Parliamentary wheels are in motion for some important changes to the data protection regime over the coming months as the Government recently published the Coroners and Justice Bill. This Bill primarily deals with criminal law reforms but, as indicated in our January e-bulletin, notable new powers are introduced in the field of data protection. Although the majority of these reforms directly impact the public sector, with overall reform of the UK registration regime also on the cards, all private and public data controllers should keep an eye on the progress of the Bill:
- Assessment Notices – As anticipated, the draft Bill provides for a new Information Commissioner (ICO) power to issue an assessment notice on (an as yet undesignated list of) public sector bodies. Essentially the ICO will be able to compel those public bodies to submit to a data protection compliance audit on demand. The ICO has expressed disappointment that the Bill's powers are less extensive than those originally sought – i.e. to take action against all data controllers (whether public or private), as well as having powers to investigate data processors. The ICO has also voiced concerns that there seems to be little or no sanction in the Bill against a public body that fails to comply with an assessment notice.
- Government Information Sharing – To remove allegedly "unnecessary" legal obstacles to data sharing, Ministers (including Scottish Ministers in relation to their devolved powers) will be able to issue an "information-sharing order" to enable public authorities to share information including personal data. As well as covering data disclosures between departments and from authorities to government, "sharing" is given a wide definition and will include situations where information is used for a purpose other than that for which it was collected. Ministerial orders may be issued where these are necessary to achieve what are termed "relevant policy objectives" subject to proportionality and "striking a fair balance" between the public interest and the persons affected. Orders (which may also modify or override conflicting Acts of Parliament) will be issued in draft for consultation and review by the ICO who can report back privacy concerns within a 21-day period. The high-level provisions also provide for a legally enforceable data sharing code of practice to be issued by the ICO with practical guidance on how personal data may be shared lawfully.
- Registration Fees – the Bill paves the way for an overhaul of registration (or notification) fees for UK data controllers under the Data Protection Act. A new tiered fees regime, touted as a means to increase funding available to a hard-pressed ICO, will replace the £35 annual flat fee currently payable by all UK registered organisations. Fee levels are not finalised, although it is expected that the amount payable will depend on the size of the data controller organisation. It seems these will be categorised as small, medium or large, based on current EU law definitions, with large enterprises expected to see their registration fees increase to up to £1,000 annually.
On a separate but related administrative change, it seems probable that the new UK Information Commissioner will be Christopher Graham. Mr Graham, a former BBC journalist, is currently Director General of the Advertising Standards Authority and, subject to Parliamentary review of the appointment, has recently been announced as the Ministry of Justice's preferred candidate to replace current ICO incumbent Richard Thomas (on expiry of his tenure in June 2009).