UK data reform plans revealed: a snapshot

June 2022

DCMS publishes response to data reform consultation

DPOs, Records of Processing Activities and DPIA requirements are all set to go under UK Data Reform plans, as the Government pushes ahead with its intention to require organisations to implement a Privacy Management Programme (PMP).

Plans also include changes to PECR (the UK’s Privacy and Electronic Communications Regulations) including permitting charities to use the soft opt-in and allowing analytics cookies without consent.

The Government has set out the detail of how it plans to reform the data protection landscape in its response to the Autumn consultation.

Key highlights

(This article is not intended to cover the wide-ranging detail of the plans. The full consultation response from the Government can be found here).

Accountability 

  • The Government plans to proceed with the requirement for organisations to implement Privacy Management Programmes (PMPs).
  • Organisations currently compliant with the UK GDPR will not need to significantly change their approach, unless they wish to ‘take advantage of the additional flexibility the new legislation will provide’.
  • Organisations will have to implement a PMP based on the ‘level’ of processing activities they’re engaged in and the volume and sensitivity of the personal data they handle.
  • The PMP requirement will be subject to the same sanctions as under the current regime.

Data Protection Officers

  • The requirement to designate a Data Protection Officer will be removed.
  • There will be a new requirement to appoint a senior individual responsible for data protection. It’s envisaged most of the tasks of a DPO will become ‘the ultimate responsibility of a designated senior individual to oversee as part of the privacy management programme.’

Data Protection Impact Assessments

  • Under the new PMP requirement, organisations will be required to identify and manage risks, but ‘they will be granted greater flexibility as to how to meet these requirements’.
  • There will no longer be a requirement to undertake DPIAs as prescribed by UK GDPR.  However, organisations will be required to make sure they have ‘risk assessment tools in place for the identification, assessment and mitigation of data protection risks across the organisation.’
  • Organisations will be able, if they wish, to continue to use DPIAs but can tailor them based on the nature of their processing activities.
  • Existing DPIAs will remain a valid way of achieving the new requirement.

Record of Processing Activities

  • Personal data inventories will be needed as part of an organisation’s PMP, covering what personal data is held and where, why it was collected and how sensitive it is.
  • Organisations will not have to stick to the prescribed requirements set out under Article 30, UK GDPR.

Reporting Data Breaches

  • No changes will be introduced to alter the threshold for reporting a data breach.
  • The Government will work with the ICO to explore the feasibility of clearer guidance for organisations.

Subject Access Requests

  • The Government plans to proceed with changing the current threshold for refusing or charging a fee for Subject Access Requests from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’. It is said this will bring it in line with the Freedom of Information regime.
  • The Government does not intend to re-introduce a nominal fee for processing access requests.

Alongside changes to the current regime under UK GDPR, the Government plans include amendments to PECR. Key intended changes include:

Cookies

  • In the immediate term, the Government intends to permit cookies (and similar technologies) to be placed on a user’s device without explicit consent, ‘for a small number of other non-intrusive purposes’. It’s anticipated this will include analytics cookies which allow organisations to measure traffic to webpages and improve offerings to users.
  • It’s intended these changes will apply to connected technology, including apps on smartphones, tablets, smart TVs or other connected devices, as well as websites.
  • In the future, the Government intends to move to an ‘opt-out model of consent for cookies placed by websites’. The Government says its ambition is to improve the user experience and remove the need for ‘unnecessary’ cookie consent banners. It stresses an opt-out model would not apply to websites likely to be accessed by children (we’re assuming this means consent would be required) and its ambitions will be subject to an assessment that effective solutions are widely available for use.

Use of ‘soft opt-in’ extended

  • The ‘soft opt-in’ under PECR (which currently lets an organisation send electronic marketing to its existing customers without consent, provided they were offered an opt-out when their details were collected) is to be extended so that charities can rely on it. The parallel extension to political parties is covered under political campaigning below.

