Public sector ‘cannot rely on consent as a legal basis’ for GDPR compliance, warns ICO
Government entities urged to explore one of the four other options available for establishing the lawfulness of data processing
The Information Commissioner’s Office has warned public sector organisations that they “cannot rely on consent as a legal basis” for meeting their obligations under the incoming EU General Data Protection Regulation.
With the implementation of GDPR less than six months away, one of the key requirements facing public-sector data-controllers is establishing the lawfulness of their data-processing operations to a standard that satisfies regulators. The first option for doing so is to obtain the consent of the individual whose data is being processed – commonly referred to as a data subject.
Speaking today at the Implementing the GDPR in the Public Sector Summit, hosted in London by PublicTechnology parent company Dods, the ICO’s head of parliamentary and government affairs Jonathan Bamford claimed that, while consent may appear to be an attractive option in many ways, it would be a folly for public bodies to depend on consent as the sole basis for ensuring they process data lawfully.
“You need to be careful, because consent is a very high standard – it always has been. It has to be very specifically given, evidenced in some way – and it is capable of being withdrawn,” he said. “If you need to process people’s data irrespective of whether they say you can, you cannot rely on consent as a legal basis.”
- Public sector bodies must appoint data-protection officer or risk huge fines
- ICO planning ‘three-tier system’ of data-processing fees as post-GDPR funding model
- Brexit and data regulation: what next for data sharing and the GDPR?
The text of GDPR explains that “consent should be given by a clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of the data subject's agreement to the processing of personal data”. It says that “silence, pre-ticked boxes or inactivity should not therefore constitute consent”, and adds that, “when the processing has multiple purposes”, consent must be given for each of those purposes individually.
Outside of consent, there are five other ways in which lawfulness can be proven – four of which are available to public-sector entities.
The first is to demonstrate that data-processing is necessary for the purposes of the fulfilment or creation of contract between the data-processor and the subject. The second is to prove that processing data is necessary for the purposes of complying with another legal obligation.
Processing can also be deemed lawful under GDPR if it is done to “protect an interest which is essential for the life of the data subject or that of another natural person”. The fourth option available to public sector entities is to prove that processing is required to perform a task that is in the public interest, or forms part of “the exercise of official authority vested in the controller”.
The final option, which does not apply to public bodies, is to prove that the act of processing is done in the pursuit of the controller’s “legitimate interests”, so long as such interests do not override the data subject’s “fundamental rights and freedoms”.
With GDPR due to come into effect on 25 May, the ICO has already published a range of material on how best to ensure compliance, including this recent blog for PublicTechnology about the public sector’s requirements in three key areas.
James Wickes of Cloudview believes regulators need to take steps to sharpen senior managers’ focus on cybersecurity
Whitehall leader praises achievements of digital agency and points to the crucial role it will play in delivering Brexit
Sector organisation writes to Matt Hancock and other MPs to express concerns
Sadiq Khan unveils Digital Talent Programme to help plug the capital’s skills gap and address issues of underrepresentation