
News & Articles

Data Protection Act Changes 2009

5th Jan 2009
Lee Werrell

The Ministry of Justice (MoJ) has released its response to two significant reviews of the data protection framework that are likely to lead to important changes in the UK data privacy laws: increased data sharing and new powers for the Information Commissioner.

The report can be accessed here: http://www.justice.gov.uk/docs/data-sharing-review-report.pdf

Annexes: http://www.justice.gov.uk/docs/data-sharing-review-annexes.pdf

Ministry Of Justice data sharing review paper:
http://www.justice.gov.uk/docs/data-sharing-review-consultation-paper.pdf

Personal information, and the security, privacy and way in which it is dealt with and used by organisations, is important to all of us. We want to be able to shop confidently over the phone or online and have goods delivered to our home or place of work. Increasingly in this high-tech age, where we know and understand that information is passed at lightning speed across organisations relevant (and sometimes not) to our needs, we want individualised, fast and accessible public services, whether it is our hospital appointments or a desire for crime to be dealt with quickly and effectively. Although we appreciate the need for speed of data transmission, at the same time we want to know that all our information is safe and protected from those who would misuse and abuse it.

The main queries addressed in the report are:

  • Exactly how is our information being used and why?
  • Can we be absolutely confident it is being used according to the DPA?
  • Who accesses, shares and keeps our information, and to what end?
  • What overall impact is the sharing of our personal information having on our private lives and on our freedom to take fair advantage of things like credit, local services and investments?

The Data Sharing Review was undertaken by Richard Thomas, the Information Commissioner, and Dr Mark Walport, the Director of the Wellcome Trust, after the announcement by the Prime Minister in his Liberty speech on 25 October 2007.

The review's final report concludes that:

  • there is a lack of transparency and accountability in the way organisations deal with personal information
  • there is confusion surrounding the Data Protection Act, particularly the way it interacts with other strands of law
  • greater use could be made of the ability to share personal data safely, particularly in the field of research and statistical analysis
  • the Information Commissioner needs more effective powers, and the resources to allow him to use them properly

The recommendations are quite in-depth, but from a Compliance perspective (excluding financial promotion issues) the most important and relevant are:

Developing culture
Recommendation 1: As a matter of good practice, all organisations handling or sharing significant amounts of personal information should clarify in their corporate governance arrangements where ownership and accountability lie for the handling of personal information.

Data Sharing Review
Recommendation 2: As a matter of best practice, companies should review at least annually their systems of internal controls over using and sharing personal information; and they should report to shareholders that they have done so.

Recommendation 3: Organisations should take the following good-practice steps to increase transparency:
(a) Fair Processing Notices should be much more prominent in organisations' literature, both printed and online, and be written in plain English. The term 'Fair Processing Notice' is itself obscure and unhelpful, and we recommend that it is changed to 'Privacy Policy'.
(f) Organisations should do all they can (including making better use of technology) to enable people to inspect, correct and update their own information whether online or otherwise.

Recommendation 4: All organisations routinely using and sharing personal information should review and enhance the training that they give to their staff on how they should handle such information.

Recommendation 5: Organisations should wherever possible use authenticating credentials as a means of providing services and in doing so avoid collecting unnecessary personal information.

Research and statistical analysis
Recommendation 15: 'Safe havens' should be developed as an environment for population-based research and statistical analysis in which the risk of identifying individuals is minimised; and furthermore we recommend that a system of approving or accrediting researchers who meet the relevant criteria to work within those safe havens is established. We think that implementation of this recommendation will require legislation, following the precedent of the Statistics and Registration Service Act 2007. This will ensure that researchers working in 'safe havens' are bound by a strict code, preventing disclosure of any personally identifying information, and providing criminal sanctions in case of breach of confidentiality.

Recommendation 16: Government departments and others wishing to develop, share and hold datasets for research and statistical purposes should work with academic and other partners to set up safe havens.

At the end of November 2008, the MoJ set out recommendations for changes to the Data Protection Act 1998 (the Act) in two papers. Firstly, confirmation that the MoJ will implement the key recommendations of the Data Sharing Review Report. The MoJ has indicated that only some recommendations will require amendment to the Act, although all recommendations should provide best practice lessons for the public and private sectors.

Secondly, in publishing its own consultation on the Information Commissioner's powers and funding, the MoJ considered key proposals that arose out of the Report's recommendations (the Consultation). The aim was to make recommendations aimed at increasing public confidence in the sharing and handling of personal data in all sectors and to aid the Information Commissioner's Office (ICO) in carrying out its functions more effectively. These are, in particular:

To extend the ICO's existing power to carry out Good Practice Assessments (GPA) so that it will not need to obtain consent to the GPA in the case of public authorities. This allows the ICO to assess the processing of personal data by public authorities against a standard of good practice and to report on its results. The same right has not been extended to private sector bodies. Consideration will be given to how withdrawn support or non-cooperation from any organisation will be factored into any enforcement action. Incentivised participation will carry a reward of exemption from the ICO's new power to impose a civil penalty for any breaches of the Act discovered during the GPA. This exemption will not extend to the ICO's powers to issue "information" and "enforcement" notices.

A potential "fast-track" procedure to remove or modify any legal barriers to data sharing is to be created. Any introduction of such data sharing scheme or schemes will obviously be subject to review and scrutiny by both Parliament and the ICO.

Strengthening the ICO's powers of inspection, enabling it to specify the time and place by which organisations must provide information requested under an "information notice". In addition, a new power at the ICO's discretion allows any person on the premises to be required to provide any information appropriate to an investigation where the ICO is executing a warrant.

Any significant data breaches will be reportable to the ICO in future as a matter of good practice. The ICO will be mandated to provide adequate guidance on when notification of breaches should be made and "failure to notify" will be taken into account by the ICO when considering enforcement actions.

The ICO is to be given a statutory duty to prepare, publish and review a code on the sharing of personal data with the purpose of providing practical guidance to the public and promoting good data sharing practice. The code will be given authoritative status and breaches of it will be taken into account by courts, the Information Tribunal and the ICO in the context of any legal or enforcement proceedings.

A tiered structure based on the size of organisations by number of employees is to replace the current flat fee of £35 for notification to the ICO.

No exact timeframe has been given for the recommendations to be effected. The reports indicate that the proposals requiring additional or secondary legislative change will be "brought as and when appropriate", although the MoJ has indicated that the increase in the ICO's powers will be introduced as soon as parliamentary time allows.

Summary

Overall, the ICO's role, associated powers and modus operandi are shifting to follow a model similar to that of the Financial Services Authority. This can only be good news for compliance professionals, as it creates more work and a chance to excel in an area that most people will struggle to appreciate. Our expertise in financial promotions, together with our experience in data protection principles, will put us in a good position to advise our clients on the controls that need to be in place to ensure that security, safety, honesty and integrity are maintained throughout the client data access and manipulation world of the future.



Bibliography

Lee Werrell FInstSMM MSI is the Owner and Principal Consultant of CEI Compliance Limited, a Compliance Consultancy. CEI provide a broad range of expertise having worked with governance, risk and compliance functions for a number of years.
