The Data Protection and Digital Information Bill
Personal data: handle with care
We’ve all heard of the problems that have been caused when data about individuals has been misused or misinterpreted, often by machines implementing algorithms that are poorly designed or unfair. You may remember these recent examples:
Women with darker skin are more than twice as likely as lighter-skinned men to be told that their photos fail UK passport rules when they submit them online.
An IBM “Oncology Expert Advisor” system was found to be providing doctors in the USA with erroneous, dangerous cancer treatment advice.
A poorly designed automated credit check caused one man to be labelled "credit unworthy", which then led to his bank account being closed, his credit card being refused credit and mobile phone contracts being refused. (JAAG 2021 Annual Report)
Proposed changes to data law
At present, the UK Data Protection Act 2018 controls how personal information can be used. It provides a legal framework for keeping everyone's personal data safe by requiring organisations, businesses and the government to have robust processes in place for handling and storing personal information. Everyone using personal data has to follow strict ‘data protection principles’; for example, they must make sure the information is used fairly, lawfully and transparently, only for specified purposes, and that it is handled in a way that ensures protection against unlawful or unauthorised processing, access, loss, destruction or damage. There is stronger protection for more sensitive information, such as race, ethnicity, religious beliefs, genetics, biometrics, health, sex life etc.
However, the Government intends to change this and other data protection legislation through the Data Protection and Digital Information Bill, currently going through Parliament.
The Bill’s aims are to encourage more data flows, increase revenue and reduce administrative burdens on businesses and small organisations. The government wishes to expand data flows across borders through trade agreements such as the UK-Singapore data agreement that was signed a few months ago. While these aims may be laudable, JAAG believes that the key to their fulfilment will be to do so without reducing protection for individuals.
Note: the passage of the Bill through the House of Commons was paused by Secretary of State Michelle Donelan to allow the Government to reassess it; this means that the Bill might be altered further by the Government before being considered in committee.
JAAG’s analysis
Last November, JAAG sent off a detailed response to the UK Government’s planned changes in the law on data. We said that these far-reaching proposals would significantly weaken individuals’ rights not only to protect their personal data but also to challenge any misuse of their data or loss of confidentiality. JAAG sees this as a human rights issue.
Earlier this year, despite much opposition from groups representing civil society like JAAG, the Government decided to go ahead with most of their proposals, and published the Data Protection and Digital Information Bill.
For businesses, one aspect of the Bill that is raising concern is the issue of ‘adequacy’; this term refers to an arrangement whereby the EU assesses whether the data protection legislation in a non-EU country (such as the UK) is sufficiently strong as to allow that country’s businesses to share data with countries in the EU. Some observers say there is a risk that the Bill, by introducing weaker data protection in the UK, might make it unlikely that UK businesses would be allowed to share data with countries in the EU, and vice versa; this might adversely affect those companies’ ability to trade with the EU. Another risk is that UK organisations handling EU citizens’ data (e.g. companies exporting or marketing to EU countries) would have to comply with two sets of legislation, meaning an additional administrative burden and costs.
But what about the person in the street?
What would be the impact of this Bill if it became law?
Would it make it easier for us to control the way that data about us is used?
Could more decisions be taken about us by machines?
JAAG’s project team has analysed the Bill. Here are some key findings.
Important aspects of the current UK law include that:
people have to make a positive decision to allow their information to be stored (e.g. via cookies on a website);
people can find out how their personal information is being collected and used;
people can be confident that their data has been used only after a thorough assessment of the risks involved; and
people have the right for decisions about them to be taken by human beings, not by machines using artificial intelligence or algorithms alone.
The Bill, if it becomes law, will change each of these aspects (and more besides).
Who is using personal information about me?
At present, people can ask any organisation about the data it holds on them, and can make a complaint if they disagree with it. The Bill would make it much easier for organisations to refuse these requests, thereby unfairly limiting people’s access to their own data.
JAAG wants Clauses 7 and 9 to be removed from the Bill as they significantly limit people’s ability to find out how their personal data is being collected and used.
Why are they using my personal data?
At present, the law has safeguards to make sure that high-risk processing of personal data can only take place after certain procedures have been followed to assess any risk and to ensure that the organisation processing the data can be held responsible. The Bill would remove the obligation to describe how the data will be used or to consult with those who are impacted by it; instead, organisations would be free to choose how to demonstrate compliance with the law and would ‘self-evaluate’ their efforts.
JAAG wants the Government to remove from the Bill changes that lower these minimum requirements.
Who refused my application – a person or a machine?
At present, the law says that there has to be a human being involved in any decision about a person – decisions cannot be taken by computers alone. The Bill would allow solely automated decision-making in a range of cases. Furthermore, the Bill would limit an individual’s right to know whether automation is being used, to obtain human intervention or to contest decisions.
JAAG wants Clause 11 and Section 50C to be removed, so that the requirement for human oversight of decisions is retained and people can know how decisions about their lives are being taken.
Who will support me?
In addition, the Bill would significantly weaken the role of the (currently independent) Information Commissioner’s Office (ICO) in investigating breaches of the rules and assisting citizens who feel they have been unfairly treated. The ICO would become answerable to the Secretary of State (instead of to Parliament).
JAAG wants the ICO to remain fully impartial.
Who makes the law?
Furthermore, the Secretary of State would be given wide powers arbitrarily to change the safeguards in the legislation, without referring the matters to Parliament for approval.
JAAG wants any changes to data regulations to be subject to scrutiny by Parliament.
JAAG’s view
The Data Protection and Digital Information Bill aims to encourage competition by making it easier to use, exchange and store data. This is a complex issue and there are many stakeholders, each with different needs. The challenge is to regulate a sector in which poor practice is well established; individual users cannot know whether the data platform they are using has their interests at heart, or the interests of other organisations.
JAAG is concerned that, if enacted, the Data Protection and Digital Information Bill could seriously weaken individuals’ rights to protect their personal data and to challenge its misuse or loss of confidentiality.
Two key UK legislative texts on data protection are:
(1) the Data Protection Act 2018, through which the UK, as a then member of the EU, gave effect to the EU General Data Protection Regulation; and
(2) the Privacy and Electronic Communications Regulations, through which the UK gave effect to the EU Privacy and Electronic Communications Directive 2002/58/EC.
The new bill relates to aspects of both of these.