Update: Data Protection and Digital Information Bill No.2
Last year the government introduced the Data Protection and Digital Information (DPDI) Bill, which included measures to weaken protections for personal data, including patients’ NHS data. (A brief analysis of this Bill’s implications for NHS data use can be found here). Then in September the Bill was put on hold.
A revised version of the Bill (the Data Protection and Digital Information Bill No. 2) has now been introduced and awaits its second reading. Much of this Bill remains the same as its predecessor and, for now, the overall legal framework for data protection is still provided by the UK General Data Protection Regulation (UK GDPR), the Data Protection Act (2018) and the Privacy and Electronic Communications (2003).
The main difference between the original and revised Bill is that the new version is even more business friendly than its forebear.
Key changes include:
Scientific research: Currently, data protection legislation allows organisations to ignore some of the provisions of the UK GDPR when processing personal data for scientific research purposes. The first DPDI Bill introduced a new definition of scientific research that covered anything that could ‘reasonably’ be described as scientific. The revised Bill clarifies that this definition explicitly includes commercial activities.
The role of the data protection officer (DPA): The original Bill removed the requirement for an organisation to appoint an independent DPA. Instead a ‘senior responsible person’ (SRI), employed by the organisation, would provide oversight of its data use. According to the revised Bill, an organisation will only need to appoint a SRI if its data controller or processor is a public body, or if it carries out processing that poses a ‘high risk’ (i.e. has the potential for any significant physical, material or non material harm to individuals).
Legitimate interests: The first Bill introduced the concept of ‘recognised legitimate interests’, where processing activities can be assumed to satisfy a ‘legitimate interests’ balancing test. The revised Bill gives examples of types of processing accepted as “necessary for the purposes of a legitimate interest and indicates that any legitimate commercial activity can claim legitimate interest, as long as the processing is ‘necessary’ and the balancing test is carried out. The Bill also provides the Secretary of State with powers to create, vary or remove ‘legitimate interests’ in future.
Record keeping: Under the revised Bill, data controllers and processors will only have to keep records of data processing activities where these are likely to result in “high risk to the rights and freedoms of individuals”. Examples of high risk include the extensive processing of special category data (e.g. by medical insurance companies) or the use of innovative technologies to process large volumes of personal data.
Automated decision-making: The original DPDI Bill sought changes to UK GDPR measures concerned with automated decision making. These included defining a decision that’s based solely on automated processing as one that involves no human intervention. The revised Bill extends this by saying that whenever there is meaningful human involvement in a decision, the extent to which the decision has been reached by means of profiling must be considered. This could be significant because the UK GDPR (Article 22(1)) gives individuals the right not to be subject to a decision based solely on automated processing (including profiling) that will have a legal or similarly significant effect on them. It is not clear if the intention behind the DPDI Bill 2 is to remove this right. In any event, the Bill empowers the Secretary of State to publish further guidance on the interpretation of “meaningful human involvement”.
Adequacy: The Bill introduces a new ‘data protection test’ for the Secretary of State when making a decision on adequacy – i.e. when assessing if another country, sector or international organisation provides an essentially equivalent level of data protection to the UK’s. The ‘data protection test’ will be met if the standard of data protections provided by a third country or organisation is “not materially lower” than the UK standard. In effect, the Secretary of State will have the power to recognise countries where data protection is weaker as having an adequate level of data protection, and so enable organisations to transfer data overseas more easily.
Relationship to Retained EU Law (Revocation and Reform) Bill. Under the ‘sunset’ provision of the REUL Bill that is currently going through Parliament, almost 4,000 pieces of EU legislation that temporarily became part of UK statute law after Brexit will disappear at the end of December this year, unless actively adopted. This potentially includes existing data protection legislation such as the UK GDPR. It is currently unclear whether the DPDI Bill (No 2), if passed, will co-exist with current protection legislation or whether the DPDI Bill will replace this if the REUL receives Royal Assent.
Relationship to the Bill of Rights Bill: Serious concerns have emerged that the government is presenting one Bill (DPDI 2) for detailed Parliamentary consideration despite knowing that such considerations are made redundant by other legislation, namely the Bill of Rights Bill, also awaiting its second reading. It’s argued that the Bill of Rights will subjugate DPDI2 and devastate the existing data protection landscape. As Hawktalk put it,
“The human rights challenges arising from the No.2 Bill …. are a mere pinprick compared with the privacy wasteland promised by the UK Bill of Rights.”Halktalk
The KONP Data Working Group is currently redrafting its briefing paper on the implications of the Data Protection Bill (and its relevance in the context of the UK Bill of Rights) prior to asking KONP campaigners to write to their MPs on the main concerns identified.
The test looks at whether or not an organisation’s legitimate interests and the necessity of processing personal data outweigh the interests, rights and freedoms of the data subject).