Session 2022-23
Data Protection and Digital Information (No. 2) Bill
Written evidence submitted by Damien Welfare (DPDIB04)
Data Protection and Digital Information (No 2) Bill
Public Bill Committee
1. I am a former Public Law barrister with over 15 years’ specialist experience in Information Law. This evidence is tendered in my personal capacity.
Key points
2. The main issue to which I wish to draw the Committee’s attention is the apparent narrowing of the definition of personal data in Clause 1 of the Bill.
3. I also offer briefer points on the following:
- the weakening of ‘purpose limitation’ (Clause 6);
- the loosening of controls over ‘high risk’ processing (Clauses 17-18); and,
- restrictions on the operational independence of the new Information Commission (Clauses 27-28; and 29-31).
(i) Definition of personal data
4. Clause 1 appears to narrow the definition of personal data; and as a result, the scope of the protection of individuals’ personal information, and their rights in relation to it.
5. Personal data currently has a wide definition, and, thus, a broad scope; but the definition is a relatively simple one. It also applies in all circumstances. The definition proposed in Clause 1 is more complex. It distinguishes information held internally by controllers and processors from that made available elsewhere; and, by inserting conditions for the definition to apply, requires the making of more judgements than at present by controllers and processors; including as to the likely knowledge or actions of others, and as to timing. It seems unlikely that it will maintain the same breadth of scope as currently; unless the government can demonstrate otherwise. Any narrowing of scope would necessarily restrict the range of information about individuals which is subject to the protection provided by the personal data regime.
6. The protections include the handling of information about an individual only in accordance with the ‘data protection principles’ (eg that it should be processed lawfully, fairly and in a transparent manner), with particular restrictions on the handling of ‘special category’ (ie particularly sensitive) data such as information about an individual’s health or ethnicity; high levels of security required for the storage and use of personal data; and, enforcement by the Information Commissioner, or redress in the courts, in the event of breaches of data protection rules. The individual’s rights include: subject access; the right to seek erasure of one’s personal data if its processing is no longer necessary for the purposes for which it was collected; or, the right to object to the processing of one’s data. None of these would be available in relation to information which, while it is currently personal data, may in future be excluded from the definition.
7. The government has not explained the reasons for the changes to the definition in Clause 1. The issue was not referred to by the Minister (Julia Lopez MP) in introducing the Bill at Second Reading. The narrowing of the definition was raised in the debate by Layla Moran MP (17th April 2023, col 94), but the Minister who concluded the debate (Paul Scully MP) did not address the point. The Explanatory Notes say only that ‘the purpose of the clause is to provide greater clarity about which type of data is in scope of the legislation’ (paragraph 101). So far as I am aware, no other reasoning in support of the change, or analysis of its impact, has been published by the government.
Present definition of ‘personal data’
8. ‘Personal data’ means any information relating to an ‘identified or identifiable’ living individual (section 3(2), Data Protection Act 2018). There are thus two parts to the test of whether recorded information is personal data: whether a person can be identified; and, whether the information relates to them. Identification can be ‘direct’ or ‘indirect’; that is, from the information itself (‘directly’), or from that information in combination with other information which may be available (‘indirectly’). Identification can take place ‘in particular’ by reference to an identifier, such as a name or online identifier; or to one or more factors specific to them, such as their physical characteristics, physiological state, or economic or cultural identity. Identifying someone (or making them identifiable) is much wider, therefore, than linking information about them to their name or to an identification number.
9. Identifying an individual (or making them identifiable) means, in effect, distinguishing that individual in some way from a group or category. The group or category could be large (eg all of the people in the UK with another passport number) or small (eg six people in a room, of whom the individual is the only middle-aged person). If the person is identifiable in this sense, and the information ‘relates’ to them (meaning that it concerns them, is being processed for a purpose concerning them, or that its processing [1] will affect them), it will be their personal data. Identification need not take place in each sentence of the information; it can arise from the information as a whole, in context. The Bill will not affect these basic definitional concepts.
10. In assessing whether an individual can be indirectly identified, account should be taken of ‘all the means reasonably likely to be used’. This means taking account of factors such as the cost or time necessary to identify a person; or the technology available at that time, or in the future as it develops (GDPR, Recital 26). Indirect identification is particularly relevant to protecting data about individuals where it leaves the hands of a controller or processor, [2] or is made available more widely, and may be combined with other information about the person which may be held externally (eg in other records, or on the internet).
