Skip to main content
MyOIA

PERSONAL DATA - The lawful bases for processing personal data

The lawful bases for processing personal data

The lawful basis we rely on for processing personal data when we are reviewing student complaints is Article 6 (1)(e) of the UK GDPR: that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The OIA is the designated operator of the student complaints scheme established under the Higher Education Act 2004. This gives us official authority to operate a scheme for the review of student complaints.

We may also rely on UK GDPR Article 6 (1) (f): that processing is necessary for the purpose of our legitimate interests. We rely on this lawful basis when carrying out analysis of trends and themes in complaints to support our good practice work, and when asking for feedback to help us improve our service.

When we process special category data as part of our review of a student’s complaint, we rely on Article 9 (2) (g) of the UK GDPR, that processing is necessary for reasons of substantial public interest. The charitable purpose of the OIA is the advancement of education through the independent, impartial and transparent review of unresolved student complaints and the active promotion of good practice in preventing and handling complaints. It is in the public interest that students are able to seek an independent review of their complaints, and that the entire higher education sector should benefit from the learning derived from those reviews.

In some circumstances, we may also rely upon Article 9 (2) (e): Processing relates to personal data which are manifestly made public by the data subject.

When we are using special category data to carry out analysis of trends and themes in complaints, we rely on Article 9 (2) (j), archiving, research and statistics.

When we process personal data about criminal offences as part of our review of a student complaint, we rely on the conditions set out in the Data Protection Act 2018 Schedule 1 Part 2 paragraph 11( protecting members of the public against failures in service) and paragraph 12 (regulatory requirements).