The ICO exists to empower you through information.

Latest updates - 18 December 2023

18 December 2023 - We have amended the example given, based on feedback received from stakeholders to help clarify when this lawful basis is likely applicable.

At a glance

  • You are likely to be able to rely on vital interests as your lawful basis if you need to process the personal data to protect someone’s life.
  • The processing must be necessary. If you can reasonably protect the person’s vital interests in another less intrusive way, this basis will not apply.
  • You cannot rely on vital interests for health data or other special category data if the individual is capable of giving consent, even if they refuse their consent.
  • You should consider whether you are likely to rely on this basis, and if so document the circumstances where it will be relevant and ensure you can justify your reasoning.

In brief

What does the UK GDPR say?

Article 6(1)(d) provides a lawful basis for processing where:

“processing is necessary in order to protect the vital interests of the data subject or of another natural person”.

Recital 46 provides some further guidance:

“The processing of personal data should also be regarded as lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another natural person should in principle take place only where the processing cannot be manifestly based on another legal basis…”

What are ‘vital interests’?

It’s clear from Recital 46 that vital interests are intended to cover only interests that are essential for someone’s life. So this lawful basis is very limited in its scope, and generally only applies to matters of life and death.

When is the vital interests basis likely to apply?

It is likely to be particularly relevant when you need to use a person’s personal data for emergency medical care, but they are unconscious or otherwise incapable of giving consent to the processing.

Example

A member of staff has experienced a severe, life-threatening allergic reaction at work and has fallen unconscious. Their employer calls for an ambulance and provides details of the employee’s health information to the ambulance crew. The disclosure is necessary in order to protect their vital interests.

It is less likely to be appropriate for medical care that is planned in advance. Another lawful basis such as public task or legitimate interests is likely to be more appropriate in that case.

Processing of one individual’s personal data to protect the vital interests of others is likely to happen more rarely. It may be relevant, for example, if it is necessary to process a parent’s personal data to protect the vital interests of a child.

Vital interests is also less likely to be the appropriate basis for processing on a larger scale.  Recital 46 does suggest that vital interests might apply where you are processing on humanitarian grounds such as monitoring epidemics, or where there is a natural or man-made disaster causing a humanitarian emergency.

However, if you are processing one person’s personal data to protect someone else’s life, Recital 46 also indicates that you should generally try to use an alternative lawful basis, unless none is obviously available. For example, in many cases you could consider legitimate interests, which will give you a framework to balance the rights and interests of the data subject(s) with the vital interests of the person or people you are trying to protect.

What else should we consider?

In most cases the protection of vital interests is likely to arise in the context of health data. This is one of the special categories of data, which means you will also need to identify a condition for processing special category data under Article 9.

There is a specific condition at Article 9(2)(c) for processing special category data where necessary to protect someone’s vital interests. However, this only applies if the data subject is physically or legally incapable of giving consent. This means explicit consent is more appropriate in many cases, and you cannot in practice rely on vital interests for special category data (including health data) if the data subject refuses consent, unless they are not competent to do so.

In more detail - ICO guidance

We have produced the lawful basis interactive guidance tool, to give tailored guidance on which lawful basis is likely to be most appropriate for your processing activities.