In practice, the ICO has a very simple test for fair processing:
Do data subjects know (i.e. have they been fairly informed about) what processing of their data you’re intending to do?
That’s it – is the organisation being completely honest?
If yes, that’s fair processing.
If no, that’s not “fair processing”.
It’s that simple. It’s not a high bar, and it’s not a complex bar.
If you end up in trouble, it’s because of surprises – you weren’t completely honest with the data subjects about what you were going to do.
With regard to fair processing, the ICO doesn’t make a distinction as to whether or not you should do something; it solely looks at whether you said you would. The ICO is often seen as facilitating data flows, because this test isn’t what people often seem to think it is.
The ICO considers itself to have one job in this regard, defined by the Data Protection Act, and that human rights are the remit of a Court. If someone is honest and informs you that they are using your data to breach your human rights, the ICO believes this is not a consideration for the data protection authorities. This may be an incomplete or incorrect reading of the law, but it is the position the current ICO has taken.
In many controversial cases, organisations themselves – including the Government, Ministers and the NHS – all add additional requirements. These are not data protection constraints; they are moral constraints, other legal constraints, or ‘ministerial gifts’ (e.g. the care.data opt out).
Remember, it’s only fair processing so long as what you tell people you’ll do matches what you actually do. (You can tell them you’ll do something and not do it – that’s still fair processing.)
When you want to do something new with data, if that wasn’t in the old rules, you need to tell people about the new rules. It is here that NHS England’s various data grabs have run into trouble, mainly because they don’t want to tell people quite what it is they want to do.
So in short, be completely honest.
No wonder the political machinations in the Department of Health and NHS England keep screwing it up…
P.S. Complaints about “fair processing” basically boil down to, “we don’t want to be honest with you”. Any fines simply show that you weren’t honest; one reason organisations get fined for losing data is because they’ve said that they won’t. If they didn’t say that, then losing your data mightn’t be a breach in those terms – but then no-one would do business with them. Which is why such promises get made in the first place.