Skip to content

Data: A new direction?

Browse this blog post

Related news and insights

Publications: 21 March 2024

Seizing the AI opportunity in Europe

Blog Post: 08 March 2024

CJEU publishes AG opinion on sale of a database of personal data

Blog Post: 22 February 2024

EDPB adopts opinion on the notion of main establishment during 90th plenary

Blog Post: 14 February 2024

ICO and AEPD take steps for protection of minors

 As the UK looks to find a new and post-Brexit direction, the UK Government is setting its agenda for developments in regulation, particularly when it comes to technology, data and innovation. We have seen the recent consultation Reforming the Framework for Better Regulation, the Plan for Digital Regulation, the Innovation Strategy, and the AI Strategy and what about data protection? 

Following on from the 2020 UK National Data Strategy, and indeed as the first step in delivering on Mission 2 of that Strategy, in September the Department of Digital, Culture, Media and Sports (DCMS) published Data: A New Direction. The ICO has now digested the proposals has provided its response. Interested parties have until 19 November to add their views.

What does “A New Direction” look like?

The Government considers that in order to create a “pro-growth and trusted data regime” that “unleashes data’s power”, reforms to the UK’s data regime are desirable. As seen in other recent consultations and publications the tone aims to be business and innovation friendly, supporting a “common sense” approach to regulation and not a one-size-fits all agenda. In particular the Government wants to create a data protection regime that will:

  • Support vibrant competition and innovation to drive economic growth; 
  • Maintain high data protection standards without creating unnecessary barriers to responsible data use; 
  • Keep pace with the rapid innovation of data-intensive technologies; 
  • Help innovative businesses of all sizes to use data responsibly without undue uncertainty or risk, both in the UK and internationally; and
  • Ensure the ICO is equipped to regulate effectively in an increasingly data-driven world.

In this blog we consider proposals addressing bullets 1 to 4. For further insight into the proposals regarding ICO reform please see our separate blog by David Smith here

Achieving the balance between responsible data use and a low regulatory burden 

It is clear that certain aspects of the existing legislation are felt to create disproportionate challenges for many organisations with “unnecessary barriers” to innovation. Acknowledging the UK’s involvement in developing the EU GDPR and the need for comprehensive data protection however, Data: A New Direction indicates that proposals will build on “key elements” of the current UK data protection regime (largely identical to that in the EU). Although the Government is keen to exercise its independence from the EU, many businesses will be aware that a reduction in regulatory burden in the UK may not provide sufficient benefits if the downside is a loss of an EU adequacy status and the subsequent imposition of barriers to international data transfers. Indeed, the ICO’s response to the consultation highlights the need to look at the UK data protection framework as part of the broader set of global standards that cannot be viewed in a vacuum or without regard to the likes of Convention 108+. Whether the UK can navigate a route to a lighter-touch regulation, beneficial to many businesses, whilst retaining structures and safeguards to ensure personal data is protected in a way that meets the standards expected by individuals and other jurisdictions, remains to be seen.

As digitalisation projects pervade all sectors, and data is well and truly established as the bedrock of modern business, regulation must keep up with developing needs and the Government aims to future proof. As the ICO indicates, how high standards of data protection are delivered “cannot be static” and though calling for caution and raising further considerations in some instances, it is largely positive about many of the proposals. It is reassured to see public trust identified as a support for business and innovation. It also flags the importance of proportionality of regulation and consideration of risk when looking at compliance. However, it does expect that organisations ensure personal data is safe, individuals can exercise their rights and personal data is used for the individual’s benefit and not in ways that might cause harm. The ICO looks to the Government to ensure these foundations and standards are met. You can read more about the proposed interactions between Government and the ICO in our blog here

A more risk-based, outcomes-focused approach

So what are the key changes proposed?

