UK.gov denies data processing framework is 'sinister' – but admits ICO has concerns
Minister says commish is 'free to disregard' framework if it is 'irrelevant'
The government has moved to allay fears over amendments to the Data Protection Bill that critics say could undermine both the law and the powers of the UK’s privacy watchdog.
The changes, for a Framework for Data Processing for Government, were quietly inserted at the Bill’s final committee stage in November – but soon faced a backlash from privacy groups, opposition parties and the Information Commissioner’s Office itself.
Critics were concerned that the new clauses granted the secretary of state broad powers to determine the content of the framework, while making it hard for the ICO to either challenge that content or even enforce data protection law.
In the most recent House of Lords debate on the Bill, Lord Ashton of Hyde – government minister for the Department for Digital, Culture, Media and Sport – moved to justify the framework.
“I hope that by the end I will be able to convince noble Lords that this is not quite as sinister as has been made out,” Ashton said in his opening remarks in the discussion.
However, he did then acknowledge the ICO’s concerns – the body said back in December that the new clauses “go beyond" their stated ambition and "create different risks".
“I am not pretending that she [commissioner Elizabeth Denham] is completely happy with this… [but] it is one of the few areas in the whole Bill where that is the case” Ashton said.
He acknowledged that the commissioner was "worried about complications regarding independence and the extent of her authority in this", but denied that the wording undermined her authority.
“She is free to disregard the Government’s framework wherever she considers it irrelevant or to disagree with its contents,” he said.
Pressed by peers on what exactly this meant, he added:
“I think it means that, if the Information Commissioner were considering the case of a data breach committed by the Government, she would normally take the framework into account, as she would take into account the guidance that other sectors produce.
“If, however, there were circumstances in which she did not consider that it was relevant for her investigation into whether the law had been broken, given that she is the enforcer of the law, she would be free to disregard it.”
He emphasised that the clause's use of the phrase “must take into account” meant that she should consider it, but was “not bound by the provision”.
Elsewhere in the debate, Ashton announced that the ICO would have pay flexibility – meaning it is not bound by strict civil service pay rules – up to 2020-21.
The aim is to ensure the ICO can afford to hire and retain data protection experts in a competitive field, especially as it will have more on its plate with the incoming General Data Protection Regulation.
The peers also accepted an amendment that aims to protect security researchers from a new offence for re-identifying anonymised data.
However, Lord Stevenson of Balmacara did flag up concerns raised by security researchers following the text of the amendment being released.
These relate specifically to the requirement that researchers report de-identification of data “without undue delay, and … where feasible, not later than 72 hours after becoming aware of it”.
So: if you discover that combining <some NHS dataset> with <some Education dataset> appears to yield <identification of named children with cancer across London>, then you MUST get your shit together and report your findings upstream within 72 hours, or explain to a judge, why.— Alec Muffett (@AlecMuffett) January 10, 2018
Stevenson said during the debate: “That is a very tight timetable. Again, I wonder if there might be a bit more elasticity around that. It does say “where feasible”, but it puts rather tight cordon around that."
He added: “We are asking a researcher to go to court, perhaps, and defend themselves, including arguing that they have satisfied [these clauses], which is a fairly high burden.
“All in all, we just wonder whether how this has been framed does the trick satisfactorily.”
Ashton said that he could not give an answer to these comments "off the top of my head", but would "commit to taking those points back and having a look at them".
The Bill has its third reading on Wednesday. ®