Public interest - Legal basis

Overview

You can rely on the public interest lawful basis if you need to process personal data:

  • ‘in the exercise of official authority’. This covers public functions and powers that are set out in law; or
  • to perform a specific task in the public interest that is set out in law.

This applies:

  • if you document your decision to rely on this lawful basis and ensure that you can justify your reasoning;
  • if the processing is necessary; and
  • if you document your decision to rely on this basis to help you demonstrate compliance if required.

In short, "public interest" is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest.

You do not need a specific statutory power to process personal data, but your underlying task, function or power must have a clear basis in law.

Example

"Mark has CCTV installed outside the front of his premises. As the camera footage shows individuals, it is classed as personal data. The police have requested that Mark share (process) this tape with them. Under what legal basis may Mark process this data?"

As the request has come from an official public body and is legally wanted, Mark may share (process) this personal data under the legal basis of public interest.

What the regulator says

Article 6(1)(e) gives you a lawful basis for processing where:

“processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”

This can apply if you are either:

  • carrying out a specific task in the public interest which is laid down by law; or
  • exercising official authority (for example, a public body’s tasks, functions, duties or powers) which is laid down by law.

If you can show you are exercising official authority, including use of discretionary powers, there is no additional public interest test. However, you must be able to demonstrate that the processing is ‘necessary’ for that purpose.

‘Necessary’ means that the processing must be a targeted and proportionate way of achieving your purpose. You do not have a lawful basis for processing if there is another reasonable and less intrusive way to achieve the same result.  

In this guide we use the term ‘public task’ to help describe and label this lawful basis. However, this is not a term used in the GDPR itself. Your focus should be on demonstrating either that you are carrying out a task in the public interest, or that you are exercising official authority.

In particular, there is no direct link to the concept of ‘public task’ in the Re-use of Public Sector Information Regulations 2015 (RPSI). There is some overlap, as a public sector body’s core role and functions for RPSI purposes may be a useful starting point in demonstrating official authority for these purposes. However, you shouldn’t assume that it is an identical test. See our Guide to RPSI for more on public task in the context of RPSI.

What does ‘laid down by law’ mean?

Article 6(3) requires that the relevant task or authority must be laid down by domestic or EU law. This will most often be a statutory function. However, Recital 41 clarifies that this does not have to be an explicit statutory provision, as long as the application of the law is clear and foreseeable. This means that it includes clear common law tasks, functions or powers as well as those set out in statute or statutory guidance.

You do not need specific legal authority for the particular processing activity. The point is that your overall purpose must be to perform a public interest task or exercise official authority, and that overall task or authority has a sufficiently clear basis in law.

Who can rely on this basis?

Any organisation who is exercising official authority or carrying out a specific task in the public interest. The focus is on the nature of the function, not the nature of the organisation.

However, if you are a private sector organisation you are likely to be able to consider the legitimate interests basis as an alternative.             

See the main lawful basis page of this guide for more on how to choose the most appropriate basis.

When can you rely on this basis?

Section 8 of the Data Protection Act 2018 (DPA 2018) says that the public task basis will cover processing necessary for:

  • the administration of justice;
  • parliamentary functions;
  • statutory functions;
  • governmental functions; or
  • activities that support or promote democratic engagement.

However, this is not intended as an exhaustive list. If you have other official non-statutory functions or public interest tasks you can still rely on the public task basis, as long as the underlying legal basis for that function or task is clear and foreseeable.        

For accountability purposes, you should be able to specify the relevant task, function or power, and identify its basis in common law or statute. You should also ensure that you can demonstrate there is no other reasonable and less intrusive means to achieve your purpose.

Considerations

Individuals’ rights to erasure and data portability do not apply if you are processing on the basis of public task. However, individuals do have a right to object. See our guidance on individual rights for more information.          

You should consider an alternative lawful basis if you are not confident that processing is necessary for a relevant task, function or power which is clearly set out in law.

If you are a public authority (as defined in the Data Protection Act 2018), your ability to rely on consent or legitimate interests as an alternative basis is more limited, but they may be available in some circumstances. In particular, legitimate interests is still available for processing which falls outside your tasks as a public authority. Other lawful bases may also be relevant. See our guidance on the other lawful bases for more information.

Remember that the GDPR specifically says that further processing for certain purposes should be considered to be compatible with your original purpose. This means that if you originally processed the personal data for a relevant task or function, you do not need a separate lawful basis for any further processing for:

  • archiving purposes in the public interest;
  • scientific research purposes; or
  • statistical purposes.

If you are processing special category data, you also need to identify an additional condition for processing this type of data. The Data Protection Act 2018 includes specific conditions for parliamentary, statutory or governmental functions in the substantial public interest. Read the special category data page of this guide for our latest guidance on these provisions.

To help you meet your accountability and transparency obligations, remember to:

  • document your decision that the processing is necessary for you to perform a task in the public interest or exercise your official authority;
  • identify the relevant task or authority and its basis in common law or statute; and
  • include basic information about your purposes and lawful basis in your privacy notice.
