Recently, the volume and velocity of big political announcements, has made following the direction of government policy from one day to the next a challenging task. This has prompted many to admit to longing for a more predictable, and boring form of politics. The uninitiated may hope that the government’s plans for data protection reforms could offer some respite. However, despite the proclamations of “a new direction” for data protection over a year ago, and the recent introduction of a new Bill, the legislative process has stalled. The future direction and extent of the reforms are now uncertain, and susceptible to political turbulence.
Richard Parker, legal director at Hill Dickinson LLP, who advises clients in the life sciences, health and care sectors on all aspects of information governance, has been following the reforms and explores how we got here, the uncertainty about which direction we will be heading in next, and the detail of the Bill.
What was said
In September 2021, the government launched a consultation on data protection reforms in the UK, Data: a new direction. Then culture secretary, Oliver Dowden MP, said: “Now that we have left the EU, we have the freedom to create a bold new data regime: one that unleashes data’s power across the economy and society for the benefit of British citizens and British businesses whilst maintaining high standards of data protection.”
Following a consultation process, the government introduced the Data Protection and Digital Information Bill. The new culture secretary, Nadine Dorries MP, said: “Out of the EU, our new Data Reform Bill will ensure everyone can take back control of their personal data,” and promised an end to “pointless paperwork”.
The Bill had its first reading in parliament in July 2022 and was due its second reading in September 2022. However, following a cabinet reshuffle by Liz Truss, this was postponed, “to allow ministers to consider the legislation further’.
At the Conservative Party Conference in October 2022, another new culture secretary, Michele Donelan MP, stated: “We inherited GDPR from the EU, and its bureaucratic nature is still limiting the potential of our businesses … we will be replacing GDPR with our own business and consumer-friendly, British data protection system … it will be simpler and clearer for businesses to navigate … No longer will our businesses be shackled by lots of unnecessary red tape … a truly bespoke, British system of data protection”.
As always, the devil is in the detail, and the detail. Ministers can be forgiven for needing extra time to consider the Bill. In keeping with tradition for data protection legislation, the Bill’s 192 pages, 113 clauses and 13 schedules are not an easy read, even for veterans of previous reforms. However, once digested, the reality is not easily reconciled with the rhetoric.
Whether the Bill accomplishes the aim to do away with “pointless paperwork” and “unnecessary red tape” will be hotly debated. The “bureaucracy” is not eliminated entirely, but mostly replaced with similar, but modified, requirements. The net margin of deregulation for organisations will therefore require careful comparison of the old and new schemes and will vary from one organisation or context to another. The costs of migrating to a new regime, as well as the burden of complying with diverging regimes in the UK and EU (for organisations established or targeting individuals in both territories), will also need to be factored in.
Furthermore, the Bill modifies – rather than “replacing” – the existing UK General Data Protection Regulation (GDPR) retained from EU law after Brexit and the accompanying Data Protection Act 2018 (DPA). It is not “a truly bespoke, British system of data protection”; at best it is an off-the-rack European system of data protection inherited from our neighbours, albeit with substantial alterations. Nor is it “simpler and clearer … to navigate”; particularly given there is no consolidation of the EU-derived GDPR and DPA into a single Act.
Therefore, whatever it was that the culture secretary was announcing at conference, taken at face value, it was not this Bill. What was announced would require such a substantial rewrite of the Bill that it would be easier to start afresh, suggesting something more ambitious, dramatic, and divergent is in the works. But even that statement is in doubt only weeks after it was made, as the latest changes at the top of the government appear to usher in a more frugal, circumspect, and technocratic government to reassure the markets. This may point things in yet another new direction, prioritising stability of the regulatory framework rather than diverging from EU law at this challenging time, with the risks to the free flow of personal data across the English Channel that entails.
Time will tell, but it is already looking ambitious for the Bill, in any form, to complete its passage into law before the next general election. Nonetheless, many of the reforms as they stand have found support during the consultation so are likely to proceed in some form at some point, so remain worthy of analysis.
The detail – data protection reforms
Definition of personal data
Data protection legislation only applies to personal data. However, despite a long line of legislation and case law, in practice there remains significant debate and uncertainty about the boundaries between personal data on the one hand and truly anonymous data on the other, and in what circumstances the former can become the latter. Such concerns present significant risks and disincentivise exploiting data’s full potential, and most respondents to the consultation agreed that greater clarity in legislation would be beneficial.
