Who should prepare Codes of Practice that describe good practice in data protection? Should a Code’s final content be the responsibility of the data protection regulator or a government minister?
I can sense your reaction to these two questions. A longish blog on Codes of Practice--oh dear. On the standard scale found on most data protection “Yawnometers”, the topic of “Codes of Practice” is usually found on the far right of the scale, just before “Registration fees”.
However, this view is mistaken. If, as this blog explains, the development methodology for producing a Code of Practice is institutionally biased in favour of the controller, then this bias risks infecting all Codes of Practice produced by this methodology. This is the case whether the Code relates to Facial Recognition CCTV, Marketing or data sharing.
It is this bias that undermines the “good practice” which is supposed to protect the interests of data subjects.
Lindop Report into data protection
When the above questions were considered in the Lindop Report in 1978 (see references), the Report concluded that the text of Codes of Practice should be the ultimate responsibility of an independent Data Protection Authority. The Lindop Report specifically rejected the idea that Ministers should be responsible for the final content of Codes of Practice in order to avoid an obvious conflict of interest.
This conflict arises as government Ministers are politically responsible for the processing success of the large departmental controllers they manage; they therefore have a vested interest in the outcome of any processing of personal data.
For instance, if it came down to a choice between ensuring a Department’s policy was successful or was “obstructed” by some data protection concern that “got in the way of progress”, then the former would always prevail over the latter.
This explains why Lindop concluded that Ministers were not in a position to fashion a final text that balances the processing interests of a controller with the processing interests of data subjects.
It is interesting to note that under the GDPR, the European Data Protection Board, made up of data protection authorities, is tasked with producing European wide Codes of Conduct (as Codes of Practice are called). Note that these Codes are not finalised by groups of European Ministers with a common political agenda.
Codes in the UK
In the UK, we have grown used to Secretaries of State producing Codes of Practice that help ensure that data protection interferes as little as possible with their Departmental processing priorities. For instance, consider the Home Secretary who produces Codes of Practice on policing, or on how organisations can have access to your communications data or intercept communications.
So, in this context, who has the ear of the current incumbent, Ms Suella Braverman? Is it the Chief Constables with their surveillance priorities or is it the privacy NGOs whose “lefty lawyers” have thrice inflicted judicial review privacy defeats on the illegal immigration exemption, or on the use of facial recognition CCTV by South Wales Police?
And so it goes on. The Cabinet Office, responsible for minimising public sector fraud, produces a Code of Practice on data matching that covers processing which attempts to identify public sector employees who are working and who are also claiming out-of-work benefits (i.e. identifying benefit fraud suspects). The Code defines what happens, for example, if personal data are inaccurate.
Various Ministers of State produce the Codes of Practice that relate to their Departmental data sharing objectives under the Digital Economy Act 2017, where these Codes are also supposed to protect data subjects from adverse effects of such data sharing.
In each of the above cases, it is the Minister in charge of the processing objectives of his Department who also decides on the procedures that protect the interests of data subjects.
Codes under DPDI No 2 Bill
So it is of no surprise that the Data Protection and Digital Information No 2 Bill (“the Bill”) continues this trend; the Bill changes the law so the ICO is no longer the final arbiter of the content of a Code of Practice. It specifically states that the Secretary of State (“S.o.S”) has to approve the final text of a Code of Practice, and can identify the corrections that have to be made before any Code is approved.
The steps taken in the development of a Code of Practice are as follows:
- The Secretary of State (S.o.S) instructs the ICO to prepare a Code of Practice in a specific area. Codes on data sharing, journalism, marketing and Age Appropriate Design are already identified in the Bill as a requirement.
- The ICO has to “consult” the S.o.S prior to preparing any draft Code. This allows the S.o.S to inform the “independent” ICO of the S.o.S’s broad hopes for the Code. The same “consultation” process goes for proposed amendments to Codes that already exist.
- Thus before preparing any draft Code, the S.o.S has the opportunity to remind the ICO to “have regard” for the non-data protection related obligations of his revised office. For instance, that the Code should “have regard” for the desirability to promote innovation, competition, protect criminal investigations, and towards national/public security, as well as be in line with the ICO’s strategic priorities which have been set by the S.o.S.
- A draft Code is prepared by the ICO which is then considered by a panel of experts, chosen by the ICO, who then produce a Report on the draft Code. The panel should include member(s) who represent the interests of data subjects, but this is not an absolute obligation.
