Earlier this month, the UK Information Commissioner (ICO) gave evidence at the House of Commons to the committee scrutinising the Data Protection & Digital Information Bill. Today they’ve published a written response to the Bill. I’d like to share important updates on the DPDI No 2 Bill, based on the Information Commissioner’s Response.
Here are the ICO’s key points:
- Definition of Personal Data: New drafting introduces potential privacy risks and requires robust protection measures.
- Research and Statistical Purposes (RAS): Organizations may face challenges benefiting from RAS provisions due to unclear drafting on retaining the “key” for de-aggregation of aggregate data.
- Consent for Scientific Research: Clarity and structural improvements are suggested to enhance understanding of consent clauses for scientific research purposes.
- Purpose Limitation: Inconsistencies with other parts of the legislation raise concerns regarding misinterpretation and controller responsibilities.
- Vexatious or Excessive Requests: Language inconsistencies and a shift in the threshold for refusing data subject requests require careful consideration of all circumstances.
- Information to be Provided to Data Subjects: Exceptions to transparency information may not adequately cover cases where full transparency could undermine research objectives or where providing privacy information is costly.
- Automated Decision-Making: Further clarification is needed to determine if human involvement is required for decisions “based on entirely automated processing.”
- General Obligations and Duty to Keep Records: Clarity is needed on “appropriate measures” versus “technical and organizational measures,” as well as guidance on high-risk processing activities and mandatory risk assessments.
- International Transfers of Personal Data: Chapter 5 changes aim to clarify adequacy decisions and alternative transfer mechanisms, but further clarity is required.
These updates reflect the ICO’s recommendations for enhancing the clarity and effectiveness of the second Data Protection & Digital Information Bill. Organizations should consider the implications for data protection practices.
For questions or further assistance regarding these changes, please reach out.
Lynsey Hanson | Data Protection Officer