We value your privacy

We use cookies to enhance your browsing experience, serve personalized ads or content, and analyze our traffic. By clicking "Accept All", you consent to our use of cookies.

Customize Consent Preferences

We use cookies to help you navigate efficiently and perform certain functions. You will find detailed information about all cookies under each consent category below.

The cookies that are categorized as "Necessary" are stored on your browser as they are essential for enabling the basic functionalities of the site. ... 

Always Active

Necessary cookies are required to enable the basic features of this site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data.

No cookies to display.

Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features.

No cookies to display.

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate, traffic source, etc.

No cookies to display.

Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.

No cookies to display.

Advertisement cookies are used to provide visitors with customized advertisements based on the pages you visited previously and to analyze the effectiveness of the ad campaigns.

No cookies to display.

Categories
Articles

Data Protection Reform?

Looking at the contents of the Government’s new Bill suggests it may be more about Digital Information than Data Protection:

  • Personal Data Processing (1-23)
  • National Security & Intelligence Services (24-6)
  • Information Commissioner’s Role etc. (27-43)
  • Miscellaneous (44-5)
  • Digital Verification Services (46-60)
  • Customer & Business Data (a general framework for services like Open Banking) (61-77)
  • Privacy and Electronic Communications (78-86)
  • Trust services (87-91)
  • Public service data sharing etc (92-99)
  • Information Commission Governance (100-106)

Even those first 23 clauses, which are about the day-to-day processing of personal data, are largely clarifications or re-phrasings of existing (UK) GDPR and Data Protection Act provisions, so seem unlikely to result in organisations changing their existing processes.

The Act is presented as a series of amendments to existing laws, which makes it hard to interpret, but things I spotted include:

  • New (narrower) definition of personal data (c1). The original GDPR definition (Art.4(1)) depends on the phrase “identifiable natural person” but didn’t answer the question “identifiable by whom?”. For a while there were two conflicting German cases, one saying “by the data controller”, the other “by anyone in the world”. The DPDIB goes for the former. As far as I know this was never resolved at EU level: perhaps because, when designing processes, it doesn’t really matter. Any collection of data is likely to include some people who the data controller can identify – customers, staff, those who have self-identified, … – so you have to have a process for people “identifiable by me” anyway. And if you have such a process it seems like a lot of work to develop a parallel process to work out which records are “not identifiable by me” and handle those differently.
  • Research and Statistical Purposes (c2,3,9&22). These sections largely consist of text copied or redrafted from the GDPR’s many Recitals (notably 156-162) and Articles (principally 89) on “scientific research”. It has been suggested that the new definition in c2 expands such research to cover both commercial and non-commercial activity, but I can’t see anything in the original GDPR (several different language versions) that currently limits those provisions to “non-commercial” activities. Indeed the current ICO guidance says “It can also include research carried out in commercial settings, and technological development, innovation and demonstration”.
  • Recognised legitimate interests (c5 & Annex 1). These seem to be a list of purposes that could have been covered by the existing “public interest” and “legitimate interest” justifications. Worryingly, although the category name still mentions “legitimate interest”, there doesn’t seem to be any requirement to consider the interests or fundamental rights and freedoms of individuals, as under the old Article 6(1)(f) Legitimate Interests. We have found that balancing test really useful to reassure both ourselves and our users that we are applying appropriate safeguards, for example when processing to ensure system, network and data security.
  • Automated decision-making (ADM) (c11). This seems to answer another long-standing (since 1995!) open question: whether a “right not to be subject” to ADM is a preemptive ban on making such decisions, or creates a right of human review of individual decisions. In the UK, under the DPDIB, the answer seems to be a ban on ADM using special-category data (unless “necessary for reasons of substantial public interest”, in Art.9(2)(g)) but a right of review otherwise.
  • Data Protection Impact Assessments (c17&18). These have been relabelled as Assessments of High Risk Processing, and several sources of guidance have been removed, but the basic idea remains: when planning processing the controller must think about potential risks to individuals’ rights and freedoms and take documented measures to ensure any high risks are mitigated. Jisc has found this a very useful tool in planning our own services and reassuring their users (see for example our published DPIAs on network security and learning analytics).

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!

Leave a Reply

Your email address will not be published. Required fields are marked *