It is well publicised that the Liz Truss Government wants rid of all that Euro-“red tape” by the end of 2023. The Data Protection and Digital Information Bill (the “Bill”) does just that for the GDPR.
Previous blogs have explained the Government has used its “Brexit Freedoms” to define “personal data” below DPA1984 standards, and to legitimise widespread data sharing across the public sector (e.g. to permit disclosure to HMRC when disclosure is not necessary for its functions).
This blog covers the removal of another layer of data subject protection; the exemption that applies to the processing of personal data for “RAS purposes”. “RAS purposes” is the Bill’s shorthand for scientific research, archiving in public interest, historical research and statistical research.
The idea underpinning the Bill’s RAS exemption is as follows. If all the statutory safeguards associated with RAS are implemented, then there is no privacy risk to data subjects or impact on them. In these circumstances, their personal data can be lawfully used and shared for public and private sector RAS purposes, often without informing the data subject about the RAS purposes.
In addition, if these safeguards apply, then the Bill makes any further processing for RAS purposes always compatible with the purpose of obtaining.
As is explained later in the blog, if the RAS exemption applies, the data subject’s right to object to the processing does not apply in practice. In addition, in many instances, it would be “disproportionate effort” to inform the data subject about the RAS purposes.
The Bill also relaxes the definition of “consent” in the context of scientific research (Clause 3 of the Bill). However, reliance on data subject’s consent for RAS purposes is likely to decrease in importance as the legitimate interests lawful basis becomes more attractive for private sector RAS.
Meanwhile, public sector RAS processing can avoid consent by using the lawful basis of necessary for a public task or RAS that is in “the public interest”.
Note that the safeguard of withdrawal of data subject’s consent for RAS purposes is diminished, as many controllers can switch their lawful basis from consent.
If Special Category of Personal Data is processed for a RAS purpose, that purpose has to be in the “public interest” (see Schedule 1, para 4, DPA2018); medical research, additionally, is likely to be subject to the approval by an ethics board.
However, these protections are limited if a Secretary of State is determined to specify where the “public interest” lies (e.g. use powers under S.251(1)(a); NHS Act 2006) or to influence or reverse any medical ethics board decision (e.g. by appointing “supportive” members: see S.19(4)(b) and S.19(5); DPA2018).
RAS safeguards
The Bill defines Scientific Research (one of the RAS purposes) to include “any research that can reasonably be described as scientific, whether publicly or privately funded, including processing for the purposes of technological development or demonstration, fundamental research or applied research”.
It can be seen that the definition can include, for example, private sector processing of personal data for proof of concept in new software designs, AI techniques or the development of leading edge technologies (e.g. a new internet surveillance technology).
The RAS purpose exemption sets out a number of safeguards (in new A.84B and A.84C of the UK_GDPR which overlap with S.19 of the DPA2018). Combined, these require that for the RAS exemption to apply, the processing of personal data:
- protects the rights and freedoms of data subjects;
- does not permit the identification of a data subject (apart from the initial obtaining of personal data);
- does not cause substantial damage or substantial distress to any data subject;
- does not take decisions with respect to any particular data subject, and
- uses data minimisation or pseudonymisation techniques.
The application of the above RAS safeguards explains why the following proposition can be promoted:
“As there is no impact on a particular data subject or risk to any specific data subject’s privacy interests, controllers can be safely permitted untrammelled use and disclosure of personal data for RAS purposes”.
Disproportionate effort
Central to keeping data subjects out of the loop is the definition of “disproportionate effort” in the Bill. This applies when personal data are obtained by a controller:
- from a source who is NOT the data subject, or
- from data subjects who do not know about the controller’s further intention to process their data for RAS purposes, because these purposes did not exist at the time of the original collection of the data from them.
The question then is: “should data subjects, in these circumstances, be informed concerning the RAS purposes?”.
New A.13(6) and A.14(6) define “disproportionate effort” as a non-exhaustive list that “depends on, among other things, the number of data subjects, the age of the personal data and the appropriate safeguards applied to the processing”. The “other things” could include: “impact on the data subject” or “what resources are needed to contact all data subjects”.
Now consider the following. Suppose a controller discloses an existing database of ordinary personal data concerning 20,000 people to another controller for a RAS purpose. As the “appropriate safeguards” mentioned previously apply, there is no privacy risk, no threat to rights and freedoms, no harm, no damage, no distress and no impact on data subjects etc.
So, would it constitute “disproportionate effort” to contact 20,000 data subjects to provide each with the following Privacy Notice, which includes something on the lines of:
“Controller X is processing your personal data for RAS purpose. There are no privacy risks to you, no threats to your rights and freedoms, no harm, no damage, no distress and no impact on you whatsoever. Indeed this big load of nothing also applies to everybody else.”?
In short, I think the “disproportionate effort” test is passed and data subjects have no need to be informed about the RAS purposes.
