What finer way to send blog readers on their happy way to the end of year’s festivities but to pose two questions for post-Xmas dinner debate. The first question is: “Does ‘processing personal data in the public interest’ include that ‘processing in the interest of the Government of the day’?”.
The reason for asking this question is that the GDPR is stuffed with Articles and Recitals that refer to “the public interest”, “important reasons of public interest” or “substantial public interest”? Nobody, as far as I can discover, has asked what do these terms mean in practice?
Because most of Europe does not have a common law tradition, “in the public interest” cannot be interpreted as solely being in the context of the law of confidence (e.g. “public interest” disclosures of confidential personal data in relation to crime, safeguarding the vulnerable etc). In the “public interest” has to mean something else.
In the 1980s, I remember the prosecution of Clive Ponting, a senior civil servant who was facing a considerable period in prison because he disclosed classified information about the location of the General Belgrano to Tam Dalyell MP; the ageing Argentinian cruiser was controversially sunk by a British submarine at the beginning of the Falklands War.
Ponting ran a “public interest” defence to the Official Secrets Act prosecution saying Parliament needed to know the truth; hence his disclosures were to a single MP and not to the press.
In his summing up, the Judge dismissed Pontin’s defence and stated that "the interest of the State” equated to the interests “the government of the day”. In particular, the Judge stated that the policies of the State were the policies of the political party when it was elected as the Government.
The jury quickly returned a not guilty verdict (and were subsequently vetted on the orders of the judge for their “perverse” verdict).
So, expanding the Judge’s idea: a Government is elected to pursue its policies, then because it has a majority it can claim majority public backing for their policies. Hence is it in the “public interest” that these policies are implemented (e.g. in accordance with its manifesto)?
In the answer is “yes”, processing necessary in the “public interest” can indeed be equated with “processing in the interests of the Government of the day”.
Processing “in the public interest”?
The equation between “public interest” with “interests of the Government of the day” exists in Clause 7 of the DPBill.
Clause 7 states that public bodies have a ground for processing personal data where that processing….”is necessary for the performance of a task carried out in the public interest or in the exercise of the controller’s official authority” and that such grounds for the processing “includes processing of personal data that is necessary for—….
...(c) the exercise of a function conferred on a person by an enactment, or
(d) the exercise of a function of the Crown, a Minister of the Crown or a government department.”
Note that the combination of emphasised words (“includes” and “or”) provide for three conclusions:
- processing of personal data “in the public interest” includes that processing which is necessary for ..."the function of a Minister of the Crown” or for a “function conferred on a person by an enactment”;
- processing of personal data “in the public interest” does not have to be processing which is necessary for .."the function of a Minister of the Crown” or for a “function conferred on a person by an enactment” (this is a consequence of the non-exhaustive list of grounds in Clause 7);
- processing that “is necessary for ..the function of a Minister of the Crown” (e.g. by the Government of the day) can therefore be “in the public interest” (this is the corollary of bullet 1 which is the Pontin conclusions derived by the Judge; see above).
Special Personal Data processed in the public interest
It emerges this equation also arises with the Government’s modification of Article 9(2)(g) which provides a ground for processing of special (“sensitive”) personal data in the public interest.
Article 9(2)(g) of the GDPR reads:
“the processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject” (my emphasis)
However, Article 9(2)(g) is replaced by the text Schedule 6, paragraph 12(c) with a provision which does not contain any reference to “suitable and specific measures…” to protect data subjects interests.
The revised provision merely says:
“the processing (of special personal data) is necessary for reasons of substantial public interest and is authorised by domestic law (see section 9 of the 2018 Act)”
For completeness, the reference to “section 9” does not contain any safeguards for data subject; it refers the reader to provisions in Schedule 1 of the DPBill which then requires that “the substantial public interest” has to be “authorised by domestic law” (e.g. authorised by “the exercise of a function conferred on a person by an enactment”, or “the exercise of a function of the Crown, a Minister of the Crown or a government department”).
As enacting legislation or changing the functions of Government Departments is not usually a problem if a Government has a Commons majority, we get back to the proposition that any law enacted “in the interests of the Government of the day” will usually be “in the substantial public interest” as the Government has been elected.
Concluding comments
This is the fourth blog in the last two months which involves public sector processing of personal data; these have covered the following four topics (see references):
- A blog that described a ministerial admission that the sharing of personal data for service delivery purposes can be not “necessary” for the functions of a public body (the current DPA requirement) because the word “necessary” would inhibit data sharing. Comment: under the DPBill, such data sharing could be legitimate “in the public interest”;
- A blog that described Clause 7 of the DPBill as providing a non-exhaustive list of grounds Comment: under the DPBill processing that cannot be justified in terms of being necessary for the functions of a public body could be legitimised “in the public interest”;
- A blog that described a Data Processing Framework which can hinder enforcement by the Commissioner. Comment: such hindrance of enforcement is likely to concern to processing legitimised “in the public interest” but is consistent with the Government’s Framework); and
- The current blog, which refers to the removal of specific protection for data subjects in favour of a test of “substantial public interest” which has to be authorised by law.
The second Xmas question is now clear: Do the four paragraphs above, all describing processing necessary in “the public interest” also describe a legal framework that permits “function creep”?”.
With that happy thought, have a good holiday – Hawktalk is back in the New Year.
New Data Protection Courses (London)
Data Protection Bill/GDPR all day Workshop: London (10 January) http://www.amberhawk.com/bookevents3.asp
We have dates, brochures and fees for courses based on Practitioner and Foundation Certificates relating to the new UK DP law (as it is at the moment) based on the GDPR. The courses are:
- A DP Foundation course (3 days)
- A DP Practitioner course (6 days, mock exam and real exam)
- A DP Practitioner Conversion course for those who already have the BCS Practitioner Certificate (2 days)
If anyone wants these, email [email protected] . The information will be on the website early in the new year; however, the BCS syllabus is down-loadable from the amberhawk website home page (www.amberhawk.com)
References
A ministerial statement that the sharing of personal data for service delivery purposes could be not necessary for the functions of a public body and that “necessary” was a word that was too restrictive with respect to data sharing; http://amberhawk.typepad.com/amberhawk/2016/11/digital-economy-bill-data-sharing-provisions-undermine-parliamentary-scrutiny-and-create-privacy-ris.html
Clause 7 allows public bodies to processing personal data not for their statutory functions: http://amberhawk.typepad.com/amberhawk/2017/10/dpbill-provides-flexible-grounds-for-public-bodies-when-processing-personal-data-for-their-statutory.html
Comments concerning the Data Processing Framework which would hinder any enforcement by the Commissioner (e.g. when processing that is in the public interest now); http://amberhawk.typepad.com/amberhawk/2017/11/a-framework-to-undermine-the-icos-ability-to-enforce-the-new-data-protection-bill-across-the-public-.html
Comments
You can follow this conversation by subscribing to the comment feed for this post.