Local Government Lawyer Insight February 2018 LocalGovernmentLawyer 24 Data protection law requires that for personal data to be processed there must be at least one legitimising basis - for instance that the data subject has given consent, or that the processing is necessary for the performance of a task carried out in the public interest, or that processing is necessary for the purposes of the legitimate interests of the data controller (or a third party to whom the data is disclosed) except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject. This last is generally known as the "legitimate interests" condition, and is the one which will usually, for instance, permit a public authority to disclose low-risk personal data under freedom of information (FOI) law. The disclosure of personal data under FOI will, as a matter of course, involve a balancing of the interests of the data subject and of the data controller or the third party or parties to whom the data are disclosed. There has been considerable analysis of the exercise of the relevant existing provision (in Schedule 2 of the Data Protection Act 1998 and Article 7(f) of Directive 95/46/EC) - see in particular the judgment of the Upper Tribunal in Goldsmith International Business School v IC and Home Office (GIA/1643/2014). However, the General Data Protection Regulation (GDPR), made on 27 April 2016 and which will apply directly across the European Union from 25 May 2018, purports to prevent any public authority from relying on the legitimate interests condition: article 6(1) says the condition "shall not apply to processing carried out by public authorities in the performance of their tasks" and recital 47 provides the gloss that this is because "it is for the legislator to provide by law for the legal basis for public authorities to process personal data". This would appear to tie, of course, to long-established concepts surrounding public authority vires, and the general position that such bodies were permitted only to do things that they had specific statutory powers to do. But is the Staying legit In what circumstances will a public authority be able to disclose personal data for Freedom of Information purposes following the introduction of the GDPR? Jon Baines investigates.