Public sector ‘cannot rely on consent as a legal basis’ for GDPR compliance, warns ICO

Written by Sam Trendall on 29 November 2017 in News

Government entities urged to explore one of the four other options available for establishing the lawfulness of data processing

The Information Commissioner’s Office has warned public sector organisations that they “cannot rely on consent as a legal basis” for meeting their obligations under the incoming EU General Data Protection Regulation.

With the implementation of GDPR less than six months away, one of the key requirements facing public-sector data-controllers is establishing the lawfulness of their data-processing operations to a standard that satisfies regulators. The first option for doing so is to obtain the consent of the individual whose data is being processed – commonly referred to as a data subject.

Speaking today at the Implementing the GDPR in the Public Sector Summit, hosted in London by PublicTechnology parent company Dods, the ICO’s head of parliamentary and government affairs Jonathan Bamford claimed that, while consent may appear to be an attractive option in many ways, it would be a folly for public bodies to depend on consent as the sole basis for ensuring they process data lawfully.

“You need to be careful, because consent is a very high standard – it always has been. It has to be very specifically given, evidenced in some way – and it is capable of being withdrawn,” he said. “If you need to process people’s data irrespective of whether they say you can, you cannot rely on consent as a legal basis.”

Related content

The text of GDPR explains that “consent should be given by a clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of the data subject's agreement to the processing of personal data”. It says that “silence, pre-ticked boxes or inactivity should not therefore constitute consent”, and adds that, “when the processing has multiple purposes”, consent must be given for each of those purposes individually.

Outside of consent, there are five other ways in which lawfulness can be proven – four of which are available to public-sector entities. 

The first is to demonstrate that data-processing is necessary for the purposes of the fulfilment or creation of contract between the data-processor and the subject. The second is to prove that processing data is necessary for the purposes of complying with another legal obligation.

Processing can also be deemed lawful under GDPR if it is done to “protect an interest which is essential for the life of the data subject or that of another natural person”. The fourth option available to public sector entities is to prove that processing is required to perform a task that is in the public interest, or forms part of “the exercise of official authority vested in the controller”.

The final option, which does not apply to public bodies, is to prove that the act of processing is done in the pursuit of the controller’s “legitimate interests”, so long as such interests do not override the data subject’s “fundamental rights and freedoms”.

With GDPR due to come into effect on 25 May, the ICO has already published a range of material on how best to ensure compliance, including this recent blog for PublicTechnology about the public sector’s requirements in three key areas.


About the author

Sam Trendall is editor of PublicTechnology

Share this page




Please login to post a comment or register for a free account.

Related Articles

Chatbots, free WiFi, and paperless councillors – Waltham Forest’s digital transformation
13 September 2018

Executive and political leadership at the east London council talk to PublicTechnology about their work to lead transformation in a way that benefits the entire borough 

US senators introduce legislation to boost government’s use of AI
2 October 2018

Although ‘C-3PO isn’t yet a reality’, cross-party quartet wants to make it easier for federal agencies to adopt new technologies

Whitehall suffers from ‘a culture of denial when a project is going badly’, says PAC chair Hillier
25 September 2018

The head of the Public Accounts Committee has lamented a lack of transparency and information sharing across the civil service