Following the Government’s worrying consultation on data use, the Data Protection and Digital Information Bill has now been launched in Parliament by Nadine Dorries and is even more disturbing than expected.
In essence, the Government wants to take a ‘less prescriptive and more proportionate’ approach to protecting our data to ‘save UK businesses up to £1 billion over 10 years’. While changes to the UK GDPR won’t impose substantial new demands on business, the Bill will significantly reduce existing protections for our personal data, while enabling increased access by private companies. It will also allow new and significant regulatory powers for the Secretary of State.
The Bill is complex and will take a while to fully interpret. However, what is clear is that:
The formerly independent Information Commissioner’s Office will come under political control with:
- the DCMS Secretary of State (SoS) able to appoint the ICO Board, amend the Commissioner’s salary, and veto any of the ICO’s guidance, thus exposing the ICO to ‘political direction, corporate capture and corruption’;
- Ministers able to set the ICO’s priorities, with a new duty to regard “economic growth, innovation and competition issues”, which suggests the watchdog’s first priority will be the interests of commerce rather than the rights of citizens.
There will be sweeping new regulatory powers for the Government to rewrite the law with greatly reduced Parliamentary scrutiny, enabling them to:
- Compel organisations to share all the personal data they hold with government and enforcement authorities.
There will be reduced protection for our personal data:
- giving data controllers discretion to decide when personal data can be classified as ‘anonymous’ and so fall beyond data protection law;
- amending the definition of ‘scientific research’, so extending commercial access to personal data;
- allowing the processing of data for scientific research without the need to obtain specific consent from individuals. Instead, there will be a broad consent process allowing data to be re-used for projects that were ‘unknown’ at the time of consent.
The Bill will reduce controls on data collection and processing by:
- abolishing the statutory requirement for organisations that process data to have an independent Data Protection Officer. Instead, a senior employee, potentially without the relevant expert knowledge, will be designated to oversee an organisation’s compliance with data protection rules;
- introducing a new, flexible accountability regime that allows businesses to decide on the extent to which they will be compliant, based on the scale and perceived risks of their operations;
- allowing personal data to be transferred to other countries where standards of protection may be lower and where data may be available for purchase by transnational companies;
- removing the requirement for organisations to obtain ‘opt-in’ consent from people before placing non-essential cookies on their devices.
Finally, the Bill will reduce our rights by:
- Providing an initial list of ‘legitimate interests’ for those processing data, outlining the circumstances in which they can dispense with carrying out a balancing test. The test requires an organisation to weigh up whether the rights of a data subject are being overridden by the organisation’s interests in processing their data;
- Only requiring human oversight of the decisions taken by AI systems for ‘significant’ decisions which are yet to be determined;
- Expanding the grounds on which organisations can refuse to respond to individuals’ requests (Subject Access Requests) to know what information the organisation holds on them. These grounds include whether or not the request may be ‘vexatious’ or ‘excessive’ (e.g. made in bad faith, meant to cause harm, or an abuse of process).
The Bill is expected to have its second reading in September, but how quickly it passes through Parliament may depend on who wins the Conservative leadership battle. In any event, we should be thinking about how to campaign effectively against this legislation as a matter of urgency.
KOPN Health Data Working Group
(A fuller interpretation of the Bill will be posted shortly on the Data Working Group page.)