At a glance
- You can rely on this lawful basis if you need to process personal data:
  - ‘in the exercise of official authority’. This covers public functions and powers that are set out in law; or
  - to perform a specific task in the public interest that is set out in law.
- It is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest.
- You do not need a specific statutory power to process personal data, but your underlying task, function or power must have a clear basis in law.
- The processing must be necessary. If you could reasonably perform your tasks or exercise your powers in a less intrusive way, this lawful basis does not apply.
- Document your decision to rely on this basis to help you demonstrate compliance if required. You should be able to specify the relevant task, function or power, and identify its statutory or common law basis.
- What’s new under the GDPR?
- What is the ‘public task’ basis?
- What does ‘laid down by law’ mean?
- Who can rely on this basis?
- When can we rely on this basis?
- What else should we consider?
What’s new under the GDPR?
The public task basis in Article 6(1)(e) may appear new, but it is similar to the old condition for processing for functions of a public nature in Schedule 2 of the Data Protection Act 1998.
One key difference is that the GDPR says that the relevant task or function must have a clear basis in law.
The GDPR is also clear that public authorities can no longer rely on legitimate interests for processing carried out in performance of their tasks. In the past, some of this type of processing may have been done on the basis of legitimate interests. If you are a public authority, this means you may now need to consider the public task basis for more of your processing.
The GDPR also brings in new accountability requirements. You should document your lawful basis so that you can demonstrate that it applies. In particular, you should be able to identify a clear basis in either statute or common law for the relevant task, function or power for which you are using the personal data.
You must also update your privacy notice to include your lawful basis, and communicate this to individuals.
What is the ‘public task’ basis?
Article 6(1)(e) gives you a lawful basis for processing where:
“processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”
This can apply if you are either:
- carrying out a specific task in the public interest which is laid down by law; or
- exercising official authority (for example, a public body’s tasks, functions, duties or powers) which is laid down by law.
If you can show you are exercising official authority, including use of discretionary powers, there is no additional public interest test. However, you must be able to demonstrate that the processing is ‘necessary’ for that purpose.
‘Necessary’ means that the processing must be a targeted and proportionate way of achieving your purpose. You do not have a lawful basis for processing if there is another reasonable and less intrusive way to achieve the same result.
In this guide we use the term ‘public task’ to help describe and label this lawful basis. However, this is not a term used in the GDPR itself. Your focus should be on demonstrating either that you are carrying out a task in the public interest, or that you are exercising official authority.
In particular, there is no direct link to the concept of ‘public task’ in the Re-use of Public Sector Information Regulations 2015 (RPSI). There is some overlap, as a public sector body’s core role and functions for RPSI purposes may be a useful starting point in demonstrating official authority for these purposes. However, you shouldn’t assume that it is an identical test. See our Guide to RPSI for more on public task in the context of RPSI.
What does ‘laid down by law’ mean?
Article 6(3) requires that the relevant task or authority must be laid down by domestic or EU law. This will most often be a statutory function. However, Recital 41 clarifies that this does not have to be an explicit statutory provision, as long as the application of the law is clear and foreseeable. This means that it includes clear common law tasks, functions or powers as well as those set out in statute or statutory guidance.
You do not need specific legal authority for the particular processing activity. The point is that your overall purpose must be to perform a public interest task or exercise official authority, and that overall task or authority has a sufficiently clear basis in law.
Who can rely on this basis?
Any organisation that is exercising official authority or carrying out a specific task in the public interest. The focus is on the nature of the function, not the nature of the organisation.
Private water companies are likely to be able to rely on the public task basis even if they do not fall within the definition of a public authority in the Data Protection Bill. This is because they are considered to be carrying out functions of public administration and they exercise special legal powers to carry out utility services in the public interest. See our guidance on Public authorities under the EIR for more details.
However, if you are a private sector organisation you are likely to be able to consider the legitimate interests basis as an alternative.
See the main lawful basis page of this guide for more on how to choose the most appropriate basis.
When can we rely on this basis?
The Data Protection Bill includes a draft clause clarifying that the public task basis will cover processing necessary for:
- the administration of justice;
- parliamentary functions;
- statutory functions; or
- governmental functions.
However, this is not intended as an exhaustive list. If you have other official non-statutory functions or public interest tasks you can still rely on the public task basis, as long as the underlying legal basis for that function or task is clear and foreseeable.
For accountability purposes, you should be able to specify the relevant task, function or power, and identify its basis in common law or statute. You should also ensure that you can demonstrate there is no other reasonable and less intrusive means to achieve your purpose.
What else should we consider?
Individuals’ rights to erasure and data portability do not apply if you are processing on the basis of public task. However, individuals do have a right to object. See our guidance on individual rights for more information.
You should consider an alternative lawful basis if you are not confident that processing is necessary for a relevant task, function or power which is clearly set out in law.
If you are a public authority (as defined in the Data Protection Bill), your ability to rely on consent or legitimate interests as an alternative basis is more limited, but they may be available in some circumstances. In particular, legitimate interests is still available for processing which falls outside your tasks as a public authority. Other lawful bases may also be relevant. See our guidance on the other lawful bases for more information. We will publish more guidance on the definition of a public authority when the relevant Bill provisions are finalised.
Remember that the GDPR specifically says that further processing for certain purposes should be considered to be compatible with your original purpose. This means that if you originally processed the personal data for a relevant task or function, you do not need a separate lawful basis for any further processing for:
- archiving purposes in the public interest;
- scientific research purposes; or
- statistical purposes.
If you are processing special category data, you also need to identify an additional condition for processing this type of data. Read our guidance on special category data for more information. The Data Protection Bill includes specific draft conditions for parliamentary, statutory or governmental functions in the substantial public interest – more guidance on this and other conditions will follow when the Bill is finalised.
To help you meet your accountability and transparency obligations, remember to:
- document your decision that the processing is necessary for you to perform a task in the public interest or exercise your official authority;
- identify the relevant task or authority and its basis in common law or statute; and
- include basic information about your purposes and lawful basis in your privacy notice.