There have been many developments in data protection over the last few years, ranging from the implementation of the GDPR and the decision in the Schrems II case to new agreements and processes for international data transfers.
In September 2021, the UK Government launched a consultation – ‘Data: a new direction’ – as part of its proposals to reform the UK’s data protection laws (the Consultation). We have known for a while that the Government is keen for further changes to the UK data protection regime; it has previously stated that its aim is to create a new and fresh framework which empowers citizens through the responsible use of personal data whilst reducing the burdens on businesses that impede the responsible use of personal data.
In June 2022, the Department for Digital, Culture, Media and Sport (the DCMS) published its response to the Consultation (the Response) and set out its proposals for the UK’s Data Reform Bill. The full outcome report can be found here: Data: a new direction – government response to consultation – GOV.UK (www.gov.uk)
The Consultation was wide in its scope; below we explain some of the key proposals relevant to employers.
Data subject access request (DSAR) changes
DSARs remain one of the most exercised rights in a data subject’s arsenal. Data subjects must be able to check the accuracy of the data held about them, learn more about how it is being used, and find out who it is being shared with.
However, as many employers know, dealing with requests, particularly those by disgruntled ex-employees, can be time consuming and burdensome on resources. Companies have been vocal on the pitfalls of DSARs and many will be pleased to have seen such emphasis placed on them in the Consultation.
The Consultation considered whether the threshold for refusing to respond to a DSAR (where it is manifestly unfounded or excessive) was too high and whether data subjects should be charged a fee.
The ICO defines “manifestly unfounded or excessive” as a request where “the individual has no clear intention to access the information or is malicious in intent and is using the request to harass an organisation with no real purposes other than to cause disruption.”
Respondents noted that this threshold is often perceived as far too vague and is unlikely to cover very common requests in situations where employees are leaving on bad terms, where requests are being used to fish for opportunities, or where they are used to circumvent the strict disclosure principles in order to gain early access to litigation information.
The Consultation notes that the Freedom of Information Act has what is perceived to be a lower threshold for refusing a request. Section 14(1) of the Freedom of Information Act “does not oblige a public authority to comply with a request for information if the request is vexatious.”
In determining what might constitute “vexatious”, the ICO considers that “the key question you must ask yourself is whether the request is likely to cause a disproportionate or unjustified level of disruption, irritation or distress”. Similarly, it was noted that the Freedom of Information regime has a form of cost ceiling to prevent requests from disrupting organisations.
The good news for organisations is that the Government’s view aligns with the views of those that have experienced the spiralling costs of DSARs. Consequently, the Government has decided to proceed with changing the current threshold and to bring it in line with the Freedom of Information regime. However, no cost ceiling will be introduced.
The ability for an organisation to charge a fee for responding to a DSAR was discussed in the Consultation and the Response, but ultimately the Government has decided not to pursue this. The majority of respondents believed that a fee would pose a direct risk to vulnerable people in society, a concern that outweighed the view of those who believed it could be used to discourage vexatious or repetitive requests.
Legitimate interests
Whilst the ICO describes legitimate interests as “the most flexible lawful basis for processing”, we know that this can still be a challenging basis for organisations to navigate. Currently, to rely on a legitimate interest, organisations must:
- Identify the legitimate interests;
- Show that the processing is necessary to achieve this interest; and,
- Undertake a balancing test as to whether the interests in processing the data outweigh the rights of the data subject whose data is being processed.
In the Consultation, the Government proposed creating a limited, exhaustive list of legitimate purposes that companies can rely on without having to run the balancing test.
This received very mixed responses and, in its Response, the Government commented that it hoped to pursue the proposal, albeit with a very small number of carefully defined purposes.
Removal of data protection officers
Organisations are required to appoint a DPO if they meet one of the following requirements:
- They are a public authority or body;
- Their core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- Their core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.
Many organisations choose to appoint a DPO even where not required, providing a direct reporting line to help monitor compliance and advise on governance and data accountability. Where a DPO is appointed, whether mandatory or not, they must be independent, an expert in data protection, adequately resourced, and must report to the highest management level.
The Government sees this as an overly burdensome and often unpopular role, and proposed to remove it in the Consultation. The Government’s view was echoed by respondents to the Consultation and, as such, the proposal will be taken forward. Instead, organisations will be required to appoint a senior individual (which can be an internal appointment) to oversee the organisation’s data protection compliance.
Removal of data protection impact assessments
Another removal touted by the Government in the Consultation targeted the need for Data Protection Impact Assessments (DPIAs). These are required in the event your organisation processes any data that is likely to result in a high risk to the data subject.
Some respondents to this proposed removal indicated that a more flexible approach to DPIAs would be preferred. It was noted that organisations saw this requirement as a duplