In this special edition newsletter, sent in addition to our normal monthly update, we are covering the recent proposed changes to the Data Protection Act 2018 (DPA).
On 23rd June 2022, the government published its response to consultation on its proposals to reform UK data protection laws, ‘Data: a new direction – government response to consultation’.
The government intends to amend the Data Protection Act 2018 (DPA), the Privacy and Electronic Communications Regulations (PECR) and the roles and structure of the Information Commissioner’s Office through a ‘Data Reform Bill’. It has stated that the aim of these amendments is to strengthen UK data protection standards while reducing the burden on businesses, and to modernise the ICO. The published response to consultation describes amendments to legislation that the government intends to bring forward, but also describes some proposed changes that will not be subject to legislation, such as codes of practice.
The proposed amendments come with some risks, however, and some proposals are a little vague. While some will welcome some of the changes, it remains to be seen whether the EU and others will consider that they continue to give adequate protections to their citizens. An EU decision to reverse the data adequacy agreement put in place post-Brexit following adoption of ‘UK GDPR’ would be disruptive to businesses that transfer personal data to or from the EU, or that process data of citizens of EU member states.
A summary of the proposals follows below. The consultation was broken down into five chapters. Key proposals arising from that consultation are listed below by chapter.
Chapter 1 – Reducing barriers to responsible innovation
Scientific Research
Under current regulations, data subjects are required to give their consent for use of their data separately for individual studies. The Bill proposes allowing researchers to obtain consent under broader definitions, e.g. consent could be sought for general research into the prevention and cure of types of disease, rather than for a specific disease.
Legitimate interests
The Bill proposes to alter the process through which organisations could declare a legitimate interest as a justification for data processing. This change will initially be limited to a few clearly defined processing activities, including prevention of crime and other public interest reasons.
AI and Machine learning
The Bill proposes altering the current restrictions on automated decision making to allow greater use of AI-powered decision making. The need for ‘fairness’ and mitigation of bias in that decision making is stressed. The challenges of determining what is ‘fair’ and of mitigating bias are recognised, however. In the latter case, enabling the processing of sensitive information for the purpose of ‘monitoring and correcting bias in AI systems’ is proposed as a new condition under the Bill.
Anonymisation of data
The Bill proposes clarification of what data can be considered anonymous and therefore not subject to data protection regulations. It proposes a relative test, taking into account the means and technology available to a data controller or processor at the time of processing, and technological developments through which they might be able to determine the identity of an individual from data.
Innovative data sharing solutions
The Bill proposes roles for ‘data intermediaries’ to facilitate sharing of personal information. In one scenario, this might allow intermediaries to facilitate Subject Access Requests through Smart Data Schemes. In another scenario, it appears to suggest that intermediaries could be ‘gatekeepers’ managing access to personal data by multiple organisations.
Chapter 2: Reducing burdens on businesses and delivering better outcomes for people
Reform of the accountability framework
The Bill proposes to reduce the burden on organisations of demonstrating compliance with data protection legislation.
Proposals include:
introducing a flexible accountability framework, underpinned by ‘privacy management programmes’ that would reflect the level of processing activities and the volume and sensitivity of data handled by the organisation. The proposal suggests elements of the framework that are similar to the clauses of the various ISO Management System standards. A privacy management programme will be required to .
replacing the requirement for organisations to appoint data protection officers with a requirement to appoint a suitable senior individual. The proposal isn’t explicit as to whether every organisation would need to appoint a senior individual. Under the current UK GDPR, organisations only require a Data Protection Officer under certain circumstances.
replacing the requirement for Data Protection Impact Assessments (DPIAs) with a requirement to implement risk management tools that. The proposal suggests that compliance risk assessments already conducted by organisations may achieve the same outcomes as DPIAs and that those risk assessments are more tailored to the organisation’s processing activities, so removing the requirement for DPIAs would avoid duplication.
replacing the requirement to maintain records of processing activities with a flexible record keeping requirement. Organisations will still need to keep personal data inventories as part of their privacy management programme, but in a less prescriptive way.
replacing the current requirement to consult with the ICO where an organisation identifies a data processing activity which poses a high risk that cannot be mitigated. The Bill proposes that consulting with the ICO would become voluntary.
