The Queen’s Speech is accompanied by a long document that describes important elements of the proposed Parliamentary legislative programme. This year it’s called the “Lobby Pack”.
The entry in the Lobby Pack for the Data Reform Bill is a brief summary of the points raised in the DCMS consultation document; the MoJ entry for a Bill of Rights is even less of a summary of its proposed human rights changes. There is no obvious modification to the proposals arising from the public consultations; it is as if the consultations had never happened.
Both entries fail to mention that the respective Data Protection and Human Rights proposals are inter-linked and neither mentions the risks to the Adequacy Agreement with the EU. Both sets of changes are promoted as “benefits of Brexit” and both re-assert their respective myths (e.g. reduction in controller obligations, easier data sharing, expansive transfers outside the UK and weaker regulation maintains a high standard of protection for data subjects in the UK).
Analysis of the “Key Facts” provided in the Lobby Pack shows that the DCMS numerical arguments for changes to the UK_GDPR are also very misleading. Indeed, I will go as far as to say that the DCMS have published dodgy digits that are no more reliable than those displayed on the side of that infamous Brexit battle-bus.
This blog provides a proper numerical analysis of these Facts; this shows how the DCMS changes to the DP regime favour the interests of large controllers, which comprise 0.6% of the controller community. Projected average savings are calculated to be a pitiful £2.60 per controller per week.
With respect to human rights proposals, the blog explores one of the two “Key Facts” to reveal something deeply disturbing about prison policy.
A £1 billion data protection claim
With respect to data protection, the Lobby Pack reports as a “Key Fact” that a DCMS analysis “indicates our reforms will create over £1 billion in business savings over 10 years by reducing the burdens on businesses of all sizes”. My emphasis on “all” becomes obvious later.
This £1 billion savings announcement was so eye-catching that a well-known DP lawyer was quoted in the press as saying “the reforms are likely to result in significant savings for businesses”. This is, of course, the propaganda message the DCMS wants to promote. As we shall see, this message is 100% wrong as the touted savings per business are insignificant.
The correct DCMS figure for projected saving over 10 years is £1.45 billion. This more accurate figure is contained in a document entitled: “Data: a new direction: Analysis of expected impact” (see references) which was published at the same time as the original DCMS Consultation.
So, over the next decade, according to this impact Analysis just mentioned:
- Under a heading “Reducing barriers to responsible innovation” there is a saving for all controllers of £1,111.0 million. This is achieved by “clarifying legitimate interests”, “simpler gateway for research”, easier data subject “permissions for AI systems”, “Clarifying the fairness principle”, “Clearer standards for data minimisation”.
- Under a heading “Reduce burdens on business and deliver better outcomes for people” all controllers are saved £578.3 million. This is achieved by: “Reforming breach reporting requirements”; easing “Privacy and rights in relation to electronic communications”, and “amending bulk subject access requests”.
- On the negative side there are increased “familiarisation costs” of £239 million for all. (My emphasis on all in the above).
Adding the first two savings and subtracting the cost in the third bullet gives a total of £1.45 billion per decade (which includes the PECR savings which, in theory, should be discounted as they are not associated with UK_GDPR). However, this makes the £1.45 billion savings figure an upper limit, whilst the “over £1 billion” figure is a lower limit. (Warning: a nerdy explanation as to why an upper limit is preferable is in the references).
Some real facts
I am using five additional facts which are missing from the DCMS analysis:
- Fact 1: Companies House has over 4 million companies registered in the UK (from Companies House website).
- Fact 2: The total number of controllers on the ICO’s public register is 1,066,929. The breakdown of registration is: Tier 1: 966,587 (90.6% of the register); Tier 2: 93,604 (8.8%); and Tier 3: 6,738 (0.6%). (Information from the ICO on 12 May 2022).
- Fact 3: Approximate registration revenue per year is: Tier 1: £33.8 million; Tier 2: £5.6 million; Tier 3: £19.5 million. The total ICO revenue collected is £59.0 million per year which is calculated by multiplying the number of controllers in each Tier, by the annual notification fee for each Tier (Tier 1 (£35); Tier 2 (£60); Tier 3 (£2,900)).
- Fact 4: The latest Annual Report (2020/21) indicates the cost of running the ICO is £56.4 million. Note that there is a potential for a small surplus as Registration fees can be more than the ICO’s running costs in data protection.
- Fact 5: There are 67.1 million data subjects resident in the UK as per July 2020 (ONS website).
So what kind of questions do Facts like the above raise? Three spring to mind immediately:
- From Facts 1 and 2, it can be seen that only 1 in 4 companies at Companies House is registered with the ICO. So could the ICO garner more in registration fees (e.g. by looking for active companies registered at Companies House but not registered with the ICO)? This improved revenue stream could help the ICO generate more resources to provide advice to controllers. Is this better than changing the law because of a lack of clarity in the UK_GDPR as claimed by the DCMS in its Consultation? Your answer is……
- From Facts 3 and 4, could any future surplus in registration fees be earmarked by the ICO to employ more staff to reduce the complaints backlog? Is this better than the DCMS proposal to deal with the ICO’s complaint backlog by passing legislation that allows the ICO to dismiss or not investigate complaints from data subjects? Your answer is……
- Should the notification fee (fixed in 2018) be increased? For example, increasing the notification fee for Tier 2 to £100 and Tier 3 to £3,500 increases ICO resources by over £10 million.
These obvious questions (and others) should have been raised and answered in the DCMS consultation; they weren’t. It’s another omission.
Cui bono?
The ICO’s registration breakdown above (see Fact 2) reflects the size of the controller: Tier 1 includes micro companies of less than 10 staff; Tier 2 includes SMEs of less than 250 staff but more than 10 staff; and Tier 3 is large controllers with complex data processing needs.
