The ICO exists to empower you through information.

About the ICO

The Information Commissioner has responsibility for promoting and enforcing the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA), the Freedom of Information Act 2000 (FOIA), the Environmental Information Regulations 2004 (EIR) and the Privacy and Electronic Communications Regulations 2003 (PECR). He is independent from the government and empowers people with information, promoting openness by public bodies and data privacy for people. The Commissioner does this by providing guidance to the public and organisations, solving problems where he can, and taking appropriate action where the law is broken.

Introduction

The Data Protection and Digital Information Bill (DPDI Bill)[1] is an important milestone in the evolution of the UK’s data protection regime.
Responsibility for developing policy and for making changes to the legislative framework sits with government and Parliament. The Information Commissioner’s Office (ICO) is independent from government and our role is to carry out the duties set out in the current, and any future, legislative framework.

When the DPDI Bill was introduced, I welcomed it as a positive package of reforms that would allow the ICO to continue to operate as a trusted, fair and independent regulator. I noted that the Bill protected people’s rights and freedoms, whilst also providing greater regulatory certainty for organisations and promoting growth and innovation in the UK economy. I also provided government with detailed technical comments on a number of areas in which I thought the Bill could be improved. My views were published in May 2023 in the Information Commissioner’s Response to the Data Protection and Digital Information No 2 Bill, and were updated in December 2023, in the Commissioner's Further Response to the Data Protection and Digital Information Bill, to reflect amendments made at Commons Report stage.

Updated Commissioner view

The Bill will soon return to Parliament for House of Lords Grand Committee scrutiny and government has introduced a number of new clauses. I have been consulted on the data protection changes and have provided my views to government, in line with the requirements of Article 36(4) of the UK GDPR. I have not had prior sight of all minor or consequential amendments.

Government amendments

Data protection framework

The amendments specific to the data protection framework are technical and aim to provide greater legal clarity and certainty, rather than make substantive changes to the existing requirements.

I welcome the government’s intent through these proposals to:

  • make clear that the statutory override contained in the current DPA will not be changed by the Retained EU Law Act (REUL Act). This amendment ensures that data protection legislation is not inadvertently overridden by other legislation, for example in relation to data sharing. This will help to maintain high data protection standards and reduce potential future adequacy risks;
  • ensure that the way time periods are calculated in data protection law is consistent. Currently time periods are calculated based on Article 3 of Regulation 1182/71, which is retained law from the European Union and provides a standard way of interpreting time periods to ensure clarity and consistency. There are certain exceptions required where, for example, UK parliamentary process takes a different approach. This amendment applies the necessary changes to the UK DPA 2018, the UK GDPR, PECR, eIDAS and the EITSET regulations; and
  • provide greater legal certainty in relation to international data transfers for controllers and processors transferring personal data for law enforcement purposes by modifying Part 3 of the DPA.

Online Safety Act

The Bill currently updates the Online Safety Act to establish a data preservation process. Following instruction by a coroner, this will require OFCOM to issue data preservation notices to online service companies to ensure they retain data that may later be requested by a coroner when carrying out an inquest into a child's death by suspected suicide or that OFCOM may need in order to report to the coroner on the operation of a particular online service in such circumstances. Government is now broadening the scope of the power so that it applies to all child deaths being investigated by the coroner or procurator fiscal, rather than limiting it to deaths by suspected suicide. Given the nature of online services, the retained information could include the personal data of other users of the service with whom the child has interacted.

I recognise the constraints on coroners’ time in identifying cases where the reported circumstances of the death suggest that there is at least a reasonable prospect that the use of online services could be a factor before an investigation commences, and the risks associated with them not having access to the information when needed. I am reassured that the power includes a limit on the time for which information must be retained, and a duty on OFCOM to cancel a notice if it is informed by the investigating authority that the information in question no longer needs to be retained. I also note that, in any case, any re-use of data retained for this purpose will be subject to the usual data protection purpose limitation provisions.

