In many cases it may be possible, for an institution, to provide online services without the release of information that identifies a particular person, and in this case, no data protection issues arise. However, in other circumstances, identity will be necessary to the provision of access or personalisation. The processing of personal information will only be legal if done in compliance with the principles laid down by the Data Protection Act 1998. The first, core principle requires processing (including transfer) to be fair and lawful. In order to meet this requirement, one of the "Schedule 2" conditions for processing must be met. The most commonly relied on condition is "consent", in other words, that the data subject has agreed to the processing after having reasonable notice of what processing is proposed.