The Information Commissioner’s Office (ICO) recently released its response to the UK government consultation, ‘Data: A new direction’. The consultation was conducted by the Department for Digital, Culture, Media and Sport (DCMS).
The ICO is independent from the government. It is the United Kingdom’s regulatory body established to uphold information rights in the public interest. The ICO carries out its duties as set forth in the UK legislative framework and it advises the government on data protection.
The ICO’s response is divided into five broad subjects: reducing barriers to responsible innovation; reducing burdens on businesses and delivering better outcomes for people; boosting trade and reducing barriers to data flows; delivering better public services; and ICO reform.
1. ‘Reducing Barriers to Responsible Innovation’
The ICO welcomed the government’s intention to have further clarification of the topics of data anonymity, data use for research purposes, and the reuse of data for purposes other than that for which it was collected.
The government proposed removing the ‘balancing test’. This is the requirement to determine ‘whether the legitimate interests being pursued by an organisation or third party when processing data are outweighed by the impact on the fundamental rights and freedoms of individuals’. Under current UK law, data controllers must identify lawful grounds under the UK General Data Protection Regulation (UK GDPR) before processing personal data. These grounds include processing that is necessary for the legitimate interest of a data controller (Article 6(1)(f) UK GDPR)—which can only be relied on as long as the organisation’s interests are not outweighed by the interests of the individual (hence the ‘balancing test’).
The suggested replacement is to have an ‘exhaustive list of types of data processing activities’ where the test would not be required. This proposal is concerning to the ICO because such a list could be ‘too broad’. The ICO recommended that greater certainty is required, particularly as the balancing test is already well established, given that the UK GDPR has been in effect since 2018.
2.‘Reducing Burdens on Businesses and Delivering Better Outcomes for People’
‘Reform of the Accountability Framework’
The ICO responded to the proposal to remove the requirement for businesses to appoint a data protection officer (DPO). Under the new proposals, businesses could allocate data protection compliance responsibilities to a specific individual but not necessarily a DPO. The ICO recognised ‘it is reasonable for many organisations’ to assign the responsibilities in a manner which they see fit. However, the ICO pointed out that DPOs can be valuable and they have ‘significant skills and experience and professionalism’, so there may be economic consequences to the removal of the requirement for DPOs.
- ‘Breach reporting’: The ICO ‘support[s] proposals … to clarify the threshold for reporting data breaches’. The regulator acknowledged that ‘organisations are sometimes unclear on when and whether they should report a personal data breach, and that this can result in over-reporting of low-risk incidents’. Despite the guidance currently provided by the ICO, the agency said that more legislative clarity would be welcome.
- Data protection impact assessment (DPIA) changes: The consultation proposed removing DPIA requirements to allow organisations to take different approaches more suitable to their specific circumstances when identifying and minimising risk. Whilst the ICO agreed that there is the possibility for more flexibility regarding DPIAs, it noted that any reform to risk assessment requirements should not result in a reduction of quality in such assessments. The ICO called for further details on how businesses can assess data protection risk, particularly in cases of ‘new or novel processing’ where new technology is involved.
Subject Access Requests
The government is intending to permit organisations to charge fees for responding to data subject access requests (DSARs). There is concern from the government that under the current regulations DSARs are often not requested for their true purpose and can instead simply be tools for disruption. To combat this, the government proposed to introduce a fee structure similar to that of the Freedom of Information Act 2000 (FOI) which would impose a cap on spending for requests. This would allow organisations to refuse requests that exceed the cost limit. The ICO stated that whilst it is good that there could be guidance on refusing DSARs when considered vexatious, the guidance should ensure that access to DSARs is not undermined.
Privacy and Electronic Communications
The government outlined two proposals regarding consent requirements for cookies. The first would permit all organisations to use data analytics through cookie pop-ups without user consent, or allow information collection from cookies for other (as yet undefined) limited purposes. The ICO agreed that the existing cookies approach ‘is not effective,’ as people tend to accept prompts for cookies without reading the details, so a change is needed.
