Data Protection and Digital Information (No. 2) Bill

Written evidence submitted by the Kent & Medway Health and Care Strategic Information Governance Network (DPDIB32)

Kent & Medway Strategic Information Governance Network response to Data Protection and Digital Information (No.2) Bill: call for written evidence

Dear Sir / Madam

Please find herewith a response to this call for written evidence based on the outputs of a facilitated workshop this morning of the Kent & Medway Health and Care Strategic Information Governance Network, which I Chair. This networking group includes Data Protection and Information Governance professionals from NHS and Local Authority organisations across Kent & Medway.

I have, by design, ensured our response is brief to highlight our greatest concerns, of which I have concentrated on the top four identified here:

1. Data Protection Impact Assessments

Our understanding is that Data Protection Impact Assessments will be replaced with a leaner and less prescriptive ‘Assessments of High-Risk Processing’.

Our view is that:

· The ‘less prescriptive’ terminology is of concern as it is often the granular detail that is required. This raises the question as to whether more granular detail will be captured with the move to a higher-level process.

· Organisations may possibly become less concerned with the importance of assessing risks and the importance of individuals’ Data Protection rights and freedoms.

· The need to complete a Data Protection Impact Assessment will become highly subjective unless there is a definitive explanation of what constitutes high-risk processing. This may result in a lack of consistency between organisations, where one may consider something a risk, but another does not.

· The change will negatively impact the hard work undertaken by Data Protection and Information Governance Teams to build trust and engage resistant colleagues, many of whom are now producing effective Data Protection Impact Assessments (and related documents).

2. Business and customer data

Our understanding is that the Secretary of State and the Treasury will be given the power to issue regulations requiring "data holders" to make available "customer data" and "business data" to customers or third parties, as well as regulations requiring certain processing, such as collection and retention, of such data.

Our view is that:

· This is seemingly a broad statement when the Human Rights Act 1998, with its right to a private life, is considered. It therefore raises questions about the background to the proposal.

· Regarding health and care, it is difficult to understand how business and customer data would be understood and how this would apply.

· There is a risk in primary legislation allowing the production of secondary legislation, as the latter is not ratified by Parliament.

3. Data Protection Officer

Our understanding is that the requirement to appoint a Data Protection Officer by some public bodies and organisations undertaking high risk processing will be removed. It will be replaced with a need to appoint a ‘Senior Responsible Individual’ for Data Protection.

Our view is that:

· This is similarly open to interpretation regarding the definition of high-risk processing.

· The relationship between the Senior Responsible Individual and the Senior Information Risk Owner, in those organisations that have one, becomes unclear. Are they the same person? If so, this is a concern, as the two roles (currently at least) require different skillsets.

· There is a potential dilution of the importance that has been placed on the Data Protection Officer role. We believe it is unlikely that there will be much change in Local Authorities and the NHS, but that it could result in smaller organisations that they commission treating Information Risk much less seriously or robustly.

· It is important that the role, whatever it is called, must continue to have a demonstrable level of understanding of the Data Protection legislation.

· The lack of clear guidance on when the role is required could result in the role being squeezed out if budgets are tight.

4. Records of Processing Activities

Our understanding is that Controllers and processors will be exempted from the duty to maintain a Record of Processing Activities unless they are conducting high risk processing.

Our view is that:

· Records of Processing Activities are one of the most fundamental foundations of Data Protection, allowing you to understand what information is held and what is done with it.

· Similarly to the above, different organisations may have different ideas of what should be considered high-risk processing.

· Removal of the Records of Processing Activities requirement potentially dilutes protections and is a step back from current controls, which means that the public may lose confidence in how strongly data is protected.

If you would like any further information from us, please do not hesitate to contact me.

Kind regards,

Andrew

Andrew Harvey | CISMP EU-GDPR-P LLM FIRMS  

Chair, Kent & Medway Strategic Information Governance Network

Chair, National Health and Care Strategic Information Governance Network

16 May 2023
Prepared 18th May 2023