Public sector organisations can rely on different lawful bases for different data processing operations under Article 6 of the General Data Protection Regulation (GDPR). For their primary processing activities, where they perform their public duties and roles, they usually rely on Public Task under the GDPR. In many cases, this processing requires the sharing of personal data with other public sector organisations to achieve the public task purpose. However, it is our experience that much of the legislation relied upon by public sector organisations (whether primary legislation passed by the Houses of the Oireachtas or secondary legislation including Statutory Instruments signed by a Minister and Circulars) is insufficiently specific to meet the requirements of the GDPR and recent legal rulings. One such case was the Bara case which emphasised the need for transparency. In some instances, public sector organisations would be well advised to seek further legislation and guidance to ensure their lawful basis for processing personal data is sufficiently robust.
The Bara Case
In 2014, a ruling was handed down by the European Court of Justice in relation to a case that arose in Romania, in which the personal data of self-employed workers were passed by the Tax Authority to the National Health Insurance Fund. The defendants objected, stating that the processing was for purposes other than those which had initially been communicated by the Tax Authority and was undertaken without prior explicit consent and without the data subjects having previously been informed.
The Court held that EU regulation precludes the transfer and processing of personal data between two public administrative bodies without the persons concerned (the data subjects) having been informed in advance.
When processing personal data, public authorities as Controllers are bound by the data protection principles set out in Art 5 GDPR. Of particular importance is that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
Recital 58 also makes clear that transparency is of particular relevance in situations where there are several actors and where technological complexity may make it difficult for the data subject to know and understand whether, by whom and for what purpose their personal data are being collected. This is especially the case in the public sector where personal data may be shared among different actors, such as the central government and local authorities.
The Irish Data Protection Act 2018
Unlike private organisations, which can rely on Legitimate Interest (GDPR Art 6.1(f)) for their main tasks, public sector organisations can only rely on this lawful basis for secondary tasks. This is because public sector organisations primarily receive the legal authority to process personal data through a Member State’s law that clearly sets out the purpose(s) to be achieved for the public good.
In Ireland, an Act passed through the Houses of the Oireachtas is the typical method to create a law requiring the processing of personal data for the public good. Ministers may also empower state agencies to process personal data via a Statutory Instrument; this is covered in Section 38 of the Data Protection Act 2018. Under Section 38(4), regulations can be made:
(a) by the Minister following consultation with such other Minister of the Government as he or she considers appropriate, or
(b) by any other Minister of the Government following consultation with the Minister and such other Minister of the Government as he or she considers appropriate.
While the legislation allows a Minister to author a Statutory Instrument it also requires the Minister to consult with the Data Protection Commission (DPC) before doing so.
Such forms of secondary legislation are required, under Section 38(7), to specify:
(a) the personal data that may be processed,
(b) the circumstances in which the personal data may be processed, including specifying the persons to whom the data may be disclosed, and
(c) such other conditions (if any) as the Minister or any other Minister of the Government considers appropriate to impose on such processing.
To rely on public task, there must be a clear lawful basis in the form of suitable legislation before data processing begins. This legislation should be sufficiently specific and should ensure that adequate transparency is provided about the nature and purpose of the processing being undertaken.
There is a risk that where state agencies are relying solely on their founding primary or secondary legislation, such legislation may not be adequately specific in terms of the purpose of processing in the public good or the precise nature of the processing to be undertaken. Also, as existing services evolve or new services are created (often under short time constraints and political pressure), processing may have begun before being adequately underpinned by a new Statutory Instrument (or in some cases a Departmental Circular). Other lawful bases may in reality be more appropriate, such as Consent or Contract, depending on the context and the nature of the pre-existing legislation.
As state agencies undertake the scheduled review of their Records of Processing Activities, they should take the opportunity to reassess the legislation they may rely upon for each processing activity in the public good in light of the Section 38 requirements. This should include verifying whether the legislation is specific enough in describing processing and whether this has been adequately communicated to the data subjects involved through privacy notices.
State agencies may need to approach their Minister to seek, ideally, a Statutory Instrument (or in some cases a Departmental Circular to build on existing legislation) to ensure the Section 38 requirements are met for all processing carried out in the public good under legislation. Though there may be some reluctance to issue or amend legislation, as Controllers, the responsibility and liability remain ultimately with the Board Members of each state agency.
The Board should seek advice from their Data Protection Officer and, if needs be, ask the DPC for their opinion on the adequacy of the legislation relied upon. Providing a Data Protection Impact Assessment (DPIA) as part of that consultation would be beneficial. Where the Board holds the legislation to be insufficient to meet current requirements, the members should create demonstrable evidence that they have sought assistance from their Minister in the form of changes to existing, or requests for additional, legislation. Where necessary, the Board should also consider ceasing the processing of personal data where a clear lawful basis under legislation cannot be demonstrated.
If you require assistance with reviewing your Record of Processing Activities and evaluating the lawful bases relied upon for your processing, including an assessment of the potential adequacy of the description set out in legislation, the Trilateral DCS team can provide assistance. Please feel free to contact one of our advisors.