The government has now released its responses to the results of its "Data: a new direction" consultation, which it launched on 10 September 2021.
During the consultation period the government engaged with a wide variety of bodies, including academia, tech, industry and consumer rights groups.
The consultation proposed a number of wide-reaching reforms to help the government achieve its ambition of the UK becoming the most attractive global data marketplace. It encompasses the reduction of barriers to responsible innovation, the reduction of burdens on businesses, the delivery of better outcomes for individuals, the boosting of trade and reduction of barriers to data flows, better delivery of public services and the reform of the Information Commissioner's Office (ICO).
The current UK data protection regime consists of the UK GDPR, the Privacy and Electronic Communications Regulations (PECR) and the Data Protection Act 2018 (DPA 2018). The consultation responses will assist the government in fleshing out the terms of the Data Reform Bill, and we can expect to see wide ranging changes to existing legislation when the Data Reform Bill becomes law. The Bill is expected to be published later this year.
The government proposed a large number of changes in the consultation, and the proposals it states it will be taking forward are largely based around introducing flexibility whilst retaining key safeguards. There is some work still to be done on clarifying how some of the proposals will work in practice, which will be set out in the Data Reform Bill.
In this guidance note we have briefly outlined some of the key changes which the government proposes to proceed to legislate upon. We will be providing updated guidance and commentary as the Data Reform Bill progresses.
Reducing barriers to responsible innovation
The government has recognised that the use of personal data is key to much research, but that the existing laws around the use of personal data in research can be complex and can potentially amount to barriers to effective research. In the consultation, the government invited views on a number of proposals to allow for an increased usage of personal data in research.
A number of these changes involve consolidating existing legislation and guidance. For example, the government proposes to include a statutory definition of 'research' using one of the recitals (i.e. guidance notes) from UK GDPR, and to move a description of broad consent (which is where scientific researchers can use a less specific form of consent where the purpose of processing cannot be fully identified at the point of location) from a recital into the actual legislation. The government had proposed that research be, itself, a lawful basis for processing personal data, but has decided not to take this proposal forward, as researchers are comfortable with the existing lawful bases for processing personal data.
Re-use of personal data
The consultation contained some interesting detail regarding re-use of personal data. The UK GDPR requires that further processing be compatible with the original purpose for which it was collected and sets out rules to be followed. The question of whether the further processing is compatible with the initial purpose is not always easy to answer. The government plans to simplify the existing legislation to make it clearer how and when further processing can be carried out, including clarifying that further processing cannot take place when the original basis for processing was consent. The government has other proposals in the area of further processing which it will consider further to clarify the position.
If 'legitimate interests' is the basis of processing, data controllers are currently supposed to complete a three-part test involving identifying the legitimate interest, demonstrating that the processing is necessary and cannot be achieved in a less intrusive manner, and balancing their interest in the processing against the rights of data subjects.
Legitimate interest assessments can be time-consuming, and the government has recognised that some organisations tend to over-rely on consent where they may be able to use legitimate interests. The government had mixed responses to its proposal that a list of processing activities be created where no balancing test would be required. It has decided to create a limited list of processing activities and to retain the right to add to this list.
AI and machine learning
Artificial intelligence is an area where the government sees the UK as being a leader, as reflected in the National AI Strategy which was published in September 2021. Successful use of AI depends upon the collection and use of personal data, and the consultation contained a number of proposals around responsible and innovative uses of personal data.
The majority of respondents to the consultation disagreed with a proposal that organisations be empowered to use personal data more freely to test and train AI, indicating that the existing legislation already allows for adequate usage of personal data for training AI. The government will however go ahead with a new condition to allow the processing of sensitive personal data to monitor and correct bias in AI systems, with no balancing test but subject to safeguards such as limitations on re-use and mandated security measures.
Article 22 of UK GDPR contains provisions on solely automated decision-making processes. There is some uncertainty over how this article operates and the government proposed removing it. This was opposed by the majority of respondents, with some arguing that this would damage the UK's reputation. The government has abandoned this proposal but will be considering further amendments to Article 22.
The difference between anonymised and pseudonymised personal data is important as once data is properly anonymised it is no longer classified as personal data and is outside the scope of data legislation. It is not always easy to understand the difference between anonymisation and pseudonymisation, and the government proposes clarifying in legislation when data is to be regarded as anonymous, by stating that the test be whether the data can be re-identified in relation to the means available to the controller.
