The Government has been required under Freedom of Information rules to release further details of those protracted infraction proceedings concerning the deficiencies in the UK’s Data Protection Act. For the first time, UK citizens can see why the European Commission believes that eighteen of the thirty-four Articles in the Data Protection Directive 95/46/EC have not been properly implemented by the UK Government.
The detail that the Government has been forced to release is far more extensive than the Commission’s own truncated explanation (“liberated” after a seven year struggle and published in connection with an earlier blog – see references). The additional detail revealed by the UK Government raises serious questions as to whether or not the European Commission can be trusted to be transparent (and indeed to follow instructions from the European Ombudsman to become more transparent).
The new revelations show that the Commission has concerns over the definition of “personal data” (which is not limited to the “relevant filing system” point, as was reported in my earlier blog). The Commission point to the absence of a definition of “consent” (used in relation to Schedules 2 to 4) and an important element in the First and Eighth Data Protection Principles. The Act’s “protection” of sensitive personal data (health and criminal) is explicitly mentioned by the Commission as being deficient.
The Commission also think that the use of “vital interests” in Schedules 2 to 4 of the Act is far wider than envisaged by the Directive, and that, in general, there are too many subject access exemptions. The absence of the enforced subject access offence in connection with health personal data and employment is mentioned explicitly.
The Commission also criticise the security obligations outlined in the Seventh Principle; clearly the Commission thinks that the UK’s implementation needs strengthening. The Commission also thinks the UK’s “fair processing notice” provisions are deficient in general – something that I had not appreciated.
Finally, the Commission state that the transfer of personal data outside the EEA is not supervised sufficiently and that the Commissioner has insufficient powers.
Why 18 Articles are deficient
In further detail, the areas of contention over the Directive are listed below as a quote from the “liberated” material. Unfortunately the Government refused to explain whether it disagrees with the Commission.
The contentious Articles are:
“Articles 2 and 3 – the definitions of “personal data” and “filing system” and the interpretation in the Durant judgment, which the Commission considered were narrower than required by the Directive.
Articles 2 and 7 – the absence of a definition of “consent” in the Data Protection Act, which the Commission considered was required by the Directive.
Article 3 – the inclusion of “recreational purposes” in the Data Protection Act which, in the Commission’s view appeared to be broader than household activities.
Articles 6 and 28 – the Commission claimed that the ICO failed to take proper regulatory action against employers who sought health information from job applicants.
Article 8 – the Commission raised the issue of whether the Data Protection Act treated data relating to criminal offences differently to other categories of sensitive personal data.
Article 8 – the Commission considered that the Data Protection Act appeared to broaden the circumstances in which sensitive personal data could be processed when necessary to protect the vital interests of the data subject.
Articles 10 and 11 – concerns the provisions in the Data Protection Act in relation to information to be given to the data subject in cases of both data collection from the data subject and from third parties which appeared to the Commission to fall short of that required by the Directive. The Commission also considered that the Data Protection Act appeared to exempt from this requirement data which the data controller is obliged to make public.
Article 12 – the Commission considered that the DPA appeared to confer upon the courts a discretion to grant or refuse applications made by data subjects to rectify or erase inaccurate personal data.
Article 13 – the issue the Commission raised concerns the exemption in the DPA from the right of subject access of the data subject to confidential references.
Article 16 – the Commission considered that the range of exemptions in the Data Protection Act was broader than those permitted under Article 16. (Note: the reference to Article 16 may be wrong as this Article does not relate to exemptions)
Article 17 – in the view of the Commission the obligation on data controllers to implement appropriate technical and organisational measures to protect personal data as set out in the Data Protection Act appeared to be weaker than in the Directive.
Article 22 and 23 – the Commission considered that the Data Protection Act appeared to narrow the scope of non-material damage.
Article 25 and 26 – the Commission raised the issue of the extent to which UK data controllers are monitored by the ICO as to their assessment of adequacy of the level of protection in third countries to which they transferred data and the extent to which the ICO grants authorisations for the transfer of personal data to third countries not providing an adequate level of data protection when the data controller can adduce the existence of data protection safeguards.
Article 28 – the Commission raised the issue of the sufficiency of the investigative powers of the data protection supervisory authority”.
Commentary
For over half a decade (since Durant in December 2004, if we are precise), the UK Government has hidden from Parliament and the UK population an explanation as to why the Home Office’s implementation of the Data Protection Act 1998 has been accused of being a defective implementation of Directive 95/46/EC.
All the statements made to Parliament by a cohort of Home Office Ministers that their mass surveillance proposals (e.g. ID Card database) were compliant with the Data Protection Act (and the Human Rights Act) are now shown to be somewhere between “wholly suspect” and “demonstrably untrue”. It is unimaginable to think that these Ministers did not know that what they told Parliament was at variance with the true position.
For its part, the coalition Government has continued the unabashed policy of secrecy that it inherited from New Labour, so much so that the “liberation” of details from the UK Government has been accompanied by a flagrant disregard for the timescales normally associated with a Freedom of Information Act request (see references).
The Government has also refused to provide summary details, in the same form as the above, to explain why the Government think the Commission is wrong. This decision is misguided, as it transforms the public debate about the changes to the Directive into one that is uninformed by the facts.
Why is it uninformed? How can you consider what should be changed when the starting position is not even identified? It’s rather like building a house on foundations which have been secretly moved before the first brick is laid.
References:
This link is a download of the new revelations from the UK Government: Download UK deficiency details_may 2011
The Decision Notice showing unacceptable time delays in dealing with the request: Download FOI_DN_5029054
The previous Blog (and the less informative European Commission findings) can be accessed on “European Commission explains why UK’s Data Protection Act is deficient”: http://amberhawk.typepad.com/amberhawk/2011/02/european-commission-explains-why-uks-data-protection-act-is-deficient.html
Advert: FOI courses start in London on 13 June. Next Update is October 17th 2011 in London. We have timetabled our Audit, Privacy Impact Assessment, and RIPA courses for September 12th, 13th and 14th in London. Full details on the Amberhawk main site (www.amberhawk.com). The next DP courses in London start on June 13.
Great post - and thank goodness there's someone with the persistence to stick with a disclosure request over the disgraceful seven years it has taken our elected servants to comply.
Something I don't quite get, though, is this: I can see that, if the UK DPA is not a correct transposition of the EU DPD, UK laws which claim compliance with the DPA are not necessarily compliant with the DPD...
But can you unpack, a little, why that means that acts like the ID Card Bill would be non-compliant with the ECHR or UK Human Rights Act?
Posted by: Robin Wilton | 12/05/2011 at 10:21 AM
The Data Protection Act and Human Rights Act are more or less joined at the hip and overlap in the area of "proportionality". The Principles can be seen as a rule book with respect to how to attain proportionality (e.g. personal data not excessive, accurate, kept secure, supporting rights of access to personal data etc).
If the DPA is questioned as it has been by the EU, it raises whether the assumption (that the Act properly defines when the processing of personal data is proportionately processed) is correct. This is especially the case as the EU claims the Act permits wide deviations from the expected European norm.
Chris
Posted by: cp | 13/05/2011 at 12:05 AM