Bill to implement and extend GDPR passes its second reading in the House of Commons
The Government has tried to reassure parish councils and other small local authorities that a new data protection regime will not force them to hire full time data protection officers.
Culture Secretary Matt Hancock (pictured) told the House of Commons this week that he had received representations from the National Association of Local Councils "and many of my own parish councils" about the cost of complying with the EU General Data Protection Regulation (GDPR), which comes into force on 25 May.
Labour MP David Drew had raised the issue by saying that compliance could cost the smallest authorities some £3.5 million a year.
Hancock replied that the responsibilities of data protection officers can be implemented in different ways. "For instance, several parish councils can choose to share a single data protection officer, provided that he or she is easily accessible from each establishment. The system does not require the hiring of one person per organisation."
He added: "Organisations have already been set up to provide this service, and the service itself is important. In the case of a small organisation, such as a very small business or a parish council on a low budget, it is still important for data to be handled and protected carefully, because small organisations too can hold very sensitive personal information."
Hancock was speaking during the second reading in the Commons of the Data Protection Bill, which will implement the GDPR in UK law to enable the free flow of data following Brexit and replace and extend measures in the current 20-year-old Data Protection Act. The bill was passed to committee stage, which it is due to complete by 27 March.
”With greater control, greater transparency and greater security for our data, the bill will help to give us a statute book that is fit for the digital age as we leave the EU,” Hancock said.
During the debate, another opposition member, Daniel Zeichner MP, urged the Government to ensure that the legislation facilitates the effective use of NHS data. He recalled previous "false starts", in particular the care.data initiative.
"Despite good intentions, that programme clearly got it wrong," Zeichner said. "It failed to win public trust: there was widespread concern that the appropriate safeguards were not in place, and a failure properly to explain potential benefits to patients.
"It is easy to criticise, but winning trust is a very hard thing to do. The public are rightly concerned that data obtained for one use could then be applied in a different context, and could possibly be commercialised.
"We now have another programme under way, which we are told is GDPR compliant, and yet I wonder again just how many people are aware of it, and whether we can be sure that there will not be further problems."
Criticism of ICO
Meanwhile, Conservative James Cartlidge MP raised concerns about the quality of service provided by the Information Commissioner’s Office (ICO).
"I knew that some small businesses in my constituency were concerned about the impact of the GDPR, so I telephoned the Information Commissioner’s Office to find out what support was available to them," he said. "The only answer that the office could give to every question that I asked about how the GDPR would affect small businesses was 'Go to the website'."
"I am glad that there is a telephone line," Hancock said, assuring the house that the ICO "is obviously listening, with the aim of getting the guidance right and ensuring that, in lay terms, meeting the new standards is straightforward".