Proposals considered to remove barriers to innovation


Removal of the legitimate interest balancing test. Many organisations rely on the legitimate interest legal basis to process personal data. However, there are hurdles to jump and assessments to make as to the necessity of that processing and the balance of those interests against the rights of data subjects. This can be an uncertain and complex process despite the ICO guidance. The Government therefore looks to Singapore for inspiration and proposes a list of legitimate interests for which organisations can use personal data without recourse to the balancing test (albeit the need to consider necessity would remain and the approach to processing children’s data wouldn’t change). For example: 

  • improving/reviewing an organisation’s system or network security;
  • improving the safety of a product or service;
  • pseudonymisation or anonymisation of data;
  • using audience measurement cookies or similar to improve webpages for service users; and 
  • using personal data for internal R&D or business innovation purposes to improve customer services.

Reducing the assessment burden for these BAU data uses would be beneficial for some. However, the ICO is understandably wary that the categories of activity are too broad and data subjects will lose out through lack of a more nuanced and case-specific processing analysis. It also flags this area as an example of how UK GDPR provisions interact (eg objection to processing-refusal of request also looks to a balancing test). As alluded to above, the Government will need to look at its plans in a holistic way if they are to be successful.

Clarifying requirements when processing for research purposes. The Government is concerned that a lack of regulatory clarity may create uncertainty for business and stifle the effective use of data. For the benefit of processing for research purposes (archiving purposes in the public interest, scientific or historical research and statistical purpose), the Government therefore proposes to consolidate provisions regarding these research purposes and define what is meant by “scientific research”. It also aims to smooth compliance processes by considering options to:

  • create a separate legal basis for processing in the context of research purposes (subject to safeguards); and
  • clarify how university research projects can rely on “tasks in the public interest” legal basis. 

When the detail becomes clear, these changes may offer more assistance and clarity for organisations but given many scientific research projects occur internationally (including in the EU) it is not clear how often additional bases would be relied upon. A consistent data protection approach in multi-centre research will commonly be preferred and so if a legal basis can be relied upon to process data in the UK alone but would not be viable in the EU, researchers may look for alternative options. 

Organisations will be interested to see the Government’s proposal to enable broad consents to process in the context of scientific research where it is not possible to identify the full scope of research at the outset. Whether the nexus with other legislation (data protection, clinical trials, confidentiality or otherwise), would allow organisations to make full use of this proposal is currently unclear. Replicating existing recitals, it goes on to suggest that further use of personal data for research purposes is always compatible with the original purpose although this is clearly complex area that will require considerable further thought. The ICO for example raises concerns that consent for original processing should not be considered extended to cover new processing, even in relation to research purposes because it would be beyond what people
expected when they originally consented – new consent would be necessary.

Associated changes to transparency requirements would inevitably reduce the administrative burden. Subject to safeguards, proposals anticipate that provision of information on further processing for research purposes would not be necessary where it involves disproportionate effort even when that personal data was originally obtained directly from the data subject. The Government does volunteer that this may incentivise poorer record keeping. Questions may therefore be raised as to whether this specific proposal has the potential to impact the broader protections and rights of data subjects but in general the ICO does not raise concerns, as long as the tweak is limited to scientific research scenarios and safeguards are appropriate. 

Clarifying regulation regarding further processing. When considering further processing more generally, the Government queries whether organisations are clear as to what constitutes processing compatible or incompatible with the original purpose of processing, whether they understand the legal bases on which they can rely or whether they are confident as to when recipients of personal data can process for purposes incompatible with the original (or indeed for research purposes). Proposals include clarifying that “incompatible” further processing of personal data may be permitted when safeguarding an important public interest and specifying the circumstances when further processing can be undertaken by a new controller. The Government makes reference to ensuing fairness and transparency for the data subject, presumably aiming to balance the protections for individuals whilst reassuring organisations of scenarios where data can be shared and utilised. The ICO is keen to ensure this is the case and is particularly concerned about the approach that may be developed in relation to processing on the basis of consent. It calls for more explanation of proposals made.

Clarifying when data is considered anonymous. Rather than relying on recitals in the UK GDPR or the ICO’s guidance alone, the Government looks to reassure organisations and encourage the use of data by including an anonymisation “test” on the face of legislation, made either by reference to existing UK GDPR recitals (ICO preference) or by reference to the Explanatory Report linked to Convention 108+. It also wishes to clarify that the question of whether data is anonymous is relative to the means available to the data controller to re-identify it. These changes do not in themselves substantively alter the current position and it is unclear whether the amendments would make any significant difference to controllers day-to-day.