Reducing burdens for businesses and delivering better outcomes for individuals
The government wants to develop a data regime that takes an agile regulatory approach with a lighter compliance burden, but with high governance standards to protect individuals' rights. The proposals included introducing "privacy management programmes" for organisations based on core elements of accountability, whilst removing the requirements to have a data protection officer, undertake data protection impact assessments and to maintain a record of processing activities.
Privacy Management Programmes
Concerns were raised in the consultation about the privacy management programme, with respondents indicating that it could cause confusion, generate mixed outcomes, and entail additional regulatory costs for businesses. The government plans to proceed with this proposal but to address the concerns raised in the drafting of the legislation. There will be penalties for failures to comply with the new regime which mirror the current sanctions, being a maximum of the greater of £8.7m or 2% of annual worldwide turnover.
Removal of data protection officers, data protection impact assessments and records of processing activities
Whilst the majority of respondents disagreed with the proposal to remove the requirement to have a data protection officer (DPO), the government has decided to proceed with replacing the DPO with a designated senior individual whose role seems similar to a DPO, except that this individual does not need the degree of independence required of DPOs.
The majority of respondents disagreed with the proposal to remove the requirement to undertake data protection impact assessments, but the government is proceeding with its proposal to remove this requirement but require that appropriate risk assessment tools be used by organisations. It is unclear as yet what these tools may be.
The majority again disagreed with the proposal to remove the requirement to keep records of processing activities. However, the government plans to proceed with this proposal on the basis that privacy management programmes will still require organisations to document the purposes of processing but in a more tailored and less prescriptive fashion. It is not clear yet what records will be required under the privacy management programmes.
Subject access requests
The majority of respondents agreed that subject access requests can be time consuming and also are sometimes used to circumvent disclosure protocols (in particular where claims management companies use these to fish for information), but recognised the importance of individuals being able to access information held about them. Currently, a fee can be charged for responding to a subject access request if it is "manifestly unfounded or excessive" but the government plans to change this threshold to being "vexatious or excessive".
Currently, cookies can only be used either with consent from users (normally through a pop-up notice or banner), or in line with limited exceptions. The government plans to remove the need for websites to display cookie notices or banners, and to allow for cookies for non-intrusive purposes (such as measuring traffic to websites and improving organisations' offerings) to be placed on users' devices without consent. In the future, the government intends to move to an opt-out model of consent, meaning that cookies will be set without consent but websites must give clear information about how to opt out. This will not apply to websites likely to be accessed by children.
Currently, businesses can continue to contact individuals with further marketing material provided that the individuals were given the opportunity to opt-out of further contact at the time of providing their details – this is known as the "soft opt-in". The government proposes to extend the soft opt-in to non-commercial organisations such as charities.
International transfers of personal data
The UK currently relies upon the wording within GDPR as taken into UK GDPR in relation to international transfers of personal data. The government has set out its intention to create an independent framework for international transfers. It wishes to have an outcomes-based approach, and to make adequacy decisions based on countries meeting the UK standards of data protection. It also proposes to relax the requirement to review adequacy regulations every four years.
Where a country is not deemed 'adequate', appropriate safeguards are relied upon for international transfers (being normally the standard contractual clauses mandated by the European Commission as adapted for UK usage by the ICO). The government proposed allowing organisations to set their own transfer mechanisms but has dropped this proposal. It will however proceed with creating a new power for the government to create new mechanisms for transferring data overseas if the recipients meet the outcomes required by UK law.
Delivering public services
The government has highlighted the benefits of collaboration between the private and public sector, and its desire to create a joined up and interoperable data ecosystem for the public sector so that data may be shared across the whole of the UK within the public sector.
The government made a number of proposals under this heading, but is currently only taking a small selection forward. It will continue to consider a number of other proposals such as allowing the law enforcement sectors to produce personal data codes of conduct, clarifying rules on biometric data in policing, reviewing the usage of algorithmic tools in the public sector, and defining what 'substantial public interest' means.
Joined-up public services
The government proposes to extend its current powers under the Digital Economy Act 2017 to enable personal data to be shared across the public sector to improve public services. This may involve the private sector providing support to the public sector but will not facilitate the sharing of data from the public to the private sector for any other reasons.
