The Data Protection & Digital Information Bill (No 2) brings many potential benefits but also presents some risks and some missed opportunities for the UK’s data infrastructure. As it passes through Parliament, the ODI calls for some additions and amendments to ensure it is not only fit-for-purpose, but shapes the data ecosystem in the most positive and impactful way possible.Last week saw the second reading of the Data Protection & Digital Information (DPDI) Bill - proposing changes to the UK's data protection regime (including the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations). This is the second version of the Bill, and the Government says the Bill is "a new system of data protection" that is a “Brexit benefit”. The Government says the Bill will reduce bureaucracy, complexity, and compliance costs for businesses and increase their competitiveness. The Government has been keen to highlight that the Bill also offers the benefit of a significantly increased maximum penalty for nuisance callers - £17.5m up from £500,000 - a requirement for network providers to report any suspicious call activity to the Information Commissioner’s Office (ICO), and a reduction in cookie alert popups. MPs speaking in the debate also drew attention to the potential value of the Bill and increased data sharing, referencing Covid-19 and Open Banking as just two examples of where open data and interoperability can boost public services and the UK economy. While the Government has highlighted the intended benefits of the Bill, it’s important to recognise five key shortcomings and consider how we might strengthen the legislation while the Bill is in Committee stage and can still be amended.
Adequacy with the EU
Leaving the EU means the Government can diverge from existing EU law, and remove some of the complexities and costs associated with it. However, there is a risk that too great a divergence would put the UK’s ‘data adequacy’ at risk. This is a unilateral status that the EU grants to recognise other nations with a comparable level of data protection. Estimates by the UK Government show that losing adequacy could result in “£190m and £460m in one-off Standard Contractual Clauses (SCC) costs” and lead to “an annual cost of between £210m and £420m in lost export revenue”. Several MPs highlighted their concerns about potentially losing adequacy with the EU during the Bill's second reading debate, referencing the significant costs to businesses and the economy if we did, along with businesses' difficulty in adhering to two different data protection systems. MPs also flagged the challenges, particularly to SMEs with small staff numbers of having to adapt to a new set of Data Protection requirements, that will involve training and upskilling staff to remain compliant.
While the Government reiterated its intention to maintain adequacy in the debate if it was lost, it would present significant costs to the UK’s data sector and economy, and we would urge the Government to do all it can to mitigate this risk - especially given the UK’s closer work with the US on data and privacy.
Automated Decision Making (ADM) and algorithms
Algorithms and employee surveillance are being used to monitor employees and to make judgements and decisions about their recruitment and employment - often with little to no regulation or human oversight. This has led to the Trades Union Congress (TUC) drawing attention to the challenge of “management by algorithm” and “robo-firings”. In addition, work by the Public Law Project has shown how algorithms are being used by the Government on a range of sensitive policy and public service areas, including for example, in policing, determining an individual’s benefits status, and about immigration matters. As we have pointed out previously, algorithms and ADMs depend on the quality of the data entered - if the data is biased, the ADM will be biased too. We have seen several examples where ADMs have led to biased outcomes, sometimes with long-lasting ramifications. We know that machine learning and ADMs cannot only incorporate biases but amplify and enhance them. Under current law, ADMs must have an element of human oversight where it relates to a significant decision. However, clause 11 of the Bill would relax the requirements for human oversight and put a burden on the negatively impacted consumer or employee to bring a complaint. It would also mean that employees and individuals could be held to a standard that they cannot negotiate or influence - a concerning asymmetry of power that could be rebalanced through legislation. The Government’s own work recognises the importance of transparency around the use of algorithms. The Central Digital and Data Office (CDDO) and the Centre for Data Ethics and Innovation (CDEI) are helping public sector organisations to provide clear information about the algorithms they utilise. So the Bill seems somewhat incongruous. It could go further in mandating transparency and responsible algorithm use by employers, public sector bodies, and tech platforms in particular. While mandatory reporting was in the Government’s consultation, and the majority of respondents agreed with the proposal, it has disappointingly been left out of the Bill.
We would urge the Government to reconsider the relaxing of the rules around ADMs to protect people from biased ADMs, that can currently be challenged or rectified by human oversight but could be left unchecked if the Bill passes in its current form. We would also urge the Government to reconsider mandating reporting of algorithmic transparency.
