Sandbox Tales: Public Interest and Privacy Notices

The latest report on ICO sandbox participation contains a rapid pivot, and some useful discussion of the “public interest” justification for processing. Back in mid-2019, NHS Digital was awarded a sandbox place for a system for recruiting volunteers into clinical trials (the actual conduct of trials is out of scope). A few months into 2020 that system, like many of us, pivoted to respond specifically to the COVID-19 pandemic.

A particularly interesting feature of the resulting report is the discussion of lawful basis in paragraph 4.3. Even after NHS Digital had been required by law to set up the system – which might have been expected to trigger an Article 6(1)(c) Legal Obligation – the preferred basis for processing any particular volunteer’s data remains Article 6(1)(e) Public Interest. This provides a useful middle ground between mandatory participation and the hard-to-explain morass created by the different meanings of “consent” in research and data protection law. There’s a hint here of an old, pre-GDPR, framing, that “public interest” was what you used when you chose to help someone who had a legal obligation.

Another suggested benefit of using Public Interest is that, unlike Legal Obligation, it preserves the individual’s right to object to processing. This is certainly what Article 21 of the GDPR says, though the report doesn’t make clear what the effect of such an objection should be. Under Article 6(1)(f) Legitimate Interest, an objection requires the data controller to repeat the rights-balancing exercise, but applying the individual’s specific circumstances, rather than those of data subjects in general. But Article 6(1)(e) doesn’t have an initial rights-balancing test: it presumes that whatever legislator created the law will have taken relevant rights into account. Rather than trying to work out what those were, it might be simpler for a data controller to consider whether they have “compelling legitimate grounds” for continuing (some) processing, and/or need to keep the data in case of legal claims. Or simply treat any objection as a direct opt-out.

Finally, paragraph 4.8 makes an interesting point on describing benefits in privacy notices. Where someone is volunteering to help “the public interest”, it’s useful to break that interest down to different stakeholder groups. This feels right: if I’m being invited to be altruistic then the benefits to identifiable groups such as “frontline NHS staff” or “high-risk patients” may well be more persuasive than broad appeals to “health” or the “NHS”.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
