person has consented to, what information they were given, and when and in what way they consented.
Records must also be kept when people have withdrawn their consent. The consent record needs to be kept for as long as information about the Data Subject is kept for the purpose(s) covered by the consent.
The Information Security and Privacy Office requires the use of OneTrust’s “Universal Consent Manager” to obtain consent from Data Subjects and maintain consent records university-wide. Contact the ISPO for further information.
Consent requests must be clearly distinguishable from the rest of the text of the document or form being used; the request needs to be separate from other terms and conditions and easily identifiable as a request for consent. Either use a separate consent form or ensure that the consent request is kept separate at the bottom of a form.
Example of “bundled,” invalid consent
“We will collect your name, date of birth, and any medical conditions from you. We will process the information you have provided us in order to enable you to use the New School Recreation program and take part in classes. You agree to us passing your personal data on to our sponsor who will send you marketing material for sportswear with the university’s logo. We will also use the information you have provided us with to ensure you are kept informed of any new classes we offer. We will keep the information you have provided for as long as you are enrolled. We do not use automated decision-making or profiling.
Please sign here: ____________________.”
Wherever appropriate, Data Subjects should be provided with granular options to consent separately to different types of Processing. If consent is obtained for, say, processing Personal Data for displaying student photos on a website, separate consent should be obtained for using the photos for newsletters or for marketing purposes. Only if the activities are clearly interdependent or if providing a granular list of consent would be disruptive or confusing can a single option for consenting be used.
The most important factor is that clear, understandable explanations be given to people about what they are consenting to. Should the purposes for Processing the Personal Data change, it will be necessary to consider obtaining updated consent from people as there is no such thing as “evolving” consent.
How long does consent last?
There is no specific time limit for consent. Consent is likely to “degrade” over time, but the exact duration will depend on the context. Both the scope of the original consent and the Data Subjects’ expectations need to be taken into account.
Consent will need to be reviewed regularly to check that the relationship, Processing, and purposes have not changed. Processes must be in place to refresh consent at appropriate intervals.
A record of when and how consent was received and of the information provided to Data Subjects at the time of consenting must be kept.
Should Data Subjects withdraw their consent, suppression lists must be kept to manage the withdrawal of consent and ensure that these Data Subjects are not contacted and/or asked for consent again.
If Personal Data has been received from third party Data Controllers, it must be ensured that they obtained consent from the Data Subjects beforehand.
New School Recreation runs a promotion that gives members the opportunity to opt in to receiving emails with tips about healthy living to get in shape for the summer this year. As the consent request specifies a particular timeframe and end point—the summer break—the expectation will be that no more emails will be sent out once the summer is over. The consent will then expire.
Alumni & Development can, under the legal basis of legitimate interest, contact individuals who are not alumni of the university and ask them to become donors. If an individual refuses consent to any further communication, then that individual’s name and contact details must be entered into a suppression list to avoid any future contact.
Performance of a contract
Performance of a contract is an appropriate legal basis if
- Processing Personal Data is necessary for the performance of a contract, or
- if requested by the Data Subject, for the preparatory steps to enter into a contract.
This request does not have to be expressly worded—if prospective students submit an application to attend The New School, or prospective employees submit an application to work for the university, then their requests to process the data are implied.
It is important to note that the only requirement is for the Data Subject to be party to the contract. This means that if a Data Controller only acts as a facilitator to enable a Data Subject to enter into a contract with a third party, then this legal basis is applicable.
Human Resources evaluating a job applicant’s Personal Data to decide whether to make a job offer will be “steps taken at the request of the Data Subject prior to entering into a contract.”
Housing & Residential Education helping a student apply for an off-campus apartment to rent during the academic year even though they are not party to the contract.
Compliance with a legal obligation
Processing Personal Data for any statutory or legal obligation imposed on the university is legitimate if the Processing is necessary to comply with that obligation.
Sending employee data to the Internal Revenue Service for tax purposes, or sending student data to the Department of Homeland Security regarding visa applications.
Processing is necessary to protect the vital interests of the Data Subject or another natural person. Vital interests are only ever those relating to life and death issues. This legal basis will cover any emergency medical situation.
