As you’re no doubt aware, the rules around data protection are changing significantly in May of next year with the introduction of the General Data Protection Regulation (GDPR). GDPR significantly increases the rights of individuals to control the way in which organisations use their personal data and local authorities will have to comply with it. This will apply retrospectively to the data you already hold as well as to any new data you collect from May onwards, so it’s an issue that cannot be ignored. This is the first in a series of blogs looking at the implications of GDPR for public sector organisations. In this post I’ll discuss the issue of consent.
What does consent mean in GDPR terms?
The implications are substantial. You will need to be able to explicitly demonstrate either that you have an individual’s consent to hold and process their data or that one of five other specific legitimate reasons apply. You’ll also need to know where all the data you have on each individual is held and be able to identify in each case whether consent was given for the processing that you’re doing or, in cases where consent doesn’t apply, the legal grounds on which you’re processing the data.
The challenge of consent for public sector organisations
There is an additional challenge for local authorities which is that consent has to be freely given. This means that no undue pressure can be placed on individuals to consent. Achieving this can be difficult in any scenario where an individual is in some way beholden to you, which may be the case in the relationship between a local authority and a citizen.
GDPR specifically states that the imbalance of power between data subjects and public bodies means that consent will not usually be a valid legal ground for processing personal data. The ICO states “Public authorities, employers and other organisations in a position of power over individuals should avoid relying on consent as it is unlikely to be freely given.”
In circumstances where consent is acceptable, this consent must be specific, informed, unambiguous and freely given. Previously you might have given individuals the option of opting out of having their data used in various ways. That’s not the case any more.
GDPR means that individuals have to explicitly opt in to having their data processed. That consent needs to be specific, meaning that when you collect people’s personal data you should inform them of all the various different ways that you intend to use it and give them the option to opt in and out at a much more granular level.
Justifying processing on grounds other than consent
However, good practice going forward is probably going to involve basing your data processing on legal grounds other than consent. So what are these grounds? You can justify processing personal data on the basis that such processing is necessary in order for a task to be carried out in the public interest or in the exercise of official authority. This is likely to be the provision that most public bodies rely on to justify their processing of personal data.
Individuals will still have the right to object to this processing, so in such circumstances you will need to be able to prove overriding legitimate grounds for processing. Note that commercial organisations have the option of justifying data processing on the basis that it is necessary for the pursuit of their legitimate interests; however, this option is not available to public bodies.
If you’ve found this blog useful you might also like the second blog in this series which looks at the issue of managing subject access requests in local government.
The information provided and the opinions expressed in this blog post represent the views of the author. They do not constitute legal advice and cannot be construed as offering comprehensive guidance to the General Data Protection Regulation.