This blog considers how the Data (Use and Access) Bill (the “Bill”) impacts on the lawful bases used in the context of voluntary data sharing with public bodies.
In summary, the Bill creates an infrastructure of Ministerial powers that ensures voluntary data sharing with the public sector has a lawful basis; that such data sharing is not incompatible with the purpose for which the personal data were obtained; and that such data sharing is, in practice, exempt from the right to object.
These powers have to be combined with the ability of Ministers, under Article 23(1)(e), to specify new exemptions that can negate other data subject rights on the grounds of “general public interest”. (This will be the subject of my next blog.)
By creating a comprehensive gateway for voluntary disclosures to the public sector, the Bill also has the effect of undermining the role of Parliament in determining the conditions under which an organisation is obliged to provide personal data by law.
These Ministerial powers have been criticised by the House of Lords Delegated Powers and Regulatory Reform Committee (see references). It recommends that the powers should be removed from the Bill, because they are “inappropriate” and the justification for them, provided by Government, is “unconvincing”.
For example, in relation to the power to negate the Purpose Limitation Principle, the Committee concluded: “Given the fundamental nature of that principle and the fact that we found the Department’s reasons for needing the power unconvincing, we took the view in our report that the delegated power was inappropriate” (and recommended its removal).
I would add that the first paragraph of Annex 1 (which legitimises disclosures to any public sector body) should also be removed from the Bill. This blog explains why.
Recognised Legitimate Interests
The Government’s justification for the change in data protection law is seductively simple; it goes like this.
Data protection is hard for many controllers, especially when faced with a one-off request for disclosure of personal data from any law enforcement agency, an agency that protects vulnerable children and adults, a national security agency, a defence agency, and for public security purposes or in emergency situations (e.g. floods).
In these circumstances, so the Government claim, many organisations hesitate and do not know whether to disclose personal data or not.
Hence the Bill will clarify the law by providing a list of Recognised Legitimate Interests, so controllers can disclose without performing any balancing test of the competing interests. This is because a Recognised Legitimate Interest has pre-determined that the balance of interests is in favour of disclosure of personal data.
Hence, it is unlikely that there will be any overriding interests on the part of the data subject and that, as a result, the right to object to disclosure (and perhaps other subsequent processing that depends on that disclosure) is effectively extinguished.
Just in case the Government needs flexibility, it has provided a Ministerial power to make variations or additions to these Recognised Legitimate Interests.
How does disclosure work now?
So, suppose you get a request from a Local Authority Social Work Department: “We are worried about Child X; can we have a copy of your personal data that relates to Child X?”. You go through some security questions to ensure it’s not a hoax (e.g. check who is asking) and then you can move on to the decision whether to disclose or not.
In order to make this decision, you will probably ask for information about the circumstances pertaining to the disclosure (e.g. “what are the worries?”; “what do you want from us?”; “how would our personal data help you?” etc). Normally you will need this type of information before you decide whether to disclose (or not).
If the request is genuine and the concerns about Child X are real, you have a choice. Protect Child X or protect the putative child abuser’s privacy. So which one is it?
Not a difficult choice is it?
Then you square the disclosure of personal data with the data protection requirements. Currently such a disclosure would be necessary “in the legitimate interest of a Third Party” (the Social Work Department), and the questions you have asked (e.g. why would our personal data help, etc) form the balancing test of whether there exist overriding interests on the part of the data subject in not disclosing.
How does disclosure work under the Bill?
Now we come to the Bill and, for example, how it proposes to deal with the same disclosure protecting vulnerable children. Remember the decision in favour of disclosure is baked in.
In response to the question: “we are worried about Child X; can we have a copy of your personal data concerning Child X?”, are you going to respond as follows:
“We have checked you are a Social Work Department and a public body with responsibility for child protection. You have asked for these personal data because they are needed to protect Child X. We are NOT interested in any other details, so here is your personal data.”
Similarly with an emergency:
“We know you are a public body tasked with responding to an emergency. You have asked for certain personal data that you state are needed. We are NOT interested in what the emergency is, so here is your personal data”.
I suspect the answer is “NO”.
In practice, I also suspect you would still ask the questions of the kind: “what is the emergency or worries”; “what do you want from us”, and “why would our personal data help you” etc to decide whether or not to disclose.
In the rare case of a decision not to disclose, the fact that the lawful basis is a Recognised Legitimate Interest would not change that decision. This is because the data protection considerations come after the details that inform the decision as to whether (or not) to disclose personal data.