A student collapses during a lecture and is unconscious. The lecturer calls for an ambulance and gives the paramedics the student’s name and address.
This legal basis will apply only where the task carried out, or the authority of the Data Controller, is established by federal, state, or local law. This might include, for example, providing information about individuals to a public health authority during an epidemic or pandemic.
If Personal Data is to be used for purposes that do not relate to The New School's core functions (the ones described in the university's mission statement), processing may still be possible if it is necessary for the legitimate interests of the university or a third party, and does not negatively affect the rights and freedoms of the people whose Personal Data will be Processed. Thus, this legal basis requires a balancing of the legitimate interests of the university and/or the third party against the interests and fundamental rights of the Data Subject. When performing this balancing test, the Data Subject’s reasonable expectation of what is likely to happen to their Personal Data must always be considered. Processing must also meet the strict requirements of being “necessary.”
Moreover, to rely on legitimate interests as a legal basis, it is necessary to be aware of and make provisions for Data Subjects’ right to object to the processing. This means that if somebody can prove that their own rights and freedoms outweigh the university’s, then their objection to Processing must be taken into account and they must be opted out of the Processing. Data Subjects must be informed of this in every Processing communication they receive.
What are interests?
An “interest” is the broad stake The New School may have in the Processing, or the benefit that the university derives, or which society might derive, from the Processing. It must be real and not too vague.
Some interests are likely to be legitimate because they are “strictly necessary” for university administration or related legal compliance issues, particularly where there is no legal obligation to comply with, but the Processing is essential to ensure the university meets external or internal governance obligations.
Identity theft prevention—where the Processing is strictly necessary for the purpose of preventing identity theft. This could include verifying that an individual's name and address provided on a financial aid application are consistent with external information sources and other elements of the university's Red Flags Program.
Other interests are legitimate because they are a routine part of the activities of the university but other lawful reasons for processing are not practical or are not available.
Alumni newsletter—a regular newsletter to alumni could be sent with consent as the legal basis. However, since consent requires a positive indication, an opt-in, it is not practical to ask for consent. Experience has shown that the return is minimal. It is also unlikely that alumni’s rights and freedoms would outweigh the university’s interest in sending regular updates. (It would be appropriate, however, for the newsletter to provide instructions for unsubscribing.)
Regardless of the importance of the Processing activity to The New School, an assessment must be made to ensure the Processing meets the threshold required to rely on legitimate interests as a legal basis.
When is Processing in the university’s legitimate interests?
Below are some generic examples of Processing that will usually be in The New School's legitimate interests:
- Reasonable expectations—the fact that individuals have a reasonable expectation that the university will process their Personal Data for this purpose will help make the case for legitimate interests to apply when conducting the balancing test.
- Relevant & appropriate relationship—where there is a relevant and appropriate relationship between the individual and the university, such as between the university and its alumni.
- Network & information security—where the Processing of Personal Data is strictly necessary and proportionate for the purposes of ensuring network and information security.
- Suppression lists—once somebody has opted out of receiving communications, the university will keep a suppression list to ensure that the individual will not be contacted again. Keeping this suppression list is in the legitimate interest of the university.
Carrying out the legitimate interests assessment
In order to rely on its legitimate interests as a legal basis for Processing, The New School has to perform a three-stage assessment:
- identifying a legitimate interest,
- establishing that the Processing is “necessary,” and
- conducting a balancing test.
The legitimate interests can be those of the university or of a third party to whom the data may be disclosed, as long as the three-stage test is passed.
The Information Security and Privacy Office has created a Legitimate Interests Assessment in the OneTrust tool that should be used to perform this assessment. Contact the ISPO for further information.
Identifying a legitimate interest
The first stage is to identify a legitimate interest—what is the purpose for Processing the Personal Data and why is it important to the university?
Legitimate interests may be elective or business critical and can be those of the university or a third party to whom the Personal Data may be disclosed. It is possible that a number of parties may have a legitimate interest in processing the Personal Data. While it is only necessary to identify one legitimate interest, all relevant interests should be considered.
Performing a “necessary” test
It must be determined whether the Processing of Personal Data is “necessary” to achieve the objective(s). The adjective “necessary” is not synonymous with “indispensable,” but neither is it as broad as “useful” or “desirable.”
