Skip to main content
Hafan

Public task disclosure request condition

Contents

At a glance

  • This condition is limited in scope and it only applies to data sharing with organisations who have public tasks or official functions in UK law.
  • It may be appropriate to use this condition if you want to voluntarily share personal information with another organisation. For example, a public authority has asked you for it because having this information is necessary for their public tasks or functions.

In detail

What is the public task disclosure request condition?

Sometimes you might be asked to share personal information you hold with a public authority, or another organisation that carries out tasks in the public interest or has official functions. 

In some circumstances, you are required to share this personal information and it is obvious that it’s lawful for you to do so. For example, if the other organisation has a legal power to get the information from you. 

In other cases, the public authority or organisation may tell you it needs the personal information from you for its public tasks or official functions. In these circumstances, you’re being asked to share the information on a voluntary basis. 

In order to share the personal information, you must have a lawful basis. One of the recognised legitimate interest conditions covers sharing personal information when another organisation needs it for their public task or function. We call this the ‘public task disclosure request’ condition (although this is not a term used in the UK GDPR itself). This condition recognises the need to facilitate data sharing with those organisations that need the personal information for their public tasks and official functions.  

Annex 1 of the UK GDPR says:

“1. This condition is met where—

(a) The processing is necessary for the purpose of making a disclosure of personal data to another person in response to a request from the other person, and 

(b) The request states that the other person needs the personal data for the purposes of carrying out processing described in Article 6(1)(e) that has a legal basis that satisfies Article 6(3).” 

Article 6(1)(e) of UK GDPR refers to the public task lawful basis. Article 6(3) requires that the relevant task or authority (ie the public task) of the organisation making the request must be laid down by UK law (this includes laws made by a devolved Parliament or Assembly).

Further reading – ICO guidance

If you are a public authority wanting to make a public task disclosure request, see Recognised legitimate interest – requesting personal information for your public tasks or official functions (draft guidance available for consultation).

When is the public task disclosure request condition likely to be appropriate?

The public task disclosure request condition only applies if all its requirements are met. These are:

  • another organisation asks you to share or disclose personal information; 
  • that organisation states in their request they need the particular information for their public tasks or official functions which are laid down in the law; and
  • your disclosure of the personal information is necessary to respond to their request.

It’s most likely to be a public authority that makes a public task disclosure request to you, such as a government department, local authority or a police force. Sometimes it might be an organisation that’s not a public authority but can point to their official authority or tasks in the public interest and where in law this is laid down.

If the requester has statutory information-gathering powers that legally oblige you to share personal information, we expect them to use these rather than make a public task disclosure request. In that case, your lawful basis is likely to be legal obligation.

Subject to meeting the requirements above, you can rely on recognised legitimate interest as your lawful basis for sharing personal information with another organisation. But relying on it doesn’t exempt you from complying with your other duties under data protection law. You must still meet all your other obligations. For example, if you want to share personal information for a different purpose to the one you originally collected it for, you must also comply with the UK GDPR’s purpose limitation requirements. (For more information, see What else do we need to consider?.) 

Further reading – ICO guidance

What does a valid public task disclosure request look like?

The organisation must tell you that it needs the personal information in connection with a public task or other power given to it by UK law. The UK GDPR doesn’t require the organisation to tell you what their public tasks are or what law these tasks relate to. But depending on the circumstances, the organisation may decide to give you further details in order to help you understand why they are asking for the personal information.

To ensure their public task disclosure request is valid, the requesting organisation should:

  • Put it in writing (eg by email or post)
    The UK GDPR doesn’t specify the form of the request. But both you and the organisation making the request must be accountable and be able to demonstrate compliance with the law. As part of this, you should both have an effective audit trail of your data sharing activities. Remember, you must include details of any disclosures of personal information in your record of processing activities. If a requesting organisation makes a verbal request to you, you should tell them to put it in writing. 
  • Specify what personal information it seeks
    Requesting organisations should explain what personal information they seek from you. If their request isn’t clear enough for you to identify the personal information in scope, you should ask them to provide more details.  

You must ensure that personal information is processed securely with appropriate measures in place. This includes when you are considering whether to share personal information with other organisations. To help ensure security, you should make further checks with the requesting organisation if you’re not sure about the authenticity of the request or the authority of the organisation’s employee to act on its behalf. 

Remember, this recognised legitimate interest condition is only about sharing personal information between you and the requesting organisation. So if the request asks you to do something else, this condition won’t be appropriate for those other activities (eg to delete or alter personal information). If you’re asked to do anything else with the personal information, you must ensure that doing so complies with data protection law. This includes having a valid lawful basis and using it in a fair and transparent way. 

Further reading – ICO guidance

How do we decide what’s necessary for this condition?

The necessity test for this condition is different from the other conditions. For public task disclosure requests, it’s about what processing is necessary for you to share the personal information that the other organisation requests. 

The UK GDPR says the requesting organisation must tell you that it needs this personal information for a specified public task or another power in law. This means you can rely on that declaration. You don’t need to know or be able to demonstrate the information they request is actually necessary to perform their task or function.

When deciding what information to share with the requester, you must consider whether the information you want to disclose is proportionate and is actually necessary to meet the organisation’s request.

Example

A public authority writes to a company and asks for confirmation about whether their employee was in work on certain days. The public authority makes clear they need this information for their particular public task which they have outlined, along with the law it derives from. 

The company satisfies the necessity part of this condition by sharing the clocking in and out records of this employee for the requested days. 

However, if instead, the company shares the clocking in and out records for that employee for the whole year or the clocking in and out records for all employees on those days, then the disclosure would not be necessary. This is because the company would be sharing personal information that is not covered by the request.

This links to the UK GDPR principle of data minimisation. You must share only the minimum amount of personal information that is needed to answer the request. If you share more information than is necessary to do this, you are likely to breach the data minimisation principle. 

Example

An organisation with tasks in the public interest makes a public task disclosure request to a company. The company finds that the personal information requested is contained within documents that also contain information about people who are not covered by the request. 

The company ensures it only selects the personal information that is necessary to share in order to respond to the organisation. It does this by taking a data minimisation approach and extracts the relevant personal information.

In some cases you may decide to satisfy the request without disclosing any personal information (eg there may be situations where you feel that anonymous information would be sufficient). 

Further reading – ICO guidance

Can we decide not to share the personal information requested?

It’s your choice whether to share the personal information that the public task disclosure request asks for. The UK GDPR doesn’t say you have to share. 

Recognised legitimate interest is a lawful basis you can choose to rely on if you’re satisfied that one of its conditions applies. It doesn’t give the requesting organisation a right of access to personal information. 

The UK GDPR doesn’t require you to provide a justification if you decide not to share the personal information with the other organisation. But you may wish to let them know you don’t want to share.

We understand it may be difficult to say no to a request, particularly if there seems to be a power imbalance between you and the requesting organisation. We have produced separate guidance for those organisations likely to make these requests to help them understand this lawful basis and to make responsible requests. 

Further reading – ICO guidance