[Update: a Government amendment to Clause 6 of the Bill appears to confirm that this is their intended interpretation :)]
The new Data Protection Bill seems to bring clarity to the question of which legal bases will be available to educational institutions under the General Data Protection Regulation:
- Clause 6(1) of the Bill states that (subject to modification by the Secretary of State) organisations that are classed as public authorities under the Freedom of Information or Freedom of Information (Scotland) Acts will also be “public authorities” for the purposes of the GDPR;
- Under Article 6(1) of the GDPR, those public authorities are not permitted to use the legitimate interests basis “in the performance of their tasks”;
- Instead, by Recital 47, those tasks and their legal basis should be “provide[d] by law”;
- And, by Clause 7(c) of the Bill, where a task is “conferred on a person by an enactment”, the legal basis is that it is necessary in the public interest.
Where an educational institution is performing a task that is specified by law, therefore, the correct legal basis is that it is “necessary in the public interest” (Article 6(1)(e)). Where it is performing a task that is not specified by law (for example protecting the security of networks and systems, as in GDPR Recital 49), then all the other legal bases, including “necessary in the legitimate interests [of the organisation]” are available, subject to their usual GDPR conditions.
As we noted in our submission to the Information Commissioner, “necessary in a public interest” provides less protection for data subjects – since it does not require their interests to be considered – so from the individual’s perspective the use of this justification should be limited. Indeed, the Article 29 Working Party appear to have identified this issue back in 2014.