Vital interest is one of the recognisable legal basis for the processing of special categories of personal data. From Article 7(1)(d) of the repealed Directive 95/46 to Article 6 (1)(d) of the GDPR, there is a provision for processing personal data on the grounds of protecting the vital interest of data subjects or any other persons.
In the wake of the COVID-19 pandemic, vital interest would have most likely been considered by some data controllers as a lawful basis for large-scale processing of personal data for humanitarian reasons like monitoring the spread of the virus or surveying and protecting the public during national disasters.
This article will examine the full scope of vital interest as a legal basis for processing personal data, and the jurisprudence behind this basis. It will also juxtapose the provision of the EU GDPR with those of other African jurisdictions; particularly Nigeria, South Africa, and Kenya.
Vital Interest under the EU GDPR
Vital interest as a legal basis for data processing may appear to give broad allowance for data processing without consent, however, under the GDPR, vital interest is meant to cover things essential for a person’s life. That is to say strictly, it refers to matters of life and death. The lawful basis of vital interest has proved to be quite vital (pun intended) in the sense that it serves to fill the lacuna that would have existed in instances where the life or health of a data subject was at stake and none of the other lawful basis would suffice for processing personal data necessary for handling such emergency. The GDPR provides as follows;”
“Processing shall be lawful only if and to the extent that at least one of the following applies:
- d) processing is necessary in order to protect the vital interests of the data subject or of another natural person”
Recital 46 of the GDPR establishes instances where vital interest will be regarded as a valid lawful basis for processing.
To explain the scope and instances where this lawful basis will be valid, two scenarios will be instructive.
Case Study 1: There has been a fatal accident along the Benin-Ore highway. Five passengers have been severely injured, lost a lot of blood, and are now unconscious. They have been taken to a hospital, but they need to get blood transfusions to survive. The hospital has no prior knowledge of the medical record of these patients to enable them to administer the proper blood type. They have now requested the medical history of the patients from their families to enable them to proceed.
The above scenario is the most typical occurrence that may raise privacy concerns, except that these kinds of cases have been captured in the GDPR to fall within the vital interest legal basis. This basis provides the one instance where it would be necessary to override the right to the confidentiality of a data subject’s personal data, in matters of life and death and proceed to process personal data without the consent of the data subject.
Usually, the personal data required in life and death situations are medical records. which are sensitive data and fall under the special category of personal data, and by the provisions of Art. 9(1) of the GDPR the processing of these special categories of data is prohibited. However, there are exceptions, one of which is captured within Art. 9(2)(c) that if the processing is for the protection of the vital interest of the data subject or any other person who is incapable of giving consent. However, the processing of personal data based on the vital interest of another natural person should only be applied where the processing cannot be manifestly based on another legal basis.
Case Study 2: In 2020 during the COVID-19 pandemic, based on the directive issued by Nigeria Centre for Disease Control (NCDC) mandating residents of Nigeria to know their COVID-19 status and employers to ensure their employees take the test, and if found to be positive, proceed with treatment/vaccine. On that basis, XYZ Ltd issued a memo informing all staff to present their COVID-19 status to the company upon onsite resumption, the essence being to curb the spread of the pandemic and save the lives of people.
Based on the above scenario, it may look as though XYZ Ltd. can rely on vital interest as a lawful basis for processing the medical record of its staff (they are saving lives, right?), it would not suffice because there is another lawful basis upon which the controller can rely upon—legal obligation, while NCDC would rely on public interest as its own basis for processing.
Now that we have understood the lawful basis of vital interest under the GDPR, let us juxtapose it with the relevant data protection legislation of some African States.
The Lawful Basis of Vital Interest under Various African Jurisdictions
The lawful basis of vital interest features in the data protection legislation of some African states; the focus of this paper is Kenya, Nigeria, and South Africa. With the GDPR being the gold standard for privacy protection, other jurisdictions are enjoined to mirror it. The point here is that the legislations of these states are very similar to the provisions of the GDPR, in fact, the provision on vital interest as a lawful basis is the same in the NDPR of Nigeria and DPA of Kenya. However, under South African jurisdiction, it is different. Vital interest lawful basis is referred to as “legitimate interest of data subject” lawful basis.
Under the POPIA, data protection covers not just natural persons, but legal entities as well. By section 1 POPIA, ‘‘data subject’’ means “the person to whom the personal information relates”. And ‘‘person’’ means “a natural person or a juristic person”. This is different under the GDPR, DPA, and NDPR where a data subject means a natural person only. By Section 11(1)(d) POPIA,
“personal information may only be processed if the processing protects the legitimate interest of the data subject”.
This means that one will be able to rely on the legitimate interest of the data subject as the lawful basis if one needs to process personal information to protect someone’s life (or the financial survival of a juristic person – business rescue). Under the GDPR, NDPR, and DPA Kenya, there is no provision for business rescue under the lawful basis of vital interest/legitimate interest of data subject.
Conclusion
The jurisprudence behind the provision of vital interest as a legal basis based on the protection of data subjects would be that in protecting the rights and fundamental freedoms of individuals, the law anticipated instances where it would be most expedient to process personal data even if no other basis would suffice. This basis is therefore a justification for going past a person’s right to confidentiality while attempting to save that life, but it has to be within the contemplated instances for applying vital interest.
Contributor(s):
Precious R. Nwadike
Victory A. Osehonmen
image source: www.vecteezy.com
