About the ICO
The Information Commissioner has responsibility for promoting and enforcing the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA), the Freedom of Information Act 2000 (FOIA), the Environmental Information Regulations 2004 (EIR) and the Privacy and Electronic Communications Regulations 2003 (PECR). He is independent from the government and empowers people through information, promoting openness by public bodies and data privacy for people. The Commissioner does this by providing guidance to the public and organisations, solving problems where he can and taking appropriate action where the law is broken.
Introduction
The Data (Use and Access) (DUA) Bill was introduced to Parliament on 24 October 2024. It is another milestone in the evolution of the UK’s data protection regime. I am pleased that the government has prioritised these necessary reforms for the new Parliament.
Responsibility for developing public policy leading to changes in the legislative framework sits with the government and Parliament. The Information Commissioner’s Office (ICO) is independent from government. Our role is to carry out the tasks and duties set out in the current legislative framework for data protection and any future iterations. We also provide independent, expert advice on the implications of any proposals to alter data protection and information rights law, based on our experience of regulating the existing regime.
I welcome the Bill as a positive package of reforms. It allows us to continue to operate as a trusted, fair and independent regulator, whilst improving the way we operate. The Bill maintains high standards of data protection and protects people’s rights and freedoms, whilst also providing greater regulatory certainty for organisations and promoting growth and innovation in the UK economy.
My office has been engaged in the development of the Bill for several years. I have maintained an ongoing dialogue on data protection reforms with the government departments responsible for the Bill. The process began in 2021 with a public consultation [1], followed by the Data Protection and Digital Information (DPDI) Bill, which fell at the end of the last Parliament. From this, the current DUA Bill has been developed. I have constructively and robustly engaged in the policy development process, in line with the requirements of article 36(4) of the UK GDPR, providing my expert advice throughout.
I will continue to provide appropriate and constructive input and feedback during the parliamentary scrutiny and approval process.
Analysis
This response primarily focuses on key measures in the Bill about the data protection framework, analysed in line with the ICO’s enduring objectives. Annex One contains technical feedback on several drafting points.
However, I also welcome the renewed focus on broader measures, distinct from the data protection framework, that will support growth, trust and engagement with the digital economy and improved delivery of public services. A number of reforms in the Bill will boost innovation and open up opportunities for the development of new data-driven business across a wide range of economic activities.
Smart data
The government has significant ambition for smart data schemes. These will make it more efficient for people to use and access their personal information. They will also act as a lever for innovation and economic growth. The government is making progress with programmes of work that allow both industry and the public to use personal information in beneficial ways. As such, I welcome Part One of the Bill, covering customer and business data. These are initiatives that provide people with control and increased access to the information that organisations hold about them. This can lead to significant positive effects, empowering people to use their personal information for their own benefit.
The ICO has frequently provided advice and guidance to the government on similar initiatives, such as Open Banking and the Midata programme [2]. I believe that establishing and maintaining people’s trust is vital to ensuring the success of these projects. This should continue to be at the heart of the powers that this part of the Bill introduces.
The ICO advocates a privacy-by-design approach to personal information processing. Any data controller involved in a ‘smart data’ initiative will need to ensure they identify data protection risks from the outset, building mitigations into their programme rather than bolting them on at a later stage.
Digital verification services
I am supportive of the government’s development of the digital verification trust framework. The digital verification scheme is designed as an alternative to the physical identity route, increasing protections for people’s privacy whilst delivering economic benefits. The ICO has provided, and will continue to provide, regulatory advice to government on data protection matters in the development of the scheme.
My focus is on helping government get the data protection considerations right. I want public trust and confidence in both this and other digital identity systems, with appropriate protections in place for people’s information rights.
Information standards for health and social care in England
The Bill will also introduce information standards for health and social care in England, amending part 9 of the Health and Social Care Act 2012. These changes will drive greater standardisation of information technology, addressing functionality, portability, storage and access requirements and security. This provides the legislative underpinning for the infrastructure changes needed to support those delivering health and social care for the public. The Secretary of State will oversee compliance with the standards and have the ability to publicly censure organisations failing to comply. The Bill also enables the development of a supporting information technology accreditation scheme.
Data protection law can help organisations to share personal information responsibly. People need to trust that their medical information is in safe hands. Organisations must be clear and transparent about how they will use people’s personal information. Health and care records are highly sensitive, so I expect organisations to prioritise data protection and build it into all new initiatives from the start, including any flowing from these information standards. I will continue to engage with government as proposals around this reform develop, including the consultation on NHS reforms, to offer my expertise in taking a data protection by design approach.
