The blog concerns the content of the new Data (Use and Access) Bill (DUAB) as published last week; it bears a strong relationship with the previous Data Protection and Digital Information (DPDI) Bills. In fact, DUAB could easily have been named the DPDI (No 3) Bill.
The Bill itself runs to 138 Clauses, 16 Schedules and 251 pages; many of the provisions of DPDI re-appear in DUAB but with different Clause numbers. The Bill is a complex read as its data protection changes appear as amendments to existing legislation (i.e. one has to cross-reference DUAB with the DPA2018 and the UK_GDPR to find out what is happening).
There are, in addition, three immediate political consequences with the start of the Parliamentary process in the House of Lords.
- First, it will be difficult for the official opposition to oppose DUAB since it contains many of the Conservatives’ DPDI proposals. In other words, apart from the odd maverick intervention, the opposition to this Bill will not come from the two main political parties.
- Second, the Bill has started its Parliamentary life in the House of Lords. This, from the Government’s perspective, gets the awkward Parliamentary stages out of the way first and at a time when Peers and NGOs have not had much time to really understand the detail of the Bill’s proposals. The Commons passage is likely to be cursory given the Government’s majority in the Commons (as it was with the DPDI Bills).
- Third, if the Bill, after Second Reading in the House of Lords, is remitted to be considered under the Grand Committee procedure of the House of Lords, then voting on amendments to the Bill in Committee will not occur. This means that the Report stage will be the main area of voting contention, and where Government amendments to the Bill will surface for minimal debate. So expect Parliamentary scrutiny of the Bill’s content to be much diminished.
The blog is in three parts: what has been dropped from DPDI; what has been copied from DPDI; and what is new. If I have missed something out, please let me know.
Just so you know, I am reinstating our Zoom sessions on the major changes to the UK_GDPR and DPA2018, arising from DUAB, on January 28th next year (Data Protection Day); details at the end of the blog.
What was in DPDI but not in DUAB
DUAB does not contain any proposals:
- to weaken the definition of “personal data”.
- to change the status of Data Protection Officers (so Senior Responsible Individuals are gone).
- to change the requirements associated with the Record of Processing Activities maintained by a Controller or by a Processor.
- to change the circumstances when a DPIA has to be completed.
- to remove the requirement to have prior consultation with the ICO if there are high risks to data subjects that cannot be mitigated after a DPIA has been completed.
- to refuse subject access requests on the ground that they are vexatious.
- to encourage “electoral engagement” (I did not understand these provisions in the DPDI anyhow).
- to specify the ICO’s strategic direction (but I suspect this can be done by other means).
- to permit the DWP access to bank records of benefit claimants including pensioners (expect this to appear in other Benefit related legislation).
- to abolish the Home Office’s Biometrics and Surveillance Camera Commissioner and merge the latter responsibility for CCTV with the ICO’s role.
- to scrap the requirement for a Representative in the UK if the controller is based outside the UK and offering services to those residing in the UK (i.e. a Representative in the UK is still needed).
What’s in DUAB that was in DPDI
Like DPDI, the DUAB contains proposals that:
- Install a lawful basis of “recognised legitimate interests”, the most important one being the ability of any public body to ask another controller (usually in the private sector) for the disclosure of personal data it needs to deliver its functions. This applies to all public bodies and the Secretary of State (SoS) has powers to add to the “recognised legitimate interests” (but see next bullet). It is difficult to see how the right to object can prevail if the processing is made lawful in terms of a “recognised legitimate interest”.
- Specify that certain further processing purposes are compatible with the purpose for which the personal data were obtained; the SoS has powers to add to the list of further “compatible” processing purposes. These powers are unfettered; in the extreme, they permit any future Government to define processing to be lawful and compatible (and to provide for exemptions from rights courtesy of A.23(1)(e)).
- Introduce a lawful basis that allows USA law enforcement authorities to obtain telecommunications data for their law enforcement purposes, as per a reciprocal Agreement with the USA (the “Access to Electronic Data for the Purpose of Countering Serious Crime”) signed by Priti Patel when she was Home Secretary (October 2019). There is no information provided as to how this international Agreement has worked in practice or whether it is equally balanced.
- Limit the right not to be subject to automated decision making or profiling to special category personal data; this facilitates automated decisions or profiling using normal personal data. Controllers are therefore free to make such automated decisions (e.g. to use AI techniques on the information scraped from the internet on applicants for employment). This is “wild west” deregulation and is just asking for trouble.
