Data Protection Act 2018 and legal basis for processing

All the personal information that we collect and use is handled in accordance with the Data Protection Act principles. These state that personal data processing must be:

  1. lawful and fair
  2. specified, explicit and legitimate
  3. adequate, relevant and not excessive
  4. accurate and kept up to date
  5. kept for no longer than is necessary
  6. held securely

Under GDPR our legal basis for processing staff information is :

Article (6) (1) (e), the performance of a task carried out in the public interest or in the exercise of the controller’s official authority,

Article 9 (2) (b), necessary for the carrying out of obligations under employment, social security or social protection law, and

Article 9 (2) (h), necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems or services.

Last updated: April 30, 2020