Public task disclosure response condition
In detail
- What is the public task disclosure response condition?
- When is the public task disclosure response condition likely to be appropriate?
- What does a valid request for personal information needed for tasks or functions look like?
- How do we decide what’s necessary for this condition?
- Can we decide not to share the information requested?
What is the public task disclosure response condition?
Sometimes you might be asked to share personal information you hold with a public authority, or another organisation that carries out tasks in the public interest or has official functions.
In some circumstances, you’re required to share this personal information, for example if the other organisation has a legal power to make you give them the personal information. In these circumstances, it’s obvious that it’s lawful for you to share it as doing so would be necessary for a legal obligation (and legal obligation would be your lawful basis).
Sometimes, there may be no legal obligation, but a public authority or organisation still tells you it needs the personal information from you for its public tasks or official functions. In these circumstances, you’re being asked to share the information on a voluntary basis (this means you won’t be able to use the legal obligation lawful basis).
One of the recognised legitimate interest conditions covers sharing personal information when another organisation needs it for their public task or function. This condition is intended to be used by the organisation that holds the personal information (ie the organisation that is being asked to share). We call this the ‘public task disclosure response’ condition (although this is not a term used in the UK GDPR itself).
Annex 1 of the UK GDPR says:
1. This condition is met where—
(a) The processing is necessary for the purpose of making a disclosure of personal data to another person in response to a request from the other person, and
(b) The request states that the other person needs the personal data for the purposes of carrying out processing described in Article 6(1)(e) that has a legal basis that satisfies Article 6(3).
This condition recognises the need to facilitate data sharing when an organisation needs the personal information for their public tasks and official functions.
Article 6(1)(e) of UK GDPR refers to the public task lawful basis. Article 6(3) requires that the relevant task or authority (ie the public task) of the organisation making the request must be laid down by UK law (this includes laws made by a devolved Parliament or Assembly) or “relevant international law” (as described in the DPA).
If you’re a public authority being asked to voluntarily share personal information with an organisation that needs it for their tasks or functions (such as another public authority), you should check first whether sharing the information is covered by your own public tasks. If it is, you can’t rely on recognised legitimate interest. Instead, public task is likely to be the appropriate lawful basis if you choose to share the information. (For more information, see Can public authorities use recognised legitimate interest?.)
Further reading – ICO guidance
If you’re a public authority wanting to make a request for personal information needed for your tasks or functions, see Recognised legitimate interest – requesting personal information for your public tasks or official functions.
When is the public task disclosure response condition likely to be appropriate?
You can only use the public task disclosure response condition if all its requirements are met. These are:
- another organisation asks you to share or disclose personal information to them;
- that organisation states in their request that they need the particular information for their public tasks or official functions which are laid down in the law; and
- your disclosure of the personal information is necessary to respond to their request.
It’s most likely to be a public authority that requests you share personal information with them because they need it for their public tasks or official functions (eg a government department or local authority). Sometimes the request might come from an organisation that’s not a public authority, but which can point to its official authority or tasks in the public interest and where in law this is laid down.
Subject to meeting the requirements above, you can rely on recognised legitimate interest as your lawful basis for sharing personal information with the organisation that requested it. But relying on it doesn’t exempt you from complying with your other duties under data protection law (or duties of confidentiality where applicable). You must still meet all your other obligations. For example, if you want to share personal information for a different purpose to the one you originally collected it for, you must also comply with the UK GDPR’s purpose limitation requirements. (For more information, see What else do we need to consider?.)
This condition is not appropriate for all requests for personal information from a public authority or another organisation with public tasks or official functions. For example, it’s not appropriate where you’re being told to share personal information with the requester because you’re under a legal obligation to do this.
In some circumstances, a different condition may be more suitable if the information requested is clearly covered by one of the other pre-approved purposes. For example:
- the crime condition is likely to be more appropriate if you get a request from the police to share personal information they need for their criminal investigation;
- the safeguarding condition is more likely to be appropriate if a local authority’s social services team asks you for personal information about a safeguarding issue; or
- the emergencies condition may be more appropriate if you need to share personal information with a public authority that has asked you for it to deal with an emergency situation.
Don’t automatically assume that every data sharing request you get from a public authority or another organisation with public tasks or official functions is intended to fall within the public task disclosure response condition.
What does a valid request for personal information needed for tasks or functions look like?