Data protection reforms
I am particularly pleased to see that the government is committed to modernising the data protection landscape and continues to listen to the ICO on the areas we consider most important. When I took office in 2022, I was vocal about any potential reforms that would reduce the ICO’s independence, regulatory certainty for organisations or protection for the public. The government has decided not to pursue the proposal that the ICO must follow a statement of strategic priorities. Several of my regulatory counterparts are under similar duties. Whilst I was content to support the previous package of reforms, I welcome the government’s recognition of stakeholder concerns about perceived challenges to our regulatory independence and the decision not to take it forward.
Responsible innovation and growth
Alongside offering strong protections, the data protection framework should be as easy to navigate and use for organisations as possible. Responsible use of personal information that people can trust has significant potential to contribute to the UK’s economic prosperity. There are changes in the Bill that will meet these objectives and I am pleased to see them included.
Automated decision-making (ADM) with proper protections can bring benefits for people and organisations, including increased efficiency. The Bill will revise the provisions so that, apart from cases using special category data, ADM resulting in a legal or similarly significant effect will no longer be expressed as a prohibition with exceptions. Instead, ADM will be possible regardless of the organisation’s lawful basis, as long as suitable safeguards are in place. Most significantly, this will now allow organisations to rely upon legitimate interests for this type of processing. In my view, this strikes a good balance between facilitating the benefits of automation and maintaining additional protection for special category data.
The Bill recognises that organisations are unsure about whether their purpose for processing constitutes a legitimate interest, particularly when it is commercial. The Bill gives more confidence to organisations about when they can rely on the legitimate interests lawful basis. It specifies when the existing legitimate interests lawful basis applies, and in Schedule 4 sets out ‘recognised legitimate interests’ where no balancing test is required. An example is crime prevention and safeguarding, where nervousness about sharing data can cause real harm.
It also provides more certainty for organisations to further process personal information. Schedule 5 sets out further processing purposes that organisations can assume are compatible. Organisations will still need to consider necessity and proportionality. However, in taking this approach, the government has taken on the responsibility for assessing where the balance lies between legitimate interests and people’s rights and freedoms, and whether further processing is compatible at a generic level.
Reforms to the international data transfers policy framework will enable personal information to flow more easily from the UK to other countries that offer the same level of protection. The government is providing greater clarity to stakeholders on how it will make ‘adequacy’ decisions, so that personal information can flow unhindered. The guidance also helps organisations understand their obligations more clearly when putting in place alternative transfer mechanisms, such as contracts.
The Bill includes reforms to the consent requirements for storage of information on, and access to, people’s terminal equipment (the ‘cookies’ rules) in PECR. This means that organisations will need consent for fewer cookies used for low-risk purposes, which should reduce consent fatigue and allow organisations to more easily collect information for statistical purposes and improve their websites. The government has also extended the code-of-conduct-making provisions to PECR. Codes of conduct that address compliance under both the UK GDPR and PECR will be helpful for organisations whose activity takes place under both pieces of legislation.
Effective public service delivery and protecting public safety
Using personal information is vital for public service delivery and the protection of public security. To support these objectives, the government has made some key changes. They include shifting the responsibility for deciding whether organisations can use personal information for public tasks from private firms to the public bodies they work with.
There are also several measures which make it easier for law enforcement agencies to navigate between their responsibilities under both the UK GDPR (general processing) and part 3 of the DPA (law enforcement-specific processing). These measures include:
- inserting a definition of consent for law enforcement processing into part 3 of the DPA where there currently isn’t one;
- aligning time limits for responding to subject access requests (SARs);
- enabling competent authorities to use a legal professional privilege exemption for non-disclosure of information for SARs, consistent with UK GDPR;
- introducing provisions for competent authorities to develop codes of conduct;
- a new national security exemption for specific provisions within part 3 of the DPA to align with the UK GDPR; and
- allowing joint controllership arrangements between law enforcement bodies and the intelligence services when required to protect national security.
The government is also extending data sharing powers under Section 35 of the Digital Economy Act 2017. This allows information sharing to improve delivery of public services to business undertakings.
Safeguarding and empowering people
I welcome the changes that provide more certainty to organisations and empower them to use personal information responsibly. This will generate social and economic benefits, while still ensuring people are protected. This includes changes to support organisations to use personal information for research, the importance of which was demonstrated powerfully during the Covid-19 pandemic.
