Public sector ‘cannot rely on consent as a legal basis’ for GDPR compliance, warns ICO

Written by Sam Trendall on 29 November 2017 in News

Government entities urged to explore one of the four other options available for establishing the lawfulness of data processing

The Information Commissioner’s Office has warned public sector organisations that they “cannot rely on consent as a legal basis” for meeting their obligations under the incoming EU General Data Protection Regulation.

With the implementation of GDPR less than six months away, one of the key requirements facing public-sector data-controllers is establishing the lawfulness of their data-processing operations to a standard that satisfies regulators. The first option for doing so is to obtain the consent of the individual whose data is being processed – commonly referred to as a data subject.

Speaking today at the Implementing the GDPR in the Public Sector Summit, hosted in London by PublicTechnology parent company Dods, the ICO’s head of parliamentary and government affairs Jonathan Bamford claimed that, while consent may appear to be an attractive option in many ways, it would be a folly for public bodies to depend on consent as the sole basis for ensuring they process data lawfully.

“You need to be careful, because consent is a very high standard – it always has been. It has to be very specifically given, evidenced in some way – and it is capable of being withdrawn,” he said. “If you need to process people’s data irrespective of whether they say you can, you cannot rely on consent as a legal basis.”

Related content

The text of GDPR explains that “consent should be given by a clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of the data subject's agreement to the processing of personal data”. It says that “silence, pre-ticked boxes or inactivity should not therefore constitute consent”, and adds that, “when the processing has multiple purposes”, consent must be given for each of those purposes individually.

Outside of consent, there are five other ways in which lawfulness can be proven – four of which are available to public-sector entities. 

The first is to demonstrate that data-processing is necessary for the purposes of the fulfilment or creation of contract between the data-processor and the subject. The second is to prove that processing data is necessary for the purposes of complying with another legal obligation.

Processing can also be deemed lawful under GDPR if it is done to “protect an interest which is essential for the life of the data subject or that of another natural person”. The fourth option available to public sector entities is to prove that processing is required to perform a task that is in the public interest, or forms part of “the exercise of official authority vested in the controller”.

The final option, which does not apply to public bodies, is to prove that the act of processing is done in the pursuit of the controller’s “legitimate interests”, so long as such interests do not override the data subject’s “fundamental rights and freedoms”.

With GDPR due to come into effect on 25 May, the ICO has already published a range of material on how best to ensure compliance, including this recent blog for PublicTechnology about the public sector’s requirements in three key areas.


About the author

Sam Trendall is editor of PublicTechnology

Share this page




Please login to post a comment or register for a free account.

Related Articles

Government urged to commit to devolution to drive innovation and levelling-up
29 June 2022

Think tank report identifies benefits of city mayors, but finds many local officials are frustrated with current interactions with Whitehall

10 Downing St offers over £100k for data science whizz
23 June 2022

Prime minister’s in-house data science unit seeks senior manager to deliver ‘high-impact’ initiatives 

‘This lack of transparency could undermine trust’ – DWP scolded over failure to publish research data
21 June 2022

Parliamentary committee writes to department urging greater openness

Whitehall chief: ‘From AOs to perm secs – we all need to be data confident’
20 June 2022

Government operations leader wants departments to make better use of the ‘huge amounts of data’ at their disposal