On 10 September 2021 the government announced ‘Data: a new direction’, a consultation on reforms to data protection law in the UK. The consultation closes on 19 November 2021.
The headline aim of the proposals is to create an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data. The scale of the proposals and the government’s ambition becomes clear from the 146-page consultation document, which is packed full of proposed changes to the UK General Data Protection Regulation, Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003, plus dozens of questions for consultees.
The changes are numerous, wide-ranging and far-reaching, and often very bold – departing from what are now fundamental elements of the existing UK legislation and the EU GDPR upon which it was originally based. The changes are clearly big and bold enough to raise a serious question as to whether the EU will continue recognise the UK as providing adequate data protection safeguards (so as to ensure free flow of data between the EU and the UK) but the government believes it is ‘perfectly possible and reasonable to expect the UK to maintain EU adequacy’.
If implemented, many of these changes will have a big impact on data protection practices by public and private bodies alike. The most notable proposals for those operating in the health, care and life sciences sectors are:
- Introducing a new data protection accountability framework – with a requirement for organisations to run a privacy management programme, which in turn replaces the existing requirements for data protection officers, data protection impact assessments, consultation with the ICO prior to high risk processing, and records of processing activities. That’s right: those new requirements that came in under GDPR in 2018 may all be swept away. The threshold for reporting breaches to the ICO may also be raised.
- Introducing a fee regime (similar to that for Freedom of Information requests) for subject access requests – potentially allowing controllers to charge for or refuse requests based upon the cost of dealing with them. Many organisations in the health sector who complained when the right to charge fees was removed may now get their way.
- Requiring a data protection complaints process – controllers will need to have a clear and transparent complaints process in place and data subjects will be obliged to use that process prior to lodging a complaint with the ICO.
- Amending and expanding upon existing lawful bases for processing personal data – the legislation will make explicit that private organisations can rely on ‘public task’ when processing personal data on behalf of a public body. New lawful bases will be introduced off the back of the COVID-19 pandemic, for example in relation to sharing personal data in a public health emergency. Most interestingly (and at odds with the EU GDPR), a list of defined important legitimate interests will be introduced that can be relied upon as a lawful basis without any balancing test against the rights of data subjects. If implemented, this opens the door to a raft of new lawful bases for processing data that do not sit comfortably with the EU GDPR.
- Clarifying the legal test for anonymous data – to provide greater certainty as to when data is truly anonymous and specifying de-identification of data as a legitimate interest in itself that does not require a balancing test. This is intended to help free up the creation and use of anonymous datasets within the sector.
- Simplifying and freeing up use of data in scientific research and AI systems – consolidating the research-specific provisions of the legislation to make it simpler to use data for scientific research. Monitoring, detecting or correcting bias in relation to developing AI systems will be defined as legitimate interest that does not require a balancing test, and new conditions for processing special category personal data within such systems will be provided. The scope and requirements of automated decision-making rules will also be refined and clarified. This is all aimed at reducing the perceived barriers to effective use of AI systems created by the current legislation.
- Reforming current privacy and electronic communications regulations – including expanding the circumstances in which browser cookies can be installed and electronic communications can be sent, without explicit consent.
- Reforming the UK approach to adequacy and the international transfer mechanisms available – focusing on a risk- and outcomes-based approach, with a view to expanding the list of countries covered and providing clearer options for lawful international transfers of data.
This is of course only a set of proposals ahead of a lengthy consultation, so it will be many months before we find out which proposals make their way into draft legislation. However, the scale and ambition of the proposals are so bold that there is every reason to think this truly does mark a new direction in data protection within the UK.