Here’s why – and what the ICO has to say on the matter
As you’ll know if you’ve been taking an interest in GDPR (or, of course the DPA before that), if you’re going to process data, it has to be done lawfully. Come to think of it, that also applies if you’ve not much knowledge of the DPA / GDPR but want to run your business ethically and legally.
Not only is this a key principle (“Data must be processed lawfully, fairly and transparently” under point 1a of Article 5), but it’s also a requirement under Article 6 to determine exactly what your lawful basis is for processing data.
This is not something that you can always simply “look up” in a list (“if you’re doing X then your lawful basis will be Y”) – the controller has to exercise their judgement about why, exactly, they are allowed to do what they’re doing. Some of the lawful bases are pretty specific (necessary for the performance of a contract, necessary to protect vital interests of the data subject or another person) whereas others are more vague.
It’s the very vagueness of the last of the options provided – “f) processing is necessary for the purposes of the legitimate interests pursued by the controller” – which makes it likely to be used by many controllers.
It’s my business, my business is legitimate, I need to do this processing to have a business, so it’s necessary for my legitimate interests.
Now that’s all well and good for most organisations. But the GDPR specifically excludes a very large set of organisations from being able to use this as their lawful basis. After listing the lawful bases from a to f, the Article then states:
Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.
Now this is new under GDPR. If you’re a Borough Council, wanting to process personal data as part of receiving council tax payments, you CANNOT use legitimate interest as your lawful basis. Similarly, if you’re a County Council, logging information about non-attendance in schools that you run, you can’t use legitimate interest either. Nor can a Parish Council processing planning applications nor a government department monitoring health records.
Now much of the time, that’s not really such a big issue – there are other lawful bases available – notably, of course, “e. processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.
But sometimes that doesn’t work either. You see, as it says, processing must be necessary for the performance of that duty. In all the examples I’ve mentioned above, they’re pretty clearly necessary for the performance of a public duty. But that’s not always the case.
Data processing that’s not necessary for public duty
A client of ours – a Borough Council – contacted us recently to ask about their use of a database to store training records for their staff. At its simplest level, they wanted to record that Flo in HR has done a beginning PowerPoint course, that Kate in Accounts has done an Excel VBA course, and that Bob in IT has done a First Aid course which will need renewing on 1st May. Occasionally, they’d like to be able to share this information with other councils in the area, so that when Bob’s First Aid course is up for renewal, they can see whether there are other staff in other councils who would also benefit from the training at that time so that they can get them all done in one go and get a better deal.
All of that sounds perfectly reasonable. But it’s probably not a requirement for the council to do its civic duty that Flo does her PowerPoint training, so we can’t use “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller” as a lawful basis.
So, what else might be an option?
Consent won’t wash
It may be that the employees in question would have no objection to this processing, but consent is not ideal here, given that under Article 7, subjects have the right to withdraw consent, which would then throw the integrity of the database into question (“Really? I could’ve sworn Bob was a First-Aider”), and that Recital 43 says that consent cannot be used “where there is a clear imbalance between the data subject and the controller” which is quite possibly the case where the subject is an employee of the controller.
So, that’s not going to work either. What are the other options?
None of the above?
Option B: Processing is necessary for the performance of a contract to which the data subject is party.
I don’t think so. There is, of course, an employment contract in place, and I’m not an employment lawyer, so please jump in if I’m wrong about this, but I can’t see logging the PowerPoint training being necessary for the performance of that contract.
Option C: Processing is necessary for compliance with a legal obligation to which the controller is subject.
I can’t see how this would apply here… Nor can I with Option D – necessary in order to protect the vital interests of the data subject or of another natural person… much though I’d love to say that everyone should attend our training as a matter of their vital interests, it seems a push.
And that leaves us with Option E – necessary for the performance of a task carried out in the public interest, which we’ve already said isn’t the case, or Option F – legitimate interest… which can’t be used by public bodies.
Except… the Regulation actually says that legitimate interests as a lawful basis “shall not apply to processing carried out by public authorities in the performance of their tasks.”
It seemed to me that running, and recording, training courses for staff didn’t really come under “the performance of their tasks” – at least not in the same way as taking away the rubbish, paying benefits, repairing roads and all the other great things Councils do. It’s part of their role as an employer, it’s part of developing staff and ensuring that they have the skills to do what they need to do, but “performance of their tasks”?
We raised this question with the Information Commissioner’s office, who, after some consideration, came back with the following answer:
If the processing by a public authority relates to an activity that falls outside of their ‘public task’, an alternative lawful basis, such as ‘legitimate interest’ could be considered. Therefore, if the processing of employee data, such as their training records, is not necessary for the performance of a public task, it is likely that ‘legitimate interest’ under Article 6 (1) (f) could be considered.
So there we have it. Councils and other public bodies CAN use legitimate interests as a lawful basis under GDPR – as long as the processing in question does not form part of their public duties.
Two things strike me, as I consider this episode.
The first is the importance of a really close reading of the GDPR. Article 6 and Recital 47 do NOT simply say that legitimate interest “shall not apply to processing carried out by public authorities” – there’s more to it than that. Frequently, as you read the text of the GDPR, you see subtleties which are not apparent on an initial glance through.
The second is the helpfulness of the ICO. We’ve contacted them on a few occasions, and they’ve always been helpful and responsive in answering questions. Given the stresses that they must be under as we move toward May and the implementation of GDPR, I think that’s quite impressive.
How can we help – training in the GDPR
Don’t forget, if you want further training or help with GDPR, we run publicly scheduled courses and in-house courses, from 90-minute awareness sessions for all staff to 4-day certified Practitioner courses. See www.theitservice.co.uk/gdpr for more information, or just give us a call on 020 3397 1333.