The ICO exists to empower you through information.

Annex One – Technical drafting comments

Share Download options

Pages

Format

This annex complements the Information Commissioner’s response to the Data Use and Access (DUA) Bill. It draws on my office’s experience regulating the current legislative framework to provide detailed technical advice. It summarises where we:

  • think drafting changes could provide further clarity; or
  • do not think drafting reflects the policy intent.

It should be read alongside the accompanying response from the Information Commissioner. Clause numbers reflect the version of the Bill as at introduction to Parliament on 23 October 2024.

Customer data and business data

Clause 22 – regulations under this Part

This clause considers the provision for different areas of the legislation. Subclause (3) specifies that the Secretary of State or the Treasury must consult persons likely to be affected by the regulations and sectoral regulators with functions in relation to data holders likely to be affected by the regulations. We believe an explicit duty to consult the ICO should be set out in the drafting. The current reference to “sectoral” regulators creates ambiguity about whether this includes cross-economy regulators, such as the ICO.

Digital verification services

Clause 46 – Information disclosed by HM Revenue and Customs

This clause relates to "personal information" disclosed by HM Revenue and Customs for the purpose of enabling a person to provide digital verification services. Subclause (5) uses the defined term "personal information" rather than "personal data" and provides a definition of personal information that differs from the accepted definition of personal data in the data protection legislation. It is unclear if this is by design and we would suggest amending the clause to bring it into line with other definitions of personal data.

Clause 49 – Code of practice about the disclosure of information

This clause relates to the Secretary of State preparing and publishing a code of practice about the disclosure of information under section 45. Subclause (3) explains that a public authority must have regard to the code of practice when disclosing this information and goes on to define a public authority in subclause (11). However, this definition of a public authority differs from other definitions found elsewhere, such as part 2 of the DPA 2018 (chapter 2, section 7). This is not necessarily problematic, but we would need assurance that the definition would not be cross-applied.

Data protection and privacy

Clause 67 – Meaning of research and statistical purposes

The research, archive and statistics (RAS) provisions allow data to be kept indefinitely, provide exemptions from some data subject rights, and allow an assumption of compatibility for the re-use of data (unless the data was originally collected under consent).

Clause 67 draws on wording from recital 162 of the UK GDPR. It only allows processing for statistical purposes to benefit from the RAS provisions if:

  • the results of the statistical processing are aggregate data that is not personal information; and
  • neither the original personal information, nor the results, are used to make decisions about the original data subjects.

Our view is that aggregate data may sometimes also be personal data (if the ‘key’ that would allow de-aggregation and reidentification of a data subject is retained). This means that this drafting would prevent a data controller from benefitting from the RAS provisions if they have taken steps to aggregate personal data, but retained the ‘key’ that would allow de-aggregation.

We assume this is the government’s intention.

Clause 68 – Consent to processing for the purposes of scientific research

This clause incorporates the “broad consent to processing for research purposes” wording from recital 33 of the EU GDPR into the legislation. We have some comments about the clarity and structure of this clause. In particular:

  • we suggest that the text inserted would be better placed under article 7 rather than under article 4(7), as we consider that it provides detail on the conditions for consent, rather than the definition of consent.
  • Regardless of which article the new text is inserted into, we consider that the words “it does not fall within that definition because (and only because)” should come before each of the criteria (a) to (d), rather than as part of (a). So that it applies to each of (a) to (d).
  • Regardless of which article the new text is inserted into, we consider that using the word ‘purposes’ in subsection (b) risks introducing confusion about the level of specificity required for purposes in other parts of the legislation (particularly in relation to privacy information, where we would generally consider that ‘scientific research’ is a specific enough purpose). We therefore suggest that it would be preferable to say “(b) at the time the consent is sought, it is not possible to be specific about the precise research activities for which the personal data will be processed”.

