The Government intend to change the accountability arrangements in the UK_GDPR in such a way that it will become harder to hold controllers to account. In summary, Chapter 2 of the DCMS Consultation document (“Data: a new direction”) makes two main proposals in relation to accountability:
- to reduce or remove the requirement to undertake DPIAs (A.35 and A.36); to reduce or remove the requirement to have a Data Protection Officer (A.37-A.39); to remove the need to create a register of processing activities (ROPA; A.30); and to reduce the need to report a data breach to the ICO (A.33).
- for each controller to develop its own privacy management programme, which includes many accountability elements similar to those identified in the previous bullet point.
This is a huge topic so I am splitting my commentary into two blogs; this blog deals with the privacy management programme and the proposal to remove or reduce the DPO role. The next blog will deal with the rest (e.g. ROPA, data breach reporting).
As with previous blogs, there is a lack of evidence in the Consultation that shows the need for change.
So what is accountability?
If accountability is being changed, what is it being changed from? I think it best to let the ICO spell it out. In a speech (17 Jan 2017), Ms Denham said:
“But arguably the biggest change [in the UK’s DP regime] is around accountability.
The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation…
… The GDPR mandates organisations to put into place comprehensive but proportionate governance measures. Good practice tools that the ICO has championed for a long time - such as privacy impact assessments and privacy by design - are now legally required in certain circumstances.
It means a change to the culture of an organisation. That isn’t an easy thing to do, and it’s certainly true that accountability cannot be bolted on: it needs to be a part of the company’s overall systems approach to how it manages and processes personal data.
But this shift in approach is what is needed. It is what consumers expect. The benefit for organisations is not just compliance but also providing an opportunity to develop the trust of its consumers in a sustained way.”
So, according to the ICO, compared with the previous DPA1998 and DPA1984 regimes, the GDPR mandates: “proportionate governance measures”, “good practice tools that the ICO has championed for a long time” and “moves away from seeing the law [a reference to the DPA1998 and DPA1984] as a box ticking exercise”. Above all, “accountability cannot be bolted on” at the end of a project; it is integrated into project development.
Yet the Consultation claims that better data protection outcomes are achievable, not by having statutory accountability objectives, but instead, by adopting non-statutory objectives similar to those found in the previous DPA1998 and DPA1984 regimes.
It is noteworthy that the Consultation claims (para 139) that the statutory requirements of the UK_GDPR “tends towards a ‘box-ticking’ compliance regime”. Yet the ICO says a non-statutory approach towards compliance under the previous DPA1998 and DPA1984 regimes created a “box ticking” mentality.
So who do you trust on box-ticking and improved accountability? A Government which as a matter of policy has always wanted to diverge UK data protection from European standards, or the UK’s data protection regulator reflecting on the experience of 35 years of data protection law?
What is a privacy management programme?
Central to the new accountability regime is a privacy management programme. Such a programme is a set of data protection policies and procedures which, according to the Consultation, could be subject to enforcement if it were unfit for purpose.
Such a programme is claimed by the Consultation to provide “a more flexible and risk-based accountability framework” as it is produced by each controller. Advice as to what a privacy management programme “must” include (note the must!) is given in the Consultation document (para 156). Note that providing this “must do” list is not the responsibility of the ICO.
The use of the word must in relation to the proposed privacy management programme raises the question: “has anything really changed?” For instance (see para 156):
- Instead of a mandatory DPO, there will be designated responsible “individual(s) for the privacy management programme and overseeing data protection compliance” (e.g. this could be a devolved data protection role with a specified individual in each part of the controller, as was commonplace under the DPA1998 and DPA1984).
- Instead of a mandatory ROPA, there will be a “personal data inventory which will describe and explain what data is held, where it is held, why it has been collected and how sensitive it is” (i.e. replace one inventory with another).
- Instead of a DPIA, there will be a requirement to use “risk assessment tools for the identification, assessment and mitigation of privacy risks” (i.e. replacing the risk methodology associated with a DPIA with another risk assessment methodology, yet to be invented).
This, the Consultation claims, allows it “to remove some of the unnecessarily prescriptive or burdensome requirements” (i.e. the ones in A.30, A.33, A.35-A.39).
