The opportunity to reflect on and review the UK data protection legal framework and regulatory regime is a welcome one.
Three years have passed since the introduction of the Data Protection Act 2018, and the pace and scale of innovation means the data landscape has changed significantly. How we deliver high standards cannot be static. Digital technologies are one of the engines driving the UK’s economic growth. The digital sector contributed £151bn in output and accounted for 1.6 million jobs in 20191. In June this year it was announced that the UK now has one hundred tech companies valued at $1bn or more, more than the rest of Europe combined2.
It is important government ensures the UK is fit for the future and able to play a leading role in the global digital economy. I therefore support this review and the intent behind it.
As the proposals are developed, the devil will be in the detail. It will be important that Government ensures the final package of reforms clearly maintain rights for individuals, minimise burdens for business and safeguard the independence of the regulator.
The energy powering these new technologies is our data: about our behaviour, our interests, our spending patterns, our loves and likes, our beliefs, our health, sometimes even our DNA – the very building blocks that make us who we are. The economic and societal benefits of this digital growth are only possible through earning and maintaining people's trust and their willing participation in how their data is used. Data-driven innovations rely on people being willing to share their data. ICO research shows that people who have heard about a data breach have lower levels of trust and confidence in all organisations using their data.
We need a legislative framework with people at its heart and I am pleased to see the consultation recognise the importance of maintaining and building public trust. It is crucial we continue to see the opportunities of digital innovation and the maintaining of high data protection standards as joint drivers of economic growth. Innovation is enabled, not threatened, by high data protection standards.
I support the intention of the proposals to make innovation easier for organisations. I agree there are ways in which the legislation can be changed to make it simpler for companies to do the right thing when it comes to our data. Perhaps most notably, it is vital that the inevitable regulatory and administrative obligations of legal compliance are proportionate to the risk an organisation's data processing activities represent. That means finding proportionate ways for organisations to demonstrate their accountability for how they collect, store, use and share our data. They must ensure data is safe and is not used in ways that might cause harm. And they must ensure that all people are able to exercise rights over their personal data.
To ensure high standards are met, and that people have the trust and confidence to contribute positively to the digital economy, the UK needs a strong, effective regulator. I welcome the proposals to ensure the ICO's powers are effective, and my office will be engaging closely with Government to ensure we have the resources we need to fulfil our role.
I also welcome the proposal to introduce a more commonly used regulatory governance model for the ICO. A statutory supervisory board with separate Chair and CEO will be better suited to the ICO’s role as a whole economy and public sector regulator with extensive domestic and international responsibilities.
I welcome too the recognition of the value of an independent ICO. An independent regulator assures the public of their protections and maintains trust in data-driven innovation. By holding government and public institutions to account, an independent ICO also builds trust in innovative uses of data in the public sector, and trust in democracy itself. And the independence of the regulator is key to the high standards that will help deliver future global trade and adequacy agreements.
Despite this broad support for the proposals to reform the ICO's constitution, there are some important specific proposals where I have strong concerns because of their risk to regulatory independence. For the future ICO to be able to hold government to account, it is vital its governance model preserves its independence and is workable, within the context of the framework set by Parliament and with effective accountability. The current proposals for the Secretary of State to approve ICO guidance and to appoint the CEO do not sufficiently safeguard this independence. I urge Government to reconsider these proposals to ensure the independence of the regulator is preserved.
Recognition of the ICO as a strong, independent regulator is also important in how the UK is seen globally. As Chair of the Global Privacy Assembly I have seen first hand a clear trend towards high standards of data protection around the world. I welcome the recognition of the value of our high data protection standards in international trade. These standards make it easier to sell products and services. This is good for the public and good for business. Any reforms to the UK data protection regime should therefore always be weighed in terms of their impact on the ease with which data is able to flow between international jurisdictions.
The observations set out in this consultation response are based on our experience of dealing directly with how data protection law impacts people and business. My office has carried out a great deal of work to provide regulatory clarity to businesses through our extensive guidance and tools, as well as initiatives like our regulatory sandbox and grants programme. We also have strong insight into the concerns faced by the public and the regulatory challenges faced by small and medium sized organisations through the hundreds of thousands of calls and enquiries our teams respond to each year.
Data protection is not just an academic exercise, or the province of regulators or data protection officers. It matters to all of us, and has the power to affect every aspect of our lives. I, and my office, remain committed to supporting the Government to ensure a data protection framework that works for everyone, and is fit for both the challenges and the opportunities ahead. The ICO has provided support throughout the development of these proposals, and stands ready to implement the reforms that Parliament decides upon.
Elizabeth Denham CBE
UK Information Commissioner