This blog is the promised second instalment that deals with the powers in the Data (Use and Access) Bill (DUAB “Bill”). These powers give Ministers the ability to sweep aside key elements of the UK_GDPR that protect data subjects from function creep in the public sector.
As evidence in support of the above statement, this blog explains details of:
- the two powers that give Ministers the ability to specify any voluntary data sharing with any public body as lawful and not incompatible with the purpose of the original obtaining of the personal data, so long as that public body states that it needs the personal data for any of its public tasks. The function creep arises because if personal data can flow to one public body for its public task, it can flow onwards to other public bodies for their public tasks.
- the power for Ministers to add general exemptions for pet political projects because they are deemed by Ministers to relate to “other important objectives of general public interest” (i.e. other than widely recognised public interest such as crime, tax, benefits, national security, child protection etc). This power essentially permits Ministers to claim that political processing objectives can be treated as objectives in the “public interest”.
- two exemptions that illustrate the control Ministers have over exemptions to the DPA2018. One exemption concerning immigration was subsequently deemed by the Courts to be unlawful (four times). The other involves total disregard of a Strasbourg Human Rights judgement (UK v Gaskin). In both cases, the Government are still claiming the exemptions are “necessary and proportionate”. Official statements offering reassurance about exemptions, in general, are hence rendered worthless.
All three bullet points above applied to the two Data Protection and Digital Information Bills of the previous Government, so they can expect to have the support of the official Opposition.
If anything is likely to resurrect risks to the UK’s “adequacy” determination with the European Commission, it is the way these two exemptions disregard the role of Parliament, show disrespect to Strasbourg jurisprudence, and illustrate the excessive range of Ministerial power.
Recognised Legitimate Interest power
In my last blog (December 5) I explained how the Bill provided the Secretary of State (“SoS”) with powers to specify that certain voluntary disclosures of personal data for pre-ordained Third Party public sector purposes would be in the Recognised Legitimate Interest of that Third Party.
In particular, I mentioned paragraph 1 of Annex 1 which opens up a general data sharing pathway for any public sector body seeking any disclosure of any personal data it deems necessary for its public task.
I also noted that a House of Lords Committee has called for the removal of this power from the Bill because the Government’s explanations for its inclusion were not credible.
A Recognised Legitimate Interest means there is no need for a controller to perform a “Legitimate Interest Assessment” that balances the Third Party’s interests against any overriding interest on the part of the data subject, prior to a disclosure of personal data to that Third Party.
This is because the balance has, by law, been pre-determined to be in the “legitimate interests” of the public sector Third Party. In the case of generalised paragraph 1, this is irrespective of the purpose of the disclosure, so long as the personal data are deemed necessary for disclosure to the requesting public body.
Once processed by one public body, the shared personal data have the potential to be shared with other public bodies for their public task (perhaps as another Recognised Legitimate Interest or via existing data sharing gateways). That is why I describe this process as “function creep”.
Finally, the use of a Recognised Legitimate Interest lawful basis fetters the right to object to such disclosures in the vast majority of circumstances because the balance has been pre-determined in favour of disclosure.
Article 23(1)(e): “general public interest”
The Bill also provides the SoS with powers to add Recognised Legitimate Interests so long as any addition “is necessary to safeguard an objective listed in Articles 23(1)(c) to (j)”. This nerdy construction needs a bit of clarification!
In general, Article 23 begins with a power for the SoS to introduce exemptions from any data subject right and corresponding Principles so long as the exemptions are deemed to be “necessary”. Reasons for the exemption are precisely listed in most of Article 23 (e.g. to protect an investigation into crime or safeguard an investigation into malpractice by a regulated professional such as a medical practitioner).
In general, I don’t think there will be much debate about the need for the exemptions described in most A.23 paragraphs (e.g. to protect a criminal or regulatory investigation).
However, Article 23(1)(e) widens this list of exemptions infinitely and the SoS can specify exemptions for “other important objectives of general public interest”. These exemptions are specified “in particular [for] an important economic or financial interest of the United Kingdom, including monetary, budgetary and taxation matters, public health and social security”.
It is the use of “in particular” which makes the range of possible exemptions non-exhaustive, unlimited and illustrative.
Examples in the DPA2018 of “important objectives of general public interest” exemptions include the two exemptions which are explored in this blog: the confidential references and immigration exemptions.
The immigration exemption
It is noteworthy that there was no immigration exemption from data subject rights in the DPA1984 and the DPA1998. Indeed the lack of an immigration exemption was not aired publicly under these Acts.
Yet, suddenly, in 2016 an immigration exemption became an “important objective of general public interest” for the DPA2018. Why was this?
Immigration has always been a bone of contention for those on the right of British politics (e.g. from Enoch Powell’s “rivers of blood” speech in 1968). During the 1979 election Mrs Thatcher, then Leader of the Opposition, expressed concern that “people are really rather afraid that this country might be rather swamped by people with a different culture”. Yet the DPA1984 did not contain an immigration control exemption.
