Under the current Data Protection Act (“DPA”), controllers need a Schedule 2 legal basis/ground to process personal data. Schedule 2 lists six main groupings and a controller has to select at least one from the list. If a controller does not have a legal basis/ground for the processing, then the controller cannot process the personal data – end of argument.
So, it is surprising to discover that Clause 8 of the Data Protection Bill (“DPBill”), through the use of the word “includes”, can legitimise public sector processing of personal data via a basis/ground not listed in the DPBill. Such a basis/ground might be, for instance, one that is “not necessary” for the controller’s statutory functions.
To understand how this position is reached consider Clause 8 of the DPBill which states that:
In Article 6(1) of the GDPR (lawfulness of processing), the reference in point (e) to processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of the controller’s official authority includes processing of personal data that is necessary for—
(a) the administration of justice,
(b) the exercise of a function of either House of Parliament,
(c) the exercise of a function conferred on a person by an enactment, or
(d) the exercise of a function of the Crown, a Minister of the Crown or a government department. (my emphasis on “includes”).
It can be seen that by comparison with Schedule 2, paragraph 5 of the DPA, the only missing basis/ground for the processing is “for the exercise of any other functions of a public nature exercised in the public interest by any person”. It can also be seen that the effect of all of the paragraphs (a) to (d) of Schedule 2, paragraph 5 is replicated in paragraphs (a) to (d) in Clause 8 above. So far, so good.
However, the Explanatory Notes concerning Clause 8 state:
“85 ….. Article 6(2) of the GDPR enables Member States to, amongst other things, set out more specific provisions in respect of Article 6(1)(c) and (e).
86 This clause provides a non-exhaustive list of examples of processing under Article 6(1)(e). This includes processing of personal data that is necessary for the administration of justice, the exercise of a function of a Government department, either House of Parliament, the Crown, a Minister of the Crown or a function conferred on a person by enactment. The list is similar to that contained in paragraph 5 of Schedule 2 to the 1998 Act”.
So, the intent, as explained in paragraphs 85 and 86, is for the Government to use the flexibility in Article 6(1)(c) and (e) to take an exhaustive list of legal bases/grounds for the processing of personal data (listed in paragraph 5 of Schedule 2 of the DPA) and create a non-exhaustive list of bases/grounds that public bodies can use in the DPBill in Clause 8.
The difference between an exhaustive and a non-exhaustive list is profound. An exhaustive list requires that the legal basis/ground associated with the processing must be one of those listed; a non-exhaustive list says the legal basis can be one of those listed, but there may be another legal basis/ground, not listed, that applies to the processing of personal data.
In other words, the legal bases/grounds in Clause 8 that allow a public-sector controller to process personal data extend beyond paragraphs (a) to (d) above and include other unspecified grounds.
So, what are these other grounds? How many are there? Who defines them? What is the Government thinking of here? Answer: I haven’t a clue.
Indeed, how can Clause 8 be enforced by the ICO if a public sector controller such as a Local Authority can argue that, although the processing of personal data is not “necessary for the exercise of a function conferred on the authority by an enactment”, it is nevertheless “necessary for the exercise of a function agreed at a Council meeting”? Who knows whether this ground is valid when the list of possible grounds in Clause 8 is non-exhaustive?
The role of Clause 8 in the DPBill is to allow for the processing of personal data by public bodies in circumstances where processing is:
- “not necessary for the exercise of a function conferred on a person by an enactment”
- “not necessary for the exercise of a function of the Crown, a Minister of the Crown or a government department”
- not with “data subject consent” or
- “not necessary for a contract with the data subject”.
When seen like this, the non-exhaustive list has the potential to undermine the premise that public bodies only process personal data for the statutory functions that Parliament has identified as being necessary and where those functions are specified in legislation enacted by Parliament.
The effect is also to undermine the prohibition on the use of the Article 6(1)(f) “legitimate interest” basis/ground, which cannot be used by public sector controllers for their public tasks (see the last sentence of Article 6(1)(f)). Instead, such public-sector controllers have the potential to create their own unspecified bases/grounds by using the non-exhaustive flexibility in Clause 8.
Finally, the non-exhaustive list of grounds available for public-sector controllers reduces the protection for individuals if public bodies are no longer restricted to that processing which is necessary for their statutory functions.
This is not a happy outcome for data subjects, is it?
If the Government wants the flexibility to add to the grounds for the processing in the DPBill, then it should take powers to do so which then can be fully justified and approved by a Parliamentary process. It should not sneak in flexibility, unexplained, via the use of a word like “includes”.
{Change: The Blog has been updated 19/1/2018 to refer to Clause 8 of the DPBill before the House of Commons (rather than Clause 7 - which was the Clause reference when the DPBill was debated by the House of Lords)}