Clause 71 – The purpose limitation

We consider the addition of “or on behalf of the controller” in article 5(1)(b) is inconsistent with the language used elsewhere in the legislation (where there appears to be no need to specify that provisions apply both when a controller is acting in its own right and when it instructs a processor to act on its behalf).

We think this wording is unnecessary and there is a risk that including it here but not elsewhere could be taken to be more significant than it is. It may also be misinterpreted as meaning that processors have a responsibility to assess compatibility (rather than just to act on the instruction of their controller).

Clause 72 – Processing in reliance on relevant international law

Whilst we do not, in principle, oppose allowing specified relevant international law to provide a legal basis for a public task. However, in our view the Agreement between the Government of the United Kingdom of Great Britain and Northern Ireland and the Government of the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime, signed on 3 October 2019, does not provide UK Communications Service Providers with any specific authority or powers that provide such legal basis. In any case, we consider that it is not necessary to add this particular agreement to the schedule of relevant international law, as this processing can already take place under the legitimate interests lawful basis for processing.

Clause 74 – Processing of special categories of personal data

Referring to the change made to the definition of ‘sensitive personal data’ in the Investigatory Powers Act 2016, we think this would be better phrased as “processing of data relating to a deceased individual that would be that kind of processing if the data was personal data related to a living individual”. This is because information about a deceased person would not be personal data.

Clause 77 – Information to be provided to data subjects

Article 14(5) currently allows an exception from providing transparency information where an organisation has not collected personal data directly from the data subject and providing this information would constitute a disproportionate effort. This clause mirrors this exception within article 13 where organisations have collected personal data directly from a data subject for research purposes. However, it does not include the following wording from article 14: “likely to render impossible or seriously impair the achievement of the objectives of the processing for which the personal data are intended”. We think this could be interpreted as meaning that where organisations have collected data directly from the data subject, it is not possible to claim exception from providing transparency information on these grounds (eg where full transparency may undermine research objectives, or the cost of providing privacy information would impair the objectives of the research).

Clause 80 – Automated decision-making

In reference to part 4 processing, this clause provides that if there is no opportunity for human involvement in an automated decision, then that decision will be “a decision based on entirely automated processing”. It is, however, silent on what the effect is if there is an opportunity for human involvement. Our understanding is that the government’s intention is that a mere ‘opportunity’ for human involvement in a decision will not be sufficient to take a decision outside of the scope of “a decision based on entirely automated processing”. Organisations would have to exercise this opportunity to have this effect. It would be useful to make the intent clear in the drafting or the explanatory notes.

Clause 84 and schedules 7, 8 and 9 – Transfers of personal data to third countries etc: general processing

We think the changes to chapter 5 of the UK GDPR may benefit from further clarity in some areas. For example, referring to both tests for adequacy (article 45B) and for appropriate safeguards (article 46(6)) as the “Data Protection Test” may lead to confusion. Although our guidance can clarify this, we would prefer for the government to make this explicit in the legislation. There are also areas where the drafting of the provisions seems to introduce a level of ambiguity, although it is seeking to clarify existing practice when the government assesses the adequacy of third countries.

We welcome the legislative language confirming that adequacy regulations approving the transfer of data to a third country or international organisation ‘may only be made’ if the Secretary of State considers that the data protection test is met. The schedule also specifies that the Secretary of State may have regard to any matter they consider relevant, including the desirability of facilitating transfers of personal data to and from the United Kingdom, when deciding to make adequacy regulations. The government has been clear on its position that adequacy regulations must meet the data protection test, and that in their view there is no conflict.

However, the interaction between article 46(6) and the requirements of article 45B (2), which sets out the factors that the Secretary of State must consider when determining if the data protection test has been met, would benefit from being clearer. It would be helpful to clarify that the matters the Secretary of State may consider do not outweigh or take precedence over the need to meet the data protection test. We would welcome explicit clarification in the legislation that there is a distinction between the decision-making about which countries to make adequacy regulations for and the decision about whether any such country meets the data protection test. This would improve regulatory certainty.

