The incoming Labour Government has expanded the role of the Department for Science, Industry and Technology (DSIT) by transferring many IT/data related functions from other parts of Government (mainly the Cabinet Office) into DSIT. The objective is to make DSIT an important driver for economic growth.
In further detail, “experts in data, digital and AI from the Government Digital Service (GDS), the Central Digital and Data Office (CDDO) and the Incubator for AI (i.AI) [have transferred to DSIT] to unite efforts in the digital transformation of public services under one department” (see references).
The objective is to “transform public services and fuel economic growth through science and technology”. This “will be the defining mission of a revamped [DSIT] department” and comprise the “first steps towards building a modern digital government”.
However, if such objectives comprise the strategic mission for DSIT, the questions that must be answered are:
- How do these economic objectives interact with DSIT’s approach to data protection policy?
- Will there be a repeat of an approach which viewed data protection as sand in the oil of economic progress and an inhibitor to wider data sharing across the public sector?
- Will data protection policy become subservient to economic priorities?
Historical approach to DP policy
For the two decades from 1984, governmental responsibility for UK data protection policy was very problematic. For instance, the DPA1984 (and DPA1998) were both a minimal implementation of Council of Europe Convention No 108 (and Directive 95/46/EC) in order to have minimal impact on controllers, the economy and provide the minimal protection for data subjects as compared with European standards.
Any data protection specialist who worked with either the DPA1984 or DPA1998 will remember that both sets of legislation were characterised by a weak regulatory regime, diminished rights and both carried a minimal threat of enforcement.
In addition, both DPAs (and FOIA) were enacted under the auspices of the Home Office, courtesy of its strangely named “Liquor, Gambling and Data Protection Unit”.
This meant that the Home Office, which has the political responsibility for functions that were very invasive of privacy (e.g. law enforcement, national security), were also charged with the responsibility of developing policies for protecting data subjects from such invasion.
It can be seen that this represents a huge conflict of interest. If you have ever questioned why the data protection or FOI exemptions in these early Acts were very expansive when applied to Home Office functions, the answer is, quite simply, staring you in the face!
However, in 2007, responsibility for Data Protection, FOI, Human Rights and related civil society matters were centralised at the Ministry of Justice (MoJ); a neutral Department of State that did not have a vested interest in the processing of vast amounts of personal data for specific public sector functions like tax, housing, health, policing etc.
In data protection terms, the transfer to the MoJ, lifted responsibility for DP policy from a Home Office which processed large amounts of personal data in support of an opposite policy direction.
Why was the MoJ dropped?
The short answer is Micheal Gove MP, when he became Secretary of State at the Department for Education (DfE) in 2011 and thence Lord Chancellor, at the MoJ, in 2015.
In 2011, a FOI request to the DfE included a request to access information contained in Mr Gove’s Hotmail emails to and from his political advisor (“Mr and Mrs Spad”). Mr Gove’s Department refused the request on the grounds that the relevant emails were private emails and the requested information was therefore not held by the DfE (as they would have been if the official gov.uk email address had been used).
This was despite the fact that the Hotmail communications related to official DfE business.
The FOI request was refused by the DfE and this was followed by appeal to the ICO and the inevitable Decision Notice in favour of the requestor. Mr Gove’s Department appealed the Notice but the appeal was withdrawn before the Tribunal hearing. Much, one assumes, to Mr. Gove’s ire.
All became quiet on the Westen Front, until Mr Gove arrived at the MoJ as Lord Chancellor after General Election in May 2015. On October 15, 2015 he scattered policy responsibility for IT/data related matters to the winds.
For instance, responsibility for:
- Data Protection was transferred to the Department for Culture Media and Sport (DCMS) and thence to DSIT when this Department was formed by Rishi Sunak.
- Data Protection for law enforcement and national security was, in practice, returned to the Home Office.
- Human Rights law (including Articles 8 & 10) was retained by the MoJ.
- FOI and EIR (including DP/FOI/EIR interface) was transferred to the Cabinet Office.
- IT security for personal data processed by the public sector and the HMG Security Framework was managed by the Cabinet Office.
- IT security for personal data processed by the private sector (i.e. now surrounding the ISO27000 series) was developed by DCMS then DSIT.
- ID for Government Services developed by the Cabinet Office via Government Digital Service.
- Digital Verification Services parts of the defunct DPDI Bill were developed by DCMS then DSIT.
- Artificial Intelligence (i.AI) was launched in July 2023 by the Cabinet Office.
So much for joined up government!
Why a return to the MoJ
The Government’s changes, as announced, represent a partial reconstruction of responsibility for the above bullet points around DSIT (the first and the last four bullets from the list above).
The problem is that DSIT, with its enhanced responsibilities for AI, R&D and other technologies is intended to become an engine room for economic growth. In these circumstances, data protection can all too easily be seen as an inhibitor (as it was with the previous Government).
The risk is then that DPDI-like provisions will re-emerge to provide wide ranging exclusions to ease the secondary use or disclosure of personal data in support of a turbocharged dash for growth.
To minimise this risk and to ensure that data protection is considered with its proper weight, responsibility for data protection policy should be returned to the MoJ. Leaving DP responsibility in DSIT risks making data protection policy wholly subservient to its economic priorities.
References
Press release about DSIT’s enhanced responsibilities: https://www.gov.uk/government/news/dsit-bolstered-to-better-serve-the-british-public-through-science-and-technology
Post summer Data Protection Courses
The following BCS Practitioner or Foundation courses can be attended in person, or via Zoom, or as a mixture (i.e. part Zoom, part attendance just in case “stuff happens on the day”).
- Data Protection PRACTITIONER Course is in London (and Zoom) on Monday, 16 Sept to Friday, 20 Sept (5 days: 9.30am to 5.30pm).
- Data Protection FOUNDATION Course is in London (and Zoom) on (October 8-10: Tuesday to Thursday, 3 days: 9.45am to 5.00pm).
- Remember our specialist DP qualification for those in Education.
More details on the Amberhawk website: www.amberhawk.com or email [email protected].