GDPR – when is a public authority not a public authority?
As the General Data Protection Regulation (2016/679) (the “Regulation”) is now in force after many months of publicity, analysis and some scare mongering, it will be interesting to see how things develop in the next few months and what comes to be considered “market” and best practice when demonstrating compliance with the legislation.
Under Article 6(f) of the Regulation, one of the lawful bases for processing personal data is where processing is necessary for the purposes of legitimate interests pursued by the data controller or a third party (“Legitimate Interests”). These Legitimate Interests need to be weighed against the interests or fundamental rights and freedoms of the data subject, and those fundamental rights and freedoms can override the Legitimate Interests of the data controller or third party, so a controller may not always be able to rely on Legitimate Interests as the basis for processing.
Legitimate Interests cannot be claimed for processing carried out by a public authority in the performance of its tasks. The rationale is that there is a specific lawful basis for such processing under Article 6(e) of the Regulation, where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (“Public Interest/Official Authority”).
This has led many to believe that there is a blanket prohibition on public authorities relying on Legitimate Interests for the purposes of processing personal data. However, the wording of Article 6 requires further consideration in light of the Data Protection Act 2018 (the “Act”).
The Act supplements the Regulation and provides that a public authority as defined by the Freedom of Information Act 2000 is also a “public authority” for the purposes of the Regulation. NHS trusts, NHS Foundation Trusts and certain other NHS bodies will be well aware of their status as public authorities from a freedom of information point of view; they are therefore considered to be public authorities from a GDPR point of view as well. However, section 7(2) of the Act provides that a public authority is only a public authority when performing a task carried out in the public interest or in the exercise of official authority vested in it.
Section 8 of the Act further provides that for the purposes of Article 6(e) of the Regulation (Public Interest/Official Authority), the performance of a task in the public interest or in the exercise of official authority vested in the controller essentially means the exercise of any statutory function.
So when is a public authority not a public authority? When it is not performing a statutory function! There are many activities that NHS trusts, NHS Foundation Trusts and other NHS bodies undertake in addition to their statutory functions. In such circumstances, they may not be able to rely on Article 6(e) (Public Interest/Official Authority) as the basis for processing personal data. They will need to consider another basis for processing such personal data, which can include Legitimate Interests.
Whether or not a public authority can rely on Article 6(e) (Public Interest/Official Authority) for processing personal data will require an analysis of the statutory functions of the relevant public authority in each case, as the statutory functions of NHS trusts, NHS Foundation Trusts and other NHS bodies are all different. NHS bodies need to be mindful of this when considering the lawful basis for processing personal data.
If you require any further information or advice on GDPR, please contact the GDPR team.