Protecting our data: UK Government publishes Data Protection and Digital Information Bill
In July this year, the UK Government published its newly reformed data protection bill, the Data Protection and Digital Information Bill. Introduced to Parliament last month, it follows last year’s consultation on the UK’s existing data protection provisions.
Aiming to improve upon previous regulations and simplify our data protection landscape, what will the new bill have in store for organisations that handle and store data?
Stephen Bailey, Global Privacy Services practice lead at NCC Group, provides his thoughts on the Bill.
What are the aims of the Bill?
Though there is clear crossover between existing data protection regulations and the provisions set out in the Bill, it is by no means a new set of all-encompassing data protection laws. Rather, it is a series of additions and instructions that seek to create an amended version of the UK General Data Protection Regulation, the UK Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003.
The Bill relates to the regulation, processing, storage and maintenance of personal, customer and business data – therefore impacting most organisations that work within the UK, or share data with entities based here.
The Government has been clear in its intentions that this is to simplify the data protection legal landscape the UK operates within, by reducing the admin burden placed on organisations; at the same time, it recognises the absolute importance of maintaining the UK’s already high data protection standards, to ensure the protection of business and people alike.
In the Government’s response to the initial consultation to reform the UK’s data protection laws – called Data: A New Direction – there was mention of a potential privacy management programme, as part of an aim to reduce burdens on business. The response stated that the privacy management programme would allow for a more flexible, risk-based approach and would replace aspects of the current accountability framework; changes would impact data protection officers, data protection impact assessments, and records of processing activities. While this Bill does not explicitly include a privacy management programme, the core elements that were to be included in it are there.
What are some of the key updates within the Bill?
The Bill has been discussed at length over the last year, and this first draft introduces some interesting new provisions. It is, understandably, complex, and therefore its impact could be extensive – even affecting how births and deaths are registered, with an electronic register set to be introduced in England and Wales.
The Bill is separated into six key sections: data protection, digital verification, oversight and regulation, business and customer data, other forms of digital information, and final provisions.
On the first section – data protection – it is important to reinforce that the UK has some of the highest data protection regulations across the globe. That said, the legal landscape it creates is a complicated one. The Bill intends to provide greater clarity on data protection laws, especially for research organisations. For example, it includes provisions on smart data schemes to allow for the secure sharing of customer data, such as the information used by communications providers or financial institutions. It also clarifies the information standards published under section 250 of the Health and Social Care Act 2012.
With regard to business and consumer data, the Bill will also provide Government with the power to order those holding data to share customer or business data with both third parties and customers. It would enable the Government to issue data sharing obligations, to enable better information sharing between organisations, and improve the certainty and stability of cross-border flows of personal data. In particular, it could allow for a more effective and efficient flow of data for law enforcement and national security services.
On oversight and regulation, sections of the Bill seek to extend the scope of existing powers; for example, extending data sharing powers under Section 35 of the Digital Economy Act (2017). Section 35 specifically relates to disclosure of information to improve public service delivery, tying back to the Bill’s aim to better benefit both people and businesses through increased data sharing.
The Bill will also reform the ICO in several areas, including its governance, enforcement powers, data protection complaints processes and development of statutory codes of practice. While the way data breaches are reported and responded to will remain the same, the provisions ultimately seek to modernise the ICO, by providing it with the power to take stronger action against organisations that breach data protection rules. It will enable the ICO to hold organisations accountable to Parliament and the public – something the ICO was previously restricted in doing.
The Bill is an interesting step forward for the UK’s data protection strategy, though it is of course important to remember that this is the first draft; there are likely to be changes to it as it makes its way through Parliament. Given this, it is perhaps too early to determine what this means for UK-EU data adequacy.
Any effort to improve the use of data and digital information is welcomed, whether that is through improved regulation, clarification of responsibilities, or improved data sharing. Of course, the safety of this information must be pursued at all times, to protect the privacy and security of our data as we navigate an ever more digitally enabled way of working and living.