Innovative data sharing. To encourage data sharing, a common thread across many Government papers, proposals are made regarding use of data intermediaries (acting as third parties to coordinate and manage data sharing for organisations and/or aiding data subjects in controlling their data). It is acknowledged that the industry is nascent and that more is needed to establish a market, ensure confidence and bottom out some of the fundamental questions around legal responsibilities and legal bases to process. As noted by the ICO, trust is key to enabling innovation, so improving understanding (eg of intermediary accountability) and assurance in the sector would seem helpful if it is to provide genuine business opportunity.

Proposals considered to reduce the regulatory burden

Adaptations to the accountability regime. To avoid a “box-ticking” approach, the Government wishes to create an “efficient” accountability framework that provides “greater flexibility on compliance”. Whilst noting that accountability as a principle is “fundamental” the approach proposed is significant. Drawing on regimes in Australia, Canada and Singapore, the Government proposes that a privacy management programme (PMP, ie an organisation-developed collection of personal information polices and processes for protection proportionate to the volume and sensitivity of personal data handled and the way it is processed), would replace the current more “prescriptive” regime. 

The proposal seeks to expand on the Article 24 GDPR obligation to put in place appropriate, proportionate policies. However, as PMPs are expected to be based on responsibility and oversight, risk assessment, transparency, training, monitoring, evaluation and improvement and include familiar concepts such as:

  • designation of responsible and suitable (though not necessarily independent) individuals overseeing data protection compliance;
  • personal data inventories;
  • procedures for communicating with data subjects;
  • measures to handle information requests and complaints;
  • procedures for handling breaches; and 
  • risk assessment tools,

It is not clear whether many organisations will rush to alter their current approach if it can be used to fulfil the new regime. Given the time and resources already expended by organisations on GDPR compliance, it is at least useful to note that the Government will not require organisations to “change many of their current processes if they already operate in an effectively”.

In adapting the accountability regime, the Government proposes to remove specific GDPR requirements, notably: 

  • to appoint a DPO with specific skillsets and independence (though a person could be appointed in that role in addition to a PMP “responsible individual” if an organisation considered the internal scrutiny helpful). The ICO hopes that skills developed through the DPO regime to date would not be lost to the detriment of businesses. It is also keen to point out that the requirement to appoint a dedicated role to ensure important compliance functions are carried out “is a widely used approach across many different sectors”, apparently questioning why data protection should be any different;
  • to carry out a DPIA to assess processing likely to result in high risk to individuals, allowing organisations to adapt different approaches to identify and minimise risks (albeit existing DPIA would remain valid). The ICO would prefer an improved more agile system rather than loss of a key tool for risk management and transparency;
  • to consult with the ICO where high risk processing cannot be mitigated. Without risk of sanction for failure to consult, and given infrequency of current use, the Government hopes to encourage more open and collaborative discussion with the ICO, incentivising organisations by identifying prior consultation as mitigating evidence in the event of a future investigation. This additional freedom may allow more risk-averse organisations to obtain some helpful reassurance or direction before engaging in complex processing activity. The ICO is however concerned that removal of the mandatory requirement will remove an opportunity for it to positively engage with organisations to guide their processing;
  • to maintain a record of processing, looking instead to organisations to determine the nature of an appropriate personal data inventory, despite acknowledging the potential risks to effective enforcement and data subject protection; and
  • to report to ICO data breaches unless unlikely to result in a risk to the rights and freedoms of natural persons. The Government points the low reporting threshold as resulting in over-reporting which doesn’t reflect the true nature of risk. It prefers instead a requirement to report unless the risk to individuals is not material, despite accepting that breaches that do result in a risk to individuals’ rights and freedoms may no longer be reported. The ICO is keen to ensure different types of harm are factored in here (individual or societal).

