We expect to see updates to data protection legislation following the Queen’s Speech in May, which included a Data Reform Bill. This followed the UK Government’s consultation towards the end of last year.
The content of the new Bill is expected to reflect the proposals put forward for consideration in the consultation.
According to the briefing note that accompanied the Queen’s Speech, the main elements of the Bill are:
- creating a UK-centric data protection regime;
- modernising the Information Commissioner’s Office (the ICO); and
- increasing industry participation in Smart Data Schemes.
In addition, the Bill is expected to focus on making the existing legislation, the UK GDPR and Data Protection Act 2018, clearer and easier to follow.
The consultation was particularly concerned that uncertainty around the appropriate circumstances in which the legitimate interest justification should be relied upon had created over-reliance on the ‘consent’ justification. Accordingly, one of the consultation’s proposals was to create a “limited, exhaustive list of legitimate interests for which organisations can use personal data without applying the balancing test”.
Creating a UK-centric regime
It is intended that the Bill will create a “clearer regulatory environment for personal data use that will fuel responsible innovation and drive scientific progress”. Proposals from the consultation include incorporating a definition of ‘scientific research’ into the UK legislation as well as expressly stating the situations in which personal data can be further processed. Also proposed is permitting further processing for an incompatible purpose “when it safeguards an important public interest”.
The briefing note states that the Bill is intended to reduce the administrative burden on UK businesses. The consultation proposed that this could be achieved by amending the UK GDPR requirements by, for example, removing the requirements for: prior consultation with the ICO in advance of carrying out data processing, designating a data protection officer, undertaking a data protection impact assessment, and keeping records in line with Article 30 requirements. The Government may also amend the threshold for breach reporting to counteract the issue of over-reporting.
Further, measures may be introduced to allow for more efficient data sharing between public bodies. In the aftermath of the COVID-19 pandemic, the Government is proposing to “clarify that public and private bodies may lawfully process health data when necessary for reasons of substantial public interest in relation to public health or other emergencies”.
Modernising the ICO
The effect of the upcoming reforms will be to both grant the ICO more powers whilst making it more accountable to Parliament and the public. Though the reforms are yet to be drafted, the consultation proposed increased oversight by the Secretary of State for Digital Cultural, Media and Sport, and a change to the structure of the ICO, installing a Board and CEO to replace the current sole corporation model.
Furthermore, the Government wants to place extra duties on the ICO, such as the duty to have regard to competition and the duty to co-operate and consult with other regulators such as the Digital Regulation Cooperation Forum. The consultation also suggested granting increased investigatory powers such as the power to commission third party technical reports and the power to compel witnesses to answer questions at interview.
Smart Data Schemes
The reforms are intended to make more widespread use of Smart Data Schemes. Smart Data is the mechanism that grants third parties access to customer data. It is commonly associated with banking and allows customers to, for example, view multiple bank accounts within a single app, or SMEs to access streamlined accounting services. Essentially, the schemes are designed to simplify data processes in a secure way with the consent of the data subject.
Ultimately, the Government intends for the Bill to make data protection legislation clearer, easier to follow and more efficient and hopes that as a result the reforms will generate more than £1 billion in business savings over a ten year period. No doubt this intention will be welcomed by all those involved in data protection compliance but we will wait to see what reforms are come forward.
Call us for free on 0330 912 0294 or complete our online form below for legal advice or to arrange a call back.