Now that the UK has left the EU, the government wants to create a new data regime, which will build on the retained EU version of the General Data Protection Regulation (EU) 2016/679 (UK GDPR) along with the Data Protection Act 2018. As the first step towards reforming the regime, the ‘Data: a new direction’ public consultation was launched by the Department for Digital, Culture, Media and Sport on 10 September 2021 and closed 19 November 2021.
Last time, B P Collins’ corporate and commercial team looked at Chapter 4 of the consultation – Delivering better public services. This week it summarises the final chapter, Chapter 5 – Reform of the Information Commissioner’s Office.
ICO transparency and accountability
To improve ICO transparency, it has been proposed that the ICO should publish key strategies and processes that guide its work. The ICO welcomes this proposal and believes that it should be transparent about its regulatory priorities and approach.
In terms of improving the ICO’s accountability, it has been proposed that the ICO should give anticipated timelines at the outset of investigations. Both the Law Society and ICO comment that if the ICO has to provide timelines, it must be adequately resourced to meet these deadlines.
ICO governance and leadership
There is a proposal to review the ICO’s governance model and leadership and ensure that it follows best practice. In response, the ICO wants to ensure that any changes do not affect its independence as a regulator. For example, the ICO does not believe that the Secretary of State should be able to approve or reject codes of practice or new guidance. Similarly, they contend that the Chief Executive of the ICO should be appointed by the ICO Chair and Board and not via the Public Appointments process.
The government wants to provide the ICO with a clearer strategic vision by providing it with an overarching objective (to uphold data rights and encouraging trustworthy and responsible data use) and strategic priorities such as economic growth, competition, public safety, and regulatory cooperation.
The Law Society does not see how the overarching differs from its current objectives as the UK’s independent body set up to uphold information rights. On the other hand, the ICO is broadly supportive of these proposals and believes that these would enhance its purpose and accountability.
Reform of the ICO’s complaints handling process
The government highlighted that the ICO spends significant resources on handling complaints (there were 36,607 new complaints recorded in 2020/2021). Therefore, the government has proposed to implement a more proportionate regulatory approach to complaints.
One idea that is supported by the ICO is to introduce a requirement for a complainant to attempt to resolve complaint directly with data controller first before reporting to ICO. The ICO has also suggested that it could be given the power to make recommendations about how best to resolve complaints. Another potential reform to the complaints handling process would be the produce criteria where the ICO could decide not to investigate a complaint. The ICO acknowledges that this would allow the ICO to have discretion when dealing with complaints. However, it states that any such reform should not adversely affect individual’s rights.
Increase ICO powers
The government has also proposed measures that would increase and strengthen the ICO’s current supervision and enforcement powers, which are supported by the ICO. These measures include:
- increasing the fines that the ICO can impose under the Privacy and Electronic Communications Regulations 2003 for those that carry out unsolicited marketing calls;
- a new power to commission a third-party report to inform complex investigations;
- the power to compel individuals to interview (this is a power that other regulators such as the Financial Conduct Authority and the Competition and Markets Authority already have); and
- the extension to the deadline for the ICO to issue a final penalty notice from 6 to 12 months and ‘stop the clock’ powers if information is not received on time, which would provide more time for those under investigation to respond and the ICO more time to investigate.
Whilst the government is currently analysing the responses to the Data: a new direction consultation, some of these proposals are already being implemented (such as the new international data transfer agreement which has already been published . It remains to be seen which other proposals will form part of a draft bill and how soon this will progress to the next stage of the legislative process.
However, with the government’s goal of developing a new data regime following Brexit, it is likely that there will be significant changes that affect the way personal data is processed and it is important to stay up to date with this fast-changing area.
If you’d like to sign up to more complimentary articles to your inbox, please contact email@example.com.