If, on April 1st, I reported that a cabal of controllers could club together and draft a Code of Practice that establishes their legal compliance with the UK’s data protection regime, you would probably say that this was too far-fetched to be true. Yet this is the procedure that has been put in place by the Government for all law enforcement processing of personal data.
The grim detail can be found in Clause 68A of the Data Protection and Digital Information (DPDI) Bill. The production of law enforcement Codes of Conduct (as they are called) does not have to involve any data protection expertise or the ICO; the text does not require Parliamentary approval; and a Code does not have to consider its impact on data subjects.
Yet, law enforcement processing often comprises the most sensitive of processing.
In addition, the DPDI Bill’s procedure for Codes of Conduct contrasts starkly with the procedure for Codes of Practice (which does involve, by law, data protection expertise, impact on data subjects and the approval of the ICO and Parliament).
How Codes of Practice are produced
The DPDI Bill specifies that the ICO has to reissue the Data Sharing Code of Practice, the Age Appropriate Code, and the Journalism Code to accommodate the changes in the DPDI Bill. As is well known, the Direct Marketing Code has been held up until the range of non-consensual marketing rules of the DPDI Bill become law.
Additional Codes of Practice can be produced on the instructions of the Secretary of State (SoS).
All these Codes follow the same procedure. This first involves consultation with the SoS and other specified parties that have an interest in the production of a Code. This could involve a preliminary scoping document covering the need for a Code.
For example, a revised data sharing Code will have to cover the voluntary data sharing arrangements for disclosures of personal data from the private sector to public sector controllers arising from the introduction of the “Recognised Legitimate Interest” lawful basis. The revised Code also has to accommodate the weakened data subject’s right to object to such disclosures using this lawful basis.
The text of a Code is first drafted by the ICO. This is then considered by a panel of experts, chosen by the ICO for their knowledge of the subject; this panel then produces a report on the draft Code. The panel of experts includes representatives of “persons likely to be affected by the Code” as well as representatives from data subject facing organisations.
This expert panel report can suggest modifications to the draft Code; the ICO can reject or accept some or all of the suggestions. Details of any rejection from the panel of experts have to be made public. The Code (if modified) is then subject to an impact assessment.
This procedure is also followed for significant amendments to existing Codes. However, for reasons unexplained, the analysis of a panel of experts can be dispensed with, if the Code is an additional Code produced following instructions of the SoS.
The Code is then submitted to the SoS for comments, which are made public (if the SoS has any). The ICO has a choice: he can reject the SoS’s comments, withdraw the Code, or submit a “revised” Code to accommodate them. The Code is then laid before Parliament by the SoS.
Note that if the ICO rejects the SoS commentary, the SoS can ask Parliament not to approve the Code. In this way, the SoS still retains the “whip hand” if there is disagreement over the Code’s content.
How Codes of Conduct are produced
Let’s assume there is a need for a Code of Conduct covering facial recognition cameras as used by law enforcement agencies. How would such a Code of Conduct be developed?
First, the ICO identifies “expert bodies” who are “encouraged” to produce a Code. Note that the identification is of expert bodies and not expert individuals. In other words, there is no obligation placed on an expert body to choose, from its ranks, an individual who has the requisite expertise in data protection. Note also that the expert bodies can reject the ICO’s encouragement.
These expert bodies are then also “encouraged” to submit their Code of Conduct to the ICO in draft. In other words, the drafting of the content of a Code of Conduct can emerge without any submission of its text to the ICO.
If a draft Code of Conduct is submitted to the ICO, the ICO can express an opinion on a Code, decide to approve the Code, and publish the Code if approved. Of course, this provision does not apply if the Code is not submitted to the ICO.
There is no requirement for the ICO to publish his or her opinion on a particular Code of Conduct (e.g. to explain why approval was not granted). Codes that have not been submitted to the ICO for approval can still be published without any commentary from the ICO.
There is no requirement for an Impact Assessment (e.g. impact on data subjects) nor is there a requirement to seek Parliamentary approval of a Code of Conduct’s content.
One can easily see a situation where the ICO does not like a Code of Conduct and expresses some contrary views on its proposals. The response of the expert bodies could well be to press ahead with that Code of Conduct without any further involvement of the ICO.
This could especially be the case if, for example, a populist Government wanted to skew law enforcement policy in a specific direction (e.g. wanted facial recognition cameras to target those who have pre-booked seats on flights to Rwanda).
Remember the ICO is to be replaced by a Commission where all the voting members of the Commission are appointed by the SoS. Additionally, the SoS might express a view that a strong emphasis on law enforcement should be a strategic priority for the Commission.
All these possibilities could put pressure on the Commission to approve the Code of Conduct produced by the law enforcement agencies.
Once a Code is “approved” by the ICO, then the text may be used to demonstrate compliance with the law enforcement requirements (see Clauses 56(4) and 59(7A) of the DPDI Bill).
In this way, public bodies producing a Code of Conduct are effectively drafting text that determines how data protection law applies to their controversial area of law enforcement processing. This “lawfulness” is established without any reference to the Courts, Parliament, an impact assessment on data subjects or any detailed privacy analysis from the ICO.
The ICO has not objected to such a prospect.