In terms of the scope of adequacy regulations, article 45B(3)(c) states that they are to apply to transfers “from the UK”. This may be restrictive to controllers based outside the UK but caught by the scope of the UK GDPR due to article 3(2), who would otherwise benefit from the adequacy decision.

Schedule 8 also introduces change to the international transfers regime for Part 3 of the DPA, for transfers for the purposes of law enforcement. Whilst these are largely analogous to the changes made for chapter 5 of the UK GDPR, there are also changes to clarify that law enforcement Competent Authorities can make transfers. Whilst we welcome the intent of these changes to provide certainty, we think there are some improvements that could render these clauses more useful to Competent Authorities. We remain engaged in discussions with the Home Office on the practical impact of these changes.

Clause 88 – Joint processing by intelligence services and competent authorities

The proposed new section 82A(2) states that, “the Secretary of State may only designate processing by a qualifying competent authority that is carried out by the authority as a joint controller with at least one intelligence service". As a joint controllership arrangement is only possible once the designation has been made, we suggest that the drafting needs to reflect this. To the effect that the Secretary of State may only designate processing by a qualifying competent authority that will be carried out following the issue of the designation notice by the authority as a joint controller with at least one intelligence service.

Clause 103 – Court procedure in connection with subject access requests

The government's intention behind this new clause is to replicate section 15(2) of the Data Protection Act 1998. We do not believe this is necessary given the existing rules around court procedures. However, we agree that its insertion will help add assurances that the information in question should not be disclosed to the data subject until the court has made its determination regarding entitlement. We consider that the inclusion of "as is available to the controller" in s.180A(2) narrows the current position of the courts and conflicts with court procedure rules. This drafting leaves the information that is ‘available’ to the controller open to interpretation and introduces the potential for controllers to further complicate the proceedings to determine the data subject’s right of access by raising arguments as to the availability of information for the court to deal with.

In our view, removing "as is available" and including alternative drafting which makes clear that the controller must provide the information the court requires to make their determination would simplify and clarify this clause. We consider subsection (4) of this provision unnecessary and believe it should be removed. One of the effects of clause 78 (searches in response to data subjects' requests) is to confirm that “the information” as referred to in s.180A(1) (and used throughout s.180A) refers only to such information as the controller is able to identify as a result of reasonable and proportionate searches. The inclusion of s.180A(4) is therefore unnecessary, in that it simply serves to confirm the position arising as a result of both the current interpretation of the access provisions and of clause 78. We consider this may add undue confusion and therefore suggest this subsection is removed.

Other provisions about use of, and access to, data

Clause 122 – Retention of information by providers of internet services in connection with death of a child

The Bill updates the Online Safety Act to establish a data preservation process. Following instruction by a coroner, this will require Ofcom to issue data preservation notices to online service companies to ensure they retain data that a coroner may later request when carrying out an inquest into a child's death, or that Ofcom may need in order to report to the coroner on the operation of a particular online service in such circumstances. Given the nature of online services, the retained information could include the personal data of other service users with whom the child has interacted.

We recognise the constraints on coroners’ time in identifying cases where the reported circumstances of the death suggest that there is at least a reasonable prospect that the use of online services could be a factor before an investigation begins, and the risks associated with them not having access to the information when needed. We are reassured that the power includes a time limit for retaining information, and a duty on Ofcom to cancel a notice if it is told by the investigating authority that it no longer needs to retain the information in question. We also note that, in any case, any re-use of data retained for this purpose will be subject to the usual data protection purpose limitation provisions.

Clause 124 – Retention of biometric data and recordable offences

This clause enables a law enforcement authority to retain fingerprints and DNA profiles where a person has been convicted of an offence equivalent to a recordable offence in a jurisdiction outside England and Wales and Northern Ireland. The amendment to s18E of the Counter Terrorism Act (CTA) proposes the insertion of a new subsection 5A. This would require a person outside England and Wales to be treated as having been convicted of an offence, even though the relevant court in the other country or territory made a finding equivalent to finding that the person is not guilty by reason of insanity. In England and Wales, a verdict of not guilty by reason of insanity may result in an order for absolute discharge (as opposed to a hospital or supervision order). It would be helpful to understand why a similar finding of insanity in another jurisdiction would need to be treated as equivalent to a conviction in England and Wales.

