Public sector ‘cannot rely on consent’ for GDPR compliance, Information Commissioner warns

Written by Sam Trendall on 4 December 2017 in News

Public sector bodies are being urged to explore one of the four other options available for establishing the lawfulness of data processing

I agree tick box - Image credit: Pixabay

Public sector organisations “cannot rely on consent as a legal basis” for meeting their obligations under the incoming EU General Data Protection Regulation (GDPR), the Information Commissioner’s Office has warned.

With the implementation of GDPR less than six months away, one of the key requirements facing public sector data controllers is establishing the lawfulness of their data processing operations to a standard that satisfies regulators.

The first option for doing so is to obtain the consent of the individual whose data is being processed – commonly referred to as a data subject.

Speaking at the ‘Implementing the GDPR in the Public Sector Summit’, hosted in London by Holyrood’s parent company, Dods, the ICO’s head of parliamentary and government affairs Jonathan Bamford said that while consent may appear to be an attractive option, it would be a folly for public bodies to depend on it as the sole basis for ensuring they process data lawfully.

“You need to be careful, because consent is a very high standard – it always has been,” he said.

“It has to be very specifically given, evidenced in some way – and it is capable of being withdrawn.”

“If you need to process people’s data irrespective of whether they say you can, you cannot rely on consent as a legal basis.”

The text of GDPR explains that “consent should be given by a clear affirmative act establishing a freely given, specific, informed, and unambiguous indication of the data subject's agreement to the processing of personal data”.

It says that “silence, pre-ticked boxes or inactivity should not therefore constitute consent”, and adds that, “when the processing has multiple purposes”, consent must be given for each of those purposes individually.

Outside of consent, there are five other ways in which lawfulness can be proven – four of which are available to public sector entities. 

The first is to demonstrate that data processing is necessary for the purposes of the fulfilment or creation of contract between the data processor and the subject.

The second is to prove that processing data is necessary for the purposes of complying with another legal obligation.

Processing can also be deemed lawful under GDPR if it is done to “protect an interest which is essential for the life of the data subject or that of another natural person”.

The fourth option available to public sector entities is to prove that processing is required to perform a task that is in the public interest, or forms part of “the exercise of official authority vested in the controller”.

The final option, which does not apply to public bodies, is to prove that the act of processing is done in the pursuit of the controller’s “legitimate interests”, so long as such interests do not override the data subject’s “fundamental rights and freedoms”.

With GDPR due to come into effect on 25 May 2018, the ICO has already published a range of material on how best to ensure compliance.



Related Articles

Mhairi Black urges Boris Johnson and Jeremy Hunt to resolve ‘daylight robbery’ of unclaimed pensions
8 July 2019

Research by the Association of British Insurers and Pensions Policy Institute suggested there could be nearly £20bn of unclaimed pensions in the UK

Kate Forbes on why tech is “the most exciting portfolio in government”
5 July 2019

From the Himalayas to the Highlands, Scotland’s Minister for Public Finance and Digital Economy has lived experience of how tech can impact on small communities

Related Sponsored Articles

Associate feature: 5 ways IoT is transforming the public sector
5 February 2018

Vodafone explores some of the ways IoT is significantly improving public sector service delivery

Balancing security and digital transformation
24 October 2018

With the annual worldwide cost of cybercrime set to double from $3tn in 2015 to $6tn by 2021, BT offers advice on how chief information security officers can better...

Associate feature: Who keeps your organisation secure?
19 February 2018

BT's Amy Lemberger argues that having the right security in place to protect your organisation is no longer just an option. It is a necessity.

Share this page