Public bodies raise concerns about proposed new legislation - especially about penalties
Several public bodies have raised concerns about forthcoming legislation to keep UK data protection laws in line with the EU after Brexit, the Government has revealed.
A well-trailed “statement of intent” from the Department for Digital, Culture, Media and Sport (DCMS) has set out plans for a parliamentary bill to repeal the 1998 Data Protection Act and bring domestic legislation into line with the EU General Data Protection Regulation (GDPR), which comes into force in May next year.
As expected, the legislation confirms ministers’ determination to ensure that Brexit throws up no barriers to businesses sharing data about customers and other individuals across the EU. However, it also ventures into some areas outside the EU’s jurisdiction - in particular national security.
If enacted, the promised Data Protection Bill will place several new burdens on data controllers in the public and private sectors. Among new offences to be created will be:
- Intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data. The maximum penalty would be an unlimited fine.
- Altering records with intent to prevent disclosure following a subject access request. This would be based on an equivalent measure in the Freedom of Information Act 2000. Again this would carry a maximum penalty of an unlimited fine.
For criminal justice agencies, the statement says the legislation will introduce:
- A requirement for a mandatory data protection officer. “This is a new role and will advise data controllers on data issues, handle complaints and ensure compliance,” the statement says.
- A requirement on data controllers to prove any assessment that a request by an individual to obtain or verify information held about them is “manifestly unfounded or excessive”.
- More prescriptive logging requirements so a full audit trail is available of how data is collected, manipulated, shared and erased.
Although widely interpreted as being driven by the need to align with the GDPR, the statement says the Data Protection Bill will also ensure consistency with the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. This is a draft standard designed to provide a data protection framework for national security purposes - which is outside the scope of EU law.
Alongside the statement of intent, the DCMS has published the responses to a consultation on GDPR derogations, including several from local authorities and other public bodies.
Among the concerns of NHS Digital are the implications for data retained for research purposes and the impact of any restrictions on the use of the NHS number.
Meanwhile according to Somerset County Council, “the public sector now needs more specific guidance and legal certainty from government about the appropriate legal condition for sharing personal data in order to provide the kind of integrated health and social care which is foreseen in the 2014 Care Act”.
Several bodies have concerns about the enforcement regime. Leeds City Council calls for discretion to ensure that in the UK maximum administrative fines on public authorities are no higher than at present. Essex County Council recommends that an administrative fine system is developed for public authorities “which takes into account the grounds for issuing of a fine as well as the lack of funds available to public authorities, and that any fine issued simply moves taxpayer money from one public purse to another”.
Such pleas are unlikely to receive much sympathy from a government determined to signpost that it is moving above and beyond the strict requirements of the GDPR.
Introducing the statement of intent, Matt Hancock (pictured), minister for digital, said: “The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world. The bill will give people more control over their data, require more consent for its use, and prepare Britain for Brexit.”
Image from GOV.UK, Open Government Licence v3.0