References

The Guardian. NHS data breach: Trusts shared patient details with Facebook without consent. 2023. https://www.theguardian.com/society/2023/may/27/nhs-data-breach-trusts-shared-patient-details-with-facebook-meta-without-consent (accessed Sep 1 2023)

Data protection law to be reformed — again

02 November 2023
Volume 12 · Issue 9

Abstract

Data protection law can be tricky to navigate for businesses, and clinics are no exception. Adam Bernstein discusses what you need to know about the forthcoming updates to data protection law.

The current UK law on data protection has been in place for some five years now, having been introduced following the implementation of the EU's General Data Protection Regulation (GDPR). The Government is now seeking to reform that legal framework through the Data Protection and Digital Information Bill (DPDI).

The bill is the culmination of a process which began with a public consultation back in 2021; it was first introduced in July 2022 but never got off the ground. With clinics holding much private information on both residents and staff, the move to change the law will affect their operation.

A new position

Kevin Modiri, a partner and solicitor at the law firm Nelsons, says that the original bill was postponed after former prime minister Liz Truss took office. However, he notes that last October (2022) the Government announced that it would revive the bill. Modiri comments that the bill ‘is not a replacement of the GDPR but a refinement to allow greater certainty for individuals along with a clarification of certain aspects of the existing framework’.

Jeanette Burgess, Head of Regulatory and Compliance at Leeds-based Walker Morris, sees the Government seeking to capitalise on post-Brexit freedoms to make changes to the current data protection regime. She says that ‘according to the new bill's explanatory notes, some elements of the GDPR and DPA create barriers, uncertainty and unnecessary burdens for businesses and consumers’.

She adds: ‘In its announcement of the new bill, the government described it as a ‘common-sense-led’ UK version of the EU's GDPR. The intention is to update and simplify the UK's data protection framework, reducing burdens on organisations while maintaining high data protection standards’.

Modiri doesn't disagree, saying that the bill seeks to bring in ‘a less burdensome and more flexible regime which will become easier and less expensive to implement’. He is of the view that the bill will prove a boon to small and medium-sized firms, will help the UK economy to the tune of £4.7 billion and will ‘boost data protection standards so that businesses can continue trading freely with global partners, which includes the EU’.

Proposed changes

So, with the background set out, what is it that the bill is proposing?

First off, Modiri states that ‘the new DPDI bill has been described as largely the same as its predecessor, but contains a number of provisions which are to be expected to simplify UK data laws’.

However, one change he picks out as key to the reform is an update to the meaning of personal data, which now specifies ‘what is meant by the identification of an individual ‘directly or indirectly’ and information relating to an identifiable living individual’.

Then there are changes to the ‘legitimate interests’ definitions in the GDPR used as the legal basis for data processing. Here Modiri points out that ‘there is a proposal to include some examples of processing that may be considered as necessary for the purposes of a legitimate interest such as for direct marketing, intra-group transmissions of data and processing to ensure security of network and information systems’.

Beyond that is a proposed new legal basis for processing which is for a ‘recognised legitimate interest’. The key difference between this and the current legitimate interest basis is that businesses relying on one of the recognised legitimate interests will only need to ensure that their processing falls within one of the listed activities.

Something else to consider is, as Modiri puts it, ‘a clearer and more stable framework for international transfers with a risk-based approach to data transfers and changing the adequacy rules’. He says that ‘this will allow businesses to have a simpler and clearer set of rules for international transfers’.

All told though, Burgess feels that the bill doesn't profoundly change data protection law. She says that it intends that ‘organisations will still need to make sure that they only process personal data where they have a lawful basis to do so and that data protection principles are complied with’.

In fact, she believes that the changes presented by the bill could end up helping organisations to decrease their costs in some situations. Specifically, she says that ‘under the proposed new regime, the obligation to maintain records of data processing will only apply to organisations that carry out high risk processing activities’.

In other areas, the bill will replace a Data Protection Officer with a Senior Responsible Individual (SRI). On this, Burgess says that ‘organisations will only need to appoint an SRI where they are a public authority or otherwise are engaged in high-risk processing. As the name implies, the SRI must be a senior person in the organisation but can carry out this role in addition to other functions’. Interestingly, Modiri notes that ‘there will be no requirement for that individual to have any particular data protection expertise. Rather, that individual can seek advice and outsource functions to organisations as they see fit’.

And in a move to speed up certain business processes, the bill proposes a ‘digital verification services trust framework’ with providers of digital verification services being accredited and listed on a Digital Verification Services (DVS) register. Burgess says that ‘verification services’ refers to ‘services provided at an individual's request that involves ascertaining or verifying a fact about the individual from information provided by another source’.