In other words, very little will change in relation to the Recognised Legitimate Interests described above. Controllers will still assess the situation prior to disclosure; the data protection elements are a secondary consideration, and are only relevant in support of the decision to disclose personal data.
This is why I have concluded that all the Recognised Legitimate Interests are unnecessary in DP terms (except for one, which we will come to next). I am quite relaxed about the others in the Bill because nothing has really changed.
Real reason for Recognised Legitimate Interests
The Recognised Legitimate Interest the Government has wanted for some time has been piggy-backed on all the others mentioned above. It reads as follows:
“the processing is necessary for the purposes of making a disclosure of personal data to another person in response to a request from the other person, and
the request states that the other person needs the personal data for the purposes of carrying out processing … [for its public task or in its official authority under UK law]”. The actual words used are “…described in Article 6(1)(e) that has a legal basis that satisfies Article 6(3)”.
This means any public body can ask any other controller (usually private sector) to disclose any personal data because they are needed for its functions.
And what is the purpose of this disclosure? Because other Recognised Legitimate Interests do not apply, this purpose has nothing to do with law enforcement, protecting the vulnerable, national security, defence, public security or emergencies.
In summary, any old purpose will suffice so long as:
(a) it does not fall within the list in the last paragraph and
(b) the controller can claim that it is necessary for the functions of the public body asking for personal data.
And who enforces claims that the data subject has been wronged? Well, it’s the ICO (whose current policy is not to do much enforcement against the public sector).
In summary, the provision allows any public body to obtain any personal data from anybody else and places responsibility on the ICO to police every voluntary disclosure to the public sector via this provision.
Anybody should be able to see that this is not a viable system of regulation.
As a result, the provision risks degrading into an unregulated, “free for all”, voluntary data exchange with the public sector (which, of course, certainly since the ID Card Act debates of 2005, successive Governments have always wanted).
Undermining of the role of Parliament
Parliament has given, for example, HMRC powers to demand personal data; these have been debated and contested. By contrast, this new voluntary approach negates the need for future debate over statutory powers because, in our example, HMRC can merely ask via the new voluntary disclosure route.
To explain how this could work, suppose you get the following request from HMRC:
“We are investigating certain matters relating to taxation; can we have a copy of all your personal data relating to the following list of your employees. Such a disclosure of personal data would be lawful as it is a Recognised Legitimate Interest”.
So suppose you respond with:
“It would help us to decide whether to disclose if you could give us the further details: …” [followed by a list of questions pertaining to the disclosure].
Now you get the response:
“We do not want to answer your questions because it could have an impact on our inquiries. We have given you a clear statement that this disclosure is lawful and necessary for our public task. Because the disclosure is a Recognised Legitimate Interest, no reason has to be provided to you. We confirm that there is no impediment to your disclosure of personal data to us.”
So over to you. Would you disclose? Is this an invitation to disclose that you can’t refuse?
Now I am sure many brave data protection staff would say “no”, but the decision to disclose does not depend on the bravado of DPOs. I am fairly confident that many senior managers will conclude: “We don’t want to upset HMRC; for the sake of a quiet life and good relations we will disclose”.
In this way, the statutory route for disclosure gives way to the new, supposedly “voluntary” route, where most controllers will “comply with the request”, albeit with gritted teeth. HMRC’s statutory powers to demand personal data go unused (when Parliament expects them to be used) and are held in reserve.
This explains why the first Recognised Legitimate Interest should be removed from the Bill.
Winter Data Protection Courses
Amberhawk is holding our first session on the changes to the UK’s data protection regime arising from the Data (Use and Access) Bill, by Zoom, on Tuesday January 28th 2025: (10.00am-4.30pm; £275+VAT).
The following BCS Practitioner or Foundation courses can be attended in person, or via Zoom, or as a mixture (i.e. part Zoom, part attendance just in case “stuff happens on the day”).
- Data Protection PRACTITIONER Course: London on January 20-24 (5 days: Monday to Friday: 9.30am to 5.30pm) and on March 17 to March 21 (same timings).
- Data Protection FOUNDATION Course: London on March 11-13 (Tuesday to Thursday, 3 days: 9.45am to 5.00pm).
- Remember our specialist DP qualification for those in Education.
More details on the Amberhawk website: www.amberhawk.com or email [email protected].
References
House of Lords Delegated Powers and Regulatory Reform Committee, 9th Report of Session 2024–25, HL Paper 49 (28 November 2024).