KB 2023 004108 - [2025] EWHC 1824 (KB)

As will be apparent from the recitation of the various provisions of the UK GDPR and DPA 2018 above, the necessity of the particular processing will often be key to determining whether there has been a relevant breach of personal data protections. Thus, in the present case, questions arise as to whether the processing involved in JS1 was limited to what was “necessary” for the purpose of the data minimisation requirements or storage limitation requirements of article 5(1); whether it was “necessary” for the obligation, task or purpose relied on under article 6(1)(c), (e) (as further clarified by section 2 DPA 2018) or (f); whether, in respect of information relating to the claimants’ health, that processing was “necessary” to the establishment, exercise or defence of legal claims, as provided by article 9(2)(f); and, similarly, whether it was “necessary” for the purposes identified under article 17(3) and/or paragraph 5 of Schedule 2 to the DPA 2018.

As is common ground between the parties, what is “necessary” in each of these respects is to be understood as meaning “more than desirable but less than indispensable or absolutely necessary”: Cooper v National Crime Agency [2019] EWCA Civ 16 at [89]-[90]. This imports a proportionality approach, which is familiar in the balancing of potentially conflicting rights and expressly acknowledged in recital (4) of the UK GDPR (and see the observations of Baroness Hale in South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55 at [25]-[27]).

More specifically, where a controller contends that processing was necessary for the purpose of a legitimate interest, pursuant to article 6(1)(f) UK GDPR, a three-fold test arises: the court will need to be satisfied not only (i) that the controller was indeed pursuing a legitimate interest, and (ii) that the personal data was processed for that purpose, but also (iii) that the interests or fundamental freedoms of the data subject did not take precedence over that legitimate interest, something that will require consideration of the reasonable expectations of the data subject as well as the scale of the processing and its impact on that person (see the observations of the Court of Justice in Meta Platforms Inc (Case C-252/21) [2023] 5 CMLR 22 at [106]-[110] and Koninklijke Nederlandse at [37]-[45] and [54]).