The Processing is not necessary if the purpose can be achieved by a less privacy-invasive method or by some other reasonable means. If there is no other way, then clearly the Processing is necessary. It is not, however, enough to argue that Processing is necessary only because the university has decided to operate its business in a particular way.
The New School Processes Personal Data about staff in order to employ them. It does so on the basis that the Processing is necessary to meet staff expectations and to comply with the university’s legal obligations as an employer.
However, if The New School were considering outsourcing its Human Resources functions to an overseas company and transferring staff data to that company, it is very unlikely the overseas transfer would meet the necessity test.
If there is another way to achieve the purpose but it would require disproportionate effort, then it may be possible to determine that the Processing is still necessary. If there are multiple ways of achieving the objective, then a Data Protection Impact Assessment (DPIA) should be used to identify the least intrusive Processing activity.
Finally, if the Processing is not necessary, then “legitimate interests” cannot be relied on as a legal basis for that Processing activity.
Performing a balancing test
The New School can only rely on a genuine legitimate interest where the rights and freedoms of the individual whose Personal Data will be Processed have been evaluated, and these interests do not override the university’s legitimate interest. This is determined by performing a balancing test.
The balancing test must always be conducted fairly, which means that due regard and weighting to the rights and freedoms of individuals must always be given.
There are several factors to consider when making a decision regarding whether an individual’s rights would override the university’s legitimate interest. These include:
- the nature of the interests;
- the impact of Processing;
- any safeguards which are or could be put in place.
The nature of the interests includes:
- The reasonable expectations of the individual: would or should they expect the Processing to take place? If they would, then the impact of the Processing is likely to have already been considered by them and accepted. If they have no expectation, then the impact is greater and is given more weight in the balancing test;
- The type of data: Special Categories of Personal Data are subject to stricter rules on their use. This must be a consideration in a balancing test; and
- The nature of the interests of the university: for example, is it a fundamental right, public, or other type of interest:
  - Does it add value or convenience?
  - Is it also in the interests of the individual?
  - If there may be harm as a result of the Processing, is it unwarranted?
The impact of Processing includes:
- any positive or negative impacts on the individual.
- any bias or prejudice to the university, third party, or to society of not conducting the Processing.
- the university needs to carefully consider the likelihood of impact on the individual and the severity of that impact. Is it justified? A much more compelling justification will be required if there is the likelihood of unwarranted harm occurring.
- the status of the individual—a customer, a child, an employee, or other.
- the ways in which data is processed, e.g., does the Processing involve profiling or data mining? Publication or disclosure to a large number of people? Is the processing on a large scale?
Any safeguards which are or could be put in place include:
- a range of compensating controls or measures which may be put in place to protect the individual, or to reduce any risks or potentially negative impacts of processing, identified through a DPIA, for example:
  - data minimization
  - additional layers of encryption
  - data retention limits
  - restricted access
  - opt-out options
  - Anonymization / Pseudonymization
  - encryption, hashing, salting
When the university is Processing Personal Data relating to children, or Special Categories of Personal Data, special care should be taken with the balancing test, as it may need to give additional weight to the rights of the individual.
For Special Categories of Personal Data, at least one of the following conditions must also be met.
Explicit consent of the Data Subject
To rely on explicit consent for Special Categories of Personal Data, the same basic requirements as those for consenting to the Processing of regular Personal Data apply. However, the requirements for explicit consent extend beyond that, which means that implied consent is not acceptable and the “clear affirmative actions” that meet the requirements for ordinary consent are not sufficient.
The key differences are that “explicit” consent must be affirmed in a clear statement (oral or written); it must specify the nature of the Special Categories of Personal Data; and the consent should be separate from any other consent.
A “clear statement” of explicit consent will be:
- A signature from the Data Subject
- A checkmark placed in an unchecked box by the Data Subject to say “I consent”
- An oral statement, “Yes, I agree”
Even in a written context, not all consent will be explicit.
Student Counseling Services provides the following to students registering for the service:
Email address (optional)—We will share your file with selected therapy centers and have them send you information to help you further.
Student Counseling Services provides the following to students registering for the service:
I consent to you sharing my file with selected therapy centers and receive emails from them.
