Public task disclosure response compatibility condition
In detail
- What is the public task disclosure response compatibility condition?
- When is the public task disclosure response compatibility condition likely to be appropriate?
- What does a valid request for personal information needed for tasks or functions look like?
- How do we decide what’s necessary for this compatibility condition?
- If it’s compatible, do we have to share the requested information?
- What is our lawful basis?
What is the public task disclosure response compatibility condition?
You may be asked to share personal information you hold with:
- a public authority; or
- another organisation that carries out tasks in the public interest or has official functions.
When you originally collected personal information, you may not have expected to be asked to share it with a public authority. In this case, sharing the information with that other organisation is for a new purpose.
In some cases, you are required to share this personal information because the other organisation has a legal power to get it from you. Such cases are usually obvious. For reusing personal information in this way, see the Legal obligations compatibility condition.
In other cases, a public authority or organisation may tell you it needs the personal information from you for its public tasks or official functions. In these circumstances, you’re being asked to share the personal information on a voluntary basis. Data protection law allows you to reuse personal information for this purpose.
Annex 2 says:
“Disclosure for purposes of processing described in Article 6(1)(e)
1.This condition is met where—
(a) the processing—
(i) is necessary for the purposes of making a disclosure of personal data to another person in response to a request from the other person, and
(ii) is not carried out by a public authority in the performance of its tasks, and
(b) the request states that the other person needs the personal data for the purposes of carrying out processing that—
(i) is described in Article 6(1)(e),
(ii) has a legal basis that satisfies Article 6(3), and
(iii) is necessary to safeguard an objective listed in Article 23(1)(c) to (j).”
We call this the ‘public task disclosure response compatibility condition’ (although this term is not used in the legislation itself). It recognises the need to allow sharing personal information with organisations that need it for their public tasks and official functions. Reusing personal information to achieve this is compatible with your original purpose, but you must meet the requirements of this condition.
Article 6(1)(e) of the UK GDPR refers to the public task lawful basis. Article 6(3) requires that the organisation making the request must have the relevant task or authority (ie the public task) laid down by UK law (this includes laws made by a devolved Parliament or Assembly).
The requester must also need the information because it’s necessary to safeguard a public interest objective listed in article 23(1)(c) to (j). This covers issues such as safeguarding public security and the financial and economic interests of the UK.
However, you cannot use this compatibility condition if you are a public authority and you are already using the personal information for your own public tasks.
Further reading – ICO guidance
When is the public task disclosure response compatibility condition likely to be appropriate?
Sharing personal information under the public task disclosure response compatibility condition is only a compatible purpose if all its requirements are met. These requirements are that:
- another organisation asks you to share or disclose personal information;
- the organisation states in its request that it needs the information for its public tasks or official functions that are laid down in the law;
- the organisation also states that it needs the information because it’s necessary to safeguard a public interest objective;
- your disclosure of the personal information is necessary to respond to the organisation’s request; and
- you’re not a public authority already using the information for your own public tasks.
You’re most likely to receive a request from a public authority to share personal information with it because it needs it for its public task or official functions, such as a:
- government department;
- local authority; or
- local council.
You might also receive such a request from an organisation that’s not a public authority but can point to:
- its official authority or task(s) in the public interest; and
- where in law this is laid down.
What does a valid request for personal information needed for tasks or functions look like?
The organisation making the request must tell you that:
- it needs the personal information in connection with a public task or other power given to it by UK law; and
- the information is necessary to comply with a public interest objective.
The UK GDPR doesn’t require the organisation to tell you:
- what its public tasks are;
- what law these tasks relate to; or
- what the public interest objective is.
But depending on the circumstances, the organisation may decide to give you further details to help you understand why it’s asking for the personal information.
An organisation making a valid request should do the following:
- Put it in writing (eg by email or post).
The UK GDPR doesn’t specify the form of the request. But both you and the requesting organisation must be accountable and be able to demonstrate compliance with the law. As part of this, you should both have an effective audit trail of your data sharing activities. You must include details of any sharing of personal information in your record of processing activities. If an organisation makes a verbal request to you, you should tell it to put the request in writing. - Specify what personal information it is asking for.
A requesting organisation should explain what personal information it is asking you to share. If its request isn’t clear enough for you to identify the personal information required, you should ask it to provide more details.
Example
A public authority has responsibility for regulating a particular profession. Its statutory powers include investigating compliance with professional ethical standards.
The authority asks a select group of organisations to share personal information about their conduct and any complaints received. This information will allow the authority to investigate potential breaches of the ethical standards. The authority states the following in its request:
- that it requires this information to carry out its public task;
- its legal basis set down in law; and
- that it needs this information to support its objective of investigating breaches of ethical standards.
An organisation receiving this request decides whether it needs to provide the personal information to respond to the request. The organisation did not originally collect the requested personal information for the purpose of sharing with a third party. It decides that it can reuse the information for this new purpose of responding to the request from the public authority, and it identifies an appropriate lawful basis. In this case, the organisation decides it can satisfy the recognised legitimate interest condition of public task disclosure response.
Remember, this compatibility condition is only about sharing personal information between you and the requesting organisation. So, if the request asks you to do something else, you can’t rely on this condition to reuse personal information. If you’re asked to do anything else with the personal information, you must ensure that doing so complies with data protection law. This includes ensuring any reuse is compatible and uses the information in a fair and transparent way.
How do we decide what’s necessary for this compatibility condition?
The necessity test for public task disclosure response differs from most of the other conditions in annex 2. For this compatibility condition, it’s about what processing is necessary for you to share the personal information that the other organisation requests.
The UK GDPR says the requesting organisation must tell you that it needs this personal information for:
- a specified public task or another power in law; and
- a public interest objective.
This means you can rely on that declaration. You don’t need to know or be able to demonstrate that the information it requests is necessary for these stated purposes.
However, when deciding what information to share with the requesting organisation, you must share only what is proportionate and necessary to answer the request. Otherwise, this condition doesn’t apply, and the reuse isn’t compatible. This means you’re likely to breach the data minimisation principle.
Further reading – ICO guidance
If it’s compatible, do we have to share the requested information?
This compatibility condition allows you to voluntarily share personal information that you originally collected for a different purpose in response to a valid request for information needed for a public task or official function. It allows you to do so in compliance with the purpose limitation principle. This means it’s your choice whether to share the personal information that request asks for.
Data protection law doesn’t say you have to share the requested information just because it’s compatible to do so. You also don’t need to provide a justification if you decide not to share the information. But you may decide to let the requesting organisation know you don’t want to share the information.
Further reading – ICO guidance
We have produced guidance for public authorities and those with tasks to help them understand how to make these requests. See:
What is our lawful basis?
Remember, if you originally collected the personal information using the consent lawful basis, you must consider whether it is reasonable to ask for consent to disclose it. Depending on the circumstances, asking for consent may not be practical.
In any case, you must satisfy a lawful basis for disclosing personal information in this way. You may decide it’s appropriate to rely on recognised legitimate interest and the condition for public task disclosure response for this specific purpose. This is similarly worded to the annex 2 compatibility condition.