Yet at the same time the Consultation admits that “the introduction of privacy management programmes may create additional burdens for organisations arising from increased discretion as to how to deliver compliance within the new accountability framework” (my emphasis in para 182).
Barrier to protect or barrier to progress
So either way, one concludes that any data protection regime creates burdens, but this has always been the case (something which the Consultation overlooks).
The prime objective of data protection is to protect the data subject’s personal data by creating barriers that a controller has to overcome (e.g. if a controller wants to process personal data for something else). Barriers are designed to protect and get in the way; a flood barrier in a zone that may be flooded might block a road, but no one says remove the flood barrier.
Data protection barriers protect data subjects; overcoming barriers creates burdens, and overcoming burdens is burdensome. Removing the barriers to reduce the burdens risks reducing the protection for data subjects.
That explains why any removal of barriers has to be justified and evidence based. There is nothing in the proposal for a privacy management programme which gives me reason to believe that such evidence exists.
Instead the Consultation wants readers to believe in Cakeism: that is the religion that emerged during the Brexit debates. In this case, without providing any evidence, it is the belief that data subjects can have a higher level of protection with reduced burdens for controllers.
No role for the ICO
It is surprising that the Consultation does not specify a role for the ICO in identifying the content of a privacy management programme or the new accountability arrangements in general; the provisions in Canada, Singapore, New Zealand and Australia evidently take precedence (see para 154).
This is reinforced by the Consultation which reduces the ICO’s input into the content of a privacy management programme to be available “to organisations lacking the capacity or expertise to design their own accountability practices” (para 150). This carries the obvious inference that many controllers can develop their own privacy management programme and can more or less ignore the ICO’s guidance on this subject.
Finally, I note that advice on how to “create a comprehensive privacy management programme” forms part of the ICO’s Accountability Framework (which is mentioned by the Consultation in passing and only in the context of a data breach; para 183). Somehow, this advice does not get a look in.
Why is the ICO deemed to be so unimportant here? I would have thought the ICO would be hopping mad about being effectively excluded from the design of the very important accountability regime. Her response to the Consultation is very acquiescent in this regard (see references).
What is the impact of the changes?
In effect, all that is happening is that a set of statutory requirements of the UK_GDPR (e.g. in A.30, A.33, A.35-A.39) are being incorporated as components of a mandatory, but non-statutory, privacy management programme.
In addition, every controller is ploughing its own furrow with regard to its own privacy management programme, where the ICO’s views can be excluded from the programme’s content. To my mind, this is not a recipe for improved data protection management; it is a recipe for inconsistent compliance as many controllers go off on a frolic of their own when deciding how their own programme is implemented.
Similarly, if the DPO function can be devolved to several individual(s), that is a recipe for inconsistent delivery of advice, procedures and accountability. I suspect many readers who experienced the DPA1998 or DPA1984 would be able to vouch for how fragmenting data protection responsibilities does not work.
The proposed changes protect a controller from enforcement. The UK_GDPR allows a breach of the requirements in each of A.30, A.33, A.35-A.39 to be enforced separately; the Consultation proposals require that the privacy management programme be so deficient that it can be enforced as a whole (the latter being more difficult).
In summary, I don’t think the DCMS has any evidence to substantiate any change to the current accountability arrangements – that is why the Consultation calls for “evidence” with every question about the proposed changes.
In addition, the ICO has not enforced any accountability obligation since 2018 so there is no case-law that provides a clue that something is obviously wrong with the current accountability arrangements (e.g. unlike say with Durant in the DPA1998 where the definition of “personal data” was narrowed too far).
I was under the mistaken belief that when Government proposed legislative changes, it already had the supporting evidence. Not in this case evidently.
No private sector DPOs
As shown below, the Consultation makes several mistakes and omissions when explaining its DPO proposals. It follows that if its arguments are misleading then its conclusions are suspect, and DPO removal or reduction cannot be justified in terms of the official reasons provided by the Consultation.
The Consultation states that the private sector needs a DPO when “certain types of processing” occur (para 161). A precise (and less sinister) description of these “certain types of processing” would refer to “core activities” that involve the processing of “large scale” special category of personal data or “large scale” criminal offence personal data, or involve systematic or regular surveillance of data subjects on a “large scale”.