The Information Commissioner’s Office (ICO) and Secretary of State
In its current guise, the DPDI Bill potentially reduces the independence of the ICO and increases the powers available to the Secretary of State on data protection by empowering them to issue instructions and set out strategic priorities for the ICO. The Government explained that “We are committed to the ICO’s ongoing independence, and that is why we have worked closely with the ICO. The Information Commissioner himself is in favour of the changes we are making.” The Government claims that these changes will enable this - and future - Governments to adapt more quickly to technological changes and developments than under current legislation. While the current Information Commissioner has been supportive of the proposed changes, several MPs and civil society groups have suggested that this risks the office of the ICO becoming politicised and could challenge its abilities to maintain its work as the political landscape changes. At the ODI, we want regulation to enable the data ecosystem to function - effectively, and safely. Legislation is vital to creating an open, transparent, ecosystem that allows the Government and regulators to protect individuals whilst not stifling innovation and economic growth. We also believe that independence of the ICO is vital to ensure it remains able to hold the government to account for its own use of data - this is likely to become more challenging if the ICO is answerable to the Government itself. Therefore we believe that the best route to enabling quicker adaptation to technological changes whilst maintaining and protecting the independence of the ICO, would be to have the OCI being accountable to Parliament rather than to the Government.
Reduced data processing safeguards
The Bill reduces certain requirements, such as the need for organisations to have a Data Protection Officer (DPO). Data Protection Impact Assessments (DPIAs) will no longer be needed, and records for data processing will no longer need to be kept unless the data is deemed “high risk” such as medical records. While the Government is focused on the potential time and cost saving for businesses, we believe that the privacy of personal data is of the utmost importance. Work by the Institute for Government found that those working on pandemic data sharing valued DPIAs as they provided transparency and secured organisational buy-in. Instead of removing the need for DPIAs entirely, focusing on facilitating better data sharing and processing along with education, cultural change, guidance, and incentivisation would all be more helpful than legislative change. The Government has highlighted that current rules place a burden on medical researchers who need to reobtain consent to utilise personal data outside the narrow original request. The Government has spoken of its ambition to make it easier for scientists to conduct research for medical purposes and to empower the UK to be a world leader as a “scientific research powerhouse”. While we support the ambitions of the Bill in creating an environment where medical research can progress rapidly, we would urge the Government to consider the importance of building and fostering public trust in data being shared and used if it wants to truly unlock the potential of medical data for research and treatment. The Government should also address the potential risks to individuals about whom data is being processed and the impact this may have on the public’s levels of trust in the institutions that are accessing, using and sharing this data. Our work during the Bill’s consultation period demonstrated that transparency was “necessary but not sufficient” and that any work towards increasing transparency should be accompanied by accountability through clearly defined standards, and mechanisms for redress - both areas where the Bill could be strengthened.
Subject Access Requests
We have previously written about Subject Access Requests(SARs) and the importance of allowing people to submit requests to those who hold data about them to see this data. The Bill offers companies more flexibility in refusing to comply with these requests on the grounds of being “excessive or vexatious.”
We believe it is vitally important for individuals to be able to find out what data is being held about them.
While we recognise the cost and burden on SMEs of responding to SARs, an analysis of the government’s impact assessment by Connected by Data suggests that the saving to SMEs from SAR reform will be around £59 per year - certainly not enough to justify this change, given the limitation on people’s rights that it contains.
Two easy ways to strengthen the bill
In addition to the potential issues that the DPDI Bill might present, we encourage the Government to make the most of the opportunity to further improve the data ecosystem by supporting the role of data intermediaries. We have previously written about the valuable role that data intermediaries play in facilitating greater access to and sharing of data and of how the data ecosystem could be further improved by enabling individuals and communities to exercise more control over the collection, maintenance and sharing of data about them or that they have a vested interest in. Julia Lopez MP, Minister for Data spoke during the debate about how the Bill will “put in place the foundation for data intermediaries”. If the Government were to use the Bill as an opportunity to set standards for data intermediaries and adapt Data Portability (the ability to move data) to allow continuous access to data - rather than requiring a series of one-off requests - individuals would be able to access data about them more easily. This would build trust in the intermediaries they use - building trust across the data ecosystem. The Bill in its current form empowers the Secretary of State and the Treasury to introduce Smart Data schemes in consumer markets - as has been successfully done with Open Banking. Smart data schemes enable the sharing of an individual’s data with third-party provider’s on behalf of the individual, and at their request. These providers can then provide services for the individual such as account switching or financial management. In the UK, Open Banking introduced secure data sharing for users, vastly improving the financial services that could be offered to individuals. The Government established a Smart Data Council - and we are one of the members of this advisory council that has been set up to help find ways to extend the benefits of Smart Data to new sectors such as energy and utilities. We believe that if implemented correctly, the potential of smart data is exciting and highly valuable. Whilst the Government will likely utilise these powers in other consumer markets such as utilities and telecomms, it is currently not clear how these powers will be applied, how use cases will be determined, and how the current lack of data skills and interoperability (the inability to transfer data between systems) will be tackled. We encourage the Government to consider some of the potential challenges around data sharing in these sectors so as not to hold back the positive potential of Smart Data schemes.
Get in touch
These are just some of our thoughts on the Data Protection and Digital Information (No. 2) Bill, and for the future of data policy in the UK. We plan to continue the conversation in this area and would love to bring in more views. If you want to get involved in the discussion, let us know on Twitter @ODIHQ or email [email protected].
Policy consultant Gavin Freeguard also contributed to this blog.