Note that the more data subjects there are (e.g. disclosure of a database of one million), the easier the disproportionate effort threshold is passed. In other words, the way disproportionate effort is defined in the Bill is counter-intuitive: “the more data subjects there are, the easier it is to keep them in the dark about the processing”.
Finally, disproportionate effort does not mean the Privacy Notice omits details of the RAS processing. Clearly, these details must be presented in any up-to-date Notice when personal data are collected (or recollected) directly from data subjects. The exemption merely means that the Notice specifying the RAS purposes is not sent to data subjects, who do not know about these RAS purposes, at the time of the processing.
Right to object
The right to object to the processing applies to RAS processing if it is legitimised by using an A.6(1)(e) or A.6(1)(f) lawful basis. However, the data subject has to show overriding “grounds in relation to his or her situation” if the right is to prevail (unless the research is in the public interest; A.21(6)).
Now if the “appropriate safeguards” that apply to disproportionate effort apply to this right, then the “grounds in relation to his or her situation” do not involve a privacy risk, a threat to other rights and freedoms, harm, damage, distress or impact on the data subject. In short, I am struggling to find an overriding ground that the data subject could present.
Of course there might be the odd rare exception of a successful use of the right to object, but the right, in general, would not apply to RAS processing en-masse.
My own view is that if the Bill’s RAS provisions go ahead, the right to object to the processing for RAS purposes should be the equivalent to that applying to direct marketing. The data subject should not have to declare appropriate grounds in order to exercise the right to object, and the right should always prevail, if exercised.
This is an essential protection for data subjects if data subjects lose trust in the researchers or the research; in addition, it will encourage researchers to earn the trust of data subjects.
Policy issues of concern
There are several policy areas of concern that have yet to be debated in public. They are as follows:
- Private and public sector processing for RAS purposes can occur without the knowledge of the data subject so long as RAS safeguards apply.
Is the exclusion of the data subject’s wishes in connection with RAS processing the correct stance to take? Does the exclusion accord with those research ethical standards which hitherto often rely on informed consent, especially RAS using special category of personal data? Should the data subject approve such processing even though the risk to the data subject is very low? (This last question was a key issue in Source Informatics: see references).
- Is there a false separation between the development of an idea and its implementation? For example, does “the development of leading edge, internet surveillance technology” cause substantial distress?
The safeguards in the Bill ensure its answer is “NO”. The actual technology once employed might be very harmful to data subjects indeed, but the development phase of the processing (e.g. to see whether the idea works) does not impact on any data subject nor challenge their rights and freedoms etc.
- RAS could be very profitable for private sector concerns as it potentially provides access to huge amounts of personal data to improve/generate new services which benefit them directly. It is not at all clear whether the UK economy will benefit. For instance, what is to stop the processing for RAS purposes, initially commenced in the UK, where the profits of new product lines are accrued outside the UK (e.g. in the USA)?
- With public sector RAS, the tax payer gets the benefits (e.g. in improved services or enhanced efficiency); with private sector RAS, the senior managers and shareholders reap the rewards. The tax payer or customer, whose personal data are being processed by the private sector, gets … well your guess is as good as mine!? (A discreet “thank you” donation to a political party, perhaps).
- There appears to be an assumption that RAS safeguards will actually be maintained. How does the data subject or ICO retrieve the situation if a controller, based outside the UK, obtains personal data for RAS purposes but does not maintain the specified safeguards?
- Does the Bill foster a climate of trust between the researcher and data subjects if the latter has no choice in relation to RAS?
Grim detail of RAS exemption
What follows is a step by step fully referenced guide to the RAS exemption, assuming that all the statutory safeguards are implemented (see above). There are three separate situations to consider:
- When a controller decides to use existing personal data for RAS purposes.
- When a controller decides to disclose existing personal data to a Third Party for its RAS purposes.
- When that Third Party obtains the disclosed personal data for a RAS purpose.
RAS exemption (USE)
Further use by a controller for RAS purposes, concerning personal data that have already been collected by that controller, can occur without informing data subjects. Clause 9(1)(b) of the Bill introduces new provisions in A.13(5) which negate the right of a data subject to obtain transparency information about a “further RAS purpose” (in A.13(3), subject to the disproportionate effort test being passed – which it is, as RAS safeguards apply).
In the private sector, this further use would have as its lawful basis “legitimate interests of the controller” (e.g. to make pots of money) which has to be balanced against the existence of overriding “interests or fundamental rights and freedoms of the data subject” (A.6(1)(f)).
As each data subject’s legitimate interests are protected by all the safeguards (see above), then the controller’s processing is lawful and, like the right to object, it is difficult to establish that there is an overriding interest on the part of the data subject to protect. As stated above, there might be a rare exceptional case where the data subject’s position prevails.