PECR fines to be increased

  • The Government plans to proceed with proposals to increase fines under PECR. This will allow the ICO to levy fines of up to £17.5m or 4% of a business’s global annual turnover, bringing the PECR maximum in line with the maximum under the UK GDPR. Currently the maximum fine under PECR is capped at £500,000.

Political campaigning

  • The Government plans to consider further whether political communications should remain within the scope of PECR’s direct marketing rules (or be excluded).
  • It also intends to extend the soft opt-in so that ‘political parties and elected representatives can contact individuals who have previously shown an interest in the activities of the party (for example, by attending a conference or making a donation) without their explicit consent, provided they have been given an opportunity to refuse such communications at the point of providing their details’.

Human oversight of automated decision-making and profiling

  • The Government notes  the vast majority of respondents to the consultation opposed the proposal to remove Article 22.  The right to human review of automated decisions is considered a fundamental safeguard. It was confirmed this proposal will not be pursued.
  • The Government says it will be considering how to amend Article 22 to clarify the circumstances in which this must apply. It says it wants to align proposals in this area ‘with the broader approach to governing AI-powered automated decision-making’.  This will form part of an upcoming white paper on AI governance.

Legitimate Interests

  • The Government intends to create a limited list of defined processing activities where there would not be a requirement to conduct a balancing test for legitimate interests. This list will initially be limited to ‘carefully defined processing activities’.
  • This is likely to include processing activities to prevent crime, reporting safeguarding concerns or those which are necessary for important public interest reasons.
  • The Government proposes a new power to be able to update this list subject to parliamentary scrutiny.

Adequacy

A key concern is whether UK data reform will put adequacy at risk. The European Commission has granted the UK adequacy, which allows the free flow of personal data from the EEA to the UK without the need for additional safeguards. However, in granting adequacy the Commission said it would keep the decision under review and could revoke it if the UK made significant changes to its regime (the decision also contains a sunset clause, expiring in June 2025 unless renewed).

The Government does not believe its plans put this decision at risk. The consultation response says: “the UK is firmly committed to maintaining high data protection standards – now and in the future”.

Response from the ICO

UK Commissioner, John Edwards says he shares and supports the ambition of these reforms.  In particular he says “I am pleased to see the government has taken our concerns about independence on board”.  You can read the ICO’s statement here.   The independence of the ICO was cited by Mr Edwards as an area which could jeopardise adequacy (in recent evidence he gave to the Science and Technology Committee).

What next?

We now await the detail of the Data Reform Bill, which will be subject to parliamentary scrutiny, so there is still some way to go before the intended changes come into play.

What does the IKEA CCTV story tell us?

April 2022

Only set up video surveillance if underpinned by data protection by design and default

What happened?

Following an internal investigation, IKEA was forced to apologise for placing CCTV cameras in the ceiling voids above the staff bathroom facilities in their Peterborough depot. The cameras were discovered and removed in September 2021, but the investigation has only just concluded in late March 2022.

An IKEA spokesman said:

 “Whilst the intention at the time was to ensure the health and safety of co-workers, we understand the fact that colleagues were filmed unknowingly in these circumstances will have caused real concern, and for this we are sincerely sorry.”

The cameras were installed following “serious concerns about the use of drugs onsite, which, owing to the nature of work carried out at the site, could have very serious consequences for the safety of our co-workers”.

They had been sanctioned following “multiple attempts to address serious concerns about drug use, and the use of false urine samples as a way of disguising it”.

“The cameras placed within the voids were positioned only to record irregular activity in the ceiling voids,” he said.

 “They were not intended to, and did not, record footage in the toilet cubicles themselves. However, as a result of ceiling tiles becoming dislodged, two cameras inadvertently recorded footage of the communal areas of two bathrooms for a period of time in 2017. The footage was not viewed at the time and was only recovered as part of these investigations.”

Apology and new ICO guidance

The key question raised by this incident is where to draw the line. When is it inappropriate to set up CCTV? In this instance, the company had concerns about drug misuse – but was that a good enough reason? I think a lot of us intuitively felt the answer was no. 

