Next week, the ICO is holding a meeting to discuss, in detail, the Regulation as published by the European Commission. So, I have decided to publish our comments on the Regulation (see references) and use this blog to provide a summary of the key points.
The comments I make focus on how the Regulation can be improved from the data subject perspective. This is because the initial “Call for Evidence” by the MoJ was more like a “Call for Ammunition”, where the only respondents were supposed to be data controllers. In such circumstances, I think data controllers can look after themselves; it is the data subjects who need a hand.
The comments that I think could interest blog readers relate to the following topics:
- The wider definition of “personal data” should not cause problems for data controllers
- The Regulation excludes confidential personal data already subject to the DPA
- There is need for a prohibition on enforced subject access
- Switch from the right to be forgotten to the right to object to the processing
- The centralization of power by the Commission is unbalanced and unacceptable
The wider definition of “personal data” should not cause problems for data controllers.
That identifying details may be held by another person is not an alien concept for data controllers in the UK; it already exists in section 8(7) of the current DP Act in the context of subject access. (It occurs when a subject access request is made by the data subject and the issue is whether the data controller can release personal data that identifies another individual.)
In this case section 8(7) states that if the “other individual” can be identified by the data subject from the personal data that are released or from the personal data plus “any other information which, in the reasonable belief of the data controller, is likely to be in, or to come into, the possession of the data subject making the request”, then the data controller might redact any information that could identify the other individual.
I therefore conclude that such a change to the definition of personal data, as proposed by the Regulation, is unlikely to present many difficulties for data controllers, as they already do this, albeit in a more limited context. If there were practical problems or difficulties concerning identifying information being held by another person, these would have been aired in the context of subject access.
I am sure that many data controllers will oppose the change in the scope of the data protection regime because it would mean more compliance work; by contrast, data subjects are likely to be in favour of this change because it means more protection.
As there is no evidence of difficulty with the inclusion of identification by another person, this in turn means there is only one question for Government to resolve: “which side is it on?”.
The Regulation excludes confidential personal data already subject to the DPA
The Regulation applies to personal data held in a structured “filing system” (Article 4(4)) and the rights of access (Article 15) are to personal data (e.g. in a structured filing system). Recital 13 of the Regulation confirms that manual personal data that are not in a structured file are not subject to the Regulation.
An Accessible Record under the DPA contains personal data that does not need to possess any structure (section 1, definition of “data”). Thus Accessible Records could well be excluded from the Regulation if they are not held in a structured filing system. This exclusion could be from all Principles and all rights whereas currently such personal data is subject to all principles and all rights in the Act.
Similarly, “Unstructured personal data”, as used in section 9A of the DPA (introduced as a result of FOIA), is subject to the right of access and correction. By implication the Regulation is stating that “Unstructured personal data” can’t be personal data (as they are not in a structured filing system), so it follows that there is no right of access nor correction. The concept of “Unstructured personal data” does not exist in the Regulation.
The Regulation should be changed to maintain the protection of those personal data that are already subject to the UK’s data protection regime.
There is need for a prohibition on enforced subject access
There needs to be a provision that stops enforced subject access in the Regulation. Such provision exists in the Data Protection Act 1998 but has not been commenced; employers, in the UK for instance, can thus gain access to criminal records for employment purposes without the need to bother with the rules or Code of Practice promulgated by the Criminal Records Bureau.
The technique is being used by Legal and General (and possibly others in the insurance industry in relation to health). This undermines the Access to Health Records Act. As the right of access to personal data is to be free under the Regulation, other data controllers could be tempted to misuse a right targeted at protecting the individual.
The UK experience shows that the right can be perverted to protect a data controller’s interest.
Switch from the right to be forgotten to the right to object to the processing
My general view is that the many aspects of the “right to be forgotten” in Article 17 are best dealt with by the “right to object” in Article 19, possibly by an amendment linked to Article 82 if the context is employment.
The switch to the “right to object” has the same effect as the “right to be forgotten” but it avoids any “attack on freedom of expression” criticism, and is more effective as it targets the use of personal data by a data controller within the EU (and not the hosting of the personal data anywhere in the world). This effectiveness is especially important in the context of employment.
For instance, suppose an embarrassing fact about a data subject is posted on a USA web-site, but is used in the UK by an organisation (which by definition has to be by a data controller) to make an employment decision. If the controller is situated in the UK, then even the current Data Protection Act would apply – let alone the Regulation.