The second proposal would permit organisations to store and collect information from user devices—without consent, for a limited purpose. The ICO stated that it supports the exploration of consent preferences but highlighted that effective enforcement would be necessary. The regulatory body invited the government to discuss enforcement powers with the ICO in this respect to ensure the ICO has the jurisdiction to manage this issue.
3.‘Boosting Trade and Reducing Barriers to Data Flows’
The UK was granted adequacy status this year by the European Union for the purposes of data transfers. This permits UK organisations to transfer data to and from the EU without the need for additional safeguards.
It is the UK government’s responsibility to assess (with the ICO’s assistance) whether other (non-EU) countries have adequate data protection laws to safeguard the data of UK citizens. The UK’s assessment can, in turn, impact its adequacy status in the eyes of the EU. As adequacy status can be revoked, it is important to have robust assessment criteria.
In the consultation, the government proposed a ‘risk-based approach’ for adequacy assessment of other countries. The ICO is mindful of the importance of UK adequacy status and would like clarification on how this would work in practice. Furthermore, rather than the current periodic reviews of UK adequacy decisions (every four years), it proposed ongoing monitoring. The ICO stated that it was concerned about how this would be carried out, what would be monitored, and how changes to status would be considered. The ICO also stated that it was concerned that this might impact the government’s ability to detect changes that may present increased risks for people, and to subsequently act on them.
Alternative Transfer Mechanisms (ATMs)
There is also a plan for ‘organisations to create or identify their own alternative transfer mechanisms without approval by the ICO, in addition to those listed in Article 46 of the UK GDPR’. This would give greater flexibility than standard contractual clauses (SCCs) and binding corporate rules (BCRs). However, the main example of such a mechanism in the DCMS’s consultation is a ‘bespoke contract without ICO approval’. The difference between this and tailored SCCs is unclear. Whilst the ICO welcomed the flexibility this would bring, it remained wary of the risk of inconsistency in levels of protection. The ICO stated that the risks associated with any new ATMs would have to be ‘appropriately assessed and mitigated’.
A derogation is an exemption from the rule that transfers of personal data from the UK are not permitted unless covered by a UK adequacy decision or appropriate safeguards. The current accepted interpretation is that derogations should be used in exceptional circumstances only. The UK government intends to make ‘explicit that repetitive use of derogation[s] is permitted’. The ICO was wary in its response to this, encouraging the UK government to consider whether further safeguards could be introduced where derogations are used.
4. Delivering Better Public Services
Use of Personal Data in a Health Emergency
The government has proposed, following the COVID-19 pandemic, to allow public and private organisations to lawfully process health data for reasons of substantial public interest during public health emergencies or other emergencies, without such processing being overseen by healthcare professionals or being undertaken under a duty of confidentiality. The ICO has, in response, recognised that whilst health professional oversight might not always be possible, a requirement for a duty of confidentiality should remain as a minimum in order to prevent public trust from being undermined.
5. ‘ICO Reform’
Governance Model and Leadership
The ICO stated that it was concerned by the suggestion that future ICO chief executive appointments would be made by the secretary of state, potentially affecting the independence of the ICO. Concerned about the public’s perception of its independence, the ICO recommended that the appointment be made by the ICO chair and board, in consultation with the secretary of state, using a model that has been adopted by other economic regulators.
What Does This Mean for Businesses?
Whilst this consultation is revealing of the UK government’s intention to ‘take back control’ of its data protection laws, the ICO’s response highlighted the ways in which the proposals might not work and the consequences they could have. A particular area of concern will be any act that threatens the UK’s adequacy status, awarded by the EU commissioner in June 2021.
As these reforms are all at the proposal stage, no change is coming yet, but it is likely that modifications to the current data protection framework will start to appear in the near future and organisations will need to adapt accordingly.