This blog considers how the Data Protection and Digital Information Bill (the “Bill”) impacts on the lawful bases used in the context of voluntary data sharing with public bodies.
It explains how the Government is building a legal infrastructure that provides Ministerial powers to legitimise voluntary and general data sharing across the public sector which does not need to consider whether data sharing is in the “public interest”.
For instance, is it “in the public interest” to disclose personal data to protect vulnerable individuals? If your answer is “yes”, then the blog explains why there is no need for many of the new proposed lawful bases or for the abolition of the “public interest” test. Indeed, one new proposed lawful basis can be developed to legitimise data sharing in general, also in the absence of any public interest consideration.
This blog is limited to how such expansive data sharing becomes lawful under the revised A.6 proposed in the Bill. The blog also serves as a reminder of the significant impact of the proposed replacement of the Human Rights Act on this Bill; something that remains absent from all DCMS documentation on this Bill.
Current data sharing
Before describing the changes made by the Bill, it is worth understanding how voluntary disclosure/data sharing of personal data occurs under the current DP regime.
So suppose a Social Work department of a Local Authority (Controller A) wants to obtain personal data held by another body to protect a vulnerable person in its care. So it asks another body (Controller B) to disclose the relevant personal data. Assuming Controller B has no role or function in respect of protecting the vulnerable, how is such a disclosure made lawful under the current UK_GDPR/DPA2018?
Note there is a disclosing controller (Controller B) and an obtaining controller (Controller A) where obtaining and disclosure are both processing operations. So Controller B’s disclosure is Controller A’s obtaining; it’s the same processing operation viewed from different ends of the telescope by each Controller.
This data exchange uses the lawful basis in A.6(1)(e) of the UK_GDPR/DPA2018 regime. This lawful basis requires that the “processing is necessary” for one of two options which are either:
(i) “necessary for the performance of a task carried out in the public interest” or
(ii) necessary for “the exercise of official authority vested in the controller”.
Second, Section 8(1)(c) of the current DPA2018 expands the A.6(1)(e) lawful basis: either requirement (i) or (ii) above can be satisfied if the processing is for “…the exercise of a function conferred on a person by an enactment…”. Note that, in our example, the use of the word “person” could refer to Controller A or Controller B.
The above identifies the questions that need to be asked prior to disclosure by Controller B: if the answers are “yes” then the disclosure can occur lawfully. So:
- Is a disclosure to protect the vulnerable a “task in public interest”?
- Is that disclosure for “…the exercise of a function conferred on a person by an enactment…”? In this case, does the person (i.e. the Local Authority via its Social Work Department) have a function conferred by enactment to protect the vulnerable?
Note that Controller A’s processing (i.e. the obtaining) does not need “a public interest test”; that is performed by Controller B prior to disclosure. Clearly Controller A’s obtaining is part of the “official authority vested in the controller” because it is in “…the exercise of a function conferred on a person by an enactment…” (where the person is the Local Authority again).
So both obtaining and disclosure are lawful – and in the public interest.
Now consider the following. Do you think that: (a) disclosure of personal data to the police for a criminal investigation; (b) a disclosure to the relevant national security agency for a national security purpose, or (c) a disclosure to public bodies dealing with a national “emergency” (e.g. a large area flood) are also disclosures “in the public interest” in the same way as “protecting the vulnerable”?
I am convinced the answer is “yes”. And this is before one considers an alternative lawful basis (i.e. A.6(1)(f): disclosure from Controller B is in the legitimate interest of the Third Party (Controller A)).
I say this because, if you agree that the above options are all “in the public interest” then the conditions presented in Annex 1 after the first paragraph are redundant.
Indeed, I suspect that these later paragraphs in Annex 1 are included to act as a smokescreen to mask the real change in its first paragraph.
Lawful basis under the Bill
The Bill introduces the following changes with respect to lawful basis:
First, the task specified in A.6(1)(e) is amended so that it is specific to the controller performing the processing. This lawful basis now reads that the “processing is necessary for the performance of a task [of the controller] carried out in the public interest or a task carried out in the exercise of official authority vested in the controller”.
Second there is a new A.6 lawful basis where the “processing is necessary for the purposes of a recognised legitimate interest” where the “recognised legitimate interests” are listed in Annex 1 of the Bill.
Apart from the first paragraph, the Annex 1 list is as follows: “National security, public security and defence”, “Emergencies”, “Crime”, “Safeguarding vulnerable individuals” and a revised Democratic engagement purpose (which is not discussed here).
With respect to the Social Work example used above (disclosing Controller B to obtaining Controller A), Controller B’s disclosure uses the “Safeguarding vulnerable individuals” lawful basis whilst Controller A’s lawful basis remains “a task carried out in the exercise of official authority vested in the controller”.
So both obtaining and disclosure become lawful, in the absence of any public interest consideration.