Clause 126 – Retention of biometric data from Interpol

This clause enables fingerprints and DNA profiles obtained as part of a request for assistance, or notification of a threat, from Interpol and held for national security purposes by a law enforcement authority to be retained until the authority is informed that the request or notification has been withdrawn or cancelled.

It is not clear whether the proposed new s18AA CTA will cover diffusions as it refers to ‘requests for assistance’ (rather than cooperation) and these are sent to the UK ‘via INTERPOL’s systems’ rather than via the country’s National Central Bureau. If it is not intended to cover diffusions 3, it is not clear that they are intended to fall within the description of ‘other international exchange routes’.

Clause 130 – Recognition of overseas trust products

This clause amends the eIDAS regulations covering overseas trust services. Article 45A addresses the legal effects of overseas electronic signatures etc. This article considers how the Secretary of State must be satisfied about the reliability of the products providing these services and, in doing so, have regard to the law in the other country or territory. It is unclear who has the expertise to make such an assessment (ie whether this is for the Secretary of State to determine or whether there is an expectation that ICO will undertake the assessment). This requires further clarification.

Schedule 4, Lawfulness or processing: recognised legitimate interests

General

We think it would be helpful if the explanatory notes could explicitly state that, in all the proposed new recognised legitimate interests, an assessment of necessity involves consideration of the proportionality of the processing activity. As our current guidance advises, a processing activity will not be necessary if it is not a targeted and proportionate means of achieving the stated purpose.

Disclosure for purposes of processing described in Article 6(1)(e)

We suggest that this heading does not reflect the content of these new clauses and would be better expressed as “disclosures for the purposes of satisfying requests that a controller has confirmed relate to its Article 6(1)(e) purposes” or similar. This would better reflect the purpose for which the disclosing data controller has to establish necessity.

We note the Bill shifts responsibility for assessing whether a requesting controller needs personal data in order to perform its public task away from third party data controllers that might receive requests for such information. Instead it places that responsibility with the controller seeking the information for the purposes of delivering the public task. Our guidance will emphasise that controllers requesting personal data from third parties should do so responsibly and ensure that they do not request more data than is necessary for their purposes. Otherwise they may find themselves non-compliant when they receive any data that they have requested unnecessarily. We note, however, that this clause does create an accountability gap. The requesting controller will only become accountable when it receives any data, not when it requests it. Equally, we will only be able to exercise our powers to address any excessive processing of data and related harms to people at this later point.

Schedule 5, Annex 2 (paragraph 2) – Disclosure for the purposes of archiving in the public interest

This clause enables further processing of personal data for the purposes of archiving in the public interest to be considered as compatible processing, even if the original processing was based on the consent of the data subject.
We have some reservations about diluting the concept of consent to allow this processing. This is because we consider that when people give their consent to their personal data being processed, they have a reasonable expectation that they will retain control over how it is used, apart from in some very limited circumstances.

However, we also appreciate the challenges faced by the archiving sector in this context. We welcome the limitation of the drafting to only address the specific problem advised by archivists (that of disclosures at the request of third-party archiving bodies) and note the remaining need to satisfy the fairness principle. If possible, it would be helpful to define what is meant by ‘generally recognised standards’ in the legislation, otherwise we will seek to address this in ICO guidance in consultation with the archiving sector.

3 Member countries may request cooperation from each other through a mechanism known as a ‘diffusion’. Diffusions are circulated directly by a member country’s National Central Bureau to all or some other member countries. Diffusions must comply with INTERPOL’S Constitution and the Rules on the Processing of Data.