The Bill introduces amendments to the definition of personal data with the aim of providing greater clarity. Achieving this aim is not helped by the amendments being scattered throughout the GDPR and DPA, rather than consolidated into a single new definition. Nonetheless, the net result is a tighter definition of personal data.
The updated definition is now, explicitly, more context and time-specific. If you cannot identify the individuals using reasonable means at the time of your processing – and it is unlikely anyone who could do so will get the data as a result of your processing – the data is not personal data. This will make it easier to be satisfied that data in your hands is anonymous, even if there is a hypothetical possibility that someone, somewhere, someday, might be able to identify the individuals concerned.
Whether you consider this to be a clarification or a more substantial change – and whether that is a good or a bad thing – will depend on your existing perspective. From a legal standpoint, there is considerable authority within existing UK and EU legislation and case law that supports the gist of the new definition; however, it is a narrower definition than many privacy campaigners argue for. Either way, the new definition, if it becomes law, will provide greater certainty about the scope of the legislation in the UK.
One of the major changes under the GDPR was the introduction of new accountability and governance requirements.
The Bill would abolish most of these requirements. However, on closer analysis, they are almost all resurrected in new guises and contain similar requirements. For example:
- The requirement to have a data protection officer (DPO) is replaced with a requirement to have a senior responsible individual with similar responsibilities (although, notably, they should form part of the organisation’s senior management, rather than being independent of it)
- The requirement to maintain records of processing activities (ROPAs) is replaced with a duty to keep records
- The requirement to undertake data protection impact assessments (DPIAs) is replaced with a requirement to assess high risk processing
The new proposals tend to have a less prescriptive process for identifying when the obligations kick in, but the overall trigger of remains where there is likely to be a ‘high risk’ to individuals. The substance of the requirements is also different, tending to provide a little more flexibility. However, the overall practical effect of these changes is difficult to discern and will depend upon the organisation and what they do with personal data. Most small and medium-sized enterprises (SMEs) undertaking low risk processing will not have to comply with the original requirements in the first place. Those who already undertake high risk processing or have 250 or more employees will likely have to comply with the new obligations as they did the old ones. Many will prefer to keep their existing arrangements in place than take advantage of new flexibilities.
Therefore, it is difficult to identify who, exactly, will benefit. One example given in the government’s press release is: ‘a small business such as an independent pharmacist won’t have to recruit an independent DPO to fulfil the requirements of UK GDPR, provided they can manage risks effectively themselves, and they will not have to fill out unnecessary forms where the risk is low’. This is an interesting example because it illuminates the nuanced nature of the reforms. It is true under the Bill an independent DPO will not be required, nor will the new accountability requirements automatically apply. However, it seems likely that even a small high street pharmacy will conclude that it is (or at least at risk of being seen as) processing health data on a sufficiently large scale to be undertaking high-risk processing, triggering the requirements for a senior responsible individual, risk assessments and record keeping under the new regime. Further, the high information governance and risk management standards required of pharmacies, under NHS terms of service, professional regulatory standards, and not least expectations of the public, will continue to apply and influence the appetite to take advantage of deregulation.
New lawful bases and compatible processing
All processing of personal data must have a lawful basis listed within Article 6 of the GDPR. The existing lawful basis of ‘legitimate interests’ requires the data controller to balance the legitimate interests being pursued with the individuals’ interests, rights, and freedoms. The Bill introduces a completely new lawful basis of ‘recognised legitimate interests’ which are listed in a new annex to the GDPR and require no such balancing test. In other words, the Bill deems the recognised interests, where they apply, to always trump the interests of the individual.
Alongside this, the Bill also introduces a new list of conditions under which further processing of personal data is automatically deemed to comply with the purpose limitation principle (ie that personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes). Therefore, where any of these conditions apply, what individuals were told their data would be used for will have no bearing on how it is actually used.
On closer inspection, the lists as they currently stand have all have a public interest nature (eg tasks of public authorities, national security, emergencies, crime, safeguarding, etc.) so are relatively uncontroversial. By the same token, they will have a minimal impact on the freedom of private businesses to exploit personal data for their own purposes.
However, the kicker is that the lists are not set in stone but can be amended by the government via regulations rather than through an Act of Parliament. Such powers are known as ‘Henry VIII clauses’, a reference to King Henry VIII’s supposed preference for legislating directly by proclamation rather than through parliament. The government will be required to have regard to the interests and fundamental rights and freedoms of individuals before making changes to these lists, but any ability of the government to deem certain processing as automatically lawful and compatible with the purposes for which it was collected, without full parliamentary scrutiny or a case-by-case balancing exercise by data controllers, is likely to generate plenty of debate.
