The UK’s data reform consultation, what is in it and what does it mean for the future of UK data policy?
One year on from the publication of the UK’s National Data Strategy, the consultation Data: A new direction, launched on 10 September, seeks to deliver on the second mission of the National Data Strategy: to develop a pro-growth and trusted data regime for the UK.
The consultation is a welcome and significant document. It seeks feedback on detailed proposals and options for the reform of the UK’s data protection framework, and also poses more open questions, such as how data protection can facilitate the responsible development of artificial intelligence (AI), where the Government is seeking further input from industry, academia and civil society.
The proposals seek to build on the current UK General Data Protection Regulation (UK GDPR) framework, such as its data processing principles, its data rights for citizens, and its mechanisms for supervision and enforcement. These key elements remain at the heart of the UK’s approach to data rights and will continue to underpin the protection of personal data and control of individuals over how their data is used.
Reforming the data protection framework is a complex discussion that must be balanced, open and thorough. However, this is a welcome opportunity to consider how the data protection rules could work better for citizens and businesses, as well as keeping pace with the way modern societies expect to be able to use, access and share data.
The UK will also need to consider how any changes to its data protection framework will impact its standing as a jurisdiction seen to hold a high standard of data protection. Implementing common sense reforms that maintain the confidence of key partners, such as the EU, will be vital to show the UK remains in step with a global trend towards strong privacy protections while also giving businesses the confidence to invest in data innovation in the UK.
Responding to the release of the data reform consultation, techUK said:
“The consultation opens a significant discussion in the UK about the future of the UK’s data protection regime. The approach is firmly rooted in the GDPR framework, and the consultation includes some sensible ideas about how it can be improved. However, both businesses and civil society will want to take a close look at the proposed reforms to privacy management frameworks, the grounds for data processing and international data transfers.
Encouraging innovation need not come at the cost of weakening data protection standards. The objective must be to ensure that innovation is enabled, citizens are able to exercise their rights and the UK is seen as a secure location for international data. Businesses will want to see the UK maintain its data adequacy agreement with the EU.”
The consultation will run for 10 weeks, closing on 19 November; further details can be found here.
The consultation sets out guiding principles for the reforms it proposes as well as five chapters focusing on:
- Reducing barriers to responsible innovation
- Reducing burdens on businesses and delivering better outcomes for people
- Boosting trade and reducing barriers to data flows
- Delivering better public services
- Reform of the Information Commissioner’s Office
A summary of these can be found below. Please note that this does not cover every aspect of the consultation, and those interested in responding should read the full document, which can be accessed here.
The Government has also published an impact assessment of the proposed changes, which can be found here.
Guiding principles:
The consultation sets out six guiding principles:
- Ensuring the UK’s data protection regime creates a net benefit for the whole of the UK
- Making sure the regime is future-proofed, supportive and adaptable to new technological innovations
- Delivering a high standard of data protection for citizens whilst offering organisations flexibility in determining how to comply most effectively
- Ensuring organisations that currently comply with the existing regime remain compliant bar small changes
- Ensuring the Government’s approach to data protection actively takes into account the benefits of responsible use of personal data, while maintaining public trust
- Underpinning the regime with effective, risk-based and preventative supervision and maintaining the ICO's status as a world-leading independent regulator
Chapters:
1. Reducing barriers to responsible innovation:
This chapter seeks to make common sense amendments to the processing of data and provide certainty to organisations and citizens on the bases for data processing. This includes proposals to:
- Provide greater clarity and certainty on the bases under which data can be processed for scientific research and university research
- Create a limited, exhaustive list of legitimate interests for which organisations may process data. This would provide more certainty for organisations and consumers and include such purposes as: delivering statutory public communications and public health and safety messages by non-public bodies; improving or reviewing an organisation’s system or network security; improving the safety of a product or service; and monitoring, detecting or correcting bias in relation to developing AI systems.
This chapter also asks broad questions about key concepts and rights in relation to AI systems. This section of the consultation is more open, and the Government is seeking a wide range of views to inform its next steps. techUK members and wider stakeholders will want to take a close look at these proposals before responding. The proposals include:
- How to clarify the concept of fairness and how it is applied and assessed in automated decisions.
- What legal bases should be applied for processing data that is used for training AI systems.
- How the Government could clarify the limits and scope of what constitutes ‘a decision based solely on automated processing’ for compliance with Article 22 of the UK GDPR.
- Whether Article 22 should be removed with automated decision making permitted as long as it meets the other requirements of the data protection framework.
2. Reducing burdens on businesses and delivering better outcomes for people:
This chapter consults on proposals to make the UK’s future data protection regime incentivise organisations to invest more effectively in the governance, policies, tools, people and skills that protect personal data, allowing individuals to have even greater confidence that their personal data is being used responsibly. It includes proposals to:
- Implement a more flexible and risk-based accountability framework based on privacy management programmes. This is modelled on the Canadian approach to privacy management and would create a less prescriptive approach to the privacy policies organisations must create, allowing organisations to set policies more relevant and proportionate to their data processing activities. However, while the Government believes that placing privacy management programmes at the heart of accountability creates an opportunity to remove overly burdensome requirements from legislation, it expects that a strong privacy management programme is likely to exhibit many of the same features as how businesses manage personal data under the current legislative framework.