The absence of any consideration of a “public interest test” prior to disclosure will eventually mean that disclosures under the Bill are likely to occur where no public interest arises. This position is aggravated by the Human Rights changes where “necessary” means “what the Government has determined as necessary” (see references for the reason why).
Even with respect to disclosures for crime prevention and detection etc, the DPA1984 and DPA1998 provided a test: prior to disclosure, a disclosing controller had to assess whether a failure to disclose personal data would prejudice the crime prevention purpose etc.
This is not replicated in the Bill. I leave it to readers to determine whether this is another example of data protection standards failing to reach those established by the DPA1984.
Any disclosure for any public sector task?
The first paragraph of Annex 1 is captioned: “Disclosure for purposes of processing described in Article 6(1)(e)”; that is where any disclosure, any public body, any public task comes from.
In further detail, this paragraph states that a disclosure is lawful when:
“the processing is necessary for the purposes of making a disclosure of personal data to another person in response to a request from the other person”, and
“the request states that the other person needs the personal data for the purposes of carrying out processing described in Article 6(1)(e) that has a legal basis that satisfies Article 6(3)”.
Note the very weak wording in the above; the word “necessary” should have been linked to the disclosure purpose and NOT to the purpose of making a disclosure (i.e. the mechanics of the disclosure procedure). The fact that a controller “needs the personal data” for any purpose for any public task is a far lower threshold than one that requires the disclosure to be “necessary” for a specific purpose.
However, as previously stated, these weaknesses are aggravated when the proposed Human Rights Act changes kick in (i.e. “necessary” means “what the Government decides is necessary”).
So, what does A.6(3) do?
Note the reference that the legal basis has to satisfy A.6(3); this is a reference to the requirement that the legal basis for the disclosure has to be laid down by UK domestic law. For example, Part 5 of the Digital Economy Act 2017 specifies, in law, a host of disclosure arrangements.
If such a law exists, A.6(3) then allows the Secretary of State “to adapt the application of rules of this Regulation” (i.e. modify the UK_GDPR) in the following areas:
- “the general conditions governing the lawfulness of processing by the controller”;
- “the types of data which are subject to the processing”;
- “the data subjects concerned”;
- “the entities to, and the purposes for which, the personal data may be disclosed”;
- “the purpose limitation” and “storage periods”; and
- “processing operations and processing procedures”.
Some of the powers to “adapt” the above are found at Clauses 5(4), 8A(5), 8A(6), 8A(7) and 8A(8) of the Bill. For example, many disclosures are made exempt from the Purpose Limitation Principle via Annex 2 of the Bill.
Potentially these Ministerial powers can adapt any Principle, A.6 lawful basis (and A.9) to ensure that data sharing can proceed, relatively untroubled by the data protection concerns of data subjects. It is these provisions that establish the legal infrastructure to legitimise voluntary and general data sharing across the public sector in the absence of “public interest” considerations.
Although A.6(3) adds that “…domestic law shall meet an objective of public interest and be proportionate to the legitimate aim pursued”, these requirements should not be considered reliable safeguards for data subjects.
When the Human Rights changes come into effect, the “public interest” effectively means “the interest of the Government of the day” and “proportionate/legitimate” means “what the Government considers proportionate/legitimate”.
Concluding comment
As specified in previous blogs, the proposed changes to the UK’s Human Rights regime infect the Bill like a malevolent virus. Like all embarrassing diseases, the DCMS (and ICO) do not refer to the consequences of the proposed modifications on this Bill.
The requirement that the Courts and ICO give “great weight” to the Government’s determination of what is “necessary”, “proportionate” or “in the public interest” undermines the protections afforded to data subjects, especially when public bodies are able to share their personal data without any consideration of the public interest.
Any allegation of “unlawful disclosure” under the Bill will become very difficult to prove, if the argument is reduced to one about the “weight” given to a particular disclosure.
The effect is to give public authorities a “Get Out of Jail Free Card” even when data sharing, not in the public interest, goes pear-shaped.
Autumn Data Protection Courses
I am holding another day course on the changes arising from the Data Protection and Digital Information Bill on Tuesday, September 27 (by Zoom only; £250 + VAT per delegate). Program available from: info AT amberhawk.com
Because of continued COVID uncertainty, the following courses can be attended in person, or via Zoom, or as a mixture if something untoward happens. It's up to you.
- The next Data Protection PRACTITIONER Course is in London on Monday September 19-24 (5 days).
- The next Data Protection FOUNDATION Course is in London on Tuesday November 15-17 (3 days).
As we are upgrading our Amberhawk website, full details of all the above courses can be obtained by emailing info AT amberhawk.com
References
How the Human Rights changes impact on data protection: https://amberhawk.typepad.com/amberhawk/2022/07/uk-bill-of-rights-set-to-undermine-uk_gdpr-and-adequacy.html (see other references at the end of the blog)
I have produced a “Keeling Schedule” for the changes to A.5, A.6, A.13, A.14 (download: A6 changes DPDIB Aug).