Many organisations will welcome additional freedom and flexibility offered by these changes, particularly smaller businesses that are carrying out vanilla, low-risk processing. They may also hope that they are less likely to be fined in the UK if their activities are measured against a new (potentially lower) standard. However, care should be taken when it comes to the detail. Some organisations may see little real difference in the administrative burden posed by these accountability requirements, covering similar topics under a different name. Others may consider that the additional discretion afforded by this route could, in fact, create more challenges, particularly for large, multi-stakeholder organisations looking to navigate a secure, compliant data processing policy. A more organisation-driven regime based on subjective decisions could reduce certainty in approach and may cause a reduction in consistency across businesses – organisations of differing risk appetites may adopt very different routines. In turn, transactional negotiations involving personal data may require greater nuance. Organisations operating across Europe may find that a need to treat the UK differently increases costs and regulatory burden rather than reducing it. Similarly, it could be argued that an increasing variety of PMPs used to fulfil the core accountability principle, with different interpretations of what constitutes a proportionate approach, will make it hard for data subjects to understand how their data is handled and how organisations may or may not be compliant with the law.

The Government will look to the ICO to support organisations in developing their accountability practices, with a significant requirement for regulatory guidance. Whilst potentially relieving organisations of some specific compliance burden, it is not hard to envisage an increased burden on the ICO when it comes to assessing accountability of organisations (as expressly anticipated to form part of the Regulatory Action Plan), each with a different approach and set of materials provided to meet the headline requirements. Certainly, the ICO considers that more detail is required, not least regarding how the PMP system would work to drive the most robust approach to accountability from the organisations taking most risk with regards to personal data. The ICO sees accountability as central to a data protection regime and notes that it “is crucial that any approach to accountability is enforceable.”

In relation to enforcement, the Government is considering the introduction of a voluntary undertakings process. Here, the suggestion is that organisations that have demonstrated a proactive approach to accountability should be permitted to submit a remediation plan to the ICO in the event of infringement, and subject to meeting certain criteria may be able to implement it without further ICO action. It is unclear how that demonstration of approach to accountability will play out in practice or the extent of any discretion available to the ICO in accepting the remediation plan. 

Interestingly, if the concept of a PMP does not get taken forward, whilst some of the Government proposals to remove GDPR requirements would likely also fall away, the Government expressly moots that it is possible that certain proposals would be retained. For example, breach reporting changes could proceed, record keeping requirements adapted to avoid duplication with obligations in respect off privacy notice information, and DPO requirements could be adjusted (for instance, the obligation for public authorities to appoint a DPO could be removed).

Tackling burdensome subject access request 

Organisations are known to spend large amounts of time and resources in responding to data subject rights requests, particularly subject access requests. The Government also asserts that organisations find it difficult to rely on “manifestly unfounded” exemption designed to allow businesses to decline to respond to access requests that are clearly malicious or are used to disrupt. This will be an area to watch with interest for most businesses.

The Government’s solution is to mirror the approach taken to FOIA requests, enabling organisations to refuse to respond when a request is vexatious - ie where it is likely to cause a disproportionate or unjustifiable level of distress disruption or irritation (in place of the “manifestly unfounded” threshold). The second proposal, one that will be welcome for many organisations, is to introduce a fee regime (charges are currently only permissible if the request is either manifestly unfounded or manifestly excessive) with the Government querying whether a nominal fee should be re-introduced. A cost cap (where organisations would only be bound to respond up to a certain cost limit) is also under consideration but it would not permit organisations to refuse to respond entirely. 

In each case, the key will be to balance genuine concerns of business and the ease with which legitimate data subject access requests can be made by those with the least of means. The ICO is keen that reforms do not undermine the right of access particularly when the personal data may have a significant impact on individuals. It points to data protection by design and default obligations to suggest that organisations should be automating responses, implementing management systems and other tools to deal with requests. As noted in relation to research purpose transparency requirements (above) poor record keeping and information management shouldn’t inadvertently be incentivised by amendments. More detail is also required by the ICO as to how support, guidance and appeal processes would work in practice.

AI and bias called out for special treatment

While the EU is working through the connotations of the Draft EU AI Regulation and the UK’s AI Strategy looks to highlight a wide range of AI related initiatives, Data: A New Direction also addresses the UK’s take on the use of algorithmic systems as it relates to data protection. Again, the proposals look to a risk-based approach, with bias concerns mitigated to avoid unfairness.

