's plans for data processing framework create new risks, says watchdog

Peers table amendment to switch responsibility for drafting guidance from state to ICO

A set of clauses the government slipped into the Data Protection Bill "go beyond" their stated ambition and "create different risks", the information commissioner has said.

As drafted, the clauses grant government the power to draw up a framework to administer how departments process personal data with only a need to "consult" the commissioner; it doesn't explicitly say it has to heed any advice offered.

The Register reported earlier this week that the current state of the text had caused concerns, as experts said it could make it hard for the ICO to challenge the content of the framework or even enforce data protection law.

At the time, the ICO said it had set out its concerns to government, and it has now issued a stronger and more detailed (PDF) criticism of the text.

This reiterates that the commissioner "understands the need for government departments and public bodies to be clear about their legal basis for undertaking their functions".

However, it added: "The provisions as drafted appear to go beyond this limited ambition and create different risks that must also be considered."

Its most significant concerns are on a clause that puts a requirement on the ICO to take the framework into account when considering any question relevant to its functions.

The ICO pointed out that considering relevant statutory and sectoral guidance is already a major part of its job, adding that if the commissioner failed to do so, "she would be open to judicial review".

The provision, it said, "runs a real risk of creating the impression that the Commissioner will not enjoy the full independence of action and freedom from external influence when deciding how to exercise her full range of functions".

Additionally, the ICO warned that the current wording of a clause that allows the government to extend the framework to cover a specified person "with functions of a public nature" could apply to private actors who perform some public functions.

This power, it said, "seems unnecessarily wide", emphasising that the provisions "should just address those public bodies where there is a need for greater clarity on their legal basis for processing".

Meanwhile, three peers have tabled amendments (PDF) to the offending clauses to be considered in the Bill's report stage, which flips the power to write the framework from the Secretary of State to the commissioner and removes the statutory requirement for the ICO to take the framework into account.

Elsewhere in the ICO's briefing on the Bill, it raised concerns about possible "regulatory confusion" with other statutory codes of practice, the potential for a broad reading of "the purposes of defence" in a clause related to national security, and a wide exemption for immigration processing.

That exemption would remove a person's rights as a data subject if doing so would prejudice "effective immigration control" – which the ICO said needed to be "more focussed... with reference to specific statutory immigration functions".

It also echoed concerns that the provision could damage asylum-seekers' attempts to appeal Home Office decisions on their right to remain.

"If the exemption is applied, individuals will not be able to access their personal data to identify any factual inaccuracies and it will mean that the system lacks transparency and is fundamentally unfair," it said.

The Bill is due to enter report stage on Monday. ®

Biting the hand that feeds IT © 1998–2020