This apology conveniently coincides with the recent publication of some new guidance on video surveillance from ICO regarding UK GDPR and Data Protection Act 2018.

This guidance is not based on any changes in the legislation – more an update to provide greater clarity about what you should be considering.

Video surveillance definition

The ICO guidance includes all the following in a commercial setting:

  • Traditional CCTV
  • ANPR (automatic number plate recognition)
  • Body Worn Video (BWV)
  • Facial Recognition Technology (FRT)
  • Drones
  • Commercially available technologies such as smart doorbells and dashcams (not domestic settings)

Guidance for domestic use is slightly different.

Before setting up your video surveillance activity 

As part of the system setup, it’s important to create a record of the activities taking place. This should be included in the company RoPA (Record of Processing Activities).

As part of this exercise, one needs to identify:

  • the purpose of the surveillance
  • the appropriate lawful basis for processing
  • why the processing is necessary and proportionate to that purpose
  • any data-sharing arrangements and the agreements that govern them
  • the retention periods for any personal data captured

 As with any activity relating to the processing of personal data, the organisation should take a data protection by design and default approach when setting up the surveillance system.

Before installing anything, you should also carry out a DPIA (Data Protection Impact Assessment) for any processing that’s likely to result in a high risk for individuals. This includes:

  • Processing special category data
  • Monitoring publicly accessible places on a large scale
  • Monitoring individuals at a workplace

A DPIA means you can identify any key risks as well as potential mitigation for managing these. You should assess whether the surveillance is appropriate in the circumstances.

In an employee context it’s important to consult with the workforce, consider their reasonable expectations and the potential impact on their rights and freedoms. One could speculate that IKEA may not have gone through that exercise.

Introducing video surveillance

Once the risk assessment and RoPA are completed, other areas of consideration include:

  • Surveillance material should be stored securely, with access restricted to those who need it, to prevent unauthorised viewing or copying
  • Any footage transmitted wirelessly or over the internet should be encrypted in transit to prevent interception
  • How easily footage relating to a particular individual can be located and exported to fulfil DSARs
  • Ensuring adequate signage is in place so people know what is captured and how it is used.

Additional considerations for Body Worn Video  

  • It’s more intrusive than CCTV so the privacy concerns are greater
  • Whether the data is stored centrally or on individual devices
  • What user access controls are required
  • Establishing device usage logs
  • Whether recording is continuous or intermittent (activated only when needed)
  • Whether audio and video should be treated as two separate feeds

In any instance where video surveillance is in use, it’s paramount individuals are aware of the activity and understand how that data is being used.

Managing data transfers from the UK

February 2022

The new International Data Transfer Agreement (IDTA) and Addendum are a sensible evolution of the old SCCs

International Data Transfers – to recap

Whenever UK-based organisations arrange the transfer of personal data to a third country outside the UK, they need to make sure the transfers are lawful, by confirming the data security and rights of individuals remain protected when data leaves the country.

Since the famous “Schrems II” ruling by the Court of Justice of the European Union in July 2020, this activity has been thrown into disarray. To remind you, this is the ruling which invalidated the EU-US Privacy Shield and raised concerns about whether EU Standard Contractual Clauses (SCCs) on their own are enough to protect the data.

Soon after, the European Commission set to work to update the EU SCCs. These were drafted and enacted fairly swiftly taking effect on 27th June 2021. 

What are the new EU SCCs?

The new EU SCCs were expanded to introduce more flexible scenarios: 

  • SCCs are now modular meaning that they can accommodate different scenarios, where you can pick the parts which relate to your particular situation.
  • The SCCs cover four different transfer scenarios, including processors:
    • Controller to controller
    • Controller to processor
    • Processor to controller
    • Processor to processor
  • More than two parties can accede to the SCCs, meaning additional controllers and processors can be added through the lifetime of the contract. This potentially reduces the administrative burden.

How did this affect the UK? 

On 28th June 2021 the UK’s adequacy decision was adopted. From 27th September 2021 the prior version of the EU SCCs could no longer be used for new transfers from the EU (contracts already in place had a transition period to 27th December 2022).

