The list is likely to disappoint many businesses and other private sector organisations, as it is narrower than was expected following the government consultation that preceded the Bill. Most of the approved purposes are likely to solely or primarily benefit the public sector.
Some organisations may find the inclusion of crime detection, investigation and prevention helpful for fraud prevention activities, but limited processing for such purposes is already fairly easy to carry out without the new provision, and more extensive efforts will still be subject to an assessment of their reasonableness and proportionality. An employer will not, for example, be able to claim that extensive or intrusive surveillance of staff is necessary simply because crime prevention is included in the list of pre-approved processing activities that qualify as a legitimate interest.
The inclusion of processing necessary for “democratic engagement” is notable for being presented with rather more detail than other processing purposes. This entry to the list will allow elected politicians and candidates for office (and individuals working for them) to process personal data of those aged 14 and above (many of whom will not be able to vote for some years) in connection with a vote or election campaign. While there are strong arguments in favour of ensuring that privacy laws do not impede the democratic process, the government is vulnerable to criticism for making it easier for politicians to handle personal data, without giving similar consideration or weight to the arguments of and challenges faced by business, charities and other organisations.
Until the government or the Information Commissioner’s Office produces further guidance setting out how much – or how little – assessment is required to rely on the list of pre-approved legitimate interests processing purposes, it is not clear whether its creation will make any practical difference to most data controllers.
Aside from the need for guidance, it should also be noted that the list is not necessarily exhaustive. The Secretary of State for Digital, Culture, Media & Sport is granted the power to amend or add to it with secondary legislation, so it is possible that further processing purposes will be added in future.
Second time lucky - compatibility with an original purpose
Although Section 5 and Schedule 1 of the Bill seek to make life easier for controllers by creating approved legitimate interest purposes, Section 6(3) creates a new UK GDPR Article 8A which places a new burden on controllers seeking to process personal data for a purpose different to that for which it was originally collected.
The recitals to the UK GDPR state that a new legal basis is not required where secondary processing activities are compatible with the original purpose. However, the DPDI Bill, as drafted, requires the controller to establish a valid legal basis for the new processing unless an exemption applies or the new purpose is automatically deemed compatible. An assessment of compatibility and a new legitimate interest assessment will probably be required. When assessing compatibility, a controller must consider:
- any link between the original purpose and the new purpose;
- the context in which the personal data was collected, including the relationship between the data subject and the controller;
- the nature of the personal data, including whether it is a special category of personal data or relates to criminal convictions and offences;
- the possible consequences of the intended processing for data subjects; and
- the existence of appropriate safeguards (for example, encryption or pseudonymisation).
Just as Schedule 1 creates a default list of legitimate interests purposes, Schedule 2 (which will become Annex 2 to the UK GDPR) contains a list of processing purposes which will automatically be treated as compatible with the original processing purposes. In addition to processing for scientific and historical research, archiving, and statistical purposes, which are already deemed automatically compatible under the UK GDPR, there are a number of additional purposes. The Secretary of State will also have powers to add to or amend the new Annex 2. The new compatible purposes contained in the Bill are:
- processing personal data for the purpose of detecting, investigating, or preventing crime or apprehending offenders
- protecting public security
- responding to emergencies
- safeguarding vulnerable individuals
- disclosures to people carrying out tasks in the public interest
- protecting the vital interests of an individual
- the assessment or collection of tax, and
- compliance with legal obligations.
If the secondary processing is for one of these purposes it will be deemed “compatible” with the original processing, for which the data was first gathered, and the controller will not have to assess its compatibility.
Although the DPDI Bill offers a number of changes to the approach to managing lawful basis, legitimate interests and compatible processing, any significant change in processing activity is likely to attract the attention of a diligent Data Protection Officer or privacy leader within an organisation. Privacy notices will still need updating, as will records of processing (subject to the changes proposed for those) and in many cases risk assessments of some sort will still be essential to determine the necessity of the processing to meet the controller’s purpose (whether original or new but compatible).
Since many controllers will wish to adopt the same practices in the UK and EU, it seems likely that controllers will continue to make thorough legitimate interests assessments even where the purpose falls within a category listed in the new UK GDPR Annex 1. However, controllers will also have to decide whether to adopt a more stringent approach in respect of compatible secondary processing by identifying a legal basis for the processing across the EEA – even though this will only be required in the UK.
Without clear guidance from the government or the ICO around what compliance activities are needed and when they are required, the changes discussed above are likely to add to the confusion experienced by many data controllers, rather than do anything to alleviate the burden on business as the government has sought to do.