For the processing of personal data to be lawful, it must be processed on a ‘lawful basis’.1
This includes:
Legal obligation: the processing is necessary to comply with the law (not including contractual obligations); or
Public task: the processing is necessary to perform a task in the public interest or in the exercise of official authority vested in you as the data controller; or
Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks); or
Consent: the individual has given clear consent for you to process their personal data for a specific purpose. For further information see the ICO’s guidance on consent.
Processing personal data without a lawful basis runs the risk of enforcement activity, including substantial fines, issued by the ICO. For further information, see our guidance on data protection breaches and sanctions.
The ICO have advised that in the main, the processing of personal data by EROs and ROs is likely to fall under the lawful basis that it is necessary for the performance of a task carried out in the public interest or in the exercise of the official authority vested in the controller.
As RO, you may determine that there are areas where you are required to process personal data as part of your statutory functions for the safe and proper conduct of an election. One example is sharing candidate contact details (such as phone numbers and email addresses) with your police force elected-official adviser (FEOA) to enable them to share security guidance updates directly with candidates. In this instance, you will need to ensure that you can demonstrate the lawful basis for processing this personal data, and that candidates are given the ability to opt out of their data being shared. You should ensure your privacy notice is up to date and suitable for this purpose.
It is for you to determine what the lawful basis for processing the data is, and to document your approach.
You must clearly set out in your privacy notice which lawful basis you are relying on for processing and cite the relevant UK law where applicable. You may rely on more than one legal basis if you consider it appropriate.