As promised in last Friday’s blog, an explanation why the data sharing provisions in Part V of the Digital Economy Bill (the “Bill”) should not be supported. The Bill completes its Commons stages today with hardly any detailed scrutiny of its data sharing provisions.
In privacy terms, this blog shows that the data sharing proposals demonstrate:
(a) a lack of understanding of how the Data Protection Act (DPA) works;
(b) a failure to explain how the interference inherent in data sharing complies with Article 8 of the Human Rights Act (HRA);
(c) a disregard for the views of the Information Commissioner (ICO).
However, these three are not my main concerns over this Bill. In my view the data sharing provisions in this Bill (e.g. data sharing for efficient public sector service delivery, for research and statistics, for debt recovery and for fraud):
(d) combined with the flexibility for Ministers to add to the list of data sharing objectives, provides a gateway that could allow future Governments to share personal data across the public sector by Ministerial edict;
(e) could replace many existing data sharing legislative provisions and negate the need for data sharing provisions in future legislation.
In my view, the Bill will diminish Parliament’s role in scrutinising future legislation which requires an element of data sharing. A future Government will not bother Parliament with data sharing provisions if generous data sharing provisions have already been enacted. This is especially concerning with respect to the provisions in the Bill that relate to debt and fraud.
This means any future Government can increasingly rely on the exercise of Ministerial powers via Statutory Instrument to push through any future data sharing that is required, especially whenever debt or fraud is an issue.
It is this risk (i.e. that future data sharing can be legitimised without reference to the detailed Parliamentary scrutiny associated with primary legislation) which makes the Bill’s data sharing provisions unacceptable.
The Bill reduces the protection in the DPA
Most data protection officers know that a disclosure of personal data can occur if failure to disclose would “prejudice” a criminal inquiry or tax assessment (section 29(3) of the DPA). The Bill reduces this threshold so that a disclosure of personal data can occur “in connection with” a fraud (or a debt).
The point being made is that the existing disclosure threshold of “prejudice” means the public authority requiring disclosure has to justify why “prejudice” would occur prior to any disclosure. By contrast, a disclosure associated with a threshold of “in connection with” requires very little by way of prior justification.
As an aside, I also suspect that the data sharing provisions with respect to public registers (e.g. births and deaths, marriages etc) in conjunction with the availability of other public domain personal data (e.g. electoral rolls etc) will make the eventual emergence of another detailed national population register, by administrative fiat, an inevitability. Has this prospect been discussed by Ministers during the Bill’s passage? Of course not.
(P.S. Why “another” national population register? Because the national security agencies obtain a complete copy of all electoral rolls and other bulk personal datasets, one can assume they already have compiled one).
Who is a “specified person”?
The Bill provides for the disclosure of personal data between “specified persons… in connection with fraud” (clause 48(1)). A “specified person” is any public body identified in Regulations by any Minister and, surprisingly, any person “providing services to a public authority”.
In data protection terms, a provider of services to a public authority would be usually be a data processor. I therefore don’t understand why a private sector data processor should be included as being a “specified person” as processors are beholden to the instructions of their public-sector controllers. The drafting Clause 48(6) could therefore indicate a lack of understanding of the controller-processor relationship in the DPA.
However, the idea might indeed be to allow private sector controllers (e.g. credit reference agencies) to deliver anti-fraud services to public bodies by merging their immense databases with other public sector databases. I float this off as a suggestion as the powers are so broad, I do not know what data sharing this Bill will eventually legitimised in future?
Has the prospect of private sector involvement been discussed by Ministers during the Bill’s passage? Of course not.
A public body that likes to say “yes”
Ministers also stress that the disclosures in the Bill are permissive and not obligatory; a public body can in theory actually refuse to disclose personal data. This has impressed the ICO (sadly).
In practice, such refusals will hardly ever happen. That is why the draft Codes of Practice that accompany the Bill refer to “powers to share” (just as if any disclosure was obligatory) and not, for example, “seeking permission to share” (which is what you would expect if disclosures were genuinely permissive).
In other words, public sector bodies will be expected to share personal data with any other public sector body for a range of activities; data sharing will become the new norm.
“Action” against fraud (or debt) can involve profiling
The Bill states that data sharing in relation to fraud is permissible between “specified persons” for “the purposes of taking action in connection with fraud against a public authority”.
Note that an “action” is not limited to a specific investigation into a particular fraud. An action could be data sharing of databases in order to do some data matching or profiling or even to collect some bulk personal dataset (who knows – the list of possible actions is extensive).
It is important to understand that with the reduction of the threshold for disclosures “in connection with” fraud, in conjunction with the word “action”, will inevitably mean that data sharing will increasingly involve the disclosure of personal data concerning data subjects who have committed no crime or who are not under direct suspicion.
Existing data sharing powers become redundant
I will now explain why I believe the general data sharing powers in this Bill, with its the lower threshold of “in connection with” fraud (or debt), will eventually replace existing data sharing powers with respect to fraud (or debt).
In the context of benefit fraud, for example, consider the following questions:
- Can personal data be disclosed by law already to counter benefit fraud under existing powers (e.g. in the Social Security Administration (Fraud) Act 1997)?
- Can the National Fraud Initiative do wide scale data matching exercises to counter fraud in the public sector general (expanded by the Serious Crime Act 2007)?
- Can voluntary disclosures take place under Section 29(3) if failure to disclose would “prejudice” a particular criminal inquiry into any fraud?
The answer to these above questions is, of course, “yes”.
So do the DWP or HMRC need the “powers” in the Bill? Has there been an explanation as to why, for instance, the DWP’s or HMRC’s existing powers to demand personal data are deficient? Is the “failure to disclose would prejudice a fraud investigation” threshold is too high for DWP or HMRC? Answer there has been none.
