Given that it is the Second Reading of the Data Protection Bill (DPBill) today, I thought I would write a series of blogs identifying where the DPBill is deficient; I hope to complete this series of blogs before Committee stage so that suggested amendments can be tabled.
This is especially important, as last Friday, the Prime Minister stated that a high standard of data protection was essential to a prosperous, post-Brexit, Britain and that “The UK has exceptionally high standards of data protection”.
Hmmm! Believe it or not, Mrs May’s reference to “high standards of data protection” is to the current Data Protection Act (DPA). This is the same DPA that the European Commission thinks is a defective implementation of Directive 95/46/EC and where the Government refuse to publish why this is the case. Thus any MP wanting to score a Parliamentary “goal” should see the end of this blog (see after “References” below).
So, given the Prime Minister’s claims, it is timely to explain one area where her Data Protection Bill reduces the protection for data subjects. Not only that: where the Government faced a political choice between enhancing workers’ rights and reducing them, her Data Protection Bill reduces them.
This issue arises with the processing of manual unstructured personal data (i.e. manually processed personal data that are not stored in a “filing system” as defined in Clause 3(7) of the DPBill).
What is manual unstructured personal data?
Have you ever been to a meeting where someone has taken handwritten notes of what was said? Have the minutes of that meeting, subsequently circulated to attendees, been completely different to your recollections of the actual meeting?
Well just imagine that the issue at the meeting related to your continued employment after a dispute at work, or your discussions with a private provider about the services provided (e.g. about your health or finances). Now, ask yourself a simple question: “Would you want to compare those contemporaneous handwritten notes taken at the meeting with the official version of events recorded electronically after the meeting, if you considered the official version of events to be in error?”.
Well, you have no rights over those handwritten notes because of the Government’s approach to the processing of manual unstructured personal data in the DPBill.
In summary, Clause 21(2) states that the manual unstructured processing of personal data is only subject to the DPBill if the controller is a “FOI public authority”. Thus, if a controller is not a “FOI public authority”, then the processing of manual unstructured personal data is not subject to any data protection principle, data subject right or the DPBill’s enforcement regime.
Clause 24(2) adds that where the controller is a “FOI public authority”, the rights over manual unstructured personal data are effectively limited to the rights of access, correction and erasure. However, if the personal data held by a “FOI public authority” relate to employment purposes, Clauses 24(3) and 24(4) remove even these rights for employees of such public authorities.
Consequences of this approach for security
The processing (e.g. disposal) of manual unstructured personal data by a private sector controller is not subject to any security obligations in the DPBill; there is no penalty if such personal data are found in an open skip. This is the case even if the personal data were Special Personal Data or contained details of criminal vetting.
By contrast, security arrangements for manual unstructured personal data can be enforced under the DPA, albeit in a very limited way, and it is well known that, under the current DPA, the Commissioner treats the loss of sensitive personal data (e.g. health data) in an unencrypted form as attracting a monetary penalty.
So, for example, if a private health provider disposed of your manual medical records insecurely, that could attract a Monetary Penalty Notice. This is because the DPA’s definition of Accessible Records includes unstructured manual personal data relating to the data subject’s health.
Accessible Records (i.e. health, housing, social work and education records) are subject to the whole of the DPA 1998, whereas the DPBill has no concept of Accessible Records. This means that manual unstructured personal data contained in Accessible Records go from full protection under the DPA 1998 (i.e. all Principles, rights, etc.) to no protection under the DPBill.
I am led to believe that some people call this an “exceptionally high standard” of data protection.
For a “FOI public authority”, Clause 24(2)(a)(i) excludes Article 5(1)(f) (i.e. the Principle related to security). Thus, if any public or private sector controller chucked its manual files into an open skip (making sure that the manual records were not placed in the skip in a structured way!), then there would be no security obligations, irrespective of the confidentiality or sensitivity of the personal data.
I can well understand that manual unstructured personal data do not need the protection of the full DPBill and all the attendant rigmarole. But that does not mean that unstructured manual personal data should not be subject to any protection at all.
In my view an “exceptionally high standard” of data protection requires all controllers to abide by a general requirement to keep all forms of personal data secure. Article 5(1)(f) should therefore apply to unstructured personal data held by any controller.