Although it acknowledges the importance of “fairness” in processing personal data, particularly when novel technology like AI has the potential to create bias and discrimination, the Government queries the scope and certainty of the term. Clarifying what is meant by fairness in this context may assist in decision making but does risk lack of flexibility to assess the impact on data subjects as technology develops. The ICO has significant concerns that the concept of fairness should not be removed from the legislation and that the ICO should be able to engage with other regulators to ensure a “level playing field for business committed to fairness”.

Bias is a related issue and is of societal as well business and individual concern. The Government proposes that use of personal data for detection, monitoring and correcting bias should be a specified activity falling within scope of the legitimate interest legal basis for which the balancing test is not required (as detailed above). This has got to provide useful reassurance for organisations trying to do the right thing, although the ICO would like to see more in the way of analysis before backing the approach whole-heartedly. The Government also points to processing of special category data in the context of bias detection, contemplating the introduction of a new derogation to permit such processing (the ICO’s preference) or directly controllers to the existing equality derogation (inappropriate in the ICO’s eyes).

The Government also looks for views on whether use of personal data for training and testing AI should be more straightforward and permissive, whether (subject to safeguards) easing data protection compliance in the test phase would encourage take up of the technology. The ICO points to its own regulatory sandbox and guidance here and calls for more detail before commenting further.

Beyond pure AI, the Government criticises the uncertainty and inconsistency of application Article 22 UK GDPR and the restrictions it imposes on personal data processing for certain automated decision making. It is particularly concerned that increased use of automated decision making (when human oversight is no longer appropriate) by organisations in practice will not align with the obligations under Article 22.  It is therefore requesting input on whether the Article 22 is adequately scoped and future proof. More radically, it looks to respondents for views on whether automated decision making without human oversight should in fact be permitted (ie Article 22 removed) subject to compliance with the rest of data protection law. Whilst the ICO appreciates the focus on providing more guidance, it disagrees with the idea of removing Article 22 in its entirety, pointing out that the obligations only attach to scenarios where the decision making has legal or similarly significant effects on data subjects-ie those situations where individuals may legitimately want human oversight. Removing this right says the ICO “could lead to a perception that decisions are made purely by unaccountable algorithms” which “could undermine public support for the use and deployment of AI, even where it delivers substantial economic and social benefits.”

Separately the Government looks to understand profiling and its impact on specific groups of people, about which, much can be inferred. Given the increasing reliance by organisations on profiling to tailor their offering, this is an area of debate that organisations will be keen to track, particularly as the Government discusses the relevance of many existing safeguards in this context.

However the UK regime looks to address AI, most developers of AI systems will not want to limit their products to a single market (eg the UK). As such, irrespective of whether the UK takes a more permissive approach to AI and data use, developers will likely need to comply with the requirements of the EU’s AI Act, as and when it is finalised. For example, as currently drafted, the AI Act would require a provider of an AI system (ie a developer) to comply with the EU GDPR.

Free flow of data

Coming on the heels of the DCMS International Data transfers: building trust, delivering growth and firing up innovation guidance, we see the free flow of data themes mirrored in Data: A New Direction. Where the Government’s August guidance highlights the intention to champion international flows of data using flexible, innovative approaches and removing “unjustified barriers to international data transfers”, Data: A New Direction describes the proposals as aimed at securing the UK’s status as a global hub for free and responsible flow of personal data, both for trade and security.

This is an area where there are clear links between the UK’s approach to international data transfers and concerns within the EU regarding onward transfers of personal data from adequate jurisdictions. Can the UK progress its proposals whilst retaining its EU adequacy status? The Government specifically states that “Outside of the EU, the UK has an opportunity to consider both the impact of the [Schrems II] judgment on its transfers regime and how best to support international data transfers in the future”  but it also recognises “the importance of maintaining interoperability between the UK’s regime and other regimes, built on a shared international understanding of the underlying principles of data protection in order to create a coherent environment for business seeking to operate internationally”. Organisations will certainly hope for a happy medium. 

