Other Author Kahroba Kojouri
The Information Commissioner’s Office (ICO) have issued their response to the UK Government’s Consultation proposing reforms to the UK’s Data Protection regime. While the ICO maintains that it supports the UK Government's review of the country’s data protection rules and the purpose behind that review, it raises many concerns about the proposals put forward by the Government.
The issues raised by the ICO have been categorised into the five broad categories identified in the Consultation:
1. Boosting trade and reducing barriers to data flows
- The ICO is supportive of the Government’s goal to remove unnecessary barriers to cross-border data flows by offering a more flexible and innovative approach to international data transfers, especially its proposal to approach adequacy assessments with a focus on risk-based decision-making and outcomes. However, the ICO believes that it is imperative that the approach taken to cross-border data flows continues to ensure that the UK maintains its existing high data protection standards. The ICO highlights that UK businesses have continually stressed the importance of securing the UK’s adequacy status with the European Union (EU) and the ICO believes that any change to the rules governing cross border data flows should consider the impact they may have on such adequacy decisions.
- The ICO disagrees with the Government’s proposal to replace the review of the UK's adequacy decisions about third countries every 4 years with ongoing monitoring of those countries on the basis that it may reduce the Government’s ability to detect and act on any increased risks to the rights of individuals.
2. Reduction of administrative burdens on businesses
- With respect to the Government’s proposal to remove the requirement to designate a Data Protection Officer (DPO), whilst the ICO recognises that it is reasonable for organisations to assign responsibility for data protection compliance in the manner that they regard as most appropriate, the ICO wants to highlight the significant skills, experience and professionalism that DPOs can bring to an organisation. The ICO also highlights that the Government must consider the overall impact of removing such a requirement on the economy more generally, considering the role has become a well-developed and skilled profession within the UK.
- Whilst the ICO thinks that there is room for flexibility with respect to the form Data Protection Impact Assessments (DPIAs) take, it opposes the Government’s proposal to entirely remove the requirement for businesses to conduct DPIAs. The ICO contends that DPIAs are a powerful tool which ensure that data protection is designed and considered by businesses from the start of a project. They also enable the ICO to intervene, where necessary, to ensure personal data is adequately protected.
- The ICO does not think that the current requirement for businesses to consult with the ICO prior to high-risk processing is a significant burden on businesses since the ICO receives very few requests each year. The ICO anticipates that removing this requirement would undermine the positive impact it has had, namely enabling the ICO to provide proactive support to organisations undertaking high-risk processing and helping businesses recognise the importance of assessing the risks to the personal data of individuals when undertaking processing activities.
- The ICO does not accept that allowing organisations to charge fees to respond to subject access and other requests to exercise rights under the legislation is the right approach to ease the burdens on organisations handling these requests. Considering that the use of certain types of personal data (e.g. health data) has a discerning impact on the lives of individuals, this change may seriously impede more vulnerable individuals with limited financial means from accessing their fundamental rights.
3. Reduction of barriers to responsible innovation
- One of the proposals in the Government’s Consultation is to create an exhaustive list of processing activities for which organisations can rely upon the legitimate interests lawful ground without the need to conduct a balancing test to determine if the rights and freedoms of data subjects override the interests of a business in processing data. The ICO is of the view that the proposal is not eradicating the requirement to perform the balancing test, instead, the Government will be responsible for conducting the test on behalf of businesses. As such, if the Government is going to make this change, the ICO's position is that the Government would need to set very clear parameters and outline the nature, context and detail of the processing, as these will be relevant to the assessment. The ICO is concerned that the processing activities provided in the Consultation that can benefit from this exemption are too broad and do not provide the required certainty.
- The ICO disagrees with the Government’s proposal to expunge the requirement for human oversight in respect of automated decision-making. It believes that the right not to be subject to a decision based solely on automated processing is important to ensure that any automated decisions are made fairly and, more importantly, maintain public trust. Instead, the ICO recommends providing human reviewers with information and skills that will enable them to effectively scrutinise decisions made by artificial intelligence or other automated systems.
4. Delivery of better public services
- The ICO is against the Government’s proposal to allow public and private organisations to lawfully process health data for reasons of substantial public interest during public health or other emergencies, without such processing being overseen by healthcare professionals or being undertaken under a duty of confidentiality. Whilst it agrees that it may be excessive to expect healthcare professionals to oversee the processing of health data at all times, it believes that the individuals processing such sensitive data must at the very minimum be obliged to do so under a duty of confidentiality.
5. Reform of the Information Commissioner's Office
- The ICO strongly disagrees with the Government’s proposal for the Secretary of State to appoint the CEO of the ICO in a revised regulatory structure and to approve the ICO's guidance before it becomes effective. The ICO believes that this will adversely affect the independence of the ICO, which is imperative for it to hold the Government to account. The ICO believes that a strong and effective regulator is essential to maintaining high data protection standards in the UK and maintaining the public's trust and confidence in those standards. These standards also contribute to an increase in international trade. Therefore, any reforms proposed should also always be assessed against their impact on how data will flow between different jurisdictions.
As is evident from the ICO’s response, and highlighted in our previous legal alert, one of the most critical risks associated with any changes to the UK’s data protection legislation relates to the UK’s adequacy status with the EU. The Consultation may prove that the high data protection standards maintained by the UK are more valuable to businesses and more beneficial to the UK’s economy than any loosening of restrictions on the use of data. The UK Government may be persuaded to take a more cautious approach to its reforms to the UK's data protection regime in light of the importance placed on the UK’s international status as a country that values the protection of personal data.