One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.


GDPR: Public Authorities and Legitimate Interests

Monday, June 12, 2017 - 10:19

I was interested to spot that the Article 29 Working Party visited the question of "public authorities" back in 2014, on page 23 of their Opinion on Legitimate Interests. There they note that there are two possible interpretations of the (then draft) General Data Protection Regulation's (GDPR) rule that public authorities may not use legitimate interests in the performance of their tasks: a narrow interpretation of both "public authority" and "task", which leaves legitimate interests available for most of the body’s activities; and a wide view that means that all activities of those bodies should be performed under the alternative "public interest" justification. The working party's discussion of "authorities" and "tasks" on page 21 suggests they favoured the narrow approach.

However, so long as those are indeed the two alternatives that regulators will consider now that the GDPR is law, it seems to mean that universities and other organisations that might be classed - under the wide definition - as public authorities can continue to design their processes to use legitimate interests where that provides the best protection for their data subjects. If regulators subsequently decide that public interest should be used instead, the same processes should satisfy that justification too, though considering the rights and freedoms of data subjects would then become optional. In either case there should be no need for the radical re-design of process (and torture of statutory wording) that would be required to replace a legitimate interests process with one based on consent.

[UPDATE: a blog post from CASE Europe suggests that the ICO and DCMS are indeed inclined to allow universities and colleges to use both legitimate interests and public interest as justifications for non-core and core functions respectively. So there should be no need to squeeze "consent" onto activities for which it's clearly unsuitable.]