UK public sector will be able to rely on legitimate interest ground in some circumstances
The GDPR does not allow public authorities to use legitimate interests as a legal basis for processing personal data. However, an amendment to the Data Protection Bill, adopted by the House of Lords on 11 December, will diverge from the GDPR by allowing public sector bodies to rely on legitimate interest grounds when carrying out non-public tasks.
The amendment makes it clear that all public sector bodies will be treated as public authorities for data protection purposes only when they are carrying out their public tasks. The amendment is particularly useful for universities, schools and colleges that had been worried that they could not process the personal data of alumni for fundraising purposes.
The amendment says that an organisation will only be a public authority “when performing a task carried out in the public interest or in the exercise of official authority vested in it.” Therefore, other organisations with hybrid activities will also benefit from this amendment.
The House of Lords Report stage continues on 10 January 2018.
PL&B has organised a GDPR Help! Roundtable: Managing Risk on 31 January 2018 in London.
1. Update on the Data Protection Bill/Act relevant to GDPR implementation
2. Negotiating data processing contracts with third parties in the light of the GDPR requirements
3. Conducting Data Protection Impact Assessments
4. Data Protection by Design and Default
5. Keeping records of processing
Go to www.privacylaws.com/events to register