Clause 1 proposals
11. Under clause 1, information is to be treated as relating to an identifiable person in two situations (‘cases’) only:
Case 1: where the living individual would be identifiable by the controller or processor (directly or indirectly) by ‘reasonable means’ at the ‘time of the processing’. (‘Reasonable means’, as defined in the clause, exclude future technological developments.)
Case 2: where the controller or processor ‘knows, or ought reasonably to know’, that:
(a) another person ‘will, or is likely to, obtain the information as a result of the processing’; and
(b) the living individual ‘will be, or is likely to be, identifiable’ by the person who obtains the information, by reasonable means ‘at the time of the processing’.
12. Two definitions are thus substituted for one, increasing complexity; but with the intention that both (and particularly the second) should apply in more restricted circumstances than the single current definition.
Commentary on first ‘case’
13. The first case concerns whether an individual could be identified by the controller or processor who holds the information in issue. It appears that a person would be ‘identifiable’ only if the controller or processor could identify them at the time of the processing of the information, using means that they are reasonably likely to use. The identification could be direct or indirect. Before processing, it appears that an organisation will need to be aware of the content and capabilities of its own records and technology, and the availability and cost etc. of other records, so that it can judge:
(i) whether it could identify the person from the piece of information concerned, or from a combination of that information with other information which is in its records, or available to it;
(ii) (where the potential identification would be indirect) whether it could do so using no more than ‘reasonable means’; and
(iii) (in either instance) whether it could identify the individual at the time of the particular processing concerned.
14. While the definition is broadly similar in form to the present general definition (in section 3(2), DPA 2018 and Article 4(1), GDPR), there are three differences. The definition in the first case:
(i) is limited to the controller and processor, rather than applying to any person;
(ii) excludes consideration of the possible impact on identification of future technology (or of technology which is known, and may become available by ‘reasonable means’, but is not currently); and
(iii) limits any identification to that which can be made (by the controller or processor) at the time of the processing.
15. In relation to (ii), the narrowing of ‘reasonable means’, to exclude future technological developments, could be expected to discourage caution in placing information about individuals in (or nearer to) the public domain; where it is known that other information could, if it became available more readily, be combined with the information in issue to identify the individuals concerned. It would appear too that any knowledge of non-technological developments, such as an anticipated disclosure by another controller of identifying information, should not be taken into account.
16. In relation to (iii), it is not clear whether the timing has to be instantaneous, so that for an indirect identification, the other information would need to be available and accessible immediately; reducing the range of such information which could be relevant. If this were the case, even a few minutes needed to locate and consult a record (whether electronic or paper) would invalidate the definition, unless perhaps the record was immediately to hand. The effect of a technical malfunction, if temporary but of longer than an insignificant length, would be similarly unclear. Either example would mean that an individual could be identifiable in one set of circumstances, but not in otherwise similar circumstances; even if they arose by chance. The imposition of a time limit, whatever its length, could be expected to be a source of uncertainty for controllers and processors.
17. The operation of the definition would appear to rely on judgements by controllers or processors, which will determine whether or not an individual is identifiable in the great majority of cases. In relation to the first case, these judgements would seem likely to vary, according to factors such as differing levels of: IT equipment and capability; access to technical resources; knowledge of the information held by the organisation (eg across departments or functions); or, awareness of (or skill in gaining access to) any relevant information outside the organisation which is available to it by reasonable means.
18. It would be unsatisfactory if such differences could determine whether information was treated as being capable of constituting personal data. There would be unfairness to individuals if the same or similar information about them were to be protected to a differing standard in the hands of different controllers; or if their rights in relation to the information were to vary for similar reasons.
19. There may be a danger, moreover, of creating a disincentive from adhering to high standards in the maintenance of personnel, customer or user records; since the less detailed or inter-connected those records may be, the less likely it would be that individuals would be identifiable from them; and thus that information about those individuals could need to be treated as personal data. The Bill reduces the need to keep data processing records. At present, controllers and processors with more than 250 employees have to keep written records of all data processing activities (GDPR, Article 30): smaller organisations need do so only if the processing is likely to risk the privacy of individuals, or includes special category data or ‘criminal offence’ data, and is not occasional. As a result of clause 15, controllers and processors will be required in future to keep records of data processing (under a new Article 30A) only if it is likely to be of ‘high risk’ to the rights and freedoms of individuals.
