While the majority of the provisions contained in the GDPR apply to all data processors or data controllers, some requirements will be different for a public authority.
One of the first questions that data processors and data controllers will need to address is whether they are a public authority for the purpose of the GDPR.
The GDPR does not contain a definition of public authority and it has been left to national legislators to address this gap. This is an approach which will almost inevitably lead to differences in practice across Europe.
Currently, the UK’s Data Protection Bill (the Bill) at section 6 defines public authorities:
- by reference to the definitions in the Freedom of Information Act 2000 and the Scottish Freedom of Information Act 2002 (the FOIAs); or
- as otherwise designated by the Secretary of State.
As the Information Commissioner has already highlighted (in the ICO's consultation response on the Bill, pages 73-80), the definitions of a public authority in the FOIAs are wide, and this approach may impose onerous burdens on many smaller entities.
It follows that, in assessing whether it is a public authority, an entity will need to consider the FOIAs carefully, together with any regulations made under section 6, before it can determine its status.
Once an entity establishes that it is a public authority under the GDPR, it will become much more difficult to rely upon the consent of a data subject as a ground for processing data.
Under the GDPR, consent can only be relied upon as a processing ground where it is specific, informed, unambiguous and freely given. Guidance issued by the Information Commissioner's Office confirms that it will not usually be appropriate for public authorities to rely upon consent as a processing ground, because there is likely to be a clear imbalance of power between the public authority and the individual.
Public authorities will also no longer be able to rely upon the legitimate interests ground for processing carried out in the performance of their tasks. These changes mean that where a public authority has previously relied on consent, or has been processing personal data in reliance upon the legitimate interests ground, it will need to consider whether there is another ground that would entitle it to process, or to continue processing, that data.
While the GDPR will affect the ability of public authorities to rely upon consent and legitimate interests as processing grounds, it does confirm that action taken in the public interest will continue to be a ground for processing data available to public authorities.
This ground will apply when the processing of data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. A public interest justification may therefore give public authorities a relatively wide discretion to process data which may previously have been processed under the legitimate interests or consent grounds.
Finally, the GDPR requires a public authority to appoint a data protection officer. This person (who does not need to be an employee of the public authority) must have an expert knowledge of data protection law and practices and the ability to fulfil a number of tasks referred to in the GDPR. These tasks include:
- advising the public authority on its data protection obligations;
- monitoring compliance;
- training staff; and
- engaging with the Information Commissioner’s Office.
This is an important role and one that must be filled by someone with appropriate data protection expertise; otherwise the public authority will expose itself to the risk of a large fine for non-compliance with the GDPR.