
01.04.12

For whose eyes only?

Source: Public Sector Executive Mar/Apr 12

The EU has published proposals to overhaul the data protection framework, which could impact compliance and risk management for UK public sector organisations and businesses. Adam Hewitt reports on the Information Commissioner’s Office analysis of the proposals, and gets an industry view from Christian Toon, head of information security at Iron Mountain.

The EU is keen to implement pan-European regulation of data, replacing the existing ‘patchwork’ of 27 separate national systems and the 1995 Directive, while also modernising the rules in line with the way people live, work and interact in the digital age. Following the publication of a new strategy in 2010, the European Commission has published both a proposed new Regulation and a new Directive.

The draft General Data Protection Regulation would apply in all member states and replace current laws. It would introduce new privacy rights, such as a ‘right of portability’ and a ‘right to be forgotten’, require clear and simple information to be provided to the individuals concerned, and require their explicit consent for the processing of their data, known as an ‘opt-in’ rule.

New rules will also apply to the processing of data relating to children, and to notifying EU authorities of data breaches within 24 hours. For companies, severe new sanctions will apply in serious cases, with authorities able to impose penalties of up to 2% of worldwide turnover.

In its initial analysis of the proposal, the Information Commissioner’s Office (ICO) – the UK regulator on data protection – notes that the proposals are a “positive contribution” on updating the law in line with reality, and it accepts that a Regulation or new Directive is needed, because just updating current national laws across the EU could produce even more disharmony.

Its analysis says: “Doing nothing would mean that personal data will not be satisfactorily protected within the EU and that businesses will continue to be expected to comply with a patchwork of out-of-date national laws that do not reflect current business reality.”

But the ICO is also clear that it does have concerns with the proposals, starting with the excessive two-year implementation period, which it says could easily be shortened.

The ICO makes the important point that it has “doubts as to whether complete harmonisation [across the EU] is possible, or even desirable, given that key concepts in the law such as fairness depend on these factors which necessarily vary from one member state to another”.

It suggests that the new proposal is perhaps over-prescriptive, saying that more prescription will not necessarily mean better data protection overall, as this works best when data controllers can “see a clear link between the measures they are required to take and the protection of privacy” – otherwise it can come to be seen as pointless and burdensome red tape.

The ICO recommends that it be “put beyond doubt” that public authorities can lawfully process personal data when it’s necessary to comply with access to information laws, which themselves must have regard for privacy protection. The analysis also doubts the practicality of forcing non-EU data controllers to comply with the regulations, despite the potential advantages if this can be enforced in some way. It says: “…in reality, non-EU data controllers’ compliance with the Regulation would be voluntary. The Regulation should be realistic about this and should not lead EU consumers to believe that the law offers them a degree of protection that, in reality, it cannot deliver.”

It is pleased at the progress made on identifying information generated online as personal data, and at the consolidation of the existing, confusing, ‘ordinary’ vs ‘explicit’ consent under one single heading of ‘consent’.

It wants a better approach to the question of whether information falls within a ‘relevant filing system’, saying: “A better approach might be to focus on the accessibility of information relating to a particular individual rather than solely on the structure of system.”

The ICO has significant concerns about the way children are treated in the proposals, noting, for example, that they still need to be able to call confidential support lines.

It also wants the ‘principles’ on personal data processing harmonised between the Regulation and Directive. It is critical of both the existing and proposed approach that prohibits data processing unless a particular condition exists, saying that while this may work in European codified legal systems, it works much less well in the UK, where things are generally acceptable unless specifically made illegal.

There are dangers, it says, that public authorities may be prevented from processing data in a way that’s “desirable, unobjectionable and helpful” to citizens, just because the law does not specifically permit it. But it says as this is a “fundamental part” of the EU approach, it is unlikely to change.

It disagrees with the binary categorisation of personal data into sensitive and non-sensitive, and with some of the specific decisions made on this from a UK perspective, where trade union membership would generally be seen as non-sensitive but financial status as sensitive, for example.

The ICO is strongly supportive of the moves to strengthen rights over data, such as the requirement for clarity, accessibility and plain language.

The right to be forgotten and for erasure of data, article 17, is “one of the more interesting parts” of the proposed Regulation, the ICO says, with many potential benefits, but also inherent threats to freedom of expression and an accurate historical record.

It gives the example of public figures trying to have embarrassing information removed from a newspaper archive. It says it wants people to have a realistic understanding of the limitations of this ‘right’, which it says should be worded less ambitiously.

The new right to object shifts the burden to the data controller from the citizen, as there will no longer be a need to prove unwarranted damage or distress is being caused.

It questions the potentially “unfair and disproportionate” idea that data controllers could face enforcement action just for failing to have the proper paperwork in place proving they have the right data protection policies, administrative measures and personnel in place, if they have not actually done anything detrimental to people’s privacy. It says this should instead be seen as good practice, but that the lack of such policies will be taken into account in the event of enforcement action over breaches.

The ICO is scathing about some of the bureaucratic hurdles thrown up by the proposals, noting over and over again that the regulations should be about protecting privacy and personal data – not creating paperwork for its own sake.

It says at one point: “Again there is too much emphasis on mandating the bureaucracy of data protection when the objective of the Regulation is the protection of personal data in practice rather than the creation of paperwork.”

The ICO also has some concerns over the procedure when breaches occur, both in terms of time limits and who is notified first, but in general is “strongly in favour” of a legal requirement for notification.

It condemns prior authorisation clauses when transferring data overseas as “disproportionately burdensome and bureaucratic”, and questions the need for mandatory data protection officers, suggesting instead appointing a senior executive as ‘chief privacy officer’.

It suggests that national supervisory authorities have too many duties placed on them by the proposals, with “considerable resource implications which need to be thought through by member states.”

It wants it “put beyond doubt” that the unlawful obtaining of personal data through methods like ‘blagging’ will be able to remain a criminal offence in the UK, rather than coming under civil law alone.

The exact timeline for the implementation of the proposals now depends on the EU’s law-making process and decision by the European Parliament.
