Lawful basis for processing personal information
20. Before any processing activity starts for the first time, the purpose(s) for the processing activity and the most appropriate lawful basis (or bases) for that processing must be selected and logged within the Authority’s data inventory:
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Authority
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
- processing is necessary for compliance with a legal obligation to which the Authority is subject
- processing is necessary in order to protect the vital interests of the data subject or of another natural person
- processing is necessary for the purposes of the legitimate interests pursued by the Authority or by a third party (Article 6(1)(f) of the General Data Protection Regulation states that legitimate interests do not apply to processing carried out by public authorities in the performance of their tasks. However, the Information Commissioner’s Office indicates that where there are other legitimate purposes outside the scope of its tasks as a public authority, legitimate interests may be considered where appropriate (particularly relevant for public authorities with commercial interests), subject to an appropriate test. In practice this lawful basis has not been used by the Authority in assessing its data processing requirements.)
- the data subject has given consent to the processing of his or her personal information for one or more specific purposes. Agreement must be indicated clearly either by a statement or positive action to the processing. Consent requires affirmative action so silence, pre-ticked boxes or inactivity are unlikely to be sufficient. If consent is given in a document which deals with other matters, the consent must be kept separate from those other matters.
21. Where consent is relied on, data subjects must be easily able to withdraw consent to processing at any time and withdrawal must be promptly honoured. Consent may need to be refreshed if personal information is intended to be processed for a different and incompatible purpose which was not disclosed when the data subject first consented.
22. Staff must be satisfied that the processing is necessary for the purpose of the relevant lawful basis (and that there is no other reasonable way to achieve that purpose).
23. The decision as to which lawful basis or bases apply must be documented, to demonstrate compliance with the data protection principles. Information about both the purpose(s) of the processing and the lawful basis for it must be provided in the Authority’s relevant privacy notice(s).
24. Where a significant privacy impact is identified, a data protection impact assessment (‘DPIA’) may also need to be conducted.