Consequences of this approach for rights of access
I find it surprising, in 2018, that when public sector controllers have had to provide subject access to manual unstructured personal data since 2005 (and have done so without problems), private sector controllers cannot do so over a decade later. This is especially important with respect to the right of access to contemporaneous handwritten notes taken at meetings where important decisions are taken that impact on data subjects.
In addition, the effect of Clauses 24(3) and 24(4) is to remove the right of employees to access their own employee data held by a “FOI public authority”. Note that if Clauses 24(3) and 24(4) were absent, employees of “FOI public authorities” would have access to unstructured employee personal data, and such staff would therefore have preferential access rights over private sector employees (who would not have access to unstructured employee personal data).
Therefore, when constructing the DPBill, the Government was faced with a political choice. It could legislate so that all employees could have access to unstructured employee personal data, or it could take away the public sector employee’s right of access to unstructured employee personal data held by “FOI public authorities”. The latter means that no employee of any controller (public or private) has access to unstructured employee personal data.
Note that both choices give public and private sector employees the same level of subject access rights; the difference is that one allows employees full access to all their own employee personal data and the other does not.
My own view is that all controllers should provide rights of access and correction to all manual unstructured personal data. Not to do so could also lead to a loophole where contentious records are stored in unstructured manual form.
Concluding comment
At the launch of her election campaign last year, the Prime Minister pledged to “protect and enhance workers’ rights” when the UK leaves the EU. Last Friday, she boasted that “the UK has exceptionally high standards of data protection”.
Well, when it comes to the crunch on manual unstructured employee personal data, Mrs May’s DPBill legislates for a lower level of data protection and for a reduction of workers’ rights.
Perhaps someone could tell the Prime Minister before she next speaks on data protection?
Data Protection Courses (London)
- BCS Data Protection Bill/GDPR Practitioner Qualification: London starts 13 March and 10 April http://www.amberhawk.com/StandardDP.asp
- Data Protection Bill/GDPR all day Workshop: London on 16 March http://www.amberhawk.com/bookevents3.asp
- BCS Data Protection Bill/GDPR Conversion Practitioner Qualification: London on April 17/18 http://www.amberhawk.com/ConversionDP.asp
References
UK’s GDPR law will not be judged “adequate” if it contains provisions that made the DPA inadequate. See http://amberhawk.typepad.com/amberhawk/2017/03/uks-gdpr-law-will-not-be-judged-adequate-if-it-contains-provisions-that-made-the-dpa-inadequate.html
Can I encourage an MP to intervene in the Minister’s speech with the following question?
“Last Friday, the Prime Minister claimed that the UK has a high standard of data protection. Is it true that the European Commission is considering infraction proceedings against the UK, so much so that the Government refuse to publish the exchange of letters concerning those infraction proceedings? Can the Government place all relevant correspondence between the UK and the Commission about these infraction proceedings into the public domain so that Parliament can assess the Prime Minister’s claim and assess whether the problems the Commission raise are also problems in the Data Protection Bill?” (Note: the comment in the blog about MI5 was my attempt at irony, so don’t raise it.)
Possible Amendments to the Bill
To help ensure “a high standard of data protection” (a Prime Ministerial objective) Clause 24 of the DPBill should allow the right of access and correction to manual unstructured personal data processed by any controller.
If that fails, to “enhance workers’ rights” (another Prime Ministerial objective), ensure Clause 24 allows the right of access and correction to manual unstructured personal data processed for an employment purpose by any controller.
If that fails, ensure that Article 5(1)(f) applies to all processing of manual unstructured personal data by any controller, so that such personal data are disposed of in a secure way.
A good blog post, once again.
I find it interesting that the progress of the Bill through the Lords was relatively transparent. I could at least read the minutes of proceedings pretty much the day after. The same can't be said for the Commons, where the First Reading on the 18th January seems to have not taken place, and where minutes are impossible to come by.
And we're supposed to be afraid of the unelected Lords?
Posted by: NH | 05/03/2018 at 04:46 PM
This looks ideal, if you're an ex-forces NCO who likes to keep 'unofficial' records on employees you manage that can be shared with other managers... Having suffered this with an ex-navy NCO who kept handwritten notes on me and my team, which he circulated to our head of school and other management, along with his own 'blacklists'. I can see this making things worse, especially for those of us who are Trades Union reps.
Posted by: Niel | 16/03/2018 at 08:23 AM