We have a General Election on 8th June, and as always there was a rush to sort out legislation before the dissolution of Parliament. In the ‘wash up’ of bills, legislation affecting data protection was passed in the Digital Economy Act.
The Digital Economy Act 2017 deals with a large variety of matters, some of which are:
- Providing for a ‘Universal Service Obligation’ for fast broadband services;
- Introducing a revised ‘Electronic Communications Code’ to make it easier to provide telecommunications infrastructure;
- Setting up an age-verification system for viewing on-line pornography;
- Amending on-line intellectual property offences and increasing the maximum penalty to ten years’ imprisonment;
- Including e-books in the public lending right;
- Extending the powers of OFCOM including the regulation of the BBC; and
- Powers to criminalise the use of ‘bots’ to obtain event tickets.
Data Protection changes
The three areas affecting data protection are:
- Public Sector Data Sharing;
- A Direct Marketing Code; and
- Powers for the Information Commissioner to charge fees.
Public Sector Data Sharing
The new Act contains seven chapters on 'Digital Government.' The first chapter sets the tone of the whole part by permitting extensive sharing of personal data between public authorities including water, gas and electricity companies, for service delivery functions yet to be specified by regulation.
Subsequent chapters deal with the disclosure of data by civil registration officials and the exchange of personal data for the prevention of fraud against, and the recovery of debts owed to, the public sector. Personal data can be disclosed by public authorities if identities are not disclosed and it is not reasonably likely that they can be deduced from the disclosed data.
Similar powers to disclose data in the public interest are given to HMRC and other revenue authorities.
These chapters contain confidentiality provisions, but with extensive exemptions. The overriding purpose of this legislation is to depart from the old policy that an individual dealt with each government department and function separately and confidentially.
In March this year, the Information Commissioner commented on these provisions in this way:
"The Commissioner recognises the potential benefits of justified and proportionate data sharing but it is important that any provisions that increase data sharing inspire confidence in those individuals who will be affected."
She called for the use of privacy impact assessments and the alignment of the codes of practice provided for in the new Act with her statutory code on data sharing.
Individuals might well be able to benefit from a one-stop shop for dealing with public authorities, and those authorities will have easier means of tracing fraudsters and debtors. Nonetheless, these new sweeping provisions raise concerns about privacy and confidentiality. Individuals might yet be surprised at the way their information is moved around and there must be a risk of excessive disclosure and abuse of the powers. The legislation also reveals that data protection can be more apparent than real, in that government can readily secure legislation that the use and disclosure of personal data for its purposes are in the public interest.
Direct Marketing Code
In 2013, the Information Commissioner published updated guidance on direct marketing, particularly when carried out by electronic means. The provision in this new Act would require the Commissioner to consult on and publish a statutory Code of Practice. The Code will contain ‘good practice’ and not just be limited to compliance with the law. The procedure for adopting the Code is the same as applies to the Data Sharing Code and requires the Code to be laid before Parliament. The Code will have 'Highway Code' status in that breach of the Code is not itself an offence, but the Code is admissible in evidence in any proceedings and, where relevant, must be taken into account by the Commissioner, a court or a tribunal. The Commissioner has welcomed the new provision as 'a useful tool' in ensuring compliance and expects the new code to sit "at the top of a hierarchy of industry codes, such as those produced by the Direct Marketing Association and the new Fundraising Regulator."
Fee raising Powers
During the passage of the Bill for the new Act, provisions were added which address one of the problems raised by the new General Data Protection Regulation (GDPR). The GDPR abolishes a number of procedural requirements including notification or registration. Charging a fee on registration has been the means by which the Information Commissioner’s data protection activities have been funded. This Act prospectively repeals the notification requirements in the Data Protection Act 1998 and provides that:
"The Secretary of State may by regulations require data controllers to pay charges of an amount specified in the regulations to the Information Commissioner."
The fee does not have to be for any service provided by the Commissioner. So our doubts have been answered. The Commissioner will continue to receive fees in order to fund her data protection functions. In her March comments, Elizabeth Denham remarked that:
"The Commissioner welcomes government amendments on regulations about charges payable to the Information Commissioner…"
She must be mightily relieved.