
What’s the data protection difference between public and private sectors?

[UPDATE] a slightly revised version of this post formed our response to the ICO consultation.

The Information Commissioner’s draft guidance on consent makes a surprisingly broad distinction between public and private sector organisations, even when they process the same data for the same purposes. This risks removing important protections when personal data are processed by the public sector, and does not appear to be required by the General Data Protection Regulation that the guidance aims to implement.

In discussing the alternatives to consent, page 16 treats “necessary for a public task” (Article 6(1)(e) of the Regulation) and “necessary for legitimate interests” (Article 6(1)(f)) as an equivalent pair – the former “likely to give [] a lawful basis for many if not all of [a public body’s] activities”, the latter available only “if you are a private-sector organisation”. However the two are not equivalent for the person whose data are being processed: the legitimate interests of an organisation must be balanced against “the interests or fundamental rights and freedoms” of the individual, whereas this is not a requirement when processing for a public task. For a number of different activities performed by both public and private sector education organisations – from protecting the security of computers, data and networks to federated access management and learning analytics – we have found that this balancing test provides valuable guidance to organisations and protection to individuals.

Furthermore many, if not most, of the data processing activities performed by public sector organisations are done by private sector organisations as well. Both act as employers, provide education, raise funds, protect their premises using CCTV, and so on. Applying different rules to this processing, depending solely on whether or not public funds are involved, can only create uncertainty and opportunities for accidental or deliberate breaches of data protection.

Article 6(1)(f) of the General Data Protection Regulation in fact only prohibits the use of legitimate interests “by public authorities in the performance of their tasks”. Article 6(3) requires that those tasks be prescribed by law, which may adapt the normal rules of the Regulation. Where a task requires the state to authorise a particular body to work outside normal data protection rules, prohibiting the use of legitimate interests to expand that authority does indeed protect data subjects. However Recital 49 demonstrates that this does not apply to all activities performed by public bodies: “ensuring network and information security” is declared to be a legitimate interest of public authorities equally with a wide range of both public and private organisations. Where public and private sector bodies perform the same function under the same data protection rules there seems no reason to treat them differently.

In the interests of both consistency and protection of data subjects, it seems preferable to limit the use of the “public task” basis to processing activities, such as tax collection, that involve the state assigning specific powers to particular bodies. For activities that are performed on an equal basis by both public and private sector organisations, the greater protection provided by “legitimate interests” and the other legal justifications should be used.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