In the first example, the students, while actively entering their email, still give implied rather than explicit consent. In the second example, they are giving a clear statement by checking the box.
If you intend to use explicit consent as your legal basis, see the guidance on consent.
Necessary for employment, social security, and social protection law
This legal basis is likely to be used in a Human Resources context where an employee’s sensitive Personal Data might be used to, for example, adapt a workstation. To rely on this legal basis, The New School must be able to identify a specific legal obligation or right, either by “reference to the specific legal provision or else by pointing to an appropriate source of advice or guidance” such as a government website or industry guidance.
Changing an employee’s status to part-time after an illness.
Necessary to protect the individual’s vital interests
This replicates broadly the legal basis for processing ordinary Personal Data—if a person is incapable of giving consent due to, for example, unconsciousness, medical data can be provided to the paramedics. This basis is very limited in scope; most data protection authorities agree that it only covers interests that are essential to someone's life, generally meaning matters of life and death.
Processing by not-for-profit bodies or associations
This condition does not apply to The New School; it only applies to bodies or associations existing for political, philosophical, religious or trade union purposes.
Manifestly made public by the Data Subject
Sensitive Personal Data can, for example, be considered to have been made public by the Data Subject through a media interview published in a newspaper or broadcast on television.
This legal basis can only be relied upon where there is a “deliberate act by the individual” to make the information public. Just because the information is in the public domain is not enough. Particularly in the case of publishing through social media, this will need to be considered on a case-by-case basis, where the following questions should be considered:
- Is the sensitive data in the public domain?
- Was the data made public by the individual themselves?
- Did the individual deliberately make the data public?
Where an individual has made data accidentally or unintentionally public, this legal basis cannot be used.
This does not include photographs, even though they might show the racial group or even the sexual orientation of an individual. Neither does it include information that a Data Subject has announced to a gathering of friends.
Establishment, exercise or defense of legal claims
This will cover most activities of attorneys (in-house and outside counsel) acting on behalf of the university and carrying out the university’s instructions.
Human Resources processes an employee’s sickness absence information with a view to seeking legal advice on an unfair dismissal allegation.
A School passes a student’s information about the student’s dyslexia on to the Office of the General Counsel as the student has threatened legal action, insisting that there was not enough extra time during an exam.
Substantial public interest
This legal basis allows for Processing of Special Categories of Personal Data for a variety of purposes in the public interest. Some of the purposes require a substantial public interest, whereas others require only that there is a public interest at stake. Public interest covers a wide range of values and principles relating to the public good, or what is in the best interests of society, rather than the best interests of a commercial entity. Substantial public interest means that the public interest must be genuine and of substance; it is not enough to make a vague or generic public interest argument.
Medical purposes and the provision of health or social care
This legal basis will be used in situations where the Processing is necessary for the purposes of occupational medicine and social care as well as preventative medicine and diagnosis, the provision of health care and treatment and also the management of health or social care systems and services.
The data processing must be carried out by a professional who is subject to the duty of confidentiality, or a non-professional who is subject to the same standards.
This covers medical professionals in Student Health Services and will also cover medical and genetic researchers.
In order to rely on this legal basis, the Processing must be necessary for reasons of public interest in the area of public health, and must be carried out by a health professional or someone else who owes a legal duty of confidentiality. Public interest requires there to be a “benefit to the wider public or society as a whole.”
The most likely area in which The New School might rely on this legal basis would be the Processing of sensitive Personal Data in cases of threats to health from infectious diseases. Should a case of, for example, COVID-19 or tuberculosis occur at the university, then the university will have the legal duty to notify the government to prevent the spread of the disease.
Archival, statistical and research purposes
If at all possible, all Personal Data—both Special Categories of Personal Data and ordinary Personal Data—should be Anonymized for archiving, research, and statistics. If that is not possible, then data protection legislation allows the activities to be carried out under suitable safeguards.
Archiving material from a conference by a School.
Conducting a longitudinal study that requires regular data from patients’ health records to be fed in. Complete anonymization would not be possible.
Providing information to the U.S. Department of Education.
| Jul 2020 | D. Curry |
Parts of this guideline are adapted from the University of Edinburgh’s guidance on the legal basis for data processing, the contents of which are used with permission.