The ICO has given further guidance on the lawful basis of “processing in the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” (Art. 6(1)(e)).
You can rely on this lawful basis if you need to process personal data:
- ‘in the exercise of official authority’. This covers public functions and powers that are set out in law; or
- to perform a specific task in the public interest that is set out in law.
- It is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest.
- You do not need a specific statutory power to process personal data, but your underlying task, function or power must have a clear basis in law.
- The processing must be necessary. If you could reasonably perform your tasks or exercise your powers in a less intrusive way, this lawful basis does not apply.
- Document your decision to rely on this basis to help you demonstrate compliance if required. You should be able to specify the relevant task, function or power, and identify its statutory or common law basis.
- Update your privacy notice accordingly, specifying the lawful basis.
“Laid down by EU or domestic law”
Art. 6(3) states that the task or authority in Art. 6(1)(e) must be laid down by EU or domestic law.
This will most often be a statutory function. However, Recital 41 clarifies that this does not have to be an explicit statutory provision, as long as the application of the law is clear and foreseeable. This means that it includes clear common law tasks, functions or powers as well as those set out in statute or statutory guidance.
- The ICO states that you do not need specific legal authority for the particular processing activity, but your overall purpose must be to perform a public interest task or exercise official authority, and that overall task or authority must have a sufficiently clear basis in law.
Who can rely on this basis?
The ICO notes that this includes any organisation that is exercising official authority or carrying out a specific task in the public interest. The focus is on the nature of the function, not the nature of the organisation. For example, private water companies can rely on this basis even if they do not fall within the definition of a public authority, because they are considered to be carrying out functions of public administration and exercise special legal powers to carry out utility services in the public interest (but note that private sector organisations are likely to rely on the legitimate interests basis as an alternative).
When can we rely on this basis?
The Data Protection Bill includes a draft clause clarifying that the public task basis will cover processing necessary for:
- the administration of justice;
- parliamentary functions;
- statutory functions; or
- governmental functions.
However, this is not intended as an exhaustive list. If you have other official non-statutory functions or public interest tasks you can still rely on the public task basis, as long as the underlying legal basis for that function or task is clear and foreseeable.
For accountability purposes, you should be able to specify the relevant task, function or power, and identify its basis in common law or statute. You should also ensure that you can demonstrate there is no other reasonable and less intrusive means to achieve your purpose.
- Individuals’ rights to erasure and data portability do not apply if you are processing on the basis of public task, but they do have a right to object.
- If you are a public authority (as defined in the Data Protection Bill), your ability to rely on consent or legitimate interests as an alternative basis is more limited, but they may be available in some circumstances. In particular, legitimate interests is still available for processing which falls outside your tasks as a public authority.
- If you are processing special category data, you also need to identify an additional condition for processing this type of data. The Data Protection Bill includes specific draft conditions for parliamentary, statutory or governmental functions in the substantial public interest – more guidance on this and other conditions will follow when the Bill is finalised.
ICO Commissioner outlines what public bodies can expect from the regulator and what she expects in return (at the Association of Chief Executives and Public Chairs Forum joint event, 2nd Feb 2018)
Main points from her speech:
- The ICO will soon be publishing an overview/roadmap to help organisations navigate the Data Protection Bill
- Organisations must also take into account the NIS directive (reporting rules for organisations that suffer a cyber attack) and the e-Privacy Directive.
- This is a critical time to refresh policies and processes, upgrade staff training and revisit the organisation’s approach to data protection.
- The ICO is more focused on commitment than on compliance.
- Must foster a culture of transparency and accountability as to how you use your personal data
- Must equip staff with the training and tools they need to get data protection right.
- She believes that accountability is the most important aspect of the GDPR
- Organisations should be working on a framework that can be used to build a culture of privacy that pervades the entire organisation. Putting people in the centre of the design of your services and particularly in the adoption of new technologies.
- She will soon be publishing a blog setting out the essential steps for developing accountability in organisations.
- She notes that the GDPR mandates organisations to put into place comprehensive but proportionate governance measures.
- She also notes that good practice tools that the ICO has championed such as data protection impact assessments and privacy by design are now legally required in certain circumstances.
- The ICO is soon going to launch its first ever technology strategy, setting out its plans for the future.
- They will also soon be publishing new guidance that they’ve written with the National Centre for Cyber Security
- She emphasises that the ICO’s power of enforcement comes after their desire for education, engagement and empowerment
- She points out that the ICO runs voluntary audits to check that organisations are on the right track and to identify weaknesses or red flags before they cause real problems – a free service.
- The ICO are also developing a “sandbox” – a safe place for companies and public bodies to test the data durability of their innovations
- She concludes by stating that if you self-report breaches, engage with the ICO to resolve issues and can demonstrate effective accountability arrangements then you will find the ICO to be fair – enforcement will be proportionate and a last resort.
For more information on GDPR, contact firstname.lastname@example.org.