When a Prime Minister calls a General Election, the Official Opposition in Parliament becomes very powerful. The reason is that the two main political parties can agree to enact outstanding and uncontroversial pieces of legislation (e.g. in this case, before the end of next week – May 30th). Parts of the DPDI Bill do fall into this uncontroversial category; but many bits don’t.
In summary, the Opposition can say to Government something like: “we will agree to pass the DPDI Bill if you remove Schedule 11 (DWP powers to access bank accounts), the definition of personal data and the new disclosure arrangements in Schedule 1, paragraph 1” etc. Alternatively something like: “we will let through the DPDI Bill limited to the DVS elements, ICO changes to an Information Commission and law enforcement transfers of personal data outside the UK”.
This horse trading is called “wash-up”; it is undertaken in smoke-filled rooms, out of the public gaze, where FOI is a distant dream.
The problem is that the Labour Party is not opposed to the DPDI Bill; so it could agree to enact something from the DPDI. That explains why privacy NGO “BigBrotherwatch” has launched a campaign to get its supporters to contact Labour MPs to ensure the DPDI Bill has no resurrection.
If Labour seeks the views of the ICO, he will repeat his oft-expressed (and erroneous) view that he supports this Bill as it presents no risk to data subjects (aaargh).
So in my last missive on the lamentable (but unlamented) DPDI Bill, I thought I would list the items that are in my view controversial, in the hope that it helps “Kill the Bill”.
Weakening data subject protections
The list is not complete but contains the following; all of them impact on the rights and freedoms of all UK data subjects.
Personal data: this definition is changed to make it more prescriptive (i.e. less personal data are subject to the DPDI Bill). This definition, which impacts on all the data protection rights and Principles, does not meet the standard set by the DPA1984, CoE No 108 and GDPR and is a risk to the UK’s Adequacy Agreement with the EU.
Lawful basis: the specification of “Recognised Legitimate Interest” legitimises any voluntary data sharing of personal data from any private sector controller to any public sector controller for its public tasks. In addition, the further purpose of the disclosure is also likely to be deemed compatible with the purpose of obtaining. The data subject’s right to object to such disclosures is much diminished.
As modifications of lawful basis are not possible with the GDPR, this provision is also a risk to Adequacy.
Marketing: “opt-in” (consent) for third party marketing becomes the exception; “opt-out” (legitimate interests) becomes the new norm. This overturns the “opt-in” consent rule for Third Party Marketing established under DPA1984 (40 years ago).
In my view, this change represents a spammer’s charter for Third Party marketing.
Transfers outside the UK: these transfers are legitimised via powers granted to the Secretary of State (SoS) without direct reference to Parliament (as it follows negative resolution procedures). The provisions allow the SoS to identify specific controllers in a certain country as adequate, even though the country itself is not deemed to be adequate.
This also could threaten the Adequacy Agreement if transferred personal data from the UK contains personal data that has originally been transferred from the European Union.
Data subject rights: the presumption that automated decision-taking is prohibited is removed. This means that automated decisions using Artificial Intelligence (AI) techniques are likely to become the norm in the UK. There is very little protection for UK data subjects except for making complaints after an AI decision has had an effect on them.
In addition, DPDI specifies that a data subject complaint is first directed to the controller. This will add a further month and a half delay before the data subject can complain to ICO (who often takes 4-5 months to allocate a case-worker).
This means delays of half a year or more concerning an automated decision can be expected. Such a time delay does not protect the data subject’s interests; it protects the controller’s interests.
Research (RAS) processing: it becomes easier to share personal data for RAS purposes, in the absence of transparency to data subjects, so long as certain safeguards apply (see next bullet). Consent as the lawful basis for RAS is likely to be replaced by “legitimate interests” or “public task”. Existing databases can be used and disclosed for RAS purposes and the “scientific research” definition is expanded to cover AI research and development.
There is a considerable risk that, to facilitate AI research and development, there will be disclosures of personal databases in the legitimate interest of Third Parties and onward to further Third Parties in their legitimate interests, again in the absence of transparency. This “Wild West” approach to data-sharing is likely, in my view, to result in major data breaches or significant AI harm to individuals.
