This blog is limited to commentary on the Government’s proposals for the Further Processing of personal data found in section 1.3 of the DCMS Consultation document (“Data: a new direction”).
In summary, the Consultation proposes to exempt the application of the Purpose Limitation (or Finality) Principle whenever there is an important public interest in the further processing; this further processing could be undertaken by a controller different to the one that collected the personal data.
As this blog shows, the meaning of “important public interest” is left deliberately opaque and many important data subject safeguards are negated.
As much scientific research (e.g. a national cancer registry) will be judged to be in the important public interest, these provisions in section 1.3 are very relevant to most researchers.
In my view, if anything causes the European Commission to pull the plug on its UK adequacy determination, the implementation of these section 1.3 proposals will carry a significant part of the blame.
Purpose Limitation – what is it?
If one considers the Purpose Limitation Principle (“Personal data shall be collected for a specified, explicit and legitimate purpose and not further processed in a manner incompatible with those purposes”), it can be seen that the Principle protects the data subject from a controller saying one thing about the processing of personal data at the time of collection and, in future, doing something else completely different with the personal data.
Notice the key word used in the Purpose Limitation Principle is “incompatible” and not “different”. For a processing purpose to be “incompatible” with the purpose of collection it has to be “very very different” from that purpose specified at the time of collection (e.g. in a transparency or privacy Notice), explicit (e.g. the Notice is clearly explained) and “legitimate” (e.g. the purpose of collection has an A.6 lawful basis).
The proposals in the Consultation document are the complete opposite (e.g. “further processing for an incompatible purpose may be permitted when it safeguards an important public interest”). This change protects the controller from the data subject so long as the further “incompatible” processing purpose is in the “important public interest”.
So is processing for the “important public interest” the same thing as the processing for “other important objectives of general public interest” as specified in Article 23(1) of the UK_GDPR, especially at A.23(1)(e)? The answer appears to be NO.
So what’s in Article 23(1)(e)?
The provision in A.23(1)(e) allows for an exemption from all incompatibility considerations if the processing is to meet “other important objectives of general public interest”. However, the implementation of any exemption has to be a “necessary and proportionate measure in a democratic society” and particular safeguards for data subjects have to be in place; these are set out in A.23(2).
The Consultation’s proposals relating to further processing that is in the “important public interest”, by contrast, do not mention the words “necessary” or “proportionate”, nor do they make any reference to the A.23(2) safeguards.
So is the difference between “other important objectives of general public interest” (as used in A.23(1)(e)) and “important public interest” (as used by the Consultation) explained? Answer: No. Are there examples of “important public interest” provided by the Consultation? Answer: “No”.
It follows that the meaning of “important public interest” in the Consultation has nothing to do with defence, national security, law enforcement, prisons, probation, court procedures, regulatory action, financial matters, budgets, public health, social security, tax and free speech etc as all these important public interest considerations are already implemented in the UK as exemptions described in Schedules 2 to 4 of the DPA2018.
My best guess is that the term “important public interest” as used in the Consultation is defined as follows: “an important public interest is an interest that a Minister considers may be important to the public”.
I suspect many respondents to the Consultation will not spot the difference between the two “public interest” cases discussed above. They will think of their own examples of important public interest (e.g. disclosure for tax or money laundering purposes) when responding to the Consultation. If this suspicion is correct, respondents’ views on questions Q1.3.1 to Q1.3.4 are wholly unreliable.
Consequences for the UK_GDPR
Setting the navel gazing on the meaning of important public interest etc to one side, it is important to understand the consequences if the proposition (e.g. “further processing for an incompatible purpose may be permitted when it safeguards an important public interest”) ever comes into data protection law.
The lawful basis for such further processing will be A.6(1)(e) – “task carried out in the public interest”. As there is a lawful basis, the lawfulness test of the first Principle in A.5 is met (A.5(1)(a)).
In the previous blog, I showed that the processing might not be transparent to the data subject, especially in the context of a further research purpose. These provisions (described last time) could be used to negate the fairness and transparency limb of this Principle as well, especially if research can be tagged as being of important public interest.
There also appears to be no barrier to including the use of special category of personal data (see Schedule 1 of the DPA2018) or indeed criminal offence personal data in any important public interest processing. This is because many of the conditions in Schedule 1 are subject to a substantial public interest test which looks very similar to the important public interest test suggested by section 1.3.
The right to object is effectively negated (the processing is in the important public interest remember), as is the right to erasure for the same reason.
If legislation specifies the processing of specific items of personal data to be in the important public interest, this will negate the Principles in A.5(1)(c) and A.5(1)(e). This is because the legislation specifies that the personal data will be relevant to an important public interest purpose and can be retained for as long as that important public interest purpose exists.
Any residual fairness issue (A.5(1)(a)) will be resolved as part of the new law (i.e. the “challenges to ensure re-use remains fair and within reasonable expectations” will be “taken care of”), and of course the Purpose Limitation Principle will be set aside for reasons of “important public interest”.
Concluding comment
It can be seen that a proposal to change the law around incompatibility has a knock-on effect that negates most of the Principles in A.5, provides a lawful basis for the “incompatible” processing, can involve the processing of special category of personal data and can diminish the rights of data subjects.
Welcome to another example of the “UK’s world leading data protection standards”, as specified in the Ministerial Foreword to the Consultation Document.