The organisation must tell you that it needs the personal information in connection with a public task or other power given to it by law. The UK GDPR doesn’t require the organisation to tell you what their public tasks are or what law these tasks relate to. But depending on the circumstances, the organisation may decide to give you further details in order to help you understand why they are asking for the personal information.
To ensure their request is valid, the requesting organisation should:
- Put it in writing (eg by email or post)
The UK GDPR doesn’t specify the form of the request. But both you and the organisation making the request must be accountable and be able to demonstrate compliance with the law. As part of this, you should both have an effective audit trail of your data sharing activities. Remember, you must include details of any disclosures of personal information in your record of processing activities. If a requesting organisation makes a verbal request to you, you should tell them to put it in writing.
- Specify what personal information it seeks
Requesting organisations should explain what personal information they seek from you. If their request isn’t clear enough for you to identify the personal information in scope, you should ask them to provide more details.
If sharing the personal information with the requester is a new purpose, you must comply with the purpose limitation principle as well as having a valid lawful basis. One of the ways you can comply with purpose limitation is to meet a compatibility condition from annex 2 of the UK GDPR. There is a compatibility condition that complements this recognised legitimate interest condition. However, to use this compatibility condition, the requester must also say it needs the personal information because it’s necessary to safeguard an objective listed in article 23(1)(c) to (j) in the UK GDPR (eg safeguarding financial and economic interests of the UK or other important public interest objectives).
You must ensure that personal information is processed securely with appropriate measures in place. This includes when you’re considering whether to share personal information with other organisations. To help ensure security, you should make further checks with the requesting organisation if you’re not sure about the authenticity of the request or the authority of the organisation’s employee to act on its behalf.
Remember, this recognised legitimate interest condition is only about sharing personal information between you and the requesting organisation. So if the request asks you to do something else, this condition won’t be appropriate for those other activities (eg to delete or alter personal information). If you’re asked to do anything else with the personal information, you must ensure that doing so complies with data protection law. This includes having a valid lawful basis and using it in a fair and transparent way.
How do we decide what’s necessary for this condition?
The necessity test for this condition is different from the other conditions. For public task disclosure responses, it’s about what processing is necessary for you to share the personal information that the other organisation requests.
The UK GDPR says the requesting organisation must tell you that it needs this personal information for a specified public task or another power in law. This means you can rely on that declaration. You don’t need to know or be able to demonstrate the information they request is actually necessary to perform their task or function.
When deciding what information to share with the requester, you must consider whether the information you want to disclose is proportionate and is actually necessary to meet the organisation’s request.
Example
A public authority writes to a company and asks for confirmation about whether their employee was at work on certain days. The public authority makes clear they need this information for their particular public task which they have outlined, along with the law it derives from.
The company satisfies the necessity part of this condition by sharing the clocking in and out records of this employee for the requested days.
However, if the company instead shares the clocking in and out records for that employee for the whole year, or the clocking in and out records for all employees on those days, then the disclosure would not be necessary. This is because the company would be sharing personal information that is not covered by the request.
This links to the UK GDPR principle of data minimisation. Whenever you want to use personal information, including for data sharing, you must use the minimum amount of information you need for your purpose. Therefore, you must share only the personal information that is needed to answer the request. If you share more information than is necessary to do this, you’re likely to breach the data minimisation principle.
Example
An organisation with tasks in the public interest makes a request to a company for the personal information it needs for its tasks. The company finds that the personal information requested is contained within documents that also contain information about people who are not covered by the request.
The company ensures it only selects the personal information that is necessary to share in order to respond to the organisation. It does this by taking a data minimisation approach and extracting the relevant personal information.
In some cases, you may decide to satisfy the request without disclosing any personal information (eg there may be situations where you feel that anonymous information would be sufficient).
Can we decide not to share the personal information requested?
It’s your choice whether to share the personal information that the request asks for. The UK GDPR doesn’t say you have to share.
Recognised legitimate interest is a lawful basis you can choose to rely on if you’re satisfied that one of its conditions applies. It doesn’t give the requesting organisation a right of access to personal information.
The UK GDPR doesn’t require you to provide a justification if you decide not to share the personal information with the other organisation. But you may wish to let them know you don’t want to share.
We understand it may be difficult to say no to a request, particularly if there seems to be a power imbalance between you and the requesting organisation. We’ve produced separate guidance for those organisations likely to make these requests to help them understand this lawful basis and to make responsible requests.