Research (RAS) Safeguards: The safeguards for data subjects associated with RAS purposes (mentioned above) are not particularly “safe”. For example, one safeguard is that the RAS disclosure does not cause “substantial damage or substantial distress”; this means that moderate damage or distress is perfectly acceptable to Government.
The Regulator: the ICO becomes an Information Commission where voting members of the Commission are all selected by the SoS. Such selection puts at risk the regulatory independence of the UK and has knock-on implications for the Adequacy Agreement.
Codes of Practice: Codes are still not produced in an independent manner in the UK. Although the SoS no longer approves the final text of a Code (as originally intended), it is possible for the SoS to recommend that Parliament vote down the Code. As the SoS’s political party forms the majority of MPs, the SoS veto over the text of Codes of Practice is maintained. (btw the ICO thinks the veto has gone).
National security: the SoS can designate personal data processed by the police as being of interest to GCHQ, MI5 or MI6. The result is that the personal data, once designated, move from Part 3 of the DPA2018 to Part 4. This then means that any processing of designated personal data falls outside the DP enforcement regime.
The reason for this designation mechanism has never been explained. However, it provides an alternative route that could, for example, permit a bulk ANPR database that the police use to monitor traffic on UK roads to become subject to national security rules for data protection purposes.
Forget bulk data transfers and the statutory restrictions and protections found in Investigatory Powers legislation; instead think designated databases under DPDI Bill and total freedom from ICO regulation.
Codes of Conduct: Law Enforcement Codes of conduct can be produced by expert Law enforcement bodies covering their own processing. If approved by a (SoS compliant) Information Commission, these Codes can specify that the processing described in a Code complies with Part 3 data protection obligations.
The prospect of controllers establishing that their own processing is compliant with DP law, by reference to a Code of Conduct they produced for themselves, is pure Alice in Wonderland. It obviously risks reducing the protection afforded to data subjects.
DWP Powers: the Department for Work and Pensions (DWP) wants to obtain financial details from financial bodies and use AI techniques to identify whether any payment to any claimant is correct (e.g. benefit, pension, allowance). Since powers to demand these details already exist where there is suspicion of fraud, these new powers are for cases where there is no suspicion of fraud.
An “account information notice” from the DWP can demand details from accounts of those connected to a benefit recipient (e.g. family members). So potentially these powers involve half the UK population (e.g. child benefit recipients, OAPs, benefit recipients).
Even the ICO has identified a likely A.8 ECHR problem (the ICO says “I do not think the current drafting is sufficient to ensure this [proportionality]”). Note the ICO does state the obvious: that there is a lack of an A.6 lawful basis that could be subject to his enforcement powers.
International Agreement: there is a new lawful basis of “necessary for the purposes of responding to a request made in accordance with the Agreement … [between UK and USA Governments] … on Access to Electronic Data for the Purpose of Countering Serious Crime signed 3 October 2019”. This sets a precedent for other similar International Agreements having a similar lawful basis.
Again the ICO is on record as saying this change is unnecessary.
Conclusion
For the above reasons (and more), the data protection elements of the DPDI Bill should NOT be subject to the Parliamentary “wash-up” mechanism. The Bill should be killed off.
This is especially the case as Government Ministers still claim that this DPDI Bill maintains a high level of data subject protection and at the same time eases the load of controller compliance, when this is demonstrably wrong. Quite simply, this Government cannot be trusted with data protection.
However, before you rest easy, the Tony Blair Foundation has plans for the wider use of NHS data to make large financial gains for UK Plc whilst maintaining the highest degree of patient confidentiality.
“Hang on a second; haven’t I heard this before?” I therefore suspect that further DP legislation is on the horizon after the Election.
Forthcoming Data Protection Courses
The following BCS Practitioner or Foundation courses can be attended in person, or via Zoom, or as a mixture.
- Data Protection FOUNDATION Course is in London on July 2-4 (Tuesday to Thursday, 3 days: 9.45am to 5.00pm).
- Data Protection PRACTITIONER Course is in London on Monday, 8 July to Friday, 12 July (5 days: 9.30am to 5.30pm).
- Remember our specialist DP qualification for those in Education. Next course on June 11th, 12th & 18th 2024.
More details on the Amberhawk website: www.amberhawk.com or email [email protected].