The DVS will allow an individual to create a digital identity to prove something about themselves, such as age or address, to others.

There are also changes to rules around the use of Artificial Intelligence (AI). Burgess explains that under the current law, solely automated decisions (including profiling) that produce ‘legal or similarly significant’ effects on data subjects may only be carried out where it is necessary for entering into or performing a contract between a controller and a data subject, it's required or authorised by law or the data subject has given their explicit consent.

The bill updates the law so that such automated decisions can be used more widely. That being said, Burgess warns that ‘a ‘significant decision’ based entirely or partly on special category data which covers, for example, race, religion, sexual orientation and so on, may not be taken based solely on automated processing unless certain conditions are met.’

Another positive change is the relaxation of the law with regard to web cookies, which should lead to fewer pop-up boxes appearing on websites.

But quite possibly one of the biggest issues for firms is Data Subject Access Requests (DSARs), made by individuals seeking the information held about them.

The bill doesn't alter the right to make a DSAR, but it does offer some pushback for a data controller. Modiri says that ‘there will be a proposed amendment to the exemption that businesses can use to charge a reasonable fee or refuse to respond to a request that is vexatious or excessive.’

This change should mean less paperwork and lower costs. However, Burgess cautions that ‘it will be the data controller's responsibility to prove that a request is vexatious or excessive. As the bill is currently drafted, it is anticipated that there will be debate on a case-by-case basis as to whether the threshold has been met’.

But the bill may increase costs

The main thrust of the bill is to simplify the burden on organisations and businesses, and in the main it should achieve this. However, those with relationships in the EU will still need to comply with the EU's GDPR. This is why Burgess says that ‘it may be cheaper for them to continue to follow the current regime in the interests of consistency—to the extent that is possible under the new bill. If they choose to adopt separate compliance programmes for their EU and UK operations, that is likely to increase, rather than reduce, costs’.

Modiri believes the same and says that ‘those doing business solely in the UK, who do not have expansion plans to EU, may find it easier to comply only with UK laws once the bill is finalised; any multinationals may choose to do the same in relation to their UK-only data processing activities which may reduce costs’.

New sticks for enforcement

Obviously, for any legal change to bite, it needs to persuade potential wrongdoers of the consequences of their actions. As it stands, data protection breaches and electronic marketing breaches under the Privacy and Electronic Communications Regulations (PECR) are treated differently.

But as Modiri points out, the bill seeks to ‘align the fines for nuisance calls and texts under PECR with those under the UK GDPR’. That should change behaviours. As it currently stands, breaching PECR can lead to criminal prosecution, non-criminal enforcement, audit and imposition of monetary penalties of up to £500,000. However, the bill increases the level of fines for nuisance calls and texts to up to 4% of global turnover, or £17.5 million, whichever is greater.

It follows that penalties without proper enforcement are a pointless exercise. Indeed, Burgess is concerned about the effectiveness of increased penalties as a deterrent, because that is contingent on the actual level of enforcement. That said, it's reasonable to assume that the Information Commissioner's Office (ICO) will take steps to enforce, albeit proportionately.

In conclusion

The bill hasn't been passed as yet, although at the time of writing it has nearly completed its passage through the House of Commons. The changes don't radically alter the data protection landscape, but they do seek to liberalise the law. Organisations and businesses need to keep a watchful eye on what is coming their way.

Panel: healthcare in trouble

The healthcare sector isn't immune to scrutiny by the ICO.

Back in 2011, an NHS trust was ordered to pay £12,500 in compensation to a claimant for breaches of the then Data Protection Act (DPA) after a nurse, his partner, unlawfully accessed his medical records. The judge at Plymouth County Court said the unlawful access and the subsequent handling of the complaint had exacerbated the claimant's pre-existing medical condition and entitled him to compensation under the DPA.

More recently, in May 2023, the Guardian reported on an Observer investigation into NHS trusts sharing intimate details about patients' medical conditions, appointments and treatments with Facebook without consent.

A covert tracking tool, Meta Pixel, in the websites of 20 NHS trusts had been collecting browsing information and sharing it with Facebook ‘in a major breach of privacy’.

The data included details of pages viewed, buttons clicked and keywords searched. It could be matched to the user's IP address and tied to their Facebook account to reveal personal medical details.

A total of 17 of the 20 NHS trusts that were using Meta Pixel confirmed they had removed the tracking tool from their websites. Eight issued apologies to patients. The Information Commissioner's Office is investigating.