In our webinar last year, it was obvious that everyone was confused. The situation caused by the “Schrems” ruling was compounded by the fact that Brexit had been completed. This meant the new SCCs approved in Europe were not recognised under the UK GDPR. The UK needed its own SCCs, but they did not exist.

The ICO consultation

From August to October 2021, the ICO conducted a consultation to understand how a UK version of these rules should be enacted. Since the EU had granted the UK an adequacy decision, we all hoped it would be possible to mirror the SCC arrangements in UK law, thus re-instating the means by which we can lawfully export data to places such as the US.

Anecdotally the resounding view was not to mess with the principles enshrined in the EU SCCs as it would simply add complexity to an already complex situation.

The ICO conclusion

In January, the ICO published the International Data Transfer Agreement (IDTA) and the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses. To the layperson, the EU’s standards have been adopted. 

What’s included in the Agreement and Addendum? 

    1. The International Data Transfer Agreement (IDTA) replaces the old EU SCCs which were relied upon to provide the appropriate safeguards required under the UK GDPR for international data transfers from the UK. There are differences from the new EU SCCs – it is a single all-encompassing agreement that incorporates all the scenarios identified in the EU SCCs. One can omit sections that don’t apply and there is no requirement for it to be signed. This is most useful for those creating new data transfer agreements.
    2. The UK Addendum is a far simpler document. It is an addendum to the EU SCCs where references to EU laws are replaced by references to UK laws. It allows businesses to use the EU SCCs for international data transfers from the EU but also from the UK. These are useful for those already using the EU SCCs who want a simple addendum to update the legal context. 

When does this come into force?

The IDTA was laid before Parliament on 2nd February 2022. It comes into force on 21st March 2022 if there are no objections. To all intents and purposes, it’s in force now. The Information Commissioner’s Office (ICO) has stated the IDTA and UK Addendum:

“are immediately of use to organisations transferring personal data outside of the UK, subject to the caveat that they come into force on 21 March 2022 and are awaiting Parliamentary approval“.

What does this all mean?

In practice, UK businesses can breathe a sigh of relief and get on with their lives. There is clarity at last. Existing agreements need to be updated with the UK Addendum and new ones can be put in place with the International Data Transfer Agreement. There will be an administrative burden, but businesses now know what they need to do.  Good sense has prevailed. 


UK data reform: Data Protection Officers

September 2021

One of the more surprising and thought-provoking proposals in the UK Government’s plans for data regime reform is removing the mandatory requirements surrounding appointing a DPO.

The idea is to replace the DPO with a requirement to designate a suitable individual (or individuals), who would be responsible for a privacy management programme and for overseeing data protection compliance.

Is this a good or risky move?

The Government consultation accepts there may be potential risks in removing mandatory DPO requirements, if this was seen to significantly weaken internal scrutiny. It points out organisations which undertake high risk processing may still choose to appoint someone who performs a similar role.

Who currently falls under the mandatory requirement?

At present, organisations need to appoint a DPO if they are a public authority or body or if their core activities require large scale, regular and systematic monitoring of individuals or consist of large-scale processing of special categories of data, or data relating to criminal convictions and offences. These requirements apply to both controllers and processors.

Most small businesses not involved in high-risk processing have always been out of scope. However some medium sized organisations have been unsure whether they should appoint a DPO or not. The advice given in the past was ‘if in doubt appoint a DPO’.

What key tasks must a DPO currently perform?

The DPO role currently has a formal set of accountabilities and duties, laid down within the GDPR. Let’s look at how these could be affected under the new proposal.