The omission of “large scale” and “core activities” plus the use of “certain types of processing” suggest to the reader that more DPOs are needed when, in practice, the current statutory requirement for a DPO is relatively limited. The Consultation does not provide one example of a DPO being appointed when there was no statutory requirement to appoint one. Important evidence to support the proposed changes is therefore missing.
The Consultation then goes on to state that “Some organisations may struggle to appoint an individual with the requisite skills and who is sufficiently independent from other duties, especially in the case of smaller organisations” and as a result “The government therefore proposes to remove the existing requirements to designate a data protection officer” (para 162-163).
There are at least two things wrong with these two statements. “Smaller private organisations” would need a DPO only if they were engaged, for example, in large scale and systematic surveillance or the processing of large scale criminal records or health data and these were “core activities”.
Such small organisations, I contend, do not exist in large numbers; the Consultation gives the impression they do. It is noteworthy that the Consultation does not provide a single example of any such small organisation.
Secondly, when there is a shortage of DPO skills, the Consultation proposes to do away with the requirement to have a DPO.
This argument is wholly specious. For example, does the Government solve the shortage of HGV drivers (or brain surgeons or whatever) by removing the obligation to have the “requisite skills” to become an HGV driver (or brain surgeon or whatever)?
In general, I suspect the need for the appointment of a DPO in the private sector has been worded in order to provide the answer the Government wants: that many controllers will strongly agree that DPOs are not needed (even though the respondents themselves don’t have to appoint a DPO).
Finally, the idea to abolish DPOs on the basis of a skills shortage shows how low the Government values the skills of the data protection profession.
No public sector DPOs
With respect to the public sector, the Consultation fails to explain that the mandatory DPO requirement arises from the fact that many public authorities have the powers to demand vast quantities of personal data, or that thousands of data subjects have little choice but to provide personal data if they want services from a public authority.
Additionally, the Consultation omits that certain small public bodies (e.g. Parish Councils) have been defined not to be public authorities (see S.7(3) of the DPA2018), with the result that such public bodies do not need a DPO. Indeed, S.7(4) of the DPA2018 provides powers that can be used to add to the list of public bodies defined not to be public authorities (i.e. no DPO needed).
It is surprising that the existence of these powers is wholly omitted by the Consultation; expanding the current list of small public bodies exempt from the need to have a DPO is the obvious way of resolving any problem.
Finally, the Consultation does not provide a single example of a small public authority that does not need a DPO. The evidential base is again deficient.
Motive for change
The Consultation, with all its emphasis on the data protection regimes of Singapore, Canada and Australia reveals a possible motive for change: it is to reduce UK_GDPR standards closer to those set out in the “OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data”. Removal of A.30, A.33, A.35-A.39 is consistent with that motive.
Such a move would support the UK’s application to become a member of the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), whose members include (guess who?) Australia, Canada and Singapore. Part of the negotiation could be the promised use of the powers of the Secretary of State under S.17 of the DPA2018 to determine that CPTPP countries are adequate.
If my suspicions are correct, all the talk in the Ministerial Foreword about “maintaining the UK’s world-leading data protection standards” is complete twaddle. Instead “it’s the economy, stupid”: the UK desperately wants trading partners not hitched to the European standards of data protection.
It’s not quite “if you buy our Yorkshire Puddings, the UK will chuck in an adequacy determination”, but it is a step in that direction.
With that in mind, I propose the UK_GDPR should be renamed the UK_OECD.
Data Protection Practitioner Course (late Autumn)
Because of continued COVID uncertainty, the fuel crisis, or the results at Barnsley FC, the course can be attended in person, or via Zoom, or as a mixture if something untoward happens: it's up to you.
- The Data Protection Foundation Course is in London, and starts Tuesday, November 16 (3 days); Full details on http://www.amberhawk.com/DPFoundation.asp or by emailing [email protected]
- The Data Protection Practitioner Course is in London, and starts Monday, December 6 (5 days); Full details on amberhawk.com/StandardDP.asp or by emailing [email protected]
References
- ICO on Accountability: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2017/01/gdpr-and-accountability/
- ICO privacy management programme is part of her Accountability Framework: https://ico.org.uk/for-organisations/accountability-framework/
- ICO response to the DCMS Consultation: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2021/10/response-to-dcms-consultation-foreword/