Updated position on existing provisions in the Bill

Personal data definition

In my initial published response to the Bill in May 2023, I commented that an implication of the drafting might be that, “if the controller does not intend to identify people for its own purposes, and judges that a third party is unlikely to obtain the information, then it’s not personal data, irrespective of how easily people could be identified”. Since my response, government has addressed my concern in this respect by confirming that this is not its intention and that “the subjective intention of the controller is not intended to be a relevant consideration in this clause”. Ideally, for regulatory certainty, I would prefer this intent to be made explicit in the legislative text, explanatory notes to the Bill, or in the parliamentary debate. However in the absence of this, I will make this clear in future ICO guidance. 

Areas of ongoing concern

I note that many of the technical comments I included in my previous responses to the Bill remain unaddressed. In particular, I would like to see government give further consideration to my views on defining high risk processing.

High risk processing

I maintain my view that the Bill should contain additional detail and provisions to clarify high risk processing. This is important to provide more certainty for organisations about the requirements they must fulfil and, where possible, simplify the self-assessment of processing activities. Further changes would also ensure that the ICO's ability to enforce against non-compliance with relevant requirements is not weakened.

In my view it would be preferable to:

  • set out on the face of the Bill the activities that government and Parliament view as high risk processing, similar to the current list set out at Article 35(3) of the UK GDPR; and
  • to ensure the definition of high risk processing remains future proof, include a provision setting out that the ICO has the ability to further designate processing activities which fall into the high risk category and are at least subject to the updated accountability requirements. This would be similar to the current provision set out at Article 35(4) of the UK GDPR in respect of data protection impact assessments, but with a parliamentary approval mechanism to ensure accountability, and could be achieved by amending clause 20 of the Bill.

I have expanded on my position on high risk processing in Annex One.

Power to require information for social security purposes

The decision about whether the proposed power to require information for social security purposes is justified, necessary and proportionate is ultimately one for Parliament to determine. This includes scrutinising the evidence base from the proof of concept exercises and the explanations from government about what the proposed power is and how it would operate.
I understand and recognise the scale of the problem with benefit fraud and error that government is seeking to address and accept that the measure is in pursuit of a legitimate aim. I am not aware of any alternative, less intrusive, means of achieving the government’s stated policy intent based on their analysis.

However, in order for this measure to be deemed a necessary and proportionate interference into people’s private lives, to be in accordance with the law and to satisfy relevant data protection requirements, the legislative measure must be drafted sufficiently tightly to expressly minimise the level of data collected and so that it is clear what information will be processed and for what purpose. At this point in time, I do not feel that the drafting achieves this and have provided further detail in Annex One.

Conclusion

Overall the Bill remains one which I support as improving the effectiveness of the data protection regime in the UK, upholding people’s rights, providing regulatory certainty and clarity for organisations, and improving the way the ICO regulates. I will continue to engage with government and Parliamentarians to provide my independent advice on further changes during the remaining phases of the parliamentary process.


Annex One – Additional comments on previously tabled amendments and ongoing drafting concerns

High risk processing

I have given further consideration to the issue of high risk processing during the passage of the Bill, and continue to be of the view that the current approach leaves a significant gap in the legislation by removing:

  • the certainty that Article 35(3) provides by specifying particular processing activities as high risk and subject to the requirement to complete a data protection impact assessment (DPIA); and
  • the ICO’s ability to designate certain processing activities as high risk and subject to the DPIA requirement. This weakens protections for key areas such as processing of children's data for profiling or automated decision-making, marketing, or offering online services directly to them, or the use of profiling or special category data to decide on access to services, amongst several others.

Additional specificity about high risk processing subject to accountability requirements would provide greater certainty, but I have concluded that it will not be possible to be exhaustive, given the huge potential for variation in both types of processing and the risks that can occur from these, and the continued emergence of new, technology-enabled types of data processing.

To restore the necessary safeguards and ensure that the ICO can enforce against non-compliance in this area my view is that it would be preferable to:

  • set out on the face of the Bill the activities which government and Parliament view as high risk processing, similar to the current list set out at Article 35(3) of the UK GDPR; and
  • include a provision setting out that the ICO has the ability to further designate processing activities which fall into the high risk category and are subject to the updated accountability requirements - similar to the current provision set out at Article 35(4) of the UK GDPR but with a parliamentary approval mechanism to ensure accountability.