In particular, the Government foresees:

  • taking a creative, collaborative, flexible and pragmatic approach to granting more adequacy decisions as described it its August International Data transfers guidance. This would involve taking a risk-based and outcomes-focused view, considering the likelihood and severity of actual risks to data subject’s data protection rights, rather than presence of academic or immaterial risks in practice. Redress for data subjects should be effective and provide legally binding remedies, whether through judicial or administrative routes. The Government also raises the option of making adequacy regulations for groups of countries, regions or multilateral frameworks and proposes an ongoing monitoring approach rather than looking to review adequacy regulations every four years;
  • improving the proportionality, flexibility and interoperability (with regimes in other jurisdictions) of alternative transfer mechanisms (such as standard contractual clauses, binding corporate rules, codes of conduct and certification mechanisms under Article 46 UK GDPR) and empowering the Secretary of State to formally recognise new mechanisms as may be developed overseas. Helpfully for business, the desire to improve proportionality includes proposals to provide more detailed, practical support for organisations when determining whether those mechanisms provide necessary protections, whether there are enforceable data subject rights and effective redress and what safeguards are reasonable and appropriate in the context of risk;
  • exempting reverse transfers (transfer back to an overseas originator) from international transfer requirements, though the ICO considers that data flow complexities mean an apparently simple exemption may be difficult for data controllers to rely on;
  • consideration of organisation-led alternative transfer mechanisms, similar to a process in New Zealand. This may provide greater flexibility but has the potential to result in variable levels of protection and for regulatory uncertainty between counterparties and for data subjects. The ICO suggest more information on oversight processes would be beneficial;
  • revising the certification scheme to recognise different accountability approaches overseas, enabling greater interoperability and broadening range of certification bodies; and
  • permitting repetitive use of certain Article 49 derogations (circumstances in which international transfers may occur despite lack of adequacy decision or alternative transfer mechanism) albeit only when necessary and where neither adequacy nor alternative mechanisms are appropriate. The ICO anticipates that where transfers are repeated and predictable, an alternative transfer mechanism under Article 46 should be utilised. It can however envisage limited scenarios where this change would be beneficial but suggests further safeguards may help to protect individuals if repeat use of derogations is, rarely, the only option.

In general, the ICO appreciates the Government’s intentions but reiterates the need for maintenance of high standards of data protection, a desire for further detail on proposals and the importance for businesses of all sizes to retain the UK’s adequacy status in the eyes of the EU to bring certainty to their operations. It also reminds us that accountability requirements mean that data controllers must satisfy themselves of their compliance when transferring data, despite any increase in guidance and support.

The ICO has also published a broad consultation on plans to update guidance to international transfers, international data transfer agreements and transfer risk assessments. 


In recent years the EU has tried to update the e-privacy regime to better align with current technology use and the GDPR. It has yet to finalise reforms. One of the areas where frustrations abound is in relation to restrictions on the use of cookies and how business must engage with individuals on the issue. In line with wider calls to address consent fatigue and plethora of pop-ups looking for permission to drop cookies and similar technologies, the Government wishes to improve user experience and business benefits. The ICO generally welcomes this initiative. 

In relation to the Privacy and Electronics Communications Regulations 2003 (PECR), the Government is considering broadening scope of permitted cookies use without consent for analytics purposes (albeit subject to safeguards and with an obligation to continue to provide information to users) and possibly for other limited purposes such as an organisation’s legitimate interests where impact on the individual’s privacy is minimal (eg to detect technical faults or enhance website functionality, and potentially subject to safeguards such as pseudonymisation, prohibition on profiling, transparency notice). As the ICO notes, these changes are not necessarily significant from a protection point of view, though would need consideration in light of other changes to protections offered under the UK GDPR (eg legitimate interests).

More radically and raising a red flag for the ICO, the Government goes on to query whether there is benefit to removing prior consent for all types of cookies, relying on compliance with UK GDPR for protection alone. This is a much more significant shift that may only benefit those organisations not otherwise looking to meet requirements of overseas legislation and which the ICO fears may lead to gaps in protection for individuals.

The Government also questions the ease with which individuals can set their privacy preferences and whether, taking account of market power of some of the digital players, there is scope to use browser, application or device settings more effectively. The ICO considers that this is an area where international cooperation would be beneficial. It also calls for the Government to go further in considering the pros and cons of legislating against cookies walls and ensuring the ICO has sufficient enforcement powers to ensure compliance.