Provisions in the Bill that will meet these objectives and which I am pleased to see include:
- clarifying the definition of what constitutes scientific research;
- making the research, archive and statistical purposes provisions easier to navigate and understand; and
- simplifying the requirements when organisations rely on these provisions for processing.
I also welcome the fact that the government has taken the power to add new protections for people as and when the need arises, by allowing new categories of special category data to be added in the future. This will ensure that the law is flexible and future-proofed with respect to people’s most sensitive information.
There is also more clarity for organisations about how they should respond to information rights requests. I welcome the changes to the way organisations handle complaints from people about how their personal information is processed in accordance with the law. The Bill will require organisations to put a complaints process in place. This means that they will have to consider complaints from people in the first instance before they are escalated to the ICO. This is more likely to result in direct and swift resolution of people’s complaints and concerns.
Enhancing regulatory effectiveness
It is vitally important to maintain a strong and effective regulator. I am pleased that the government has made changes that will significantly improve the ICO’s ability to function effectively. Among these is the strengthening of our enforcement powers for both the UK GDPR and PECR.
I prefer to work with organisations where I can, supporting them to build in data protection from the start. However, the additional powers will help me to take action, where needed, to ensure people are protected quickly and effectively.
One of the most significant changes is the increase in fines for breaches of PECR, helping us tackle predatory marketing calls which often target those at most risk of harm. The Bill also brings improvements to the personal data breach reporting regime under PECR, aligning more closely with the UK GDPR. This will ensure greater consistency for organisations as well as greater operational efficiency for the ICO.
There is also an updated regulatory toolkit for the UK GDPR, which will include new powers to require organisations to produce reports on specified matters. All of these will also be mirrored in the new enforcement regime for PECR.
I can also increase the efficiency of our enforcement processes by serving our legal notices to data controllers electronically without their prior consent. Although a small change, this will be particularly helpful when working with overseas data controllers.
I will also be required to fulfil new obligations to establish stakeholder panels to inform the content of our codes of practice and to develop and publish impact assessments on our key regulatory products and interventions. This will contribute to my commitment to regulating transparently, empathising with those affected by our actions and building in a range of perspectives to the development and delivery of my regulatory interventions.
Strengthening regulatory independence and accountability
The Bill makes significant changes to the way the ICO operates to ensure that we remain an effective and trusted regulator. The changes also bring our governance structure in line with that of comparable regulators. In my view, our refreshed governance arrangements will maintain our independence and enhance our accountability.
Having an independent regulator, that is also properly accountable to Parliament, is vital for a data protection regime to function properly. It is also key to maintaining the UK’s adequacy status from the EU, which we know is a priority for so many of our stakeholders.
Our governance structure will be modernised to a Board and chief executive model. Given the breadth and complexity of our regulatory remit, this will enhance our resilience and diversity at senior decision-making level. His Majesty will appoint the Chair of the Board via Letters Patent, the same process used for my appointment. As I proposed, the chief executive will be appointed by the Chair and Board, rather than the Secretary of State. This will avoid any perceived conflict of interest.
Conclusion
The data protection changes proposed in the Bill are pragmatic and proportionate amendments to the UK regulatory landscape. They align well with the ICO’s enduring objectives and provide sufficient flexibility for us to respond effectively to the regulatory challenges and opportunities posed by the rapidly-evolving, data-driven environment we oversee.
My engagement with stakeholders on data protection reform has made it clear that our relationship with the EU remains of central importance. The certainty a positive adequacy decision from the EU provides is a top priority. I welcome government’s renewed commitment to the importance of maintaining our adequacy status. Whilst ultimately a decision for others, in my view the proposed changes in the Bill strike a positive balance and should not present a risk to the UK’s adequacy status.
While overall the Bill represents a positive and balanced package of reforms, as with any legislation there are some points that would benefit from additional clarity. These technical points, which I have already shared with government during our ongoing engagement, are summarised in Annex One. These reflect my formal response to the government’s consultation of the ICO under article 36(4) of the UK GDPR.
[2] Midata was a scheme that the government was developing until 2022, and has now been paused. It was looking to enable consumers to gain greater access to their personal data in a machine-readable, portable format.
In the banking sector, Open Banking enables businesses to offer services to their customers using their personal data.
The Commissioner’s most recent consultation responses on Open Banking, Smart Data and Midata scheme development can be found here.