GDPR – when is a public authority not a public authority?


As the General Data Protection Regulation (2016/679) (the “Regulation”) is now in force after many months of publicity, analysis and some scaremongering, it will be interesting to see how things develop in the next few months and what comes to be considered “market” and best practice when demonstrating compliance with the legislation.

Under Article 6(f) of the Regulation, one of the lawful bases for processing personal data is where processing is necessary for the purposes of legitimate interests pursued by the data controller or a third party (“Legitimate Interests”). These Legitimate Interests need to be weighed against the interests or fundamental rights and freedoms of the data subject. Such fundamental rights and freedoms can override the Legitimate Interests of the data controller or third party, so a controller may not always be able to rely on Legitimate Interests as the basis for processing.

Legitimate Interests cannot be claimed for processing carried out by a public authority in the performance of its tasks. The idea is that there is a specific lawful basis for such processing under Article 6(e) of the Regulation, which applies where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (“Public Interest/Official Authority”).

This has led many to believe that there is a blanket prohibition on public authorities relying on Legitimate Interests for the purposes of processing personal data. However, the wording of Article 6 requires further consideration in light of the Data Protection Act 2018 (the “Act”).

The Act supplements the Regulation and provides that a public authority as defined by the Freedom of Information Act 2000 is a “public authority” for the purposes of GDPR. NHS trusts, NHS Foundation Trusts and certain other NHS bodies will be well aware of their status as public authorities from a freedom of information point of view. They are therefore also considered to be public authorities from a GDPR point of view. However, section 7(2) of the Act provides that a public authority is only a public authority when performing a task carried out in the public interest or in the exercise of official authority vested in it.

Section 8 of the Act further provides that for the purposes of Article 6(e) of the Regulation (Public Interest/Official Authority), the performance of a task in the public interest or in the exercise of official authority vested in the controller essentially means the exercise of any statutory function.

So when is a public authority not a public authority? When it is not performing a statutory function!  There are many activities that NHS trusts, NHSFTs and other NHS bodies undertake in addition to their statutory functions. In such circumstances, they may not be able to rely on Article 6(e) (Public Interest/Official Authority) as the basis for processing personal data. They will need to consider another basis for processing such personal data, which can include Legitimate Interests.

Whether or not a public authority can rely on Article 6(e) (Public Interest/Official Authority) for processing personal data will require an analysis of the statutory functions of the relevant public authority in each case, as the statutory functions of NHS trusts, NHS Foundation Trusts and other NHS bodies are all different. NHS bodies need to be mindful of this when considering the lawful basis for processing personal data.

If you require any further information or advice on GDPR, please contact the GDPR team.

