On 27 April 2017 (during the 'wash-up' period prior to the formal dissolution of Parliament), the Digital Economy Act received Royal Assent. The Act covers a variety of different measures designed to improve internet connectivity and afford greater protection for internet users. These range from the creation of 'Universal Service Obligation' for fast broadband services to the creation of an age-verification system for viewing online pornography.
Two particular areas of relevance to data protection are as follows:
Digital government: sharing of personal data within the public sector
The Act contains seven chapters on 'Digital Government' which, in short, cover a range of instances where personal data may be shared between public sector bodies. This reflects a departure from the longstanding position that an individual dealt with each public authority separately and confidentially.
For instance, the first chapter permits extensive sharing of personal data between public authorities including gas and electricity companies under prescribed circumstances, on the basis that this will improve efficiency and service delivery amongst public services.
Other provisions cover data sharing by civil registration officials; allowing for the exchange of personal data in connection with a person owing debts to a public authority or the Crown. Equally, personal data may be disclosed for the purposes of taking action in connection with fraud against a public authority.
Revenue authorities are permitted to share information for research and statistics, provided that such information does not specify a person and from which that person's identity is unlikely to be deduced. They may also disclose non-identifying information where this would be in the public interest.
Various provisions relating to the confidentiality of personal information are included in the Act and it may be a criminal offence to disclose confidential personal information in contravention of the provisions. However, there are a number of exemptions permitting disclosure of confidential information and these have attracted wide spread criticism, with some questioning whether there is a risk of excessive disclosure.
During the course of the Bill's progress through parliament, the ICO made a number of recommendations on additional safeguards that should be added to these data sharing provisions. As a result, public authorities are required to issue a code of practice consistent with the ICO's data sharing code of practice, and to have regard to the ICO's codes of practice on privacy impact assessments and privacy notices.
The ICO will no doubt be pleased that such measures have been built into the provisions. However, a research report from Civica Digital and the UK Authority indicates that the ICO's recommendations may not have been enough to provide those affected with confidence in the new data sharing provisions. In fact, it indicates that 75% of respondents felt there was a conflict between the Digital Economy Act and the General Data Protection Regulation, which are pulling data sharing in different directions. Tension between the two could put a brake on growing confidence about data sharing, even though individuals, as well as public sector organisations, could benefit from increased efficiency and the reduction of fraud.
Statutory direct marketing code
Section 96 of the Act requires the ICO to prepare a direct marketing code of practice in relation to carrying out direct marketing activities. Although the Information Commissioner published its existing guidance on direct marketing in 2013, this guidance has no formal status. With this in mind, the Information Commissioner has welcomed the provision for a direct marketing code of practice which, despite not being legally binding, would be admissible in evidence and must be taken into account by the Information Commissioner, a tribunal or a court in relevant cases. When published, the code of practice will be a helpful tool in the ICO's fight against nuisance marketing communications.