It is right for government to state from a public policy point of view what processing activities it considers high risk, and for Parliament to have the ability to debate and scrutinise this, hence the suggested inclusion of an updated Article 35(3). However, there will be limitations on the level of granularity that can be achieved on the face of the statute and there is the disadvantage that legislation is not updated easily, whereas technology and processing activities move on rapidly.

Therefore, I believe it would be beneficial to provide the ICO with a power to designate additional activities as high risk and subject to the revised accountability requirements but with enhanced parliamentary scrutiny. This will ensure that the ICO can bring to bear its significant knowledge and expertise in further developing a list of activities which it considers high risk, consulting widely with stakeholders, and presenting these to Parliament for scrutiny and approval.

I note here that clause 20(4) of the Bill sets out a new task for the Commissioner at Article 57(1)(k), to produce and publish a document containing examples of types of processing which he considers are likely to result in a high risk to people’s rights and freedoms (for the purposes of Articles 27A, 30A and 35). While this provides helpful clarity of the Commissioner’s view, it only has the status of guidance. Organisations would not therefore be required to implement the new accountability requirements for these examples. It is therefore possible that where new types of high risk processing emerge, even where these are added to ICO guidance, people are not afforded the protections of, for instance, a requirement for organisations to do proper risk assessments on that processing.

In contrast, Article 35(4) of the current UK GDPR, requires that the Commissioner, “shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment pursuant to paragraph 1”. This formulation makes clear that the activities contained in such a list, which can currently be found on the ICO's website, are subject to the requirement to undertake a DPIA.

In my view the new Article 57(1)(k) duty set out in the Bill is likely to leave significant room for challenge from controllers should I opt to pursue enforcement action on the new accountability requirements. In my view clause 20(4) could be amended to make clear that the Commissioner may designate the types of processing which shall be subject to the new accountability requirements subject to parliamentary approval. 

Power to require information for social security purposes

Overview

The Department of Work and Pensions (DWP) interprets its current powers as limiting requests for information from third parties, such as banks, to an individual basis where there is already suspicion of fraud. DWP must currently identify a specific individual by name or description (for example, account number, sort code or address) to a bank so it can check that individual’s capital holdings or whether they show signs of living abroad. This cannot be done swiftly at scale, and by the point of identification of an individual whom DWP wants to verify, it is likely that benefits will have been acquired fraudulently for some time.

The amendment compels organisations to provide the DWP with a ‘tipping off’ list of people of interest that they may wish to prioritise for further investigation for potential benefit error or fraud. Initially this will involve financial institutions querying their account data to search for specified triggers set by DWP.

It is intended to facilitate the provision of data on a significant scale but is only meant to require sharing of information that confirms the identity of relevant people on the basis that their accounts meet certain criteria. It should not be confused with pre-existing powers the DWP already possess to obtain more detailed information about people in receipt of benefits where it has reason to believe that fraud is occurring.

DWP will use the data supplied to decide whether further investigation is warranted and, if it is, rely on its pre-existing powers to obtain any extra information about the account that may be relevant, such as detailed transaction information.

Necessity and proportionality

DWP maintains that the measure will save up to £600m over five years (and is forecast to save significantly more over 10 years); it will require the minimum data from the data holders in order to determine where there is potential fraud and overpayment; and is targeted – with a relationship between DWP, the account holder or benefit recipient and the data holder required.

In my view, given the level of fraud and error and the predicted savings arising from this proposal, the power could be capable of satisfying the proportionality requirement, provided that it is drafted sufficiently tightly to clearly minimise the level of data collected. However, I do not think the current drafting is sufficient to ensure this and have concerns that it could be interpreted more widely.

I would expect government to keep this measure under close review during, and after, implementation to ensure that thresholds for collecting data are as targeted as possible and minimise information obtained about people who have not committed fraud.

Scope of information

I remain of the view that the provision should explicitly state that only the minimum information to identify relevant persons of interest can be obtained. While I understand that DWP’s intent is to include detail of what this means in practice in a proposed code of practice, it is important to provide this clarity of scope in the legislation.

