One of the important building blocks of data protection compliance is for a data controller to ensure that they have appropriate "grounds" or "conditions" in place for the lawful processing of personal data. One of the grounds/conditions for lawful processing under the existing Data Protection Act 1998 (and the forthcoming General Data Protection Regulation) is the consent of the data subject. However, this is not the only condition for lawful processing of personal data and in many situations consent may not be a suitable condition upon which to rely. One feature of consent is that not only must it be freely provided, it must also be capable of being withdrawn.
The Information Commissioner's Office published its helpful draft consent guidance earlier in the year on 2 March 2017 for consultation. Unfortunately, the final version of the guidance has been delayed. A recent statement published by the ICO confirmed as follows:
"However we will not be able to publish the final version of our guidance until the Article 29 Working Party of European Data Protection Authorities (WP29), of which the ICO is a member, has agreed its Europe-wide consent guidelines. The WP29 consent guidelines are due to be published later in 2017 and the latest timetable is for this to be agreed and adopted in December 2017. In the meantime we intend to publish a summary of the responses to our consultation.”
In our response to the ICO's consultation, we commented on the lack of definition in the GDPR of the term 'public authority'. This is important as the draft consent guidance suggests that:
"Public authorities, employers and other organisations in a position of power are likely to find it more difficult to get valid consent."
There is also a restriction in the GDPR on reliance on another ground of lawful processing where the data controller is a public authority, namely the 'legitimate interests" of the data controller or a third party. It is possible that this may be an issue which is clarified in the proposed new, yet to be published, UK Data Protection Bill.