On 16 June 2022, the UK government’s Department for Digital, Culture, Media and Sport (“the DCMS”) published its response to its Data Reform consultation. The response sets out the UK government’s key data protection reform proposals which will be incorporated into the UK’s new Data Reform Bill.
Here are the key takeaways of the Data Reform proposals:
One of the focus areas of the proposed reform is to facilitate the innovative use of data by removing several barriers which are said to hinder innovation in organisations.
The DCMS recognises that the current laws around the use of personal data for research purposes are complicated. All too often, organisations find it difficult to establish legal certainty when using data for vital and pioneering research. The proposed reforms focus on removing unnecessary hurdles to better enable researchers to unlock more personal data for responsible research uses. Some of the proposals are:
The DCMS believes that the re-use of personal data (often referred to as “further processing”) can provide innovative benefits. As such, it plans to widen and clarify the circumstances in which data may be re-used and provide clarity on how organisations can better differentiate between new and further processing.
Often businesses and organisations seek to rely on their legitimate business interests as the required legal basis for processing personal data. In order to do so, under the UK GDPR, a balancing exercise must be undertaken weighing the business’s legitimate interests against the rights of the relevant data subjects. The DCMS has recognised many organisations’ concerns about the time and effort these legitimate interests impact assessments can take.
In answer to these concerns, the DCMS proposes to introduce a limited, exhaustive list of legitimate interests for which organisations could use personal data without applying the legitimate interests balancing test. The list is likely to include processing activities undertaken to prevent crime or report safeguarding concerns, or which are necessary for other important reasons of public interest.
The DCMS also proposes to clarify when personal data can likely be regarded as anonymous and issue guidance as to how organisations can establish whether an individual is identifiable or not.
The DCMS has recognised that data protection legislation can place a disproportionate burden on some organisations. It therefore plans to reform the accountability framework by introducing a more flexible system underpinned by risk-based “privacy management programmes”.
In doing so, the DCMS proposes to remove the existing requirements for:
These can be replaced with risk assessment tools which are appropriate to the organisation. This is intended to transition the position under UK law from a “one size fits all” model towards a more flexible approach which reflects the volume and sensitivity of personal data processed by the specific organisation.
Article 33 of UK GDPR requires that an organisation must inform the ICO of a personal data breach “unless it is unlikely to result in a risk to the rights and freedoms of natural persons”. The DCMS has recognised that this threshold has led to the reporting of relatively minor breaches. Whilst the UK government sought opinions as to whether a higher reporting threshold would reduce the number of notifications, the ICO highlighted that an indirect reduction of the number of reportable incidents would impact the amount of “valuable intelligence data” received. Ultimately, the DCMS decided not to pursue a higher threshold for breach reporting.
The DCMS outlined that the right of access is “one of the key rights of the data protection framework”; however, it did acknowledge that dealing with such requests can be time-consuming and resource-intensive. Whilst the regime is not expected to change substantively, a critical change is anticipated in respect of the threshold for refusing to respond to a Subject Access Request. The consultation identified that the “manifestly unfounded” threshold was too vague and created a significant barrier for organisations seeking to refuse unreasonable requests made with the intention of disrupting an organisation.
The DCMS confirmed that the government intends to bring the Subject Access Requests threshold in line with the Freedom of Information Act regime, where a request can be refused for being “vexatious or excessive”. The DCMS refused to permit a recommended cost ceiling for Subject Access Requests. However, the DCMS has noted that it is considering the impact of Subject Access Requests on SMEs.
The DCMS requested views on the effectiveness of the Privacy and Electronic Communications Regulations 2003 (PECR) which sets out privacy rights in respect of electronic communications. PECR provides supplementary rules to the UK GDPR in respect of cookies, direct marketing communications and communications security.
As PECR’s enforcement provisions were born out of the Data Protection Act 1998, they are currently much weaker than the UK GDPR and DPA 2018. The consultation asked for views as to whether PECR should be ‘upgraded’ to allow the ICO to levy fines in line with the UK GDPR and DPA 2018 of up to £17.5m or 4% of global turnover. The majority of respondents supported the proposal and it is hoped that aligning the two regimes will bring greater clarity for organisations in respect of those enforcement provisions.
The reforms appear to be focused on providing organisations with greater flexibility over their use of personal data while still committing to a high level of data protection. Organisations should be reassured that if they already comply with the UK’s current data protection regime, they will still comply with the new regime. If anything, the proposed Data Reform is designed to make the lives of businesses and organisations a little easier.