Direct marketing and nuisance calls

One of the areas that the ICO consistently identifies as generating the greatest level of enforcement action is in relation to unsolicited direct marketing and fraudulent calls and emails. The Government recognises this and proposes a number of enhancements to ICO powers such as:

  • the ability to act on calls sent rather than just those received;
  • obliging communications providers to report on suspicious traffic; and 
  • increasing fines levels to mirror those under the UK GDPR (up from £500,000 to £17.5 million or 4% of global turnover) and enabling ICO use of assessment notice to access premises, documents and equipment.

These proposals, notably regarding fine levels, are likely to focus business attention on marketing activities, particularly as the ICO supports the suggestions and indeed calls for discussions as to how its enforcement powers under PECR can be further bolstered.

The ICO is also broadly positive about plans enabling non-commercial organisations (such as charities and political parties) to use soft opt-in approaches to marketing, just as a commercial business would, albeit with further consideration of the impact on vulnerable people necessary.

Public sector data use

The Covid pandemic is called out as a driver for new processing of health data but it has also raised issues the Government wishes to address. It is also keen to implement lessons learned from the “joined-up” use of data in relation to other priority areas, such as improving outcomes in education, the levelling-up agenda or the Net Zero target in relation to greenhouse gas emissions. Whilst clearly relevant to the public sector, private sector interaction with public authorities may also be impacted. Amongst other things:

  • it proposes that private companies and organisations processing on behalf of a public body should, subject to safeguards, be able to rely on the legal basis of processing in order to deliver public tasks set out in law (Article 6(1)(e)). This is relevant to processing in contexts other than health related scenarios, such as law enforcement too. Certainly, additional lawful bases to process data is likely to be welcomed by business but as the ICO highlights, private companies are not subject to many of the additional safeguards applicable to public sector organisations (eg confidentiality, judicial review, misconduct charges, FOIA) and so individuals may fear the loss of rights unless detail is provided about how the interactions would work in practice. The ICO is also interested to understand more about the proposed allocation of responsibility and accountability when it comes to determining that all relevant aspects of the public task lawful basis are satisfied-ie whether that responsibility sits with the public authority, rather than the private sector organisation;
  • in emergency scenarios (public health or otherwise), the Government is proposing that the Article 9 condition permitting processing of health data for reasons of substantial public interest be relaxed such that oversight of a healthcare professional or confidentiality duty is no longer required. Whilst this may smooth the path to processing for the benefit of society, there are certainly data protection risks to loosening safeguards, particularly when the detail of what constitutes an emergency and the nature of associated safeguards is unclear if they don’t include the likes of confidentialty. The ICO also points to options for the Government to legislate in response to a particular emergency as the needs become clear, without need for a pre emptive reduction in protection, albeit we have seen relatively little in the way of mandated testing and vaccination in relation to the Covid-19 pandemic in the UK for example;  
  • compulsory transparency reporting on the use of algorithms in decision-making is proposed for public authorities, designed to improve trust in Government use of data; and
  • the nature of what constitutes “substantial public interest” in the context of an Article 9 condition to process special category data is up for clarification, through use of a definition (preferred by the ICO as the most flexible approach) or specification of further situations which are deemed to be in the substantial public interest.

So where does this leave us?

As organisations wrestle with significant changes in the data protection world – multiple jurisdictions implementing new legislation (such as the Personal Information Protection Law in China) and new international transfer requirements and mechanisms in the EU and UK to name just a few – there will be a desire for clarity and certainty around the UK’s direction as soon as possible. Undoubtedly businesses will be keen to understand how areas of friction in their compliance processes can be reduced and where changes will fit with existing, well established arrangements. The Government considers that its proposals offer improvements on the current regime whilst maintaining the UK’s “worldwide reputation for high data protection standards and security public trust”. The DCMS consultation closes on 19 November and it will be interesting to see whether organisations across sector boundaries agree. In any event, with multiple adaptations and pros and cons for business and privacy rights, there will likely be plenty of debate on the road to any revised legislation. Individually there are many proposals that will aid business, but it will be important to get the balance right such that, when taken together, the UK continues to offer sufficient data protection alongside its encouragement of innovation.


Related expertise