  1. Duty to inform and advise the organisation and its employees about their obligations under UK GDPR and other data protection laws. This includes laws in other jurisdictions which are relevant to the organisation’s operations. It’s questionable if a ‘designated individual’ without the obligations to stay close to these laws and guidance would remain so well informed about significant developments which may affect processing and if they would feel empowered to speak up when changes are needed.
  2. Duty to monitor the organisation’s compliance with the UK GDPR and other data protection laws. This includes ensuring suitable data protection policies are in place, training staff (or overseeing this), managing data protection activities, conducting internal reviews and audits, and raising awareness of data protection issues and concerns so they can be tackled effectively. It appears the Government doesn’t want to formalise these responsibilities. Some feel this could lead to a reduction in awareness and understanding of data protection across businesses and potentially a slipping back in data protection standards across the wider business.
  3. Duty to advise on data protection impact assessments (DPIAs). The proposals also include scrapping the mandatory requirement to conduct DPIAs. Risk assessments for data will continue to be important, but they would not need to be formalised in the way a DPIA is now. Instead, organisations will enjoy greater flexibility around their approach to assessments.
  4. Reporting directly to the highest level of management. So who will the designated individual report to? Could they become siloed within a specialist function (such as IT or Marketing) leading to a change of focus? Current law and guidance highlight the potential conflict of interest between operating within a specialist function and the impartiality required to perform DPO tasks (Article 38(6)). Is there a risk the level of oversight of data protection matters by the Board could be diminished?
  5. Autonomy. Under the GDPR, a DPO must not receive any instructions regarding the exercise of his/her duties: therefore they currently need a high degree of autonomy. The GDPR also states a DPO cannot be dismissed or penalised for performing his or her duties. It looks likely autonomy will reduce under these proposals.
  6. Duty to be the first point of contact for individuals whose data is processed, and for liaison with the ICO. It seems logical the designated individual would continue to fulfil these roles, but would it be mandatory?

What do people think?

We’ve gathered the views of some key people on whether the DPO role should be scrapped or not:

“The role of the DPO is an essential part of ensuring compliance and the UK GDPR is clear that a DPO is only a mandatory requirement in certain circumstances, particularly where the processing of personal data involves large scale processing of sensitive data. To remove this requirement weakens accountability. It creates even more uncertainty than there is now. To suggest that the need for a DPO is a burden on SMEs is a red herring as most SMEs do not have to have a DPO.”
Robert Bond – Senior Counsel, Bristows Law Firm

“The proposals are not a massive change on the substance and practice of the DPO role. Changes might come to the employment protections the DPO currently enjoys, but in managing the privacy programme, many of the activities that the DPO completes in Art. 39 (Tasks of the DPO) will be broadly the same. Where things might differ is the requirements in Art. 37 (Designation of the DPO) and 38 (Position of the DPO), particularly when it comes to resources, instructions and independence. I am not convinced these were all implemented to the letter of the law already, but they might not be explicit requirements.

I think the biggest impact will be DPO as a service. But for the in-house DPO, they will take on the management of the privacy programme and the world will keep turning.”
Stephen McCartney – Data Protection Officer, Simply Business

“We welcome the consultation to ensure legislation surrounding data protection continues to be appropriate. An area being considered is no longer requiring a mandatory Data Protection Officer to be in role. For us having a dedicated individual at a suitable level helps with overall ownership and accountability. Although we are not at the size to have a dedicated DPO in place, having someone who as part of their role can lead the development and oversight is important and I worry there could be a lack of consistency applied across firms with how they apply the ‘suitable individual’ and would they be at the required seniority in the business or have the ability to influence required changes to systems and controls.”
David Mollison – Chief Risk Officer, Monmouthshire Building Society

“I’m highly sceptical about the government’s proposals. Simplification is a laudable ambition, but removing the mandatory requirement to appoint a DPO risks removing the clear accountability that the role is intended to provide – and which is an essential foundation for data protection. The government says some organisations, particularly smaller ones, “may struggle to appoint an individual with the requisite skills who is sufficiently independent.” It’s unclear how the proposal to designate “a suitable individual” helps solve this problem and avoids weakening internal scrutiny, which the government itself highlights as a risk.”
Martin Turner, Managing Director, Full Frame Technology

It’s going to be fascinating to see how matters progress. It all makes me think of another quote – ‘May you live in interesting times!’.