An amendment to the Data Protection Bill, adopted by the House of Lords on 11 December, will diverge from the General Data Protection Regulation (GDPR) by allowing public sector bodies to rely on legitimate interest grounds when carrying out non-public tasks.
The amendment was made after much debate on the range of activities of public authorities and how these are regulated under UK data protection legislation. The amendment to the Bill provided much sought-after clarity on the restriction placed on public authorities' use of the legitimate interests exception for data processing under the GDPR.
Cause for amendment?
When the GDPR was announced, it restricted public authorities from relying upon legitimate interests as a legal basis for processing in cases where processing is carried out by a public authority in "the performance of its tasks".
The restriction caused concern for public authorities, particularly large organisations and universities that operate a portfolio of processing activities (public and non-public), outside of the usual performance of their tasks.
In these circumstances organisations rely on the legitimate interests exception as the legal basis for their processing activities, and being unable to rely on it would have been problematic.
In addition, for GDPR purposes, the UK Data Protection Bill states that an organisation will be deemed a public authority where it is a public authority for the purposes of the Freedom of Information Act 2000 or Freedom of Information (Scotland) Act 2002.
This means that a commercial entity that is owned by a local authority or other public bodies (including universities) is also subject to FOI laws. It would seem, particularly in the case of universities, difficult to argue that commercial activities such as alumni fundraising are tasks in the public interest and would therefore not benefit from the exception.
The amendment to the Data Protection Bill adopted by the House of Lords on 11 December 2017 makes it clear that all public sector bodies will only be treated as public authorities for data protection purposes (and therefore subject to the restriction on legitimate interests in the GDPR) "when performing a task carried out in the public interest or in the exercise of official authority vested in it".
Who does the amendment affect and how?
The amendment affects the public sector, particularly public authorities and other large organisations that carry out a range of activities, some of which are in the public interest and some of which are not.
The amendment allows public sector bodies to rely on the legitimate interest exception when carrying out non-public tasks and therefore other organisations with a range of activities will also benefit from the amendment.
The amendment is particularly useful for universities, schools and colleges that, prior to the amendment, were concerned that they could not process the personal data of alumni for fundraising purposes. The amendment changes this and permits use of the legitimate interests exception for processing of personal data in these circumstances.
The GDPR obliges data controllers to keep a log of all data that is processed and the legal basis for such processing. In light of this, all organisations carrying out a range of activities will need to be able to readily identify which activities are carried out in the public interest in "the performance of its tasks" and which are not, to ensure they are able to keep an accurate log of the legal basis used for each such processing activity.