When can data be processed legitimately?

Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:

at least one of the conditions in Schedule 2 to the Data Protection Act ("the Act") (see below) is met, and
in the case of sensitive data at least one of the conditions in Schedule 3 to the Act (see below) is also met.

Schedule 2:

Personal data may be processed:

with the consent of the data subject;
in the performance of a contract (for example to process a UCAS application as part of the admissions process);
if there is a legal obligation (for example under equal opportunities legislation);
for the protection of the vital interests of the data subject;
in the performance of public functions (for example in customs and excise matters);
in the legitimate interest of the data controller, unless it is prejudicial to the interests of the data subject.

Sensitive data may be processed:

with the explicit consent of the data subject. Although "explicit consent" has not been defined in the Act, the Information Commissioner's guidance on the requirements for "explicit consent" suggests that the consent of the data subject should be absolutely clear;
in performance of a legal obligation in the context of employment;
to protect the vital interests of the data subject where consent cannot be given or the data controller cannot reasonably be expected to obtain consent (the Information Commissioner advises that this should only take place if the situation is literally a matter of life or death);
to protect the vital interests of another person where the data subject has unreasonably withheld consent;
by some non profit-making bodies such as charities and trade unions;
where the sensitive data has been made public by the data subject;
where sensitive data is required for legal proceedings;
for certain public functions, such as the administration of justice;
for medical purposes.