Staying legit

In what circumstances will a public authority be able to disclose personal data for Freedom of Information purposes following the introduction of the GDPR? Jon Baines investigates.

Data protection law requires that for personal data to be processed there must be at least one legitimising basis - for instance that the data subject has given consent, or that the processing is necessary for the performance of a task carried out in the public interest, or that processing is necessary for the purposes of the legitimate interests of the data controller (or a third party to whom the data is disclosed) except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

This last is generally known as the "legitimate interests" condition, and is the one which will usually, for instance, permit a public authority to disclose low-risk personal data under freedom of information (FOI) law.

The disclosure of personal data under FOI will, as a matter of course, involve a balancing of the interests of the data subject and of the data controller or the third party or parties to whom the data are disclosed.

There has been considerable analysis of the exercise of the relevant existing provision (in Schedule 2 of the Data Protection Act 1998 and Article 7(f) of Directive 95/46/EC) - see in particular the judgment of the Upper Tribunal in Goldsmith International Business School v IC and Home Office (GIA/1643/2014).

However, the General Data Protection Regulation (GDPR), made on 27 April 2016 and which will apply directly across the European Union from 25 May 2018, purports to prevent any public authority from relying on the legitimate interests condition: article 6(1) says the condition "shall not apply to processing carried out by public authorities in the performance of their tasks" and recital 47 provides the gloss that this is because "it is for the legislator to provide by law for the legal basis for public authorities to process personal data".

This would appear to tie, of course, to long-established concepts surrounding public authority vires, and the general position that such bodies were permitted only to do things that they had specific statutory powers to do. But is the position quite so straightforward as it appears?

In a specific local government context, the Local Government Act 2000 gave local authorities the power to do anything which they considered was likely to promote or improve the economic, social or environmental well-being of their area, and then the Localism Act 2011 extended this yet further to a "general power of competence" to "do anything that individuals generally may do".

The result of the exercise of these powers has been, in some areas, the setting up of companies to trade for commercial purposes or for spending local authority funds on particular purposes. Furthermore, there are some things which public authorities do which, in effect, all organisations need to do - such as employ and manage staff, manage buildings or other property and operate IT systems.

Some or all of these functions will necessarily involve the processing of personal data and may not be able to avail themselves of the other legitimising conditions in data protection law - if so, is GDPR proposing that public authorities might not be able to do these things?

Surely not, and the answer to the conundrum may lie in closer analysis of GDPR's wording. In its 2014 Opinion on "the notion of the legitimate interests of the data controller" the Article 29 Working Party (the representative body of data protection authorities of the EU) alluded to “the general principle that public authorities, as a rule, should only process data in performance of their tasks if they have appropriate authorisation by law to do so”.

But it also noted the wording of the then draft GDPR, and the fact that what became article 6(1) ousted public authorities from relying on a legitimate interests condition. And it offered two differing interpretations.

First, if article 6(1) were to be interpreted strictly, as not permitting public authorities ever to rely on the legitimate interest condition, then other conditions in article 6 would have to be construed more expansively.

Specifically: “If this provision is enacted and will be interpreted broadly, so as to altogether exclude public authorities from using legitimate interest as a legal ground, then the ‘public interest’ and ‘official authority’ grounds of Article 7(e) would need to be interpreted in a way as to allow public authorities some degree of flexibility, at least to ensure their proper management and functioning”.

Second, in the alternative, “the terms 'processing carried out by public authorities in the performance of their tasks' [could] be interpreted narrowly.

This narrow interpretation would mean that processing for proper management and functioning of these public authorities would fall outside the scope of 'processing carried out by public authorities in the performance of their tasks'. As a result, processing for proper management and functioning of these public authorities could still be possible under the legitimate interest ground”.

The finalised text of article 6(1) of the GDPR does not differ in any substance from that of the original draft. So on the basis of that 2014 Working Party Opinion, there might be a lack of certainty or clarity.

However, the domestic Data Protection Bill, introduced in the House of Lords in September, suggests that the UK may be taking the latter of the Working Party's options (despite the fact that at the Bill’s initial reading the opposite view obtained).

In recent debate the Lords agreed an amendment to the effect that an authority or body is only to be considered a public authority (and thus constrained from relying on the “legitimate interests” condition) when it is performing a task carried out in the public interest or in the exercise of official authority vested in it.

This amendment, and the debate which led up to its agreement, largely focused on the status of higher education bodies, and their ability to undertake processing activities which could not obviously avail themselves of the “public interest” and “official authority” grounds.

Notwithstanding this, the position under FOIA would remain problematic: responding to a FOIA request clearly is performing a task carried out in the public interest or in the exercise of official authority vested in a data controller.

So how might public authorities effect disclosure of personal data under FOI? The answer here lies in Schedule 18 to the Data Protection Bill, which deals with "minor and consequential amendments".

Paragraph 7 of that Schedule proposes to amend the Freedom of Information Act 2000 (FOIA) so that, when determining the lawfulness of FOI disclosure of personal data, a public authority can (and only in those circumstances) in fact rely on the legitimate interests condition.

Such a proposed amendment would presumably help to meet the UK's obligation under GDPR to reconcile the right to the protection of personal data with the right to freedom of expression and information (Article 85), although query whether it is a permissible variation to the GDPR (which the Bill effectively seeks to incorporate into domestic law, as a precursor to a desired finding by the European Commission of data protection adequacy, once the UK becomes a "third country" under Brexit).

Such an apparently small detail might not trouble the Commission greatly, but too wide a divergence in the Bill from the GDPR’s provisions may have the effect of making an adequacy determination less likely.

Jon Baines is Chair of NADPO, the National Association of Data Protection Officers.

This article was first published in the February edition of Local Government Lawyer Insight, which can be accessed at http://www.localgovernmentlawyer.co.uk/insight

Insight is published four times a year and is circulated free-of-charge to all Local Government Lawyer newsletter subscribers in electronic format. A single hard copy is also circulated to all local authority legal departments in England and Wales.

Additional printed copies are available for just £49.95 for four issues. Multiple copies are also available at £149.95 for five or £249.95 for 10. Payment can be made by purchase order/invoice or by credit/debit card. To order, please call 0207 239 4917.