Jon
If you could send a pointer to the article when it is published, it would be much appreciated...
With my data subject point of view I really don’t like that interpretation - not least because it removes a significant protection from public sector use of big data techniques - but as a data controller I'm pretty much indifferent to whether they go for the wide or narrow interpretations. So long as they do it consistently and don't leave a gap in the middle.
And I've just spotted that c7 of the DP Bill, too, could be read either way! Clause 7(c) says that "the exercise of a function conferred on a person by an enactment" falls under Art.6(1)(e), which sounds like the "narrow" interpretation. But then clause 7 contains the word "includes", which leaves open the wide one. Whatever happened to clarity of law :(
Best wishes
Andrew
--
Andrew Cormack
Chief Regulatory Adviser
T 01235 822302
Skype ancormack
Twitter @Janet_LegReg
Blog https://community.ja.net/blogs/regulatory-developments
orcid.org/0000-0002-8448-2881
Lumen House, Library Avenue, Harwell Oxford, Didcot, OX11 0SG
jisc.ac.uk
> -----Original Message-----
> From: Jon Baines [mailto:[log in to unmask]]
> Sent: 10 November 2017 14:31
> To: Andrew Cormack <[log in to unmask]>
> Cc: [log in to unmask]
> Subject: Re: [data-protection] Universities and the Public Interest
>
> I've written a piece for a journal (not yet published), during the drafting of
> which I vacillated several times. I think (partly as a result of having noted
> what Stephen notes - the phrase "includes, but is not limited to" in the Bill) I
> now tend more towards the expansive reading of 6(1)(e) and restrictive (i.e.
> exclusionary) reading of 6(1)(f). Ultimately, I think these arguments may
> have to be either litigated and/or subject to determinative regulatory action.
> It's not very satisfactory!
>
> Jon Baines,
> Chair,
> nadpo.co.uk <http://nadpo.co.uk>
>
> On 10 Nov 2017, at 14:08, Andrew Cormack <[log in to unmask]
> <mailto:[log in to unmask]> > wrote:
>
>
>
> Stephen
>
> I agree that your “wide” and “narrow” interpretations are both
> possible. And, as you say, 6(1)(e) is *extremely* wide if we go that way. No
> need to consider individuals’ rights and freedoms under that justification,
> either.
>
>
>
> Hence, as a data controller, I find it ironic that the ICO is apparently
> arguing in that direction. And, as a data subject of many public authorities,
> deeply concerning :(
>
>
>
> Andrew
>
>
>
>
> From: This list is for those interested in Data Protection issues
> [mailto:[log in to unmask]] On Behalf Of Stephen Williams
> Sent: 10 November 2017 12:01
> To: [log in to unmask] <mailto:data-
> [log in to unmask]>
> Subject: Re: Universities and the Public Interest
>
>
>
> Andrew references the discussion by the Article 29 Working Party in
> their Opinion 06/2014 on legitimate interests of two possible interpretations
> of the rule that public authorities should not be able to rely on the legitimate
> interest ground for processing at Article 6(1)(f). One is the interpretation that
> Andrew elaborates where both ‘public authority’ and ‘task’ are interpreted
> narrowly, leaving ground (f) processing available for most of the bodies'
> activities. The alternative is a wide interpretation that means that processing
> by designated public authorities is confined to grounds 6 a) to e). So what is
> the scope for processing under 6(1)(e)? In fact, on further examination the
> scope of Article 6(1)(e) appears to be very wide. As a minimum it appears to
> require only that the public task or the official authority should be based on,
> or derived from, a legal provision and its application should be foreseeable to
> persons subject to it; that it should meet an objective of public interest and
> be proportionate and necessary to the legitimate aim pursued. The
> provisions about Member states determining the purposes of the processing
> can be read as simply clarifying that such public interest purposes are
> derogated. This wide interpretation is consistent with the approach taken in
> the Bill at section 7 where type (e) processing includes but is not limited to
> the purposes listed. Article 6(1)(e) read in this way would cover most public
> authority processing, but Article 6(1)(e) is also wide enough to legitimise
> necessary ancillary processing, at least in terms of purpose if the relevant
> recitals (see below) are interpreted in the way the Working Party has
> suggested is possible. Such a purposive interpretation of the relevant
> provisions of GDPR is also consistent with how UK statutory powers are
> interpreted. Could not the same logic be applied to non-PECR direct
> marketing in appropriate circumstances? Given the way EU legislative
> instruments are written either option requires an element of interpretation.
> However, it can be argued a wide interpretation sits more consistently with
> the prohibition on public authorities processing under ground 6(1)(f). But
> further flexibility is available through the mechanism that allows member
> states to designate which bodies are ‘public authorities’ for the purposes of
> GDPR. This could be achieved in the Bill by a schedule differentiating
> between ‘all function’ and ‘hybrid’ authorities, with perhaps a more detailed
> breakdown of any exclusions to follow in delegated legislation. A Table
> setting out what appear to be some of the relevant precepts and their
> sources is attached.
>
>
> ________________________________
>
>
> All archives of messages are stored permanently and are available to
> the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
>
> Selected commands (the command has been filled in below in the
> body of the email if you are receiving emails in HTML format):
>
> * Leaving this list: send leave data-protection to
> [log in to unmask]
> <mailto:[log in to unmask]&BODY=LEAVE%20data-protection>
> * Suspending emails from all JISCMail lists: send SET * NOMAIL
> to [log in to unmask]
> <mailto:[log in to unmask]&BODY=SET%20*%20NOMAIL>
> * To receive emails from this list in text format: send SET data-
> protection NOHTML to [log in to unmask]
> <mailto:[log in to unmask]&BODY=SET%20data-protection%20NOHTML>
> * To receive emails from this list in HTML format: send SET
> data-protection HTML to [log in to unmask]
> <mailto:[log in to unmask]&BODY=SET%20data-protection%20HTML>
>
> All user commands can be found at
> https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html and
> are sent in the body of an otherwise blank email to [log in to unmask]
> <mailto:[log in to unmask]>
>
> Any queries about sending or receiving messages please send to the
> list owner [log in to unmask] <mailto:data-protection-
> [log in to unmask]>
>
> (Please send all commands to [log in to unmask]
> <mailto:[log in to unmask]> not the list or the moderators, and all
> requests for technical help to [log in to unmask]
> <mailto:[log in to unmask]> , the general office helpline)
>
>
> ________________________________