The government also proposes that where a private sector body is undertaking a public task (for example, where private sector healthcare organisations delivered public health services during the pandemic) it should be able to rely upon the public body's lawful grounds for processing.
From a regulatory perspective the government plans to proceed with a number of proposals to change the way that the ICO undertakes its work, how it is governed and the powers at its disposal.
One of the concerns that the government sought to address through the consultation was the perceived overburdening of the ICO with small complaints from individuals, alongside reports to the ICO of relatively minor data breaches to 'err on the side of caution'. We often see these trends in our work advising on ICO intervention or investigations: there are many breaches that are reported, and complaints made, to the ICO that pull valuable resources away from organisations but do not trigger an investigation or follow-up action by the ICO. The transparency of the ICO's work and strategic aims has also been called into question through the consultation process, notwithstanding that the ICO already has a number of reporting and other mechanisms in place to ensure that its work as a regulator is both relevant and transparent.
Who's in charge?
The government's proposals to shake up the way in which the ICO is governed have been given the green light. Whilst the practical impact of those reforms on organisations and individuals alike remains to be seen in the detail of the proposed legislation, we know that the ICO, in line with other regulators such as the FCA, will move to a more corporate structure, with a Board, Chief Executive, and Chair. Given the move away from a single 'Information Commissioner', the ICO may also get a new name and re-brand once the legislation comes into force.
Objectives and reporting
In addition to more open and transparent reporting by the ICO on its functions and objectives, including annual reporting on KPIs, there is also likely to be an overhaul of the ICO's strategic framework and priorities. A new 'principal objective' underpinning its work is intended to ensure that data rights are upheld and that 'trustworthy and responsible data use' is encouraged. In addition, the ICO will also be required to have regard to competition, growth and innovation in the way it works, helping to drive the government's political agenda of being the 'most attractive global data marketplace'.
Transparency in ICO investigations
Where the ICO decides to investigate a breach or complaint, there is often a concern that the process is too opaque, and organisations do not know what to expect. As a result, the ICO will now be required to provide anticipated timelines for each phase of an investigation at the outset, which should provide more transparency and certainty to those regulated and investigated by the ICO.
Data breach reporting
The government does not now intend to formally change the threshold for reporting data breaches to the ICO to those that pose a 'material risk' to individuals. Given the subjective nature of 'materiality', the way that risk can develop over time, and the useful insight the ICO receives on data breach trends and cyber risks through those notifications, the government proposes instead to work with the ICO to update guidance on breach reporting and make the relevant thresholds clearer: whether this provides any real change in over-reporting or reduces the perceived burdens on organisations remains to be seen.
Complaints take up a significant portion of the ICO's time and resources. In order to allow the ICO to use those resources in a more risk-based way, and give it a more agile approach to investigating, the government plans to give the ICO more discretion as to which complaints it investigates. This is likely to include some form of requirement that individuals try to resolve complaints with the relevant data controller first, before seeking any resolution through the ICO. Whilst a gateway stage to formal ICO complaints will no doubt be welcomed by organisations, until we see the detail of the legislation there are likely to be questions around the types of processes that organisations will need to have in place to satisfy any new requirements.
The ICO is also likely to have increased and more varied enforcement powers available to it, including the power to commission technical reports where relevant to any investigation it undertakes, and the power to be more flexible in the timing of issuing fines. Similar to the powers enjoyed by other regulators, the ICO will also have the power to compel individuals to attend interviews with the ICO and answer questions, subject to appropriate safeguards being put in place.
The government plans to provide the ICO with additional powers to take enforcement action against organisations on the basis of the number of calls generated (rather than the number of calls connected, which is the position in the current legislation), and to introduce a 'duty to report' on communications providers. The government may introduce further requirements on telecoms companies to block calls if these measures do not produce a tangible reduction in nuisance calls.
Finally, the enforcement powers available to the ICO under PECR will also be upgraded to level the playing field with the UK GDPR and DPA 2018 enforcement powers. This will include ensuring that breaches of PECR - for things such as repetitive nuisance calls and spam marketing emails and texts - can result in fines of up to £17.5million or 4% annual turnover rather than the current limit of £500,000.
For more information about the current data protection regime and the planned changes please contact the Trowers & Hamlins data team.