When I posted the blog on the return of the database state via the National Fraud Initiative (NFI), I knew I was going out on a limb. Afterall, if one criticises a key Government initiative for being incredibly invasive of privacy, one hardly expects to be awarded two or three “back-of-the-hand” COVID contracts as a “thank you”.
So it is a relief that the ICO’s response to NFI consultation on data matching (just published) has come to similar conclusions (see references).
In this brief blog, I will summarise what the ICO says and make a brief comment on what is meant. But before that, a brief lesson on reading between the lines: when a regulator says “I recommend that organisation X does action Y”, what is meant is that “organisation X has failed to do action Y when it should have”.
So what are the ICO’s “principal recommendations”? They include implementing “The need for accountability” (Comment: guess what is missing then!!) and an approach that involves “data protection by design and default” (i.e. consideration of how the Principles apply to the processing prior to the processing).
This should be achieved via:.
- “the preparation of a data protection impact assessment (DPIA)”. Comment: no DPIA’s have been done so far.
- a clear description of the different data protection regimes which will apply when exercising each of the NFI powers. Comment: the draft NFI Code has not taken into account the fact that some processing might be subject to Law Enforcement parts of the DPA2018.
- compliance with the data protection principles and the provision of safeguards to mitigate risk to individuals. Comment: apart from transparency requirements, the draft NFI Code does not spell out details of the application of each Principle (e.g. relevant, accuracy, retention) in Article 5.
- the establishment of the respective responsibilities of the Cabinet Office (CO) and any third party controllers involved in the NFI data matching exercises. Comment: roles and responsibilities of those involved in data matching have not been assigned.
- particular attention to special category or sensitive data, criminal offence data, and children’s data, where this is held. Comment: the processing of such sensitive personal data items (e.g. health records) has been largely overlooked in the draft Code.
- Updates to the draft Data Matching Code to ensure the draft Data Matching Code is consistent with the ICO’s Data Sharing Code”. Comment: the draft NFI Code is likely to be inconsistent with the data sharing Code.
Other paragraphs of ICO criticism
“We note that the Cabinet Office (CO) has not yet undertaken a DPIA, although it intends to do so when piloting any of the proposed new powers. The ICO strongly recommends that the CO should carry out a DPIA as soon as possible and before any processing takes place, to ensure that data protection is central to the development of these proposals”. Comment: for Pete’s sake, can you do a DPIA now!
“If the NFI purposes are expanded as proposed, any processing for law enforcement purposes … would still need to explain why the processing is necessary. This means that the approach must be a targeted and proportionate way of achieving the purpose”. Comment: a warning that the intended processing might not be targeted, proportionate or necessary.
“The consultation is framed in terms of the overall desirability of the proposed powers, but does not discuss the question of whether the CO can reasonably perform its tasks or exercise its powers in a less intrusive way”. Comment: explains why the missing DPIAs should be done now.
The NFI intend to use “data from a range of datasets, including those from credit reference agencies, are included in the NFI data matching exercises. As a result of the current pandemic, and its adverse financial impact on individuals as well as the wider economy, there may be many more people in debt than previously. However, the consultation document does not explain how the proposed data matching, which accesses large data sets to search for individuals, is necessary and justified”. Comment: another warning that the processing might not be targeted, proportionate or necessary.
“…the NFI exercises, including for example AppCheck which provides results ‘on demand’, could potentially allow participants to conduct disproportionate searches for information about particular individuals across a wide range of sources without lawful cause under data protection legislation”. Comment: another warning that the processing might not be targeted, proportionate or necessary.
“Although the draft Data Matching Code is principally concerned with the CO’s own approach to NFI data matching, there are intertwined responsibilities between all controllers involved. It would therefore be helpful for all these issues to be clearly addressed in the draft Data Matching Code”. Comment: come on guys, there are more controllers that need guidance.
“As mentioned earlier, the draft Data Matching Code needs to make it clear which rights apply to individuals in respect of their personal data, noting in particular that these rights are not limited to an individual’s right to be informed.” Comment: the right for data subjects to be informed about the processing is not the only relevant right in the GDPR.
“Paragraph 2.6 of the draft Data Matching Code explains how the CO will choose datasets for matching. While it is acknowledged that new powers will be tested in pilots before rolling them out nationally, a requirement for ‘reasonable evidence’ does not appear to address the question of whether the processing is necessary or proportionate”. Comment: yet another warning that the processing might not be targeted, proportionate or necessary.
“The draft Data Matching Code needs to explain the process through which CO decides that it is ‘appropriate’ to use data that has been provided voluntarily, and the criteria that will be applied when making that decision”. Comment: a warning that what the Cabinet Office thinks is “appropriate” does not mean that the processing is targeted, proportionate or necessary.
“The CO data deletion schedule currently suggests inaccurate data should be deleted within three months of the inaccuracy being confirmed, but the processes and timeframes set out in the data deletion schedule or the draft Data Matching Code make no reference to the need for erasure or rectification without delay, or any safeguards to ensure inaccurate data is not transmitted (or if it is transmitted unlawfully, to ensure that the recipient is notified without delay)”. Comment: without some attention here, the processing is likely to breach three Principles in Article 5.
“The present Data Matching Code refers to the potential for the ICO to be invited to undertake a review of the CO’s data matching processes from time to time. It also refers to the potential for the ICO to be invited to review participants’ procedures. These provisions are repeated in the draft Data Matching Code. Neither the CO nor any participants have approached the ICO to undertake such a review to date, but the ICO remains open to considering any such requests in future.” Comment: If the NFI had contacted the ICO earlier, then the ICO might have identified some obvious failings identified in the ICO’s document.
“The ICO looks forward to receiving a formal request for consultation from the CO in relation to these proposals, as required under Article 36(4) UK GDPR”. Comment: the ICO expects that all the issues raised in the ICO’s response will be addressed when this request is made.
Concluding comment
The worrying factor here is that the Government are seeking to employ a more compliant Commissioner.
References
ICO Response to the NFI public consultation: https://ico.org.uk/about-the-ico/consultations/cabinet-office-s-consultation-on-the-expansion-of-the-national-fraud-initiative-data-matching-purposes-2021/
Blog on the NFI: https://amberhawk.typepad.com/amberhawk/2021/02/the-return-of-the-database-state-mandatory-data-matching-and-expansive-data-sharing.html
Blog on a more pliable ICO: https://amberhawk.typepad.com/amberhawk/2021/03/the-next-information-commissioner-likely-to-dance-to-the-governments-tune-and-thereby-lack-credibili.html
Upcoming Data Protection Courses
All courses lead to the relevant BCS qualification:
- Data Protection Practitioner: London, Starts May 11 (6 days)
- Data Protection Upgrade Practitioner: London, May 25-26 (2 days)<LAST ONE
Full details on www.amberhawk.com of by emailing i[email protected]
Comments