Moving past the “Tebbit test” of the 1990s (Do “they” support the English cricket team?) to 2012, Mrs May, then Home Secretary, commenced her 'hostile environment' policy which contained a range of measures aimed at identifying and reducing the number of immigrants with no right to remain in the UK.
Remember the notorious poster van which toured the streets proclaiming that illegal immigrants should “go home or face arrest”. The Windrush scandal was a consequence of this Home Office mind-set.
It was in support of the 'hostile environment' policy that the immigration exemption was included in the DPA2018; political imperatives to bolster the Party’s voting base had transformed immigration into an “important objective of general public interest”. Note that its purpose has nothing to do with crime, national security, tax or benefit claims etc, all of which have separate exemptions in the DPA2018.
The exemption merely exists for the administrative convenience of the hostile environment policy; it protects personal data from scrutiny by data subjects who are often exploited, financially destitute or living in vulnerable circumstances. The “general public interest” is served, so it is claimed, by making it more difficult for those seeking refuge in the UK, to make their case for the right to remain.
This exemption has had to be rewritten three times, because its two previous incarnations were declared unlawful by four Courts: twice at the High Court and twice before the Court of Appeal (see references for grisly detail).
It is difficult to believe that any competent Minister would make the same mistake twice (i.e. approve an exemption that could be struck out by the Courts, including on Appeal). The only conclusion I reach is that Ministers knew both exemptions could be challenged in the Courts, and were prepared to push them through Parliament, with appropriate reassurances to Parliament, in the hope that they would not be challenged.
This explains why Ministerial proclamations, made to Parliament, that the exemptions are “necessary and proportionate” or do not breach the Human Rights Convention are totally unreliable.
In summary, the history of the immigration exemption provides evidence that an “important objective of general public interest” can degrade to “the party political interests of the Government of the day”.
Ministers can approve exemptions even when the exemptions themselves are known, by them, to be of dubious legality.
Confidential References exemption (DPA1998)
The DPA2018 changed the confidential references exemption to ensure that confidential references given or received were exempt from the right of access and the right to be informed. Data subjects do not know when they go for a job, that a secret confidential reference about them can be sent or obtained.
By contrast, under the DPA1998, the confidential reference exemption allowed personal data to be exempt from the right of access for the sending controller only. Therefore prospective employees were able to know there was a confidential reference sent by their previous employer and make a request for subject access to the prospective employer who had received the reference.
If the employer refused to provide access on grounds of confidentiality, the data subject concerned could raise the matter with the Data Protection Commissioner (as the ICO was then called), who then could independently determine whether access (or not) should be provided.
This exemption was included in the DPA1998 in order for the UK to comply with the ECHR Judgment: Gaskin v UK (see references).
In further detail, Gaskin considered what should happen if, for example, there was an absolute refusal of a subject access request to a confidential reference, received from a Third Party, in circumstances where that Third Party refused consent for its release.
The Court concluded that there had to be a mechanism for an independent review. The matter could not be left to either the sender or recipient of the confidential reference because both have a vested interest in not providing access to the reference.
So the DPA1998 allowed the data subject to appeal to the Data Protection Commissioner, so that the Commissioner could take on the independent review role as required by Gaskin. The Commissioner could take enforcement action to order the release of the confidential reference, if this step was needed.
Gaskin said nothing about the status of the controller sending the confidential reference. Consequently, the Government could fashion an exemption which allowed the sending controller to claim an absolute exemption for personal data comprising a confidential reference.
This complicated procedure was explained and approved by Parliament several times in order to meet the ECHR requirements of Gaskin (e.g. Lords Hansard, 10 Jul 1998 : Column 1478).
Confidential References exemption (DPA2018)
However, this exemption has been expanded and in the DPA2018, confidential references can be withheld from a SAR by both the sender and recipient of the reference. Additionally, the fact that the reference exists, can be kept secret as it is exempt from the right to be informed. There was no debate in Parliament about abandoning the ECHR consequences of Gaskin.
In other words, the Government arbitrarily decided to ignore Strasbourg jurisprudence in Gaskin when it drafted the DPA2018 exemption, and it kept Parliament ignorant of these changes (i.e. there was no debate in either House about the exemption when the DPA2018 was a Bill).
As this exemption remains unchanged, the new Government is complicit in ignoring Strasbourg jurisprudence – a red line for the European Commission in adequacy terms.
As an aside, the Government of the day was basking in the benefits of Brexit(?!). Perhaps maintaining an ECHR judgement was too much for it politically to take (even though getting rid of the impact of Gaskin diminished workers’ rights, contrary to the Ministerial propaganda of the time).