Artificial intelligence (AI) and automated decision-making
One area where the government has previously indicated it may use such powers is to simplify data use by researchers and developers of AI and other cutting-edge technologies. For example, a specific ‘recognised legitimate interest’ and condition for compatible processing could be introduced for testing and training of AI and bias monitoring and correction, an area that can be difficult to navigate. However, for now, this is not being introduced. The government has a forthcoming paper on AI governance which is expected to take a more holistic view on the regulation of AI rather than focusing purely on the protection of personal data.
The Bill also modifies the restrictions on solely automated decision-making that produces legal or similarly significant effects for individuals. In summary, the right for individuals to have human involvement in such decisions is maintained, however the government will now also be able to define via regulations which types of decisions fall within the scope of the restriction. The explanatory notes explain this will enable the government ‘to keep pace with the fast-moving advances and adoption of technologies relevant to automated decision-making, and with societal expectations of what constitutes a significant effect in a data protection context’. This is another Henry VIII power likely to generate plenty of debate.
The existing legislation already contains substantial allowances and exemptions to facilitative scientific research and statistical processing, however the government’s proposals to introduce further changes to support research found significant support amongst respondents.
The Bill introduces new clauses aimed at reducing uncertainty and removing unnecessary barriers to research in a number of ways. This includes clarifying the meaning of scientific research and statistical processing, allowing consent for a broad area of research where precise purposes may be unclear at the outset (eg for cancer research in general rather than a specific study), and deeming use for data for research/statistical purposes as compatible with original purposes, subject to safeguards to avoid harm to individuals. A new exemption on the requirement to provide updated privacy notices to individuals, where disproportionate effort is involved, is also being introduced.
Overall, these changes, along with the new definition of personal data, will no doubt be welcome to researchers and give greater certainty in their use of personal data in research. However, they will require careful application in practice and it is worth bearing in mind that these changes only apply to data protection and other governance and ethical requirements are unaffected (eg consent for participation in clinical trials).
Data subject rights
The government’s original proposal to introduce a nominal fee for subject access requests has not been taken forward. However, the threshold for refusing or charging for data subject rights requests will change from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’, arguably a slightly lower threshold. There will also be on obligation on data subjects to attempt to resolve complaints directly with data controllers/processors prior to involving the regulator.
Information Commissioner’s Office (ICO)
The Bill makes changes aimed at modernising the ICO, giving parliament and the public a better ability to hold it to account, and providing a clearer framework of objectives and duties. These continue to underline the importance of the regulator upholding data rights and encouraging the responsible use of personal data, but now have greater emphasis on considering growth, innovation, and competition.
The information commissioner, John Edwards, said he was “pleased to see the government has taken on our concerns about independence“ raised during the consultation. However, there is at least a hint that he considers the Bill as it stands requires further work, stating: “We look forward to continuing to work constructively with the government as the proposals are progressed and will continue to monitor how these reforms are expressed in the Bill.”
The Bill introduces a new ‘data protection test’ for international transfers and transfer risk assessments. In essence, for either the government to assess a country as having adequate data protection laws such that data can flow freely to it from the UK, or for an individual data controller/processor to assess the risks of sharing data with a non-adequate country, the test will be whether the regime is ‘not materially lower than the standard of protection’ in the UK. The explanatory notes make clear that this will be a holistic approach – not a point-by-point comparison – in contrast to the EU’s approach which, in summary, requires the regime to be ‘essentially equivalent’.
Implications for adequacy
At present, the European Commission has recognised the UK data protection regime as adequate (and vice versa), to allow the free flow of personal data between the UK and the EU. Altogether, the Bill would see the UK data protection regime diverge from the EU data protection regime in a number of meaningful ways. Some of these changes are relatively trivial but some are much more fundamental: for example, ‘recognised legitimate interests’, adjusted accountability requirements and a less stringent test for international transfers of data. The introduction of new Henry VIII powers also means that the UK regime may be less static in future.