So who benefits from the DCMS proposals for easier data sharing, less data breach reporting, easier lawful processing of health personal data, removing ROPAs and DPOs, easier data transfers and less structured accountability requirements?
Is it a controller from Tier 1, Tier 2 or Tier 3? What’s your answer?
Oh, you chose Tier 3, what a surprise!! It can thus be seen from Fact 2 that most of the changes the DCMS are proposing are primarily for the immediate benefit of the 0.6% of the controller community in Tier 3; the community of controllers that hold the maximum amount of personal data on the majority of data subjects in the UK.
It follows the DCMS changes do not reflect the interests of all controllers as stated in the Key Facts; instead they reflect the immediate interests of a relatively small number of large controllers. DCMS arguments about “removing the burdens etc” from “all controllers” are completely bogus. For example, the DCMS proposal to scrap DPOs is unlikely to impact many Tier 1 controllers, unlike Tier 3 controllers which probably have a DPO.
Let’s play with the numbers
Start with the £1.45 billion of savings over 10 years; this represents £145 million of savings per year over all controllers (£1 billion = £1,000 million). As there are 1.07 million controllers (Fact 2), the average saving for each controller can be calculated at £136 per year per controller. This is about £2.60 per week per controller (or the cost of a single cup of coffee in Barnsley – not London).
The conclusion one reaches is that the savings are really insignificant. Even a small business in Tier 1 is not going to go bust because it did not save £2.60 per week. It also follows that these touted financial savings are not a motivator for the proposed changes to the data protection regime.
So, suppose the UK_GDPR were unaltered; what would be the cost of maintaining protection for each data subject at the current UK_GDPR standards? As there are 67.1 million data subjects in the UK (Fact 5), the savings of £145 million per year imply that the cost of maintaining current UK_GDPR standards is £2.16 per year per data subject. This equates to 4.2p per data subject per week, or 0.6 pence per day.
In other words, the DCMS are prepared to weaken the privacy protection for all data subjects in order to save less than a penny per day on each data subject. Remember this penny stretches over all controllers; hence the blog’s headline: “DCMS fails to spend a penny”.
Remember all these numbers (£2.47 per week; 0.6p per day) are, according to the DCMS figures, upper limits; the true number could be much less.
Even if the £145 million yearly savings were all allocated to large controllers in Tier 3, the average annual saving is £21,520 per large controller which is an amount that would not even appear in the balance sheet of a controller having revenues in excess of £36 million per year.
If the £145 million were allocated all to Tier 2, the savings would be £1,550 per controller. There again, pifflingly small for companies with turnover up to £36 million.
Concluding comment – data protection
I have to admit that whilst writing the above, a song from the Mary Poppins film somehow entered my mind: “Feed the Birds for tuppence a bag”.
There are two reasons for this: first, 0.6 pence (in pre-decimalisation currency) is just under tuppence, and secondly, DCMS have definitely generated numbers “for the birds”.
Human Rights: the Key Fact
I don’t want to spend too much time on this so I will be brief. But it is important to always discuss the DP changes with the A.8/A.10 Human Rights proposed changes; this is because the Government has failed to do so and, perhaps, does not want to do so.
There are two Key Facts presented in the Lobby Pack; one Key Fact reads:
“Between 2005 and 2011 [six years] the Prison Service in England and Wales faced successful legal challenges from over 600 prisoners on human rights grounds. This has cost the taxpayer £7 million, including compensation paid out and legal costs”.
The missing facts, not presented by the MoJ, are that the prison population is about 79,000 per year and that the annual cost of running the Prison Service is about £3.82 billion per year (both figures from Government website).
So 600 prisoner complaints costing £7 million over 6 years represents about 100 prisoner complaints per year, costing £1.17 million. 100 prisoners represents 0.13% of the annual prison population whilst the legal fees and compensation of £1.17 million per year represents 0.03% of the prison annual budget.
It can be seen that MoJ’s Key Fact, used to argue for comprehensive changes to the human rights regime, is very small beer in terms of the Prison Service. Indeed, if a company had 79,000 customers, I suspect that receiving 100 complaints per year would show that not much was wrong with customer processes.
However, the true picture underpinning this Key Fact is revealed in the MoJ Consultation itself. Under a heading “Prisons’ provision of drugs treatments”, the Consultation says:
“Between 2005 and 2011, the Prison Service in England and Wales faced successful claims from over 600 prisoners who claimed that their human rights were breached by the failure to provide them with methadone, Valium or other particular forms of treatment for their drug addictions.
The Prison Service has settled claims alleging a combination of negligence, inhuman and degrading treatment (under Article 3), the violation of the right to a privacy (under Article 8) and discrimination (under Article 14). This has cost the taxpayer around £7 million, including compensation paid out and legal costs” (page 40).
So the MoJ want to justify the change to the human rights regime for everyone because 0.13% of prisoners have claimed to have experienced “negligence”, “discrimination” etc.
I understood the current prison policy was that the guilty are sent to prison “AS punishment” (e.g. the loss of liberty); the MoJ’s “Key Fact” is more consistent with a policy where the guilty are sent to prison “FOR punishment” (e.g. for “inhuman and degrading treatment etc”).
Shameful.
References
“Data: a new direction: Analysis of expected impact” from: https://www.gov.uk/government/consultations/data-a-new-direction
The full “Lobby Pack” can be found on: https://www.gov.uk/government/publications/queens-speech-2022-background-briefing-notes
Mathematical diversion: if I say that savings over a decade are above £1.1 billion (lower limit), then it hints that the savings could be far more (e.g. £7 billion): this allows a Minister to say “the savings are at the very least £1.1 billion but could be more”. If we have an upper limit, our Minister is unlikely to say: “the savings are at the very most £1.49 billion but could be less”.