- Clarify the time limits associated with the exercise of data subject rights (e.g. dealing with requests when the data subject’s original request does not identify the data subject). The controller does not need to make excessive searches for the requested personal data; the search for personal data has to be “reasonable and proportionate”.
- Provide that the data subject has the right to complain to the controller (i.e. to resolve an issue with the controller before complaining to the ICO); in summary this looks as if an FOI-type internal review procedure will be needed.
- Overturn the 40-year-old requirement (from DPA1984 days) to obtain consent for Third Party marketing, as such marketing can be in the “legitimate interests” of that Third Party (i.e. an opt-out will do instead).
- Disapply transparency requirements when personal data are used for RAS purposes (Research, Archive and Statistical purposes) and make any further RAS purpose always compatible with the processing so long as what is called “the appropriate safeguards” apply. This means that personal data can be exchanged secretly between a controller and any number of Third Parties for RAS purposes. As with DPDI, one of the safeguards does not impress: there is a requirement for the personal data processed not to cause “substantial damage” or “substantial distress”, as if causing “just short of substantial damage/distress” is acceptable.
- Permit the SoS to apply a “data protection test” when considering whether a country, part of a country, or a controller located in a country offers an adequate level of protection. These provisions increase the risk of divergence from European transfer standards if the European Commission and UK Government have different views on what “adequate” means. Also I don’t understand how a country is not deemed adequate, but a controller, processor, or recipient located in that country is.
- Reinstate the complex proposals for transfers outside the UK for law enforcement; this includes the possibility of a law enforcement controller transferring personal data for law enforcement purposes by assessing the data protection test itself (instead of the Secretary of State).
- Allow the SoS to designate that certain police personal data sets become subject to national security rules (i.e. the personal data subject to Part 3 of the DPA2018 can be designated as being subject to Part 4). The difference: the ICO can enforce Part 3, he can’t enforce Part 4 and the proposal has the effect of taking large volumes of personal data out of the UK's data protection regime.
- Abolish the ICO in favour of the Commission. The problem remains that the SoS appoints the most important members of the Commission, and this ability to appoint has the potential to give the SoS undue influence over the Commission’s decision making processes (e.g. determining the policy towards enforcement of AI).
- Still require the Commission to have regard to: the desirability of promoting innovation and competition; the importance of the prevention, investigation, detection and prosecution of criminal offences; and the need to safeguard national security. In other words, these “regards” could fetter decisions to protect the privacy of data subjects.
What’s new
The new items I have identified are:
- Allowing the SoS to add to the special categories of personal data so that the processing of newly defined types of special category personal data is prohibited (the example given is “neurodata”). These provisions cannot be used to modify the existing list of special categories of personal data specified in A.9(1).
- Giving the Treasury powers over the use and disclosure of “business data” and “customer data” with the permission of the customer. If the “customer data” are also personal data, you may have to grapple with “recipient”, “third party” and now “third party recipient” (so good luck with that one). The objective is to establish “smart data” schemes, which allow the use of the customer’s data to provide services for the customer or business as well as the sharing or publication of contextual business data.
Concluding comment
There is no Keeling Schedule published for the DUAB at the moment; as with the DPDI Bill, the absence of a Keeling Schedule significantly hinders any prospect of an informed public debate about its content. Perhaps the ICO could publish one?
One cannot expect anyone to understand what the Government proposes if one has to cross-reference the DPA2018, the UK_GDPR and this Bill at the relevant pages where amendments are proposed. This is especially important as there appear to be major concerns (listed above).
I shall be returning to DUAB; so watch this space.
References
All DUAB documents (the Bill; explanatory memorandum etc) can be obtained from https://bills.parliament.uk/bills/3825/publications
Winter Data Protection Courses
The first all-day Zoom workshop (10.00-4.30) on the DATA (USE AND ACCESS) BILL will be held on Tuesday 28 January 2025 (£275+VAT per place).
The following BCS Practitioner or Foundation courses can be attended in person, or via Zoom, or as a mixture (i.e. part Zoom, part attendance just in case “stuff happens on the day”).
- Data Protection PRACTITIONER Course is in London on Monday, 18 Nov to Friday, 22 Nov and Monday, 20 Jan to Friday, 24 Jan 20 (5 days: 9.30am to 5.30pm).
- Data Protection FOUNDATION Course is in London on December 8-10 (Tuesday to Thursday, 3 days: 9.45am to 5.00pm).
- Remember our specialist DP qualification for those in Education.
More details on the Amberhawk website: www.amberhawk.com or email [email protected].