Legal basis for processing
The exercise of public functions
At a glance
- You can rely on this legal basis if you need to process personal data:
- ‘in the exercise of official authority’. This covers public functions and powers that are set out in Act; or
- to perform a specific task in the public interest that is set out in the Act.
- It is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest.
- You do not need a specific statutory power to process personal data, but your underlying task, function or power must have a clear basis in the Act.
- The processing must be necessary. If you could reasonably perform your tasks or exercise your powers in a less intrusive way, this lawful basis does not apply.
- Document your decision to rely on this basis to help you demonstrate compliance if required. You should be able to specify the relevant task, function or power, and identify its statutory or common law basis.
In brief
- What does the DPA say?
- What is the “public functions” condition for processing?
- What does “public function” mean?
- Who can rely on the public function basis?
- What else should you consider?
What does the DPA say?
Paragraph 5 of the DPA says:
Processing necessary for exercise of public functions
- The processing is necessary for –
(a) the administration of justice;
(b) the exercise of any functions conferred on any person by or under
any enactment;
(c) the exercise of any functions of the Crown or any public
authority; or
(d) the exercise of any other functions of a public nature exercised in
the public interest by any person.
What is the “public functions” condition for processing?
This condition applies to processing necessary for:
- the administration of justice;
- any functions conferred on any person by law;
- the exercise of any functions of the Crown or any public authority;
but also:
- any functions of a public nature exercised in the public interest, even by a person who is not a public authority.
This is not intended as an exhaustive list. If you have other official non-statutory functions or public interest tasks you can still rely on the public function basis, as long as the underlying legal basis for that function or task is clear and foreseeable.
For accountability purposes, you should be able to specify the relevant task, function or power, and identify its basis in common law or statute. You should also ensure that you can demonstrate there is no other reasonable and less intrusive means to achieve your purpose.
If you can show you are exercising official authority, including use of discretionary powers, there is no additional public interest test. However, you must be able to demonstrate that the processing is “necessary” for that purpose.
“Necessary” means that the processing must be a targeted and proportionate way of achieving your purpose. This basis for processing does not apply if there is another reasonable and less intrusive way to achieve the same result.
Your focus should be on demonstrating either that you are carrying out a “public function” in the public interest, or that you are exercising official authority.
What does “public function” mean?
The following factors can help determine whether a function is a public function:
(a) the extent to which the state has assumed responsibility for the function in question;
(b) the role and responsibility of the state in relation to the subject matter in question;
(c) the nature and extent of the public interest in the function in question;
(d) the nature and extent of any statutory power or duty in relation to the function in question;
(e) the extent to which the state, directly or indirectly, regulates, supervises or inspects the performance of the function in question;
(f) the extent to which the state makes payment for the function in question;
(g) whether the function involves or may involve the use of statutory coercive powers;
(h) the extent of the risk that improper performance of the function might violate an individual's human rights as set out in the Cayman Islands’ Bill of Rights in the Cayman Islands’ Constitution.
You do not need specific legal authority for the particular processing activity. The point is that your overall purpose must be to perform a public interest task or exercise official authority.
Who can rely on the public function basis?
Any data controller who is exercising official authority or carrying out a specific task in the public interest. The focus is on the nature of the function, not the nature of the organisation.
However, if you are a private sector organisation, you may consider the legitimate interests basis for processing as an alternative.
See the main legal basis page of this guide for more on how to choose the most appropriate basis.
What else should you consider?
You should consider an alternative legal condition for processing if you are not confident that processing is necessary for a relevant task, function or power.
If you are a public authority (as defined in the DPA), your ability to rely on consent or legitimate interests as an alternative basis is more limited, but they may be available in some circumstances. In particular, legitimate interests is still available for processing which falls outside your tasks as a public authority. Other legal bases may also be relevant.
Remember that the DPA requires that further processing for other purposes should be compatible with your original purpose. This means that if you originally processed the personal data for a relevant task or function, you do not need a separate lawful basis for any further processing for:
- archiving purposes in the public interest;
- scientific research purposes; or
- statistical purposes.
If you are processing sensitive personal data, you also need to identify an additional condition for processing this type of data in Schedule 3 of the DPA. Read the sensitive personal data page of this guide for our latest guidance on these provisions.
To help you meet your accountability and transparency obligations, remember to:
- document your decision that the processing is necessary for you to perform a task in the public interest or exercise your official authority;
- identify the relevant task or authority and its basis in common law or statute (where applicable); and
- include basic information about your purposes in your privacy notice. It is best practice also to include the applicable legal conditions for processing.
Relevant provisions
Data Protection Act (2021 Revision)
Schedule 2, paragraph 5: Legal conditions for processing