I accept that the effect of paragraph 1(2) in Schedule 3B is to limit the criteria or triggers that may be included in any information notice to those necessary for the purpose of identifying whether a benefit is being paid in accordance with the law. However, I am concerned that the drafting in para 2(1)(b) and (c) does not sufficiently limit the scope of the power to only obtaining information that would permit the identification of accounts and people that warrant further investigation. This leaves it open to being interpreted and applied more widely than DWP’s stated intention. For certainty and foreseeability and to support data minimisation, paragraph 2(1) should be more explicitly limited in this way.

In my view, this approach would permit the transfer of the type of information that DWP has advised it is looking to obtain but would also guard against the sharing of information which is over and above the minimum required to identify relevant accounts or individuals.

Scope of application

My understanding is that DWP intends to exercise its information notice power against a small number of financial institutions, implementing a test and learn process to determine the appropriate and proportionate amount of personal data required to deliver the policy intent. DWP has confirmed that as it looks to expand the use of the power in future to organisations outside of the financial sector it will do so via secondary legislation.

In my updated response to the Bill, published in December 2023, I expressed concern that, as drafted, the power states that the Secretary of State “may give an information notice to a person of a prescribed description” but did not clearly specify where such persons are prescribed.

DWP has explained that there is a regulation making power being added via the amendment (citing paragraph 5 of Schedule 11 in the Bill) to allow for extension of the power to new sectors. That provision refers to regulations made under paragraphs 1(1), 9(3)(a) or 12 of Schedule 3B. DWP has clarified that this has been drafted in line with the drafting convention already used in the Social Security Administration Act 1992 and the term “prescribed” denotes a regulation making power.

The clarification that DWP has provided allays my concerns in this regard and I welcome the fact that the requisite regulations will involve regulatory and parliamentary scrutiny, with additional impact assessments being undertaken for any extension of the power to new sectors.

Turning to the issue of benefits within scope of the power, it is a matter for Parliament whether to accept that this should be broad enough to use in relation to any specified benefit administered by DWP, regardless of whether there is currently evidence of a pressing problem with all that are in scope. Alternatively, the power could be restricted to specified benefits where there is currently evidence of a significant problem and a mechanism added to permit expansion to other benefits in due course, as evidence of a problem develops. Such a mechanism could be akin to the requirement to create regulations to specify the data holder to whom an information notice can be issued.

Use of information

The provision will permit the DWP to use the information gathered for its wider functions. The reference to department functions under s127 of the Welfare Act 2012 includes training and employment. The further processing provisions in the data protection framework, including the compatibility test and other gateways, offer some protection, but Parliamentarians may wish to consider whether the provision should be drafted more tightly to limit the use of the information to purposes that align to paragraph 1(2).

Code of practice

Full scrutiny of the measure from a data protection perspective is challenging given that DWP intends to set out further detail about how this measure will operate in a code of practice. I understand this may include relevant data protection requirements around transparency, lawful bases for processing and special category conditions, individual rights including complaints, security and data retention. Given the intention to address these issues via a code of practice, in my view the legislation should be clearer that DWP is required, rather than simply empowered, to produce it. Where a code of practice is created, DWP must lay it in Parliament but parliamentary approval is not required. Given that the code will address key aspects of how the power will operate, in my view parliamentary approval would be appropriate.

Ongoing engagement with stakeholders, including with the ICO, will be important as the detail of the code of practice is developed to ensure the right practical measures and safeguards are incorporated.

Automated decision-making (ADM)

I accept that the proposed approach as explained by DWP to the ICO does not involve automated decision-making within the meaning of Article 22 of the UK GDPR. However, the risk remains that processing could eventually move into this territory, particularly given the limits of the measure in identifying relevant individuals with multiple accounts. It will be important that DWP keeps this under close review going forward.


[1] Since the DPDI (No 2) Bill was re-introduced to Parliament in the fourth session it has reverted to its original title (Data Protection and Digital Information Bill), dropping the reference to No. 2. Therefore, for the remainder of this document we will refer to the current version as the DPDI Bill.