I reckon the solution is clear on the face of the GDPR: the legitimate interests ban only applies "in the performance of their tasks", and recitals are clear that those tasks need to be defined by law. So if you're performing a task that *isn't* defined by law, and you don't have any "special authority", then all six bases should apply as usual. See
https://community.jisc.ac.uk/blogs/regulatory-developments/article/gdprdata-protection-bill-public-authorities-and-legitimate
https://community.jisc.ac.uk/blogs/regulatory-developments/article/european-law-public-authorities
The only "special authority" I've found that's assigned to universities by law is in the area of visa sponsorship. Would be interested to hear if anyone spots others.
Cheers
Andrew
> -----Original Message-----
> From: This list is for those interested in Data Protection issues [mailto:data-
> [log in to unmask]] On Behalf Of Stephen Williams
> Sent: 31 October 2017 14:41
> To: [log in to unmask]
> Subject: Universities and the Public Interest
>
> I have been listening to the debate in the Lords on amendments tabled at
> Committee stage on the Data Protection Bill.
>
> Universities and Colleges may be very interested in the discussion of the
> amendment to clause 6:
>
> “Page 4, line 35, at end insert—
> “( ) A college, school or university is not a public authority or public body for
> the
> purposes of the GDPR.”
>
> The focus of the debate was around enabling colleges etc to use the
> legitimate purposes processing ground as a basis for alumni relations and
> fundraising. The amendment was withdrawn on the basis of the
> Government committing to further discussions, but the Minister did indicate
> the Govt were sympathetic and outlined how such activities might continue.
> See the following extract from Baroness Chisholm’s speech in Hansard:
>
> “Universities are classified as public authorities under the Freedom of
> Information Act, and the Bill extends that classification to data protection.
> We recognise that universities, as complex organisations with many varying
> functions and interests, also carry out other functions that may not count as
> “public tasks” under data protection law. The conundrum raised by the noble
> Baroness has also been raised with the Government by the universities. I
> thank them for their time and help in working with both the Government
> and the Information Commissioner to resolve the problem.
>
> I fully appreciate that the intention of the amendment is to protect our
> schools, colleges and universities by allowing them to continue pursuing their
> interests outside of their public tasks. I reassure noble Lords that neither the
> Bill nor the GDPR puts that at risk. The Information Commissioner’s Office has
> confirmed that it will issue detailed guidance on this matter, including the
> processing of personal data for the purpose of maintaining alumni relations,
> in order to make this clear. Representatives of the higher education sector
> have also indicated to the Information Commissioner’s Office that they may
> wish to develop further sector-level guidance, and the Information
> Commissioner’s Office will assist with that.
>
> However, we are very sympathetic to everything that noble Lords have said
> today. It is important that we should meet again, and I am happy to agree to
> a meeting between myself, my noble friend Lord Ashton and all interested
> Peers so that we can talk about this further, in order that when we come
> back on Report we will have something that perhaps everyone will wish to
> hear. I hope my clarification on this issue is sufficient for now, and that the
> noble Baroness will agree to withdraw her amendment.”
>
> Also of interest is the discussion of amendment 11:
> “Clause 7
> LORD CLEMENT-JONES
> LORD MCNALLY
> Page 5, line 6, leave out “includes” and insert “means”.
>
> Amendment 11, deals with the point raised by Chris Pounder in his earlier
> post about an inclusive as opposed to an exclusive list of public interest
> grounds for processing personal data of the vin ordinaire variety.
>
> In his response to this point the Minister, Lord Ashton of Hyde advised that
> the clause was intended to replicate the condition for processing in the
> current Act at schedule 2 5 (d) namely;
>
> The processing is necessary—"for the exercise of any other functions of a
> public nature exercised in the public interest by any person”.
>
> The reasoning is set out in Hansard:
>
> “In keeping with the approach taken under the 1998 Act, the Government
> have not limited the public interest general processing condition. The list in
> Clause 7 is therefore non-exhaustive. This is intentional, and enables
> organisations which undertake legitimate public interest tasks to continue to
> process general data. Noble Lords may recall that the Government
> committed after Second Reading to update the Explanatory Notes to provide
> reassurance that Clause 7 should be interpreted broadly. Universities,
> museums and many other organisations carrying out important work for the
> benefit of society all rely on this processing condition.”
>
> The question the Government will need to answer is whether such a broad
> brush approach fits with the requirement at Article 6(3) GDPR that
> “3.The basis for the processing referred to in point (c) and (e) of paragraph 1
> shall be laid down by: (a) Union law; or (b) Member State law to which the
> controller is subject.”
>
> The relevant recitals are 10 and 45 which could be clearer.
>
> “10) ………….Regarding the processing of personal data for compliance with a
> legal obligation, for the performance of a task carried out in the public
> interest or in the exercise of official authority vested in the controller,
> Member States should be allowed to maintain or introduce national
> provisions to further specify the application of the rules of this Regulation. In
> conjunction with the general and horizontal law on data protection
> implementing Directive 95/46/EC, Member States have several sector-
> specific laws in areas that need more specific provisions. This Regulation also
> provides a margin of manoeuvre for Member States to specify its rules,
> including for the processing of special categories of personal data (‘sensitive
> data’). To that extent, this Regulation does not exclude Member State law
> that sets out the circumstances for specific processing situations, including
> determining more precisely the conditions under which the processing of
> personal data is lawful.”
>
> “(45) Where processing is carried out in accordance with ………..a task carried
> out in the public interest or in the exercise of official authority, the
> processing should have a basis in Union or Member State law. This Regulation
> does not require a specific law for each individual processing. A law as a basis
> for several processing operations based on a legal obligation to which the
> controller is subject or where processing is necessary for the performance of
> a task carried out in the public interest or in the exercise of an official
> authority may be sufficient. It should also be for Union or Member State law
> to determine the purpose of processing. Furthermore, that law could specify
> the general conditions of this Regulation governing the lawfulness of
> personal data processing, establish specifications for determining the
> controller, the type of personal data which are subject to the processing, the
> data subjects concerned, the entities to which the personal data may be
> disclosed, the purpose limitations, the storage period and other measures to
> ensure lawful and fair processing. It should also be for Union or Member
> State law to determine whether the controller performing a task carried out
> in the public interest or in the exercise of official authority should be a public
> authority or another natural or legal person governed by public law, or,
> where it is in the public interest to do so, including for health purposes such
> as public health and social protection and the management of health care
> services, by private law, such as a professional association.”
>
> However, if the Government’s intention is not to limit the public interest
> processing condition in the way they say one has to ask why the Bill doesn't
> simply replicate the provision at Schedule 2 (5)(d)?
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> ^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at
> https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html
> Any queries about sending or receiving messages please send to the list
> owner
> [log in to unmask]
> Full help Desk - please email [log in to unmask] describing your needs
> To receive these emails in HTML format send the command:
> SET data-protection HTML to [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> ^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
