This blog comprises the response of Amberhawk Training Limited to the DCMS Consultation document “Data: a new direction” (the “Consultation”). Amberhawk is a training company established in 2000; its Directors have over 40 years’ experience in training those who are responsible for data protection in an organisation.
The response is over 15,000 words and takes the form of 7 blogs, each of which is about 2,300 words long. They were published during the consultation period, which ends tonight, and have been updated as our understanding of the proposed reforms has improved. The links to these blogs are at the end of this document.
In summary, the blogs cover the following topics.
- How the data subjects’ privacy protection is much diminished by proposals to change UK_GDPR. This text explains how the DCMS proposals significantly impact on the protection of data subjects to such an extent that the level of privacy protection for data subjects is about that found in the DPA1984. The Ministerial promise of “maintaining the UK’s world-leading data protection standards” for data subjects is therefore dishonest and lacks credibility.
- Government propose to reduce DP accountability requirements to OECD standards. The Consultation makes several mistakes and omissions when explaining its DPO proposals. It follows that its arguments are misleading and its conclusions at this part of the Consultation are suspect. The proposals for a privacy management program do not comprise a recipe for improved data protection management; they are a recipe for inconsistent compliance (as in the DPA1984 and DPA1998) as many controllers will go off on a frolic of their own when deciding how their own programme is implemented and resourced. It appears that the objective is to align UK DP law with OECD standards; DCMS should be more honest with respect to that objective.
- Ministers want to pull the strings and rein-in the ICO’s independence. The blog explains why the DCMS proposals ensure that the ICO role is no longer independent of Government and explains how the Secretary of State is in control of key aspects that would identify the ICO as being independent. If DCMS’s objective is to lose the adequacy agreement with the European Union, implementing these provisions would serve as a good way to achieve this objective.
- Data Protection accountability suffers as a result of an unconvincing attempt to reduce red-tape. This blog discusses the proposals: to remove the obligation to maintain a register of processing activities (ROPA; A.30); to remove the requirement to undertake DPIAs (A.35 and A.36); and to reduce the circumstances when a data breach is reported to the ICO (A.33). These will be replaced by far looser requirements that form part of a controller’s privacy management programme. Additionally, I suspect the DCMS author of this part of the Consultation does not understand the role of the ROPA nor the obvious solution to the over-reporting of data breaches. Mention of the processor’s ROPA is missing. Was this deliberate? Is it being retained? Or abolished? This is an example of the problems associated with the Consultation document.
- Government propose to tip the scales in the controller’s legitimate interests. As far as I can see, this proposal is based on a false data protection analysis and illustrated by examples that show that no change is needed. Additionally, if the controller’s legitimate interests always prevail, it follows that the data subject’s right to object to the processing and other related rights are also negated. The impact of these negated rights is missing from the DCMS’s incomplete analysis. In short, if enacted, this proposal will take away rights of those data subjects who could face substantial distress by the processing of their personal data.
- UK plans for incompatible processing undermines data protection for individuals. The proposals miss out any analysis of A.23(1) and in particular A.23(1)(e); this undermines the proposals as the text becomes ambiguous as to what is intended. As far as I can guess, the objective is to break the link in A.6(4) between “public interest” and the exemptions in A.23(1) so that Ministers can declare what is in the public interest and negate the compatibility assessment. Because of the lack of clarity, the outcome of this part of the consultation is suspect. The analysis shows that the proposal to change the law around incompatibility has a knock-on effect that negates most of the Principles in A.5, provides a lawful basis for the “incompatible” processing, can involve the processing of special category of personal data and diminish the rights of data subjects.
- Government’s UK_GDPR proposals for research are unethical and unsafe. The blog shows that the proposals for the processing of personal data for research purposes are unreliable, untrustworthy and unethical. For instance, the proposals are so “flexible” they can allow for secret research, using special category of personal data or criminal offence personal data, similar to the “research” that gave rise to the Cambridge Analytica scandal.
Concluding comments
In summary, the DCMS proposals for changing the UK_GDPR do not impress; there are too many mistakes and errors and the conclusions do not withstand intellectual rigour. There is no evidence for the changes that the Government want to make and the invocation for responders to provide the evidence does not fill one with confidence.
One also gets the impression that the proposals for change will be pushed through Parliament using Ministerial Powers with little regard to the consequences.
What really irritates are the repeated statements by the DCMS that the proposals comprise “world class data protection” when they palpably do not. A little more honesty from Government would be better (e.g. we want to lower data protection standards to those of our new trading parties).
Links to the blogs
How the data subjects’ privacy protection is much diminished by proposals to change UK_GDPR; https://amberhawk.typepad.com/amberhawk/2021/11/how-privacy-protection-is-much-diminished-by-proposals-to-change-the-uk_gdpr.html
Government propose to reduce DP accountability requirements to OECD standards; https://amberhawk.typepad.com/amberhawk/2021/10/government-propose-to-reduce-dp-accountability-requirements-to-oecd-standards.html
Ministers want to pull the strings and rein-in the ICO’s independence; https://amberhawk.typepad.com/amberhawk/2021/11/ministers-want-to-pull-the-strings-and-rein-in-the-icos-independence.html
Data Protection accountability suffers as a result of an unconvincing attempt to reduce red-tape; https://amberhawk.typepad.com/amberhawk/2021/11/data-protection-accountability-suffers-as-a-result-of-an-unconvincing-attempt-to-reduce-red-tape.html
Government propose to tip the scales in the controller’s legitimate interests; https://amberhawk.typepad.com/amberhawk/2021/10/government-propose-to-tip-the-scales-in-the-controllers-legitimate-interests.html
UK plans for incompatible processing undermines data protection for individuals; https://amberhawk.typepad.com/amberhawk/2021/10/proposals-for-incompatible-processing-undermine-protection-for-data-subjects.html
Government’s UK_GDPR proposals for research are unethical and unsafe; https://amberhawk.typepad.com/amberhawk/2021/09/governments-uk_gdpr-proposals-for-research-are-unethical-and-unsafe.html