Should the divergence tip the delicate balance between Brexit freedoms and the adequacy of the UK’s data protection regime too far in the eyes of the commission, the free flow of data between the UK and EU could be at stake. The government has stated that it is “perfectly possible and reasonable to expect the UK to maintain EU adequacy” despite these changes. It is too early to speculate at this stage and any process to review and revise the UK’s adequacy status will not happen overnight. However, what is certain that the Commission will be watching developments in the UK very carefully, as should any organisations who rely on adequacy for free flow of data across the continent.
The detail – other reforms
Information standards for health and care
The need to radically improve the use of data, and connectivity and interoperability of IT systems, in the health and care sector, is well recognised by numerous government and NHS strategies, but remains a serious challenge. The Bill introduces the ability for the health secretary to establish IT information standards in health and care. Existing powers allow the creation of such standards for health and care organisations, but not the IT suppliers they rely on. In the explanatory notes, the government explains: ‘Even if existing legislative mechanisms were used to oblige health and adult social care providers to purchase information technology products and services with appropriate technical features (either directly or via professional regulation), this would be insufficient to bring the wholesale change to the supplier market that is needed. This is because the legislation does not concern the providers of the IT on which the processing relies and who can ensure that all information technology supplied meets relevant technical requirements’.
The proposals will allow information standards covering almost every aspect of IT in health and care, including:
- Design, quality, capabilities, characteristics
- Contracts or arrangements for marketing, supply, and provision
- Technical provision about functionality, connectivity, interoperability, portability, storage/access, security of information
- Reference to open or proprietary standards
They can apply to almost anyone involved in the provision of IT to the health and care sector, whether for payment or free of charge. This includes anyone involved in marketing, supplying, providing, or otherwise making available IT, an IT service, or a service which consists of processing information using IT (all broadly defined). But the standard will only apply so far as the technology is used, or intended to be used, as part of the health and care sector (including, but not limited to, the NHS).
Enforcement will involve both a carrot and a stick. Firstly, there will be the power to establish an accreditation scheme, allowing IT providers to demonstrate compliance with the standards. Secondly, there will be a name and shame scheme, through which the health secretary may serve notices requesting compliance and if not satisfied may publish a statement censuring the IT provider. In practice, the power is likely to be delegated to another body, such as NHS England (which by the time the Bill comes into force will likely have merged with NHS Digital which currently oversees such standards).
The Bill updates the Privacy and Electronic Communications (EC Directive) Regulations 2003 with the aim of cutting down on irritating consent pop-ups and banners on websites. Currently, users must give their consent for any non-essential cookies to be installed on their devices. The Bill will introduce new exceptions to the consent requirement for certain purposes that are considered to present a low risk to people’s privacy. It is also intended that, under the new rules, users will be better enabled to set an overall approach to how their data is collected and used online – for example via their internet browser settings – but the government recognises it needs to ensure the necessary technology is in place first. What does and does not require consent or could be managed by an opt-out (rather than opt-in) model, can be modified via regulations.
Many will see this as a welcome direction of reform, that the UK can lead the way on, but it is unrealistic to think a change in the UK law will see real changes any time soon. This will require EU cookie requirements to move in the same direction, and browser and website developers to put in place the new functionality. It is also likely that the use of ‘intrusive’ cookies – for example for user tracking and micro-targeted advertising – will remain very popular and continue to necessitate consent pop-ups and banners.
Digital verification services
The Bill establishes a framework for the provision of digital verification services (DVS) in the UK. This includes making provision for a trust framework of rules concerning the provision of DVS, a register of organisations providing DVS, a trust mark for use by registered organisations and an information gateway to enable public authorities to disclose personal information to registered organisations for identity verification purposes.
Smart data schemes
Smart data schemes allow for the secure sharing of customer data, upon the customer’s request, with authorised third-party providers and intermediaries. They then use the customer’s data to provide services for the customer, such as efficient switching and personalised market comparisons, account management, for example via account aggregation, and cross-sector user-centric control of data.
Open banking is a live example of a smart data scheme. The Bill makes provision for the government to establish new smart data schemes and roll them out to suppliers of other goods, services, and digital content.
Regulation of customer and business data
The Bill gives the government powers to establish new rules about customer and business data. The definitions of customer and business data are not limited to personal data, but cover a broad variety of information about goods, services and digital content provided by traders, customer feedback, and transactions. The powers could be used to require businesses to manage data in certain ways, make it available to customers and third parties, and give customers new rights in respect of such data.
Births and deaths
The Bill reforms the way in which births and deaths are registered in England and Wales, enabling the move from a paper-based system to registration in an electronic register.
News & Analysis