The UK’s data protection watchdog has raised concerns with the government over new clauses slipped into the Data Protection Bill at the last minute, which critics say could undermine the law.
The clauses, inserted at the Bill's final committee stage in the House of Lords last month, are likely to receive heavy scrutiny at next week’s report stage.
They set out plans to allow the secretary of state to draw up a document - a Framework for Data Processing for Government - with guidance for how their department can process personal data.
However, some of the provisions in the new clauses (175-178; PDF, p99-101) have sounded alarm bells, with opponents saying they risk undermining the powers of the Information Commissioner’s Office.
Concerns are that, as it stands, the Bill grants the secretary of state broad powers to determine the content of the framework and who it applies to, while making it hard for the ICO to either challenge that content or even enforce data protection law.
Campaign group MedConfidential argued that the clauses “legalise government using data for anything it wishes”, saying that the secretary of state has the power to define and alter the framework with ease.
“This framework is the epitome of secretive, invasive, and nasty,” Sam Smith, coordinator of MedConfidential, said. “The decision to include it undermines public confidence in data, it undermines the ICO, it undermines the rule of law.”
Data protection expert Chris Pounder raised similar concerns, describing it as “a framework to undermine the ICO’s ability to enforce the new Data Protection Bill across the public sector”.
When The Register put such concerns to the Ministry of Fun, it said the government had consulted the ICO about the preparation of the new clauses.
However, the ICO said that, although it "recognises the need to clarify the legal basis for data processing in government and clearly defined parts of the public sector", it had contacted the government to “set out [its] concerns” about these provisions.
Reading the fine print
There are a number of points of contention in the Bill text. First is the way it provides for the framework to be scrutinised.
It says that “before preparing a document or amendments under this section, the Secretary of State must consult— (a) the Commissioner, and (b) any other person the Secretary of State considers it appropriate to consult.”
The crucial part here is the use of “consult” - or, as Pounder put it on his blog:
“Note the operative word is ‘consult’ as in ‘Mrs Thatcher consulted widely about the superb brilliance of the Poll Tax prior to implementation’. In other words, the Secretary of State having consulted the ICO, is free to ignore the ICO’s concerns (which history shows has often occurred).”
That the government doesn’t have to heed the ICO’s advice is of even more concern given that Parliamentary scrutiny is a negative, rather than positive, approval process. This means that, once the document has been laid before Parliament, lawmakers have 40 days to resolve not to approve it - a rare thing* - otherwise it automatically gets the green light.
A second issue is that various parts of the Bill seem to muddy the data protection waters. For instance, one says that people processing personal data under the terms of the framework (ie, someone working in government) “must have regard to” the framework.
Pounder described the problem this could create thus:
“If you were a data protection officer in a government department, do you follow the ICO or your secretary of state - given the framework says you must have regard to the secretary of state’s view of the state of data protection in his department?”
The Bill also seems to create an extra hurdle for the ICO, saying that “in determining a question arising in connection with the carrying out of any of the Commissioner’s functions, the Commissioner must take into account a provision of” the framework document.
A spokesman for the ICO told The Reg: “We have set out our concerns on these provisions with the government, especially around the ICO having to take account of secretary of state guidance. We believe this provision is not required as we always take other statutory guidance into account when exercising our powers.”
He added that it would provide further details on its concerns in its next parliamentary briefing.
For its part, the Department for Digital, Culture, Media and Sport said: “The government consulted the Information Commissioner in the preparation of clauses 175 and 178 and will continue to work with the ICO when preparing its guidance and ensure that there is no conflict with the ICO's statutory codes.”
The secretary of state “would give proper regard” to any comments made by the ICO in consultation on the framework, DCMS said.
The department added: “The Bill is still going through parliament and any amendments will be debated through this process.”
The Bill enters report stage, where peers will further examine and amend the Bill, on December 11.
*It's not often the House challenges texts in this way. Pounder said of this: "A House of Commons Library report states that the last occasion that the House of Commons used a negative resolution procedure to vote down a Statutory Instrument was on 24th October 1979 – forty years ago. (Older readers may recall that this involved the notorious, evil and dastardly Paraffin (Maximum Retail Prices) (Revocation) Order 1979)."