Such a data controller under the existing UK Act has to apply three Data Protection Principles (1st, 3rd and 4th). He has to demonstrate that the personal data are relevant to the purpose (e.g. employment purpose), that they are accurate and up to date (e.g. the personal data relate to the actual individual under examination and not someone who happens to have the same name) and ensure that the data subject knows of their use for a specific purpose. The data subject also has the right of access to personal data used to make that decision. The same will go for the Regulation.
Instead of the “right to be forgotten”, I would extend the existing “right to object” to the processing (as is proposed in Article 19 of the Regulation) to apply the “right to object” to those circumstances where the processing is “necessary for an employment contract with the data subject” or with “a view to entering into an employment contract with the data subject” (e.g. an employment contract with a prospective employee). That is why I suggested this change might better stand as a part of Article 82.
In this way, data controllers can argue that they should be able to scour the internet for background details about an individual but that data subject will be able to argue the exact opposite. This provides a structure where the facts of each case can be independently examined to identify whether the data controller’s or the data subject’s position should prevail. Following such examinations, advice on best practice will emerge.
The centralization of power by the Commission is unbalanced and unacceptable
There are about 50 places where you have a provision like this: “The Commission shall be empowered to adopt delegated acts in accordance with Article yy for the purpose of further specifying the criteria and requirements as to the circumstances in which a personal data breach is likely to adversely affect the personal data referred to in paragraph zz”.
Essentially this type of provision makes the Commission the ultimate arbiter of the data protection rules as these powers can overturn the actions of any supervisory authority.
My suggestion is that the untrammeled powers the Commission seeks should be modified so that the Board of Data Protection Regulators could be involved. I suggest:
- the Board could exercise the powers the Commission identifies in the Regulation. The Commission could raise an issue with the Board, which then determines a suggested data protection solution. The Commission can then be given the power to overrule the Board in cases where this is deemed necessary – this would require the Board to “try again”. In this way, the Commission still possesses all the trump cards (as in the Regulation
- an alternative is to leave the Commission’s powers where they are, but state that the exercise of the power is subject to Board approval on data protection grounds. This again provides a check on the misuse of the Commission’s powers but gives the Board an ultimate veto.
There have been several circumstances when the European Commission has determined that there is an adequate level of data protection, when most data protection authorities have formed the opposite view. The PNR agreement with the USA is a good example of this divergence of view, and any reading of the output from the European Data Protection Supervisor will provide a host of other examples.
Put simply, the European Commission appears to have a track record of putting political considerations above those of data protection; there is a significant risk that this approach will continue. Secondly, the issue is quite serious in the context of the Commission as the Regulation will eventually apply to the Commission itself. This means the Commission is to be given powers to modify how the Regulation would apply to its own processing of personal data.
In my view, both these prospects are equally unacceptable.
If interested in our submission, you can download it here. I go into some other definitional commentary and make comments on notification not mentioned above: Download Amberhawk_ MoJ Call for Evidence March 2012
Blogs that give background to our submission are:
- “The Regulation: what are the big changes to the Data Protection Act regime?”: http://amberhawk.typepad.com/amberhawk/2012/01/the-regulation-what-are-the-big-changes-to-the-data-protection-act-regime.html
- “EU Data Protection Regulation breaks explicit link with ‘privacy’ and Human Rights”: http://amberhawk.typepad.com/amberhawk/2012/02/eu-data-protection-regulation-breaks-explicit-link-with-privacy-and-human-rights.html
- “Judgement reinforces the link between ‘lawful processing’, the First Data Protection Principle and human rights/other laws”: http://amberhawk.typepad.com/amberhawk/2012/01/judgement-reinforces-the-link-between-lawful-processing-the-first-data-protection-principle-and-human-rightsother-law.html
- “Enforced Subject Access to medical data raises its ugly head in the insurance industry”: http://amberhawk.typepad.com/amberhawk/2012/02/enforced-subject-access-raises-its-ugly-head-in-the-context-of-medical-insurance.html
- “Data Protection: forget about a ‘right to forget’”: http://amberhawk.typepad.com/amberhawk/2011/03/data-protection-forget-about-a-right-to-forget.html
- “MoJ asks for arguments to oppose the European Commission’s Data Protection Regulation”: http://amberhawk.typepad.com/amberhawk/2012/02/moj-ask-for-arguments-to-oppose-the-european-commissions-data-protection-regulation.html
- “Analysis of proposed PNR Directive exposes absent or minimal data protection and privacy safeguards”: http://amberhawk.typepad.com/amberhawk/2011/06/my-entry.html
Note: Our Update session on March 26th (London, £195+VAT, next week) has a half-day devoted to the Regulation from the data controller perspective. Places are still available; details are on the Amberhawk web-site.