social-media

How should local authorities prepare for GDPR? The issue of consent.

As you’re no doubt aware, the rules around data protection are changing significantly in May of next year with the introduction of the General Data Protection Regulation (GDPR). GDPR significantly increases the rights of individuals to control the way in which organisations use their personal data and local authorities will have to comply with it. This will apply retrospectively to the data you already hold as well as to any new data you collect from May onwards, so it’s an issue that cannot be ignored. This is the first in a series of blogs looking at the implications of GDPR for public sector organisations. In this post I’ll discuss the issue of consent.

What does consent mean in GDPR terms?

The implications are substantial. You will need to be able to explicitly demonstrate either that you have an individual’s consent to hold and process their data or that one of five other specific legitimate reasons apply. You’ll also need to know where all the data you have on each individual is held and be able to identify in each case whether consent was given for the processing that you’re doing or, in cases where consent doesn’t apply, the legal grounds on which you’re processing the data.

The challenge of consent for public sector organisations

There is an additional challenge for local authorities which is that consent has to be freely given. This means that no undue pressure can be placed on individuals to consent. Achieving this can be difficult in any scenario where an individual is in some way beholden to you, which may be the case in the relationship between a local authority and a citizen.

GDPR specifically states that the imbalance of power between data subjects and public bodies means that consent will not usually be a valid legal ground for processing personal data. The ICO states “Public authorities, employers and other organisations in a position of power over individuals should avoid relying on consent as it is unlikely to be freely given.”

In circumstances where consent is acceptable, this consent must be specific, informed, unambiguous and freely given. Previously you might have given individuals the option of opting out of having their data used in various ways. That’s not the case any more.

GDPR means that individuals have to explicitly opt in to having their data processed. That consent needs to be specific, meaning that when you collect people’s personal data you should inform them of all the various different ways that you intend to use it and give them the option to opt in and out at a much more granular level.

Justifying processing on grounds other than consent

However, good practice going forward is probably going to involve basing your data processing on legal grounds other than consent. So what are these ground? You can justify processing personal data in the basis that such processing is necessary in order for a task to be carried out in the public interest or the exercise of an official authority. This is likely to be the provision that most public bodies rely on to justify their processesing of personal data.

Individuals will still have the right to object to this processing so in such circumstances you will need to be able to prove overriding legitimate grounds for processing. Note, commercial organisations have the option of justifying data processing on the basis that it is necessary for the pursuit of their legitimate interests, however this option is not available for public bodies.

If you’ve found this blog useful you might also like the second blog in this series which looks at the issue of managing subject access requests in local government.

The information provided and the opinions expressed in this blog post represent the views of the author. They do not constitute legal advice and cannot be construed as offering comprehensive guidance to the General Data Protection Regulation.

Comments are closed.

Download the Ultimate Guide to Channel Shift white paper

Thank you for your interest in our Ultimate Guide to Channel Shift white paper. Please complete this form and click submit in order to access the white paper. We hope that you find it useful. 

×
Download the Social Media Risk Management in the Public Sector white paper

Thank you for your interest in our Social Media Risk Management in the Public Sector white paper. Please complete this form and click submit in order to access the white paper. We hope that you find it useful. 

×
Book a demo or ask a question
×
Download our FREE Mobile Working ebook
  • Ten reasons why UK local authorities should invest in mobile working
  • How your staff will benefit from a move to mobile working
  • How to effectively manage the risks associated with mobile working
  • How Stafford Borough Council implemented an effective mobile working strategy
We respect your privacy and will never share your data with any third party. We may email you from time to time with news about our products and services. You can unsubscribe from these emails at any time by clicking on the unsubscribe link in every email we send you or emailing unsubscribe@abavus.co.uk. Full details are in our privacy policy.
Don't miss out. Download your free ebook today.
×
×
WordPress Popup Plugin