However, when this Bill becomes law, why should public authorities like DWP or HMRC exercise precisely worded powers to demand limited personal data when any statutory restriction can be lifted by using generous “in connection with” data sharing provisions in this Bill?
Why would any law enforcement body pussyfoot around with a test of “prejudice” if it can rely on a test of “in connection with” instead?
Has the above been discussed by Parliament or raised by Ministers or in consultation documents – course it hasn’t.
Disclosures under the Bill do not need to be “necessary”!
To demonstrate the disregard for basic data protection norms, I will refer an amendment which dealt with onward disclosure of personal data collected by a data controller in the public sector.
In the Bill, an onward disclosure of personal data is permitted if it is “made for the purposes of a criminal investigation (whether or not in the United Kingdom)”. The amendment wanted to change the word “made” to “necessary” (full debate details in references below).
Note that with respect to the onward disclosure, the test of failure to disclose would “prejudice” a fraud inquiry has been ditched, and by now, this should not surprise the reader. It is yet another example where the protection afforded by the DPA has gone (without explanation, I add).
The amendment attempted to correct two failings:
- Provide a Schedule 2 legal basis in the DPA as any disclosure of personal data, in the absence of data subject consent, has to be associated with a test of being “necessary” (for something); and
- Establish that any interference has to be “necessary” and ensure that any disclosure of personal data was proportionate in Article 8 HRA terms.
The Minister in his response that rejected the amendment said it would “in practice, inhibit public authorities from disclosing information, or delay them from disclosing it until they were content it was “necessary” to do so. The consequence of the amendments would therefore be to create an uncertainty where we are trying to provide legal clarity.” (my emphasis; read the bold italic text again)
The conclusion reached by the Minister is that “legal clarity” requires data sharing:
- that cannot meet the obligation that data sharing is necessary for the functions placed on a public body (the requirement in Schedule 2 of the DPA)
- that allows interference into private and family life by a public body which does not have to be “necessary” for the functioning of a democratic society (the requirement in Article 8 of the Human Rights Act).
In paragraph 6 of her evidence (DEB 36), the Commissioner called for “necessary”, “proportionate” and “justifiable” data sharing; a call that has (following the Minister’s comments) fallen on deaf ears.
That is why there appears to be a general lack of understanding of how the Data Protection Act works and a need to explain how the interference inherent in data sharing complies with Article 8 of the Human Rights Act.
In her written evidence (DEB 52; see references), the ICO states that she is “content that her concerns about the codes (in Part V the Bill) have been addressed” because the Bill’s codes would be “subordinate to the ICO’s statutory code of Practice on data sharing”. This “get out of jail free card” has been gratefully received.
I do not know what the Commissioner was told privately but the Bill does not actually provide that the Ministerial Codes of Practice are “subordinate” to the Data Sharing Code; the requirement in the Bill is that any Ministerial Code is “consistent” with that Code.
The use of the word “subordinate” means that if there were a conflict between Codes, the provisions in the Data Sharing Code would prevail. This is not the case as the use of the words “consistent” ensures the codes are of equal standing and the Data Sharing Code might not prevail.
Another ICO proposal that fell on deaf ears was for a definition of “personal information” in the Bill which actually was the same as “personal data” in the DPA. This has not happened (for reasons unexplained) so we are faced with the wholly confusing proposition that some personal information might not be personal data.
So, for public bodies that are subject to FOIA and hold category (e) personal data, here is an early Xmas pub quiz question: can you think of any recorded “personal information” held by a public authority that is not “personal data”? Send the answer to the Minister please.
I hope the above analysis explains why I signed the Daily Telegraph letter last Friday; the data sharing provisions in this Bill need a complete rethink.
The “statutory data sharing gateways” provided in this Bill is really a “data sharing motorway”; it is wholly disproportionate, expansive and shows little data protection understanding of the First Principle, especially in terms of Schedule 2. The Code of Practice on data sharing which is proffered as the ultimate in protection is not the superior Code that applies to data sharing. The provisions undermine future Parliamentary scrutiny.
Finally, I observe the 170 page Bill has been pushed through in rapid time (7 sittings in October); the Eighth Sitting (3 hrs) was devoted to the Part V and its 32 pages (40 clauses) which deal with data sharing.
This means each data sharing clause was allocated less than 5 minutes of scrutiny and each dense data sharing page of legislation received just over 6 minutes.
Remember these statistics, when any Minister claims that Brexit gives the UK more Parliamentary scrutiny.
Forthcoming Amberhawk’s courses in December/January:
- GDPR Workshops: 7 December (London); 23 February (London)
- DP Foundation Course: Starts 10-12 January (BCS syllabus; London)
- DP Practitioner Course: Starts 17 January (BCS syllabus; London)
Advanced warning: we have devoted the next UPDATE session on 3rd April 2017 to the GDPR. We have an impressive array of speakers lined up including from ICO and DCMS http://www.amberhawk.com/bookevents.asp
I am referring to the Bill (before Report stage in the Commons on 28/11/2016) http://www.publications.parliament.uk/pa/bills/cbill/2016-2017/0087/17087.pdf
Other blogs by other signatories to the Daily Telegraph letter published last Friday
ICO written evidence submissions can be found at:
The debate and Minister’s mentioned in the blog starts at col 325 of https://hansard.parliament.uk/commons/2016-10-25/debates/7654915e-9860-4536-88c9-bac929c0df6d/DigitalEconomyBill(EighthSitting).
The range of fraud initiatives undertaken by the NFI: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/421224/NFI_matches_per_body__2015_.pdf