The Information Commissioner’s Office (ICO) recently published its response to the UK government’s consultation “Data: A new direction”, which was run by the Department for Digital, Culture, Media and Sport (DCMS).
The ICO is independent of the government. It is the United Kingdom’s regulatory body, established to uphold information rights in the public interest. The ICO carries out the duties set out for it in the UK legislative framework and advises the government on data protection.
The ICO’s response is divided into five broad subjects: reducing barriers to responsible innovation; reducing burdens on businesses and delivering better outcomes for people; boosting trade and reducing barriers to data flows; delivering better public services; and ICO reform.
1. “Reducing Barriers to Responsible Innovation”
The ICO welcomed the government’s intention to clarify the rules on anonymisation, the use of data for research purposes, and the reuse of data for purposes other than those for which it was collected.
The government proposed removing the “balancing test”: the requirement to determine “whether the legitimate interests being pursued by an organisation or third party when processing data are outweighed by the impact on the fundamental rights and freedoms of individuals”. Under current UK law, data controllers must identify a lawful basis under the UK General Data Protection Regulation (UK GDPR) before processing personal data. One such basis is processing that is necessary for the legitimate interests of the controller or a third party (Article 6(1)(f) UK GDPR). It can only be relied on where those interests are not overridden by the interests, rights and freedoms of the individual, which is what the balancing test establishes.
The suggested replacement is an “exhaustive list of types of data processing activities” for which the test would not be required. This concerns the ICO because such a list could be “too broad”. The ICO recommended that greater certainty is needed, particularly as the balancing test is already well established: it has been part of the GDPR as applied in the UK since 2018.
2. “Reducing Burdens on Businesses and Delivering Better Outcomes for People”
“Reform of the Accountability Framework”
The ICO responded to the proposal to remove the requirement for businesses to appoint a data protection officer (DPO). Under the new proposals, businesses could allocate data protection compliance responsibilities to a specific individual who need not be a DPO. The ICO recognised that “it is reasonable for many organisations” to assign these responsibilities as they see fit. However, the ICO pointed out that DPOs can be valuable and bring “significant skills and experience and professionalism”, so removing the requirement for them may have economic consequences.
- “Breach reporting”: The ICO “support[s] proposals … to clarify the threshold for reporting data breaches”. The regulator acknowledged that “organisations are sometimes unclear on when and whether they should report a personal data breach, and that this can result in over-reporting of low-risk incidents”. Despite the guidance it already provides, the ICO said that more legislative clarity would be welcome.
- Data protection impact assessment (DPIA) changes: The consultation proposed removing the DPIA requirement so that organisations can take approaches better suited to their specific circumstances when identifying and minimising risk. Whilst the ICO agreed that there is scope for more flexibility regarding DPIAs, it noted that any reform of risk assessment requirements should not reduce the quality of such assessments. The ICO called for further detail on how businesses would assess data protection risk, particularly in cases of “new or novel processing” involving new technology.
Subject Access Requests
The government intends to permit organisations to charge fees for responding to data subject access requests (DSARs). The government is concerned that under the current regulations DSARs are often not made for their true purpose and can instead be used simply as tools for disruption. To combat this, it proposed a fee structure similar to that of the Freedom of Information Act 2000 (FOIA), which imposes a cost limit on requests and would allow organisations to refuse requests that exceed it. The ICO stated that whilst guidance on refusing vexatious DSARs would be welcome, such guidance should not undermine the right of access.
Privacy and Electronic Communications
The government outlined two proposals regarding consent requirements for cookies. The first would permit organisations to set analytics cookies without user consent (removing the need for a consent pop-up for analytics), or to collect information through cookies for other, as yet undefined, limited purposes. The ICO agreed that the existing approach to cookies “is not effective”, as people tend to accept cookie prompts without reading the details, so a change is needed.
The second proposal would permit organisations to store information on, and collect information from, user devices without consent, for a limited purpose. The ICO stated that it supports the exploration of consent preferences but highlighted that effective enforcement would be necessary. The regulator invited the government to discuss enforcement powers with it in this respect, to ensure the ICO has the jurisdiction to manage this issue.
3. “Boosting Trade and Reducing Barriers to Data Flows”
The European Union granted the UK adequacy status this year (in June 2021) for the purposes of data transfers. This permits personal data to flow between the EU and the UK without the need for additional safeguards.
It is the UK government’s responsibility to assess (with the ICO’s assistance) whether other, non-EU, countries have data protection laws adequate to safeguard the data of people in the UK. The UK’s own adequacy decisions can, in turn, affect its adequacy status in the eyes of the EU, since the EU considers the rules governing onward transfers from the UK. As adequacy status can be revoked, it is important to have robust assessment criteria.
In the consultation, the government proposed a “risk-based approach” to adequacy assessments of other countries. The ICO, mindful of the importance of the UK’s own adequacy status, asked for clarification on how this would work in practice. The government also proposed ongoing monitoring of UK adequacy decisions in place of the current periodic reviews (at least every four years). The ICO was concerned about how this would be carried out, what would be monitored, and how changes to status would be considered; it was also concerned that ongoing monitoring might impair the government’s ability to detect changes that present increased risks for people and to act on them.
Alternative Transfer Mechanisms (ATMs)
There is also a plan for “organisations to create or identify their own alternative transfer mechanisms without approval by the ICO, in addition to those listed in Article 46 of the UK GDPR”. This would give greater flexibility than standard contractual clauses (SCCs) and binding corporate rules (BCRs). However, the main example of such a mechanism in the DCMS consultation is a “bespoke contract without ICO approval”, and the difference between this and tailored SCCs is unclear. Whilst the ICO welcomed the flexibility this would bring, it remained wary of the risk of inconsistent levels of protection, and stated that the risks associated with any new ATMs would have to be “appropriately assessed and mitigated”.
A derogation is an exemption from the rule that personal data may not be transferred out of the UK unless the transfer is covered by a UK adequacy decision or appropriate safeguards. The current accepted interpretation is that derogations should be used only in exceptional circumstances. The UK government intends to make “explicit that repetitive use of derogation[s] is permitted”. The ICO was cautious in its response, encouraging the government to consider whether further safeguards could be introduced where derogations are relied on.
4. Delivering Better Public Services
Use of Personal Data in a Health Emergency
Following the COVID-19 pandemic, the government has proposed allowing public and private organisations to process health data lawfully, for reasons of substantial public interest, during public health or other emergencies, without that processing being overseen by a health professional or undertaken under a duty of confidentiality. In response, the ICO recognised that whilst health professional oversight might not always be possible, a duty of confidentiality should remain as a minimum requirement so that public trust is not undermined.
5. “ICO Reform”
Governance Model and Leadership
The ICO stated that it was concerned by the suggestion that future ICO chief executive appointments would be made by the secretary of state, which could affect the ICO’s independence. Concerned about the public’s perception of its independence, the ICO recommended that the appointment be made by the ICO chair and board, in consultation with the secretary of state, following a model adopted by other economic regulators.
What Does This Mean for Businesses?
Whilst this consultation reveals the UK government’s intention to “take back control” of its data protection laws, the ICO’s response highlighted the ways in which the proposals might not work and the consequences they could have. A particular area of concern will be anything that threatens the UK’s adequacy status, which the European Commission granted in June 2021.
As these reforms are all at the proposal stage, no change is in force yet, but modifications to the current data protection framework are likely to start appearing in the near future, and organisations will need to adapt accordingly.