The Ministry of Justice (MoJ) has recently released its response to two significant reviews of the data protection framework that are likely to lead to important changes in the UK data privacy laws.
Recommendations for changes to the Data Protection Act 1998 (the Act) are set out in two papers published by the MoJ at the end of November. Firstly, the MoJ has confirmed that it will implement the key recommendations of the Data Sharing Review Report delivered by Dr Mark Walport of the Wellcome Trust and the Information Commissioner, Richard Thomas, in July (the Report). Whilst supporting all of the Report's recommendations as good industry practice for organisations dealing with personal data, the MoJ has indicated that only some will require amendment to the Act.
Secondly, the MoJ published a response to its own consultation on the Information Commissioner's powers and funding that arose out of the Report's recommendations (the Consultation).
Both reviews set out to make recommendations that would increase public confidence in the sharing and handling of personal data in the public and private sectors, and that would help the Information Commissioner's Office (ICO) carry out its functions more effectively. The key proposals include:
- The ICO's existing power to carry out Good Practice Assessments (GPA) is to be extended so that, in the case of public authorities, it will no longer need to obtain the organisation's consent to the assessment. This allows the ICO to assess whether a public authority's processing of personal data follows good practice and to report on its findings. The same power has not been extended to private sector bodies. However, the ICO has been encouraged to consider how a private sector body's refusal or withdrawal of consent to a GPA should be factored into decisions on whether to take enforcement action.
- As an incentive to encourage participation in a GPA, organisations that have given their consent for the assessment are to be exempted from the ICO's new power to impose a civil penalty for any breaches of the Act discovered during the GPA. The exemption will not apply to the ICO's powers to issue information and enforcement notices.
- A new "fast-track" procedure to remove or modify any legal barriers to data sharing is to be created by granting the Secretary of State the power to permit or require the sharing of personal information between particular persons or bodies. The introduction of any such data sharing scheme will be subject to review and scrutiny by both Parliament and the ICO.
- The ICO's powers of inspection are to be strengthened by enabling it to specify the time by which, and the place at which, organisations must provide information requested under an information notice. In addition, the ICO is to have the power to require any person on premises where it is executing a warrant to provide such information as is appropriate to the investigation.
- Agreeing with a recommendation of the Report, the MoJ confirmed that it will not introduce a breach notification law requiring organisations to inform the ICO of significant data breaches. The MoJ considered that notifying the ICO of a breach likely to cause substantial damage or distress is a matter of good practice and did not believe a mandatory requirement was necessary. Instead, the ICO is to be mandated to produce guidance on when breaches should be notified, and a failure to notify will be taken into account by the ICO when considering enforcement action. (This is separate from the planned breach notification rules for communications network and service providers currently being debated in Europe.)
- The ICO is to be given a statutory duty to prepare, publish and review a code on the sharing of personal data with the purpose of providing practical guidance to the public and promoting good data sharing practice. The code will be given authoritative status and breaches of it will be taken into account by courts, the Information Tribunal and the ICO in the context of any legal or enforcement proceedings.
- The Report had encouraged the Government to bring into effect the ICO's new power to impose civil penalties for serious breaches of the data protection principles likely to cause substantial damage or distress to individuals. The MoJ has indicated that it is still working with the ICO to determine the size of such penalties, but concluded that it "saw the merits" of introducing a model similar to that of the Financial Services Authority (FSA). The Consultation also highlighted the importance of ensuring that the ICO and the FSA continue to engage with each other to minimise or eradicate any duplication of regulation.
- The flat fee of £35 for notification to the ICO is to be replaced by a new tiered structure based on the size of the organisation, measured by number of employees.
No exact timeframe has been given for implementing the recommendations endorsed in the reports. The reports themselves indicate that proposals requiring secondary legislation will be "brought as and when appropriate", although the MoJ has separately indicated that the changes required to increase the ICO's powers will be introduced as soon as parliamentary time allows.