In the public sector the lawful basis is likely to be “public task” (e.g. University research) or “in the public interest” (e.g. Ministerial powers); there again the right to object does not, in practice, apply.
In addition, the controller’s further use for RAS purposes is deemed to be compatible with the purpose of obtaining. (See A.8A(3)(b) of the UK_GDPR introduced by Clause 6(5) of the Bill; interpret the word “processing” at the beginning of A.8A(3) as “use”).
If data subjects find out about the RAS purposes, they can do very little about it as the right to object to the processing does not apply, in practice (see above). Data subjects could refuse to provide any personal data to the controller, but this step is likely to result in them forgoing the controller’s services.
Finally, the controller’s Privacy Notice has to be updated to reflect the RAS purposes.
RAS exemption (DISCLOSE)
Suppose our controller who is using personal data, already collected from the data subject, sells personal data for a RAS purpose. Here there is a disclosure from the selling controller and obtaining by the separate buying controller; it’s the same transaction viewed from different ends of the telescope.
As the purpose of the disclosure to other controllers is for the RAS purposes, the lawful basis remains “in the legitimate interests of the controller” (making money from the disclosure). One could even argue that it is also in the “legitimate interest of Third Party” to whom personal data are disclosed, as the disclosure allows the Third Party to perform the RAS purposes (i.e. A.6(1)(f) applies).
As there is no impact or privacy risk to any data subject, there is “no legitimate interest” of the data subject to protect because RAS safeguards apply. Similarly the right to object to the disclosure for a RAS purpose does not apply in practice (as explained above).
So as explained in the previous USE section of this blog, there is no need for the disclosing controller to inform existing data subjects of the further disclosure for RAS purposes as personal data have already been obtained from the data subject. (A.13(3) excluded by A.13(5) as introduced by Clause 9 of the Bill). However, the disclosing Controller’s Privacy Notice has to be changed to reflect the disclosure for RAS purposes.
The disclosure for a RAS purpose is also deemed to be compatible. (See A.8A(3)(b) introduced by Clause 6(5) of the Bill, but this time read “processing” in A.8A(3) to mean “disclosure”).
RAS exemption (OBTAIN)
Note that the obtaining controller has not obtained personal data from the data subject unlike the disclosing controller as described above.
The lawful basis of the obtaining controller remains “legitimate interests” and this covers future processing (e.g. use and onward disclosure) so long as the processing is for RAS purposes and the statutory safeguards protect the data subject’s interests.
The obtaining controller has no need to inform data subjects of the RAS purpose because informing the data subject would constitute “disproportionate effort”. This is because there is no impact on the data subject from the processing as the safeguards protect the data subject’s interests. (We have already covered this ground in relation to A.13, but the relevant detail here is in A.14(5)(e) and A.14(6) of the UK_GDPR as introduced by Clauses 9(2)(a)(v) and 9(2)(b) of the Bill).
The processing is compatible (A.8A(3)(b); Clause 6(5) of the Bill). However, this time the obtaining controller has to make a public statement about processing for RAS purposes (new A.14(7); Clause 9(2)(b) of Bill). This can be easily done via an update of the relevant Privacy Notice in the public domain.
Concluding comments
If the safeguards apply, RAS processing is lawful and compatible and often unknown to the data subject. And this applies to onward disclosures to, and uses by, other controllers for RAS purposes.
Several Secretaries of State have espoused, as part of their post Brexit “rush for growth”, the notion that personal data is the “new oil”. The Bill intends to make that oil available on tap, for any RAS purpose of any kind, undertaken by any controller anywhere, often without any reference to each data subject’s wishes.
I am looking for a word to describe this situation; “unethical” readily comes to mind.
In this Wild West “free for oil”, it is only a matter of time before there is the data protection equivalent of the catastrophic spills of the Exxon Valdez or Torrey Canyon.
References
Under the common law of confidence, should patients consent if their medical records are to be anonymised? The lower Court said “yes”; reversed on Appeal.
- Source Informatics - Court of Appeal: Neutral Citation Number: [1999] EWCA Civ 3011
- Source Informatics v DoH: [1999] EWHC 510 (Admin) (28 May 1999)
A BIG THANK YOU to Hogan Lovells for producing a Keeling Schedule for the UK_GDPR: this should be the job of DCMS. https://www.engage.hoganlovells.com/knowledgeservices/news/uk-data-protection-reform-how-the-uk-gdpr-may-change
DPDI defines “personal data” below DPA1984 threshold: https://amberhawk.typepad.com/amberhawk/2022/08/new-data-protection-bill-defines-personal-data-below-dpa1984-threshold.html
Voluntary disclosure to HMRC? Always lawful and always compatible: https://amberhawk.typepad.com/amberhawk/2022/08/voluntary-disclosure-to-hmrc-always-lawful-and-always-compatible.html