Government launches major consultation on the future of data protection law
10/09/21
On 10 September, the Government published a wide-ranging consultation on the future of data protection law and regulation. It is relevant for all organisations in terms of understanding and influencing the future of data protection law in the UK. The consultation document runs to 146 pages and covers a lot of ground, including regulation of Artificial Intelligence (AI), but organisations are not expected to respond to all of it.
We have highlighted below the key aspects that we think are going to be relevant to clients in the health, emergency service, housing and regulatory sectors, as, if enacted, they may lead to significant changes in how you comply with data protection law:
- Radical reform of ‘accountability’ requirements in the UK GDPR: These would be replaced with requirements to have a ‘risk-based privacy management programme’ in place. Whilst the government has suggested that the approach should be flexible, the proposed framework in the legislation appears quite prescriptive and looks similar to the ICO’s recently published accountability framework. The consultation goes on to suggest a number of other changes as part of this:
  - Removing the statutory ‘Data Protection Officer’ role: Instead, you would need to have a person responsible for the privacy management programme and overseeing data protection compliance. It appears that this will apply to all organisations, not simply those who are required to have a DPO at the moment.
  - Removing the need to undertake specific data protection impact assessments: The government has said this will be mitigated by the requirements of the privacy management programme.
  - Removing the need to maintain a ‘record of processing activity’ under Article 30 UK GDPR: The government’s view is this is ‘box-ticking’ and can be met in other ways such as privacy information for individuals, although undertaking data-mapping is an important part of data protection.
- Re-wording the breach reporting requirements: The government proposes breaches will need to be reported ‘unless the risk to individuals is not material’. Our initial view is that this change maintains some of the problems and uncertainty of the existing threshold, but the government has proposed that the ICO should produce guidance and examples of what is a non-material risk.
- Reintroducing voluntary undertakings as a regulatory outcome from ICO investigations: These were previously used as part of the Data Protection Act 1998 regime and are a feature of other countries’ data protection regulatory frameworks.
- Reintroducing fees for subject access requests and potential cost limits for compliance: The government proposes to introduce a fee regime ‘similar to that in the Freedom of Information Act 2000’ for SARs (i.e. a ceiling of work for complying with SARs), although it is not clear what tasks would be included within the limit – for instance, the cost of determining whether or not information is exempt does not count towards the cost of compliance with FOI requests, and removing exempt information from SARs can be a very time consuming task.
- Creating a new, single framework for processing data for research purposes: The government’s view is that research provisions which are currently spread across data protection law should be consolidated into one place, and a specific new legal basis for ‘research’ should be created. Our view is that this is attractive, but the limits of what is ‘research’ can be ambiguous. The challenge is that research will generally be applied into a service or product, and therefore the implications of this proposal then need to be worked through into how personal data used in/generated from research is then applied. The interactions of such provisions with the law of confidentiality also need to be considered.
- Clarifying the circumstances in which data is to be regarded as anonymous: A new statutory test of anonymisation (but based on existing case law) is proposed to give greater legal certainty.
- A new legal basis for public and private sector bodies to process health data for reasons of substantial public interest in relation to public health and emergencies, without the need for the processing to be overseen by a health professional or undertaken under a duty of confidentiality. Safeguards are, however, proposed to be put in place around this. Further changes are being examined to the circumstances in which processing may be said to be in ‘the substantial public interest’ more generally. This could help, for instance, housing associations where the legal basis may be buried or split within different legal bases.
- Changes for law enforcement processing, including absorbing the role of the Biometrics and Surveillance Camera Commissioners into the ICO: There is a respectable argument for simplifying the number of (quasi-)regulators operating in this space, but our experience has been that the Surveillance Camera Commissioner has produced some of the most useful and practical guidance of all regulators. If this change is to occur, it will be important that the benefits of the guidance produced by the SCC are not lost. Changes are also proposed to certain requirements for law enforcement bodies processing biometric data to promote transparency.
How to take part in the consultation
How Capsticks can help
Our team at Capsticks consists of experts in all areas of information law concerning healthcare and housing organisations, regulators and emergency services. We give practical advice on the full range of advisory, transactional, regulatory and litigated issues including effective information sharing between organisations, complex subject access requests, and responding to information security incidents and cyber-attacks.
We are happy to collate responses to the consultation on your behalf. If you would like to discuss any of the themes raised in the consultation, or compliance with data protection law more generally, please speak to Andrew Latham, Saira Ramadan or Serena Patel.