I have from time to time been struck by the relatively low profile that the legitimacy conditions have in data protection matters; and thought it worthwhile reflecting on why this is so, at least in relation to processing by the State, where legitimacy has a special resonance.
The purposes for which data are processed by the State are generated by contexts which go deep into the social, political and legal framework, purposes which have, as a result, a deep legitimacy, reflected in the conditions – but not an uncontested legitimacy. Even when the conditions are legitimate for the state to process data there may still be interference with rights. A Secretary of State acting unilaterally under prerogative powers could meet a Schedule 2 condition.
In Directive 95/46/EC, Article 6 requires that data should be collected for a legitimate purpose. Article 7 states the conditions which make the processing legitimate. The correct order is,arguably, the other way around; and this inversion makes it easy to underestimate the significance of the legitimacy conditions. Further difficulties follow because the concept of legitimate purpose is present in the terms of both Article 6 and article 7.
In the DPA there is no reference to legitimacy in the Schedule 2 & 3 conditions, which give effect to Article 7. Typically, following the requirements of the first principle, one finds a schedule condition without having much idea why it is necessary to do so; or considering whether the schedule condition and the second (purpose limitation) principle might or not be identical.
Still, if the processing is legitimate, and if that contains a purpose (which must in some sense be limited), why are further restrictive purpose conditions imposed? This line of thinking can be detected in the Government’s position on information sharing. It was the core of the difference between the Government and the Information Commissioner on the information sharing proposals.
And while the IC said he didn’t challenge the legitimacy of the proposal, only the proportionality of the measures, there was still a sense that the proportionality challenge reflected on the legitimacy of the proposal as well. The application of the purpose limitation principle challenged the legitimacy of a government proposal with the purpose of allowing data sharing for multiple purposes. How much restriction of multiple purposes can be achieved without fundamentally modifying, or wholly undermining, the purpose itself? We must wait and see.
I think this example illustrates how micro data processing by the state is inevitably connected to the macro legitimacy issues, particularly when personal data processing is central rather than ancillary to the purpose; and that this can involve rights, political conflicts and challenges. Yet it is a connection obscured by the Data Protection Act; and underplayed in the Directive.
Does this obscured point in the DPA restrict the functioning of Article 8 rights in relation to processing by the State? At least to the extent that legitimacy issues are approached when there is a proportionality dispute under the terms of the DPA, but never properly articulated as such? So that even if we think a database proposal is intrinsically disproportionate and cannot be modified, and thus not a legitimate purpose, we can’t express this in DPA terms? Or are the legitimacy conditions just wallpaper?