DCMS Data Consultation: the ICO’s Response

Following our article outlining the key points from the Department for Digital, Culture, Media & Sport’s (DCMS) consultation on future data protection reform, ‘Data: a new direction’, we now explore the response from the Information Commissioner’s Office (ICO).

Whilst broadly welcoming of the proposals from the DCMS as a driver for business innovation, the ICO is cautious that any reforms made do not sacrifice the rights of the individual or compromise the independence of the regulator.

Given the length of its response (some 89 pages long), it would be impractical to cover the full details, but it is worth highlighting a few interesting points:

Research purposes and further processing

The ICO acknowledges that the existing law on processing personal data for scientific research purposes can be confusing, and is therefore generally supportive of the proposals to provide greater clarity in this area. However, it has encouraged the government to consider and consult on how any legislative changes would interact with international research collaboration, as it is mindful that previous changes in this space have caused misunderstanding and reluctance by institutions to share data for secondary research.

The ICO sets out its own views on each of the consultation’s specific proposals, which would merit an article in itself, and is worth a read for those involved in the research sector.

In relation to facilitating the re-use of data, the ICO agrees that reforms are needed, again to provide greater clarity, but it has requested further details as to how the government plans to make sure the information is protected and transparency is ensured. 

Reform of the legitimate interests legal basis

The consultation proposes introducing a list of pre-determined data processing activities, for which organisations will not need to apply the legitimate interests balancing test. For the listed processing activities, the legitimate interests balance would automatically be treated as having been struck in favour of the relevant processing.

The ICO endorses such a process as creating more certainty and predictability, but it rightly highlights the need for the government to ensure that the list clearly sets out the nature, context and detail of each processing activity. The revised legal framework would need to set clear parameters, as otherwise there is a real risk of organisations shoehorning processing activities into broad pre-determined categories, in order to argue that legitimate interests automatically outweigh individuals’ rights and freedoms.

The ICO has also requested further detail about how the proposal would interact with people’s rights, for example the right to object, which is available where the data controller is relying on legitimate interests. This is to ensure that the reforms do not have a detrimental or disproportionate effect on individual rights, which also need to be prioritised alongside achieving greater certainty for data controllers.

Subject access requests (SARs)

Although highly supportive of the consultation’s recognition of the importance of SARs, the ICO shows a reluctance to endorse the proposals to introduce a regime where a nominal fee can be charged for responding to a SAR and SARs can be refused on cost grounds. The DCMS proposed a costs ceiling that would apply in a similar way to the Freedom of Information (FOI) request regime; however, the ICO has emphasised that the two regimes have significant differences. The information sought under a subject access request is likely to have a greater impact on data subjects’ lives, with the ICO giving the examples of care records and information about health and benefits or insurance decisions.

The ICO is concerned that allowing data controllers to refuse to comply on costs grounds would have a disproportionate effect on the vulnerable and is clear that any change must come with safeguards to ensure that everyone can exercise their rights, including for example a meaningful right of appeal. The ICO has asked the government to research this further and give more detailed consideration as to how any safeguards would work in practice to prevent potential equality issues.

Data Protection Enforcement

Unsurprisingly, the ICO welcomes the proposal to increase fines that can be imposed under PECR, so that these are equal to those under the UK GDPR. It also welcomes the proposal to allow the ICO to issue assessment notices so that it can carry out on-site audits of companies suspected of infringements of PECR. However, it has invited the government to go further and align the whole of the PECR enforcement toolkit with that of the DPA 2018.

Reforms to the ICO

Dealt with last in the consultation, the proposals to reform the ICO are understandably the ICO’s biggest area of interest and cause for concern.  

The ICO has two primary concerns about the proposals:

  • Although the ICO welcomes the move to a Board and Chief Executive model (with the Chair of the Board being given the title of Information Commissioner), it is concerned that the final decision on appointment of the Chief Executive would sit with Ministers. Instead, the ICO is of the view that the Board should be responsible for appointing the Chief Executive, with the Board then holding the Chief Executive to account.
  • Similarly the ICO is concerned that the Secretary of State would have the power to approve (or to choose not to approve) ICO Guidance and Codes of Practice.

The ICO prides itself on its independence and is rightly concerned that both changes would be at odds with safeguarding this independence and undermine public trust in its role. To put the ICO under the influence of the government would be at odds with the need for the public to have a genuinely effective and independent data protection regulator and the ICO’s concerns about this change have been echoed in the legal and technology sectors.

Although we have only touched on a few issues from the ICO’s response, we can broadly surmise that it is supportive of the consultation’s intention to simplify rules around data protection and reduce the compliance burden for businesses. Such changes will promote innovation and allow the UK to thrive on both the national and international stage, but should not be done without first giving careful consideration to protecting the rights of the individual. However, this support is somewhat overshadowed by the ICO’s concerns about the proposals to reform the ICO itself and it will be interesting to see how, and if, the government responds to this point.

If you would like any further advice or information on what the consultation’s proposals might mean for you and your business, please contact the Ashfords Data Protection team.
