Last updated: 
3 weeks 2 days ago
Blog Manager
One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Group administrators:

GDPR/Data Protection Bill: public authorities and legitimate interests

Friday, December 8, 2017 - 10:10

[Update: a Government amendment to Clause 6 of the Bill appears to confirm that this is their intended interpretation :)]

The new Data Protection Bill seems to bring clarity to the question of which legal bases will be available to educational institutions under the General Data Protection Regulation:

  • Clause 6(1) of the Bill states that (subject to modification by the Secretary of State) organisations that are classed as public authorities under the Freedom of Information or Freedom of Information (Scotland) Acts will also be "public authorities" for the purposes of the GDPR;
  • Under Article 6(1) of the GDPR, those public authorities are not permitted to use the legitimate interests basis "in the performance of their tasks";
  • Instead, by Recital 47, those tasks and their legal basis should be "provide[d] by law";
  • And, by Clause 7(c) of the Bill, where a task is "conferred on a person by an enactment", the legal basis is that it is necessary in the public interest.

Where an educational institution is performing a task that is specified by law, therefore, the correct legal basis is that it is "necessary in the public interest" (Article 6(1)(e)). Where it is performing a task that is not specified by law (for example protecting the security of networks and systems, as in GDPR Recital 49), then all the other legal bases, including "necessary in the legitimate interests [of the organisation]" are available, subject to their usual GDPR conditions.

As we noted in our submission to the Information Commissioner, "necessary in a public interest" provides less protection for data subjects - since it does not require their interests to be considered - so from the individual's perspective the use of this justification should be limited. Indeed, the Article 29 Working Party appear to have identified this issue back in 2014.


Hi Andrew, I've just been reading your article on legitimate interests. I'm wondering how this will be applicable to sharing with the student union, do you have any advice on this please? Many thanks


As far as I can see, it means you still have the same options as at present. Since that sharing isn't (as far as I know) something that's covered by a specific law with its own processing rules, it's not one of your "tasks" so the GDPR's ban on Legitimate Interest and doubt about Consent don't apply.

Note that David Erdos has pointed me at the case where the ECJ seems to have come up with its idea of a "public authority" working forward from the Treaty - as in today's post, fortunately their concept seems to be the same as I'd come to by working backward from the use of the concept in the GDPR :-)