Businesses involved in processing personal data should be aware that the government is proposing to make a number of changes to the law in this area as set out in the Data Protection and Digital Information Bill.
Generally the changes seem intended to reduce some of the administrative burdens faced by businesses in complying with the current law.
Data Subject Access Requests: Under the current law, a data controller can only refuse to comply with a subject access request which is “manifestly unfounded or excessive”, a threshold that is generally quite difficult to justify. Under the proposed new law this will change to “vexatious or excessive”. Examples of vexatious requests include those which are not made in good faith, are an abuse of process or are intended to cause distress. A controller can refuse to comply with, or make a charge for dealing with, a vexatious request. One of the factors a business can take into account when considering whether a request is vexatious or excessive is the resources of the business. It will also be made clear that the time limit for a business to respond to a request begins, where applicable, from when the business receives any information requested to confirm the identity of the data subject making the request, or payment of any charge.
Businesses will still need to exercise caution when considering whether refusing or charging for a request can be justified.
Legitimate Interests: One of the legal grounds most relied upon for justifying the processing of data is that the processing is in the legitimate interests of the data controller. In order to rely on this legal basis, the controller’s interests need to be balanced against the interests, rights and freedoms of the individual whose data is being processed.
Under the proposed new law, there will be a new category of “recognised legitimate interests” for which this balancing is not required. These include processing for purposes such as safeguarding national security, the detection, investigation or prevention of crime, and safeguarding vulnerable individuals. All of these seem generally to be for the benefit of government or public sector organisations, so they are unlikely to be relevant to commercial organisations that rely upon legitimate interests to process data; those organisations will continue to need to carry out legitimate interest assessments.
Complaints: The new law will require individuals who wish to complain about the processing of their data to complain initially to the controller before a complaint is raised with the ICO. The controller will need to provide a complaint form and acknowledge a complaint within 30 days and take appropriate steps to respond without undue delay.
The ICO has a right to refuse to intervene if a complaint has not been made to the controller, the controller has had less than 45 days to respond to a complaint, or if the complaint is vexatious or excessive.
Cookies: Under the current law only cookies which are “strictly necessary” for the use of a website can be set without the consent of the user. Under the proposed new law, the types of cookie (or similar technology) which can be placed without consent will be expanded to include, in summary:
The definition of what constitutes “strictly necessary” has also been widened.
The Government would like in future to make more radical changes which could mean that users would need to opt out of receiving types of cookies. This is not contemplated by the Bill and would be dependent upon the government being satisfied about the availability of effective technical means for users to manage their preferences.
In the meantime, businesses should note that the potential penalties for breach of the legislation relating to cookies are to be substantially increased from the current maximum of £500,000 to the higher of £17.5m or 4% of annual worldwide turnover.
Data Protection Officers: It is proposed that the current obligation to designate a data protection officer, which arises where the core activities of the controller require regular and systematic monitoring of data subjects on a large scale, will be replaced with an obligation to appoint a “senior responsible individual”. The new obligation will be triggered where the controller is a public body or where, taking into account the nature, scope, context and purpose of the processing, the processing is likely to result in a high risk to the rights and freedoms of individuals. The responsibilities of a senior responsible individual are broadly similar to those of a data protection officer.
Data Protection Impact Assessments: The requirement to conduct data protection assessments in all of the circumstances listed in article 35 of the GDPR is to be removed.
Instead, controllers engaged in high risk processing must conduct a simpler assessment of the purpose of the processing, whether it is necessary for the purpose, the risks to the individual and how the controller proposes to mitigate the risks. It is proposed that where high risk processing is identified, there will also no longer be a requirement to consult with the Information Commissioner.
Record keeping: The requirement to keep records of data processing remains for controllers or processors with more than 250 employees. It also applies to those whose processing presents a high risk to individuals (as opposed to any risk under the current legislation).
The details which need to be recorded have been revised. Controllers will need to keep records of where the personal data is located, the purpose of processing, any transferees or proposed transferees with whom the data will be shared, the proposed retention period, any special categories of data or criminal conviction data and security arrangements for the data.
There will no longer be a requirement to record the contact details of the controller or data protection officer, nor the other categories of data or of data subjects held.
Reform of the ICO: The Bill proposes that the ICO (Information Commissioner) will be replaced by a new corporate body, the Information Commission, of between 3 and 14 members. In performing its principal functions of securing an appropriate level of data protection and promoting trust and confidence in the processing of personal data, the Commission will need to bear in mind factors such as the promotion of innovation and competition, the prevention or detection of crime, and national security.
Concerns have been raised that this may give rise to a dilution of the ICO’s independence and so affect the exercise of its powers.
The Bill is intended to ease some of the administrative burdens faced by businesses in complying with the GDPR. This note does not cover all of the proposed changes. Generally, the proposed changes are more in the nature of tweaks than substantial revision, but some of the changes may be significant.
Businesses that have established procedures for complying with the current law, and which process the data of individuals in the EU, may choose for consistency to continue to follow the rules set out under the current law, which mirror the EU GDPR, rather than adopting revised practices for the UK only.
It remains to be seen how the EU will view the final form of the proposed legislation and whether its adoption might affect the EU’s finding that the UK provides adequate protection for the personal data of EU citizens.
The Bill is still proceeding through parliament and so is not yet in final form. Some of the proposed changes may be subject to revision. We will produce a more detailed review and commentary when the legislation is finalised.
In the meantime, if you have any questions about data protection compliance, please contact Julian Milan email@example.com 08081668827.