Compatible processing power
The Bill contains a Ministerial power to deem certain processing of personal data to be compatible with the purpose of the original obtaining; there is no need to do the compatibility assessment as outlined in Article 6(4).
Roughly speaking, the disclosure list in Annex 1 is replicated in Annex 2 (with some additions). So if a further disclosure is deemed to be for a Recognised Legitimate Interest, the disclosure purpose is also deemed compatible with the purpose of obtaining.
The controversial disclosure which allows for general disclosure to the public sector (in paragraph 1 of Annex 1), additionally requires that the purpose of disclosure “is necessary to safeguard an objective listed in Articles 23(1)(c) to (j)”.
This looks like a protection for data subjects, but it is not.
All that is required, for such a disclosure of personal data to be deemed compatible, is that the disclosure is for any objective found in Schedules 2 to 5 of the DPA2018. (For readers not familiar with the DPA2018, the legislation contains 40 pages of exemptions!).
However, as we have seen above, Article 23(1)(e) contains a power that effectively equates an “important objective of general public interest” with “the political interests of the Government of the day”.
So suppose a Minister wants to make any disclosure to any public body compatible with the purpose of obtaining, for a pet party political project. All the Minister asks is: “Is there an exemption in the DPA2018 that fits the Ministerial requirements?”.
- If the answer is “yes”, the disclosure to the public body will be automatically compatible with the purpose of obtaining and the Minister does nothing; the lawful basis for the disclosure of personal data will be paragraph 1 of Annex 1.
- If “no”, the Minister fashions another exemption using the A.23 power, claims the exemption to be an “important objective of general public interest” (just like the dodgy immigration exemption). Then the disclosure becomes compatible.
The House of Lords Committee that looked at this power was not impressed. It said that “the power relates to a fundamental principle in the UK GDPR that processing in a manner incompatible with the original purpose is not permitted”.
It added: “Given the fundamental nature of that principle and the fact that we found the Department’s reasons for needing the power unconvincing, we took the view in our report that the delegated power was inappropriate” (and should be removed).
Finally, I need to explain why taxation explicitly appears in the Annex 2 list but is absent from the Annex 1 list.
It is clear that disclosures to HMRC can occur via paragraph 1 of Annex 1 as they are a public body performing a public task. However, HMRC is subject to an exemption that protects data subjects from inappropriate disclosures for taxation matters.
The Annex 2 listing ensures compatibility without the need to consider that exemption. In this way any disclosure to HMRC is compatible with the purpose of obtaining and the exemption that protects data subjects is wished away without any Parliamentary involvement. More or less the same thing applies to disclosures for law enforcement purposes.
For some reason, the setting aside of these exemptions has not been mentioned by any Government Minister or in the Explanatory Notes.
Concluding comment
It is disappointing that the UK’s Information Commissioner is silent about the dangers that arise from these powers in the context of public sector data sharing. He appears to be wholly unconcerned that the Government is dismantling the two provisions in the UK_GDPR that protect data subjects from unlawful and incompatible data sharing in the public sector.
Mind you, he was wholly approving about the previous DPDI Bills which were far worse from the data subject perspective, so his lack of concern with DUAB is par for the course.
The Commissioner’s policy of minimising the use of enforcement powers with respect to the public sector is only going to encourage public authorities to make unnecessary requests for disclosure.
The Commissioner claims on his website that he wants to be “a regulator who empowers”. In practice, his continued laissez-faire attitude merely empowers the Government to take more important protections for data subjects away.
References
DUAB Powers should be removed: House of Lords Delegated Powers and Regulatory Reform Committee, 9th Report of Session 2024–25, HL Paper 49 (28 November 2024).
Confidential Reference Exemption was introduced to meet the requirements of the CASE OF GASKIN v. THE UNITED KINGDOM (Application no. 10454/83) in July 1989.
Immigration Exemption: THE 3MILLION and the OPEN RIGHTS GROUP v HOME OFFICE and DSIT, Neutral Citation Number: [2023] EWCA Civ 1474 from [2023] EWHC 713 (Admin); [2023] 1 WLR 3011.
Commentary: The first attempt to introduce an immigration exemption was deemed unlawful following Judicial Review (JR) by the Court of Appeal ([2021] EWCA Civ 800, an appeal from [2021] 1 WLR 3611). After a further hearing to consider remedies, the Court suspended the effect of its declaration until 31 January 2022, so that the Government would have adequate time to amend the relevant provisions of the DPA by way of secondary legislation (see [2021] EWCA Civ 1573; [2022] QB 166).
These amended relevant provisions were also deemed to be unlawful by the Court of Appeal in a second judgment (see [2023] reference above). In total, four Courts have determined that the immigration exemption was unlawfully drafted.
As an aside, the response of the Government was an attempt to make Judicial Review harder to take, mainly because NGOs were crowd-funding the £40K needed to commence JR proceedings.