Now that the UK has left the EU, the government wants to create a new data regime, which will build on UK GDPR. As the first step towards reforming the regime, the ‘Data: a new direction’ public consultation was launched by the Department for Digital, Culture, Media and Sport on 10 September 2021 and closed on 19 November 2021.
The consultation was split into 5 chapters.
B P Collins’ corporate and commercial team will be summarising some of the key proposals from each of these chapters as well as the relevant comments from the Information Commissioner’s Office’s (ICO) and The Law Society’s responses over the next few weeks.
This week we begin with a summary of Chapter 1 of the consultation – Reducing barriers to responsible information. But before we do, here’s a reminder of the current data protection regime in the UK, which primarily consists of the retained EU version of the General Data Protection Regulation (EU) 2016/679 (UK GDPR) along with the Data Protection Act 2018.
There are 7 key principles of data protection:
- Data must be processed in a lawful, fair and transparent way.
- Purpose limitation: You must be clear from the outset why you are processing data and what you intend to do with it.
- Data minimisation: You should identify the minimum amount of personal data you need to fulfil your purpose. You should hold that information, but no more.
- Accuracy: You should take all reasonable steps to ensure that the personal data you hold is not incorrect or misleading as to any matter of fact.
- Storage limitation: You must not keep personal data for longer than you need it.
- Integrity and confidentiality (security principle): You must ensure that you have appropriate security measures in place to protect the personal data you hold.
- Accountability principle: You must take responsibility for what you do with the personal data and how you comply with the other principles. You must have measures and records in place to demonstrate compliance.
Chapter 1 of the consultation – Reducing barriers to responsible information.
Legitimate interests
‘Legitimate interests’ is one of the lawful bases that controllers can rely on to process personal data.
Currently, a controller has to carry out a three-stage ‘balancing test’ to rely on legitimate interests:
- Identify a legitimate interest;
- Show that the processing is necessary to achieve it; and
- Balance it against the individual’s interest and ensure that the individual’s interest does not outweigh that legitimate interest.
The consultation proposes that there should be an exhaustive list of activities where legitimate interests would outweigh the data protection rights of individuals. For these activities, no balancing test would need to be carried out.
For any activities not on the list, or when the data being processed is sensitive or relates to children, the balancing test would remain in place.
Both The Law Society and ICO are concerned by the introduction of such a list as the balancing test provides protections for individuals. They argue that an exhaustive list may not provide adequate safeguards. The Law Society suggests that a limited list could be introduced instead, which would be updated over time to allow for flexibility.
Data processing for research purposes
Another proposal is to create a simpler framework for data processing carried out in relation to research. This would be achieved by bringing the relevant research-specific provisions on data protection together. It has also been proposed to make it easier to use, share and re-purpose data for research as well as potentially introducing research as a separate ground for processing.
The ICO has welcomed these proposals but The Law Society has pointed out that the proposed definition for research may not be sufficient and should allow more room for interpretation and innovation.
Re-use of data
The government proposes to clarify the rules surrounding the general re-use and further processing of data including circumstances where personal data may be re-used by a different controller than the original controller who collected the data. The ICO has stated that this proposal may bring benefits but could also lead to the re-use of data in unanticipated ways.
AI and machine learning
There are many proposals regarding AI and machine learning, especially on clarifying the principle of fairness in the context of AI and people’s rights in relation to automated decision-making.
The Law Society has stressed that this is a fast-developing area and there needs to be more thought on transparency, oversight of algorithms and regulations when AI is used in the justice system. Furthermore, The Law Society wants to ensure that individuals still have protections with regard to decisions based solely on automated decision-making.
The ICO has recommended that it should be involved with the development of fairness in AI as it is well placed to cooperate with other regulators in this field. The ICO has also stated that the right to human review of automated decision-making should not be removed.
Anonymisation of data
Another proposal is to set out clearer standards for anonymisation. To determine whether data is anonymous, Recital 26 UK GDPR refers to ‘all the means reasonably likely to be used’ to re-identify the person, taking into account the costs and time required for identification, the technology available at the time of processing and technological developments.
However, it has been argued that this does not provide a clear test for whether data is considered anonymous and both The Law Society and ICO agree that there should be a clearer test.
The ICO is currently developing its own guidance on data anonymisation and welcomes proposals that would align the data protection regime with its work. The Law Society stresses the importance of distinguishing between anonymisation of data (where UK GDPR will not apply as the data subject is no longer identifiable) and pseudonymisation (where UK GDPR will apply to data which cannot be attributed to a specific data subject unless there is additional information).
Next week we will be summarising Chapter 2 – Reducing burdens on businesses and delivering better outcomes for people.
For more advice or information on data protection, contact Alex Zachary and Holly McNeil from our Corporate and Commercial team on enquiries@bpcollins.co.uk or call 01753 889995.