- This Report can suggest modifications to the draft Code; the ICO can reject or accept some or all of the suggestions. However, the ICO must publish the Report (or an abridged version of it) and the reasons for any rejection of the panel’s recommendations. The panel does not have the opportunity to formally publish its views on any ICO rejection of its advice.
- The Code (with any modification) must then be associated with an impact assessment, produced by the ICO, covering those affected by the Code. This impact assessment is not peer-reviewed (e.g. by the expert panel mentioned previously).
- A final form of the Code is then submitted to the S.o.S for approval which should take no longer than 40 days from receipt of the Code.
- In the case of non-approval, the S.o.S has to publish the reasons why, and the ICO has to submit a “revised” final form of the Code for approval. The views of the expert panel on the S.o.S’s reasons for refusal are not sought, and this is likely to allow the detail of any refusal to be hidden from public view or debate. One assumes any submitted revision of a Code resolves the S.o.S’s reasons for refusal.
- If approved, the Code of Practice is laid before Parliament. However, just in case the Code is not in the form desired by the S.o.S, there are Ministerial powers that can junk some or all of the above consultation process (e.g. the involvement of data subject experts in the panel of experts).
- The production of Codes of Practice could also become a performance indicator for the ICO. If so, this risks equating a “good performance indicator” with “meeting the S.o.S’s expectations”. Conversely, poor performance can be equated with the S.o.S’s non-approval of a Code of Practice – and perhaps, the absence of a name from an Honours list.
In short, the Secretary of State exerts full control of the final content of the text of all Codes of Practice produced under the Bill.
Concluding comments
In this way, the interests of data subjects, which are part of the “good practice” that is supposed to emanate from a Code of Practice, can become significantly degraded.
For example, under the Bill’s new regime, a Code of Practice for data sharing produced, under the Digital Economy Act, by one Government Minister for the benefit of his Department, will have to be consistent with the data sharing Code of Practice which, under the DPDI Bill, now has a text approved by the S.o.S (another Government Minister).
Hence my conclusion that the proposed Codes of Practice procedure in the Bill contains a heavy institutional bias that favours controllers over data subjects.
And this is before one considers the provisions in the Bill that ensure that further data sharing arrangements, specified by Ministerial use of executive power, are made lawful and compatible (see Annexes 1 and 2), thereby further undermining the two main data protection concepts that protect data subjects from unnecessary data sharing (for the grim detail, see references).
Data Protection Courses (Autumn 2023)
An all-day Zoom workshop (10.00-4.30) on the Data Protection and Digital Information No 2 Bill will be held on Thursday 7 December 2023 hopefully to include changes made prior to the House of Lords stages. The fee will be £250+VAT. Email [email protected] for workshop agenda or to reserve a place on this session. The course now also covers the main law enforcement changes.
The following BCS Practitioner or Foundation courses can be attended in person, or via Zoom, or as a mixture (i.e. part Zoom, part attendance just in case “stuff happens on the day”).
- The Data Protection FOUNDATION Course in London on September 19-21 2023 (Tuesday to Thursday, 3 days: 45am to 5.00pm) or
- The Data Protection PRACTITIONER Course in London on Monday, 25 September 2023 to Friday, 29 September 2023 (5 days: 9.30am to 5.30pm).
Full details on the new Amberhawk website (www.amberhawk.com) or obtained by emailing [email protected].
References
The DPDI No.2 Bill references to Codes of Practice etc. as used in the blog can be found at Clauses 27, 28, 29, 30, 31 and 33. These were not amended at the Parliamentary Committee stage.
The Lindop Report on data protection (Command 7341; published December 1978). This Report, which promotes Codes of Practice as central to data protection compliance, is out of print but occasionally some Reports appear for sale on Amazon.
My 50 minute video-lecture on the DPDI No 2 Bill, first presented to the Data Protection Forum in June 2023. It covers lawfulness and incompatibility of the processing under the Bill. https://www.dropbox.com/s/9s424y1r13v9dv9/DP%20forum%202023%20june%20%20v2%20lowq.mp4?dl=0
The content of the whole lecture is summarised on my blog at: https://amberhawk.typepad.com/amberhawk/2023/06/if-guard-rails-are-needed-to-control-artificial-intelligence-why-does-the-dpdi-no2-bill-remove-them.html