Commentary on second ‘case’
20. The focus in the second ‘case’ in the definition is on what the controller knows (or ought to know) about:
- the likelihood that a recipient will, or is likely to, obtain the data as a result of the proposed processing;
- the likelihood that the individual will be, or is likely to be, identifiable (directly or indirectly) by the recipient;
- the reasonable means available to the recipient;
- the time of the identification (ie at the time of the processing).
21. The meaning of ‘obtaining’ should be explained. It is not clear, for example, whether the original controller or processor must take account of the likelihood only of persons obtaining the information directly from them as a result of their processing (eg because the controller shares the data immediately with a recipient); or, whether they should also consider any likelihood of further parties obtaining the information from the recipient (eg because the recipient shares the information with their partners).
22. Following this, in relation to timing, the question would arise again as to whether the requirement for any identification (direct or indirect) to be ‘at the time of the processing’ is limited to one which is instantaneous; or whether there would be a (perhaps short) period during which, for example, an onward transmission could take place. The creation of any qualifying period, however, would limit the range of potential identification which would need to be taken into account.
23. It appears that the ‘second case’ is likely to involve a greater number of judgements than in the ‘first case’. Controllers and processors will be obliged to make judgements as to the likely actions, capabilities or knowledge of other people; together with the timing and causality of those actions. The judgements appear to be:
- what they know about whether another person will, or is likely to, ‘obtain’ the information as a result of the processing they propose to undertake;
- what they ought reasonably to know about that likelihood (an objective legal test);
- the meaning of ‘obtain[ing]’ the information as a ‘result of the processing’ (see above);
- what ‘reasonable means’ would be likely to be used by that other person (or another person in general); ie what means such a person would be reasonably likely to use, from what is available to them, taking into account the time, effort, cost and technology needed to identify an individual by those means; and
- whether any resulting identification would be likely to take place ‘at the time of the processing’; or at another, perhaps slightly later, time (see above).
Narrowing the definition
24. These judgements seem likely to be more complex than the present definition. They raise the bar of ‘identifiability’ from whether, in effect, a person can be identified by the controller/processor, or another person, by any means reasonably likely to be used, to one of two higher bars:
- in the first case, in respect of the controller or processor, although the bar is broadly similar to the previous one, it is applicable only to identification by controllers or processors (rather than by the world as a whole), and the level is raised in two respects: that technological developments should no longer be taken into account; and, that the identification should be at the time of the processing (whether or not instantaneous), rather than at any other time;
- in the second case, a new test is created in relation to possible identification by a person other than the controller or processor; where previously the same test applied to everyone. This is based on meeting a number of conditions, and will necessarily be narrower than the previous test, in respect of persons other than controllers or processors. The conditions relate to: what the controller/processor knows (or ought to know) about the likelihood of the other person being able to identify the individual; whether the other person has ‘obtained’ the information as a result of the processing; whether they will have done so using ‘reasonable means’ (excluding any forthcoming developments); and whether they will do so at the time of the processing (however that time is defined).
25. In no other circumstances will information be capable of making an individual ‘identifiable’, such that the information about them is capable of being their personal data. Thus any failure to meet any of the conditions above, under either case, would preclude the individual from being identifiable by the information concerned; such that their information would fall outside the need for data compliance. The likelihood that an individual would become identifiable because of a known forthcoming technological development would be excluded from consideration, and thus from the definition of information identifying a person, and from personal data. By the time they became identifiable, in the terms of the new definition, the information about them could have been handled other than as personal data (eg disclosed without consideration of any harm to them). These factors seem bound to narrow the range of information which should be treated as personal data.
Other points
26. The practicality of the definition may also be debatable. There would be an inherent risk of confusion if similar information could, quite properly, be treated differently by different controllers or processors, depending on their circumstances.
27. The government has made clear that it wishes to ease the burden, as it sees it, of data protection, particularly on small and medium-sized enterprises; yet the Bill appears unlikely to make data protection compliance easier. On the contrary, it appears more likely to lead to increased uncertainty over the application of the core definition underpinning the system.
Conclusion
28. I respectfully suggest that it may be appropriate for Ministers to set out their understanding of the meaning and impact of the new definition, as a preliminary issue, since it will in turn condition the scope of the application of much of the remainder of the Bill.