- To help facilitate the implementation of the privacy management programme, the Government also proposes to remove the requirement for an organisation to appoint a Data Protection Officer (DPO) and to carry out a data protection impact assessment. It is also consulting on changes to the record-keeping and breach reporting requirements of the GDPR.
- Under the privacy management programme, organisations will still be required to have in place risk management processes, including processes which allow for the identification, assessment and mitigation of data protection risks. Organisations will remain liable for investigation and the same level of fines as under the existing regime should they fail to meet the data protection standards of the UK GDPR.
3. Boosting trade and reducing barriers to data flows
The UK will maintain the existing framework for international data transfers, only permitting the transfer of personal data across borders when additional legal safeguards are met, such as the presence of a data adequacy agreement, the use of standard contractual clauses, organisational arrangements, codes of conduct and specific derogations. The UK will, however, consult on allowing greater use of some of these safeguards to suit more data transfer situations, and seek to embed additional flexibility in the system so the UK can respond to new international transfer methods. These proposals include:
- Taking a more risk- and outcomes-based approach to UK data adequacy decisions, including the ability to make adequacy regulations for a group of countries that share a data protection framework, and ending the requirement to reassess destinations for adequacy every four years, instead moving to a general monitoring approach.
- Exempt ‘reverse transfers’ from the scope of the UK international transfer regime. This reform would exempt data that has been received by an organisation in the UK and is being sent back to the original transferor from the international transfer regime, meaning a specific UK clause or transfer mechanism would not have to be added to the process.
- Allow companies to design their own transfer mechanisms based on the provisions in the New Zealand Privacy Act 2020.
- Support the greater use of certifications and derogations for international transfers.
- Empower the Secretary of State to formally recognise new alternative transfer mechanisms should these arise.
4. Delivering better public services
This chapter aims to build on the UK’s experience of using data to fight the COVID-19 pandemic and make reforms that the Government believes are in the public interest and will provide benefits for collaboration between the public and private sectors. These include proposals to:
- Clarify that private companies, organisations and individuals who have been asked to carry out an activity on behalf of a public body may rely on that body’s lawful ground for processing the data and therefore would not need to identify a separate lawful ground. The Government, however, does not plan to introduce a general requirement that would compel disclosure of personal information to law enforcement or intelligence agencies.
- Clarify that public and private bodies may lawfully process health data when necessary for reasons of substantial public interest in relation to public health or other emergencies.
- Introduce compulsory transparency reporting on the use of algorithms in decision-making for public authorities, government departments and government contractors using public data.
- A request for feedback on whether to extend the list of situations under the GDPR where special category data can be processed where there is a substantial public interest in doing so.
5. Reform of the Information Commissioner’s Office
The Government wants to empower the Information Commissioner not just to protect data rights but also to unlock the power of data. It is therefore suggesting reforms to the structure of the ICO to bring it in line with other UK regulators and to set new strategic objectives for the regulator that better align with the role of data in the modern economy. Some of these changes include:
- The Government proposes to introduce a new statutory framework for the ICO that takes greater account of the regulator’s increasingly important role in economic growth, innovation and competition. The Government will also propose that the ICO deliver a more structured and transparent international strategy.
- The Government is proposing a new power for the Secretary of State for DCMS to prepare a statement of strategic priorities to inform how the ICO sets its own regulatory priorities. Such a step would bring the ICO into line with regulators such as Ofcom, Ofwat and Ofgem.
- Proposals to reform the structure of the ICO to include an independent board and a chief executive officer. The board would be led by a chair with non-executive directors. The chief executive officer would have responsibility for the running of the organisation, while answering to the board.
- The Government proposes introducing a requirement for complainants to attempt to resolve their complaints directly with the relevant data controller before lodging a complaint with the ICO. This is aimed at reducing the burden on the ICO and the number of vexatious complaints received.
- To complement this, the Government will consult on placing a requirement on data controllers to have a simple and transparent complaints-handling process in place to deal with data subject complaints. This is currently not a requirement under the existing legal framework.
The consultation principally relates to regulation and legislation contained within the GDPR, the Data Protection Act 2018 and the Digital Economy Act 2017.
This blog is part of a series exploring the UK's upcoming reform to its data protection regime. Learn more here.
Sue Daley
Sue leads techUK's Technology and Innovation work.
Neil Ross
As Associate Director for Policy Neil leads on techUK's public policy work in the UK. In this role he regularly engages with UK and Devolved Government Ministers, senior civil servants and members of the UK’s Parliaments aiming to make the UK the best place to start, scale and develop a tech business.
Margherita Certo
Margherita is the Head of Press and Media at techUK, working across all communications and marketing activities and acting as the point of contact for media enquiries.