Subject access requests
The Bill proposes reducing the burden of Subject Access Requests by allowing organisations to refuse, or levy a fee for, requests that are ‘vexatious or excessive’. While this is just a change of wording, it will allow organisations to refuse more requests than under the current definition.
Website cookies and similar technologies
The Bill proposes amending the requirements for obtaining ‘user consent’ for cookies to reduce the number of pop-up consent boxes on websites. Users will still be able to decline cookies, but the proposal suggests this could be achieved through the user configuring global settings in their internet browser rather than site by site. This will require some technical development, and the Bill proposes allowing certain ‘non-intrusive’ cookies to be placed on a device without the user’s consent in the meantime.
Direct marketing
Current direct marketing rules permit a ‘soft opt-in’, allowing some marketing by businesses to previous customers unless they have specifically opted out of such communications. The Bill proposes extending the soft opt-in to non-commercial organisations.
Nuisance callers
The Bill proposes giving the ICO greater powers to address nuisance calls generated by rogue direct-marketing firms. The Bill proposes increasing fines for nuisance calls, texts and other serious data breaches that are prosecuted under the Privacy and Electronic Communications Regulations (PECR). Fines would be aligned with current UK GDPR penalties (up to four per cent of global turnover or £17.5 million, whichever is greater) and would take into account the volume of calls generated, rather than the current measure of calls connected. It also proposes introducing a ‘duty to report’ on communications providers to inform the ICO of suspicious levels of traffic on their network.
Chapter 3: Boosting trade and reducing barriers to data flows
The proposal states that the government wants to remove barriers to cross-border data flows and pursue a number of adequacy assessments to permit transfer to and from a number of geographical areas. Future adequacy tests would follow a framework based on risk assessment. Tests would retain broad requirements to protect individuals’ data, but the proposal would also permit the Secretary of State for Digital, Culture, Media, and Sport to consider UK government strategy in adequacy decision-making. The proposal would remove the current requirement to review adequacy decisions every four years in favour of ongoing monitoring.
Chapter 4: Delivering better public services
The proposal includes propositions to address interoperability issues, legal and cultural barriers, inconsistent capabilities, and financial issues that it feels restrict collaboration between the public and private sectors.
The proposal would introduce legislation to clarify lawful grounds for private organisations processing data for public bodies.
The government would push forward an ‘Algorithmic Transparency Standard’ to give more information about algorithms that are used for public sector decision-making. Recognising the concerns around police processing of biometric data, the government will work with policing authorities to promote best practice including codes of conduct.
Chapter 5: Reform of the Information Commissioner’s Office
The Bill proposes changing the governance structure of the ICO from its current ‘corporation sole’ model to a governance model with a chair, chief executive, and board. The Chair would be appointed in the manner in which the Information Commissioner is currently appointed, but the CEO would be appointed by the board.
The ICO would be set objectives and given duties rather than specific tasks. Objectives would define priorities for the ICO’s activities. An overarching objective to uphold data rights and encourage trustworthy and responsible personal data use would be set.
The government is considering rolling the roles currently carried out by the Surveillance Camera Commissioner and the Biometrics Commissioner into the ICO.
The ICO would be required to cooperate and consult with other regulators with regard to competition, innovation, and economic growth.
The ICO would be required to set up a panel of experts in relevant fields when developing statutory guidance and would need to carry out impact assessments before publishing guidance.
The Secretary of State would be required to approve Codes of Practice and statutory guidance produced by the ICO before they are presented to Parliament.
The ICO would be allowed to use its discretion to decide when and how to investigate complaints and would be required not to investigate certain types of complaints including vexatious complaints and complaints where the complainant has not first attempted to resolve the issue with the relevant data controller. Data controllers would be required to consider and respond to data protection complaints lodged with them.
To allow more effective investigation, the ICO would be given power to compel witnesses to attend and answer questions at interview as part of its investigations. Investigations will need to be more transparent.
If you would like to discuss any of the topics we have covered in this newsletter, or would like to know more about how PCML Consultants can help you with your Security, Quality, Environmental, H&S and Business Continuity objectives, then please don’t hesitate to get in touch.