(ii) Weakening of ‘purpose limitation’
28. The second of the six ‘data protection principles’ in GDPR, Article 5 is that personal data shall be ‘collected for specified, explicit and legitimate purposes and not [be] further processed in a manner that is incompatible with those purposes’. This important restriction protects individuals’ data from being re-used where a new purpose would not be compatible with the purpose for which they originally gave it, or for which it was collected. It does not, therefore, prevent all re-use. Clause 6 limits this protection to apply only to the controller who collected the data; so excluding it where there is a new controller. If the first controller legitimately transferred it to another controller, for example, the restriction would not apply to the recipient.
(iii) ‘High risk’ processing – loosening of controls
29. GDPR, Article 35 currently requires a Data Protection Impact Assessment (DPIA) for ‘high risk’ processing, such as the large-scale use of sensitive (‘special category’) data, or the use of the personal data of children for marketing purposes, or to offer online services direct to them. A DPIA includes an assessment of the necessity and proportionality of the processing, in relation to its purposes, and safeguards to address the risks. If the controller cannot reduce the risks, they must consult the Information Commissioner, who will issue advice (which can be enforceable). Clause 17 removes many of these protections, including the current lists of types of processing considered automatically to be of high risk (although there will be a list of those types considered likely to be). An ‘Assessment of high risk processing’ will summarise the purpose of the processing, whether it is necessary for those purposes (NB not whether it is proportionate), and the risks; and describe how the controller proposes to mitigate them. Consultation with the new Commission, if the risks still remain high, is made optional.
(iv) Issues concerning the new Information Commission
30. Under Clause 28, the Secretary of State will have power to designate a ‘statement of strategic priorities’ of the government relating to data protection. The Commission must have regard to this statement when carrying out their functions (save in relation to cases or investigations concerning an individual person) and must explain in writing how this will be done. The present status of the Commission as an independent regulator is thus reduced, to the extent that it has to follow varying priorities determined by the government of the day. The statement must be reviewed every 3 years; or may be if a general election intervenes, or if there has been a ‘significant change’ of policy. The government’s statement is to be laid before Parliament under the negative resolution procedure.
31. Statutory codes of practice drawn up by the Information Commissioner (after consultation with the Secretary of State and others) are currently put direct to Parliament for approval (under the negative resolution procedure) (DPA 2018, s 125(1) and (3)). The provisions of such statutory codes are not in themselves mandatory (s 127(1), DPA 2018); but they can be used in evidence in legal proceedings. In effect, they interpret and set standards for data protection in the areas they cover.
32. Clause 31 inserts prior approval by the Secretary of State, before a statutory code is laid before Parliament. If the Secretary of State does not approve the code, they must publish a statement to Parliament of their reasons. The Commission must revise the code in the light of the statement and re-submit it to the Secretary of State; whereupon the process can be repeated. The codes concerned cover: data-sharing; direct marketing; age-appropriate design; journalism; or, any other code giving guidance as to good practice which (as now) the Secretary of State may by regulations require the Commission to prepare. (The Code on age-appropriate design, for example, sets out fifteen ‘headline standards’ for companies behind online services to children, to safeguard their data privacy). Once approved by the Secretary of State, a code will be laid before Parliament, with either House having 40 days in which to resolve not to approve it.
33. The Commission is also required to create panels to consider and make recommendations on draft Codes; with the Commission obliged to publish an explanation if it does not accept a recommendation (Clause 30; inserting new section 124B). The Explanatory Notes to the Bill suggest that panel members may include: ‘government officials; trade associations; representatives from relevant regulators’; and ‘industry bodies’, as well as ‘public authorities’ and ‘data subjects’.
34. The Commission is to be obliged to produce impact assessments of its draft codes (Clause 30; inserting new section 124C).
35. These changes, taken together with the abolition of a single Information Commissioner and their replacement with a Commission, raise concerns over the future operational independence of the regulator (which regulates all data processing in the UK, including that by government). While the changes do not affect the Commission’s enforcement role in relation to individual complaints, they can be expected to influence its operating priorities; and to constrain its wider role in advising on, and interpreting the application of, the data compliance regime.
Damien Welfare
3rd May 2023
[1] ‘Processing’ is any operation or set of operations which is performed on personal data, or sets of data, whether or not by automated means. It includes using the data, recording it, consulting it, adapting it, or disclosing it.
[2] ‘Controllers’ are legal persons who determine the purposes and means of ‘processing’ (ie why and how personal data are to be processed). ‘Processors’ are other legal persons who process personal data on behalf of controllers, on their instructions (eg an external company which manages the payment of the salaries of the controller’s staff). Employees of a controller are not ‘processors’.