Now that the UK has left the EU, the government wants to create a new data regime, which will build on the retained EU version of the General Data Protection Regulation (EU) 2016/679 (UK GDPR) along with the Data Protection Act 2018. As the first step towards reforming the regime, the ‘Data: a new direction’ public consultation was launched by the Department for Digital, Culture, Media and Sport on 10 September 2021 and closed 19 November 2021.
Last time, B P Collins’ corporate and commercial team looked at Chapter 3 of the consultation – Boosting trade and reducing barriers to data flows. This week it summarises Chapter 4 – Delivering better public services.
Following experiences learned during the Covid pandemic, the government has been reviewing the processing of health data and the relationship between public and private bodies.
Public task
Currently, controllers who are exercising official authority or carrying out a specific task in the public interest can rely on the ‘public task’ lawful basis to process personal data.
The government has proposed to allow private organisations and individuals to be able to use public task as a lawful basis for processing data if they are doing this on behalf of a public body. The government also proposes that private bodies can process health data for reasons of substantial public interest for public health and other emergencies.
The Law Society believes that private parties should only be able to use the public task ground narrowly and only when they process data for reasons of substantial public interest in relation to public health or emergencies.
The ICO is also cautious in allowing private parties to use the public task ground especially with regards to understanding how accountability would apply in practice. In terms of allowing private bodies to process health data for reasons of substantial public interest, the ICO has pointed out that this is currently allowed under UK GDPR if there is appropriate oversight. In the context of public health, the processing must be overseen by a healthcare professional and the ICO believes that this is an important safeguard to keep.
Compulsory reporting of automated decision-making
There is a proposal to introduce compulsory reporting on the use of algorithms in decision-making for public authorities in order to build trust and increase transparency. Both the ICO and The Law Society welcome this proposal and believe this would build trust in the use of such algorithms.
Data sharing between public and private bodies
The government also wants to expand s35 Digital Economy Act 2017 (DEA), which concerns the disclosure of information to improve public service delivery.
The ICO supports this proposal as this would allow for data sharing between public and private bodies. However, the ICO mentions that it would be important to consider whether such data sharing should use different controls to those provided under the DEA.
Next week we will be summarising the final chapter, Chapter 5 – Reform of the Information Commissioner’s Office.
For more advice or information on data protection, contact Alex Zachary and Holly McNeil from our Corporate and Commercial team on enquiries@bpcollins.co.uk or call 01753 889995.
To sign up for more free advice articles from across all of B P Collins’ practices, please email enquiries@bpcollins.co.uk