The GDPR (General Data Protection Regulation) outlines six lawful bases for processing personal data.
In this blog, we look at one that’s causing a lot of problems for schools – processing that’s “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.
It’s a lawful basis that schools and other educational institutions should use wherever possible, because it’s more resilient than its most likely alternative, consent.
But what kinds of processing activities meet this criteria?
When does processing in the public interest apply?
Schools can use this lawful basis if they are:
- Carrying out a specific task in the public interest that’s laid down in law; or
- Exercising official authority (such as a public body’s tasks, functions, duties or powers) that’s laid down in law.
The law that will most often apply to schools is the Education Act 1996, which states that children aged 5–16 in England and Wales must receive a full-time education.
Any activities that are necessary to provide that education are therefore likely to fulfil the requirements of processing in the public interest.
Additionally, Recital 41 of the GDPR states that, although the tasks must be laid down in domestic law, they don’t need to be explicitly stated.
In other words, data processing is permitted as long as the application of the law is clear.
The questions schools must ask, therefore, are whether they need to perform this processing activity to run the school effectively. This may include, for example, processing related to pupil registration and achievement records, or for contacting parents and guardians.
To explain this, let’s look at an example where processing in the public interest applies.
Many schools include photographs of pupils in their records to help identify them and make them recognisable to staff.
Photographs are considered personal data, and if they’re used for the purpose described above, there is a valid reason for processing them. It helps teachers and administrators do their job and also protects pupils.
Provided you correctly document that the information is being used to complete a public task, you’re permitted to use photographs in this way.
Things are only complicated if you want to use photographs for other purposes. That’s not necessarily prohibited, but you’ll need to demonstrate a (possibly different) lawful basis for doing so.
You can find more tips on data protection with our free GDPR – Dos and don’ts poster.
It contains simple tips to help your teachers and staff manage the fundamentals of the GDPR, including safe password practices and the responsible use of devices.
When shouldn’t you use public interest?
The GDPR states that any data processing must be necessary to complete that task. If you can perform your tasks or exercise your powers in a less intrusive way, the public interest basis doesn’t apply.
Consider, for example, after-school clubs and other extra-curricular activities. Although they may be beneficial for a pupil’s education, they aren’t essential – and as such, you cannot use the public interest basis.
That doesn’t mean you can’t process the personal information, though. It just means you need to use a different lawful basis, and in this case, legitimate interests may well apply.
Legitimate interest applies when:
- The processing isn’t required by law, but there’s a clear benefit to it;
- There is little risk of the processing infringing on data subjects’ privacy; and
- The data subject should reasonably expect their data to be used in that way.
School fundraisers provide another useful example. Again, they are beneficial to both pupils and the school, and you’ll want to promote the event, but doing so isn’t essential for pupils’ education.
If you are to send parents promotional material, you are essentially performing marketing and must therefore rely on consent.
To take one more example, let’s look at the way schools pay staff. Although this is clearly necessary for the school to function, processing in the public interest isn’t the most appropriate lawful basis.
Instead, you should use the basis of contractual requirements. Doing so connects the data processing you complete to the rights and obligations outlined in the contract of employment, and reduces the amount of documentation you must create.
GDPR compliance made simple
If you’re looking for more help meeting your data protection requirements, GPDR.co.uk is here to help.
Our GDPR for Schools compliance platform contains everything you need to shore up your defences and complete your documentation requirements.
This tool was developed by data protection and cyber security experts with more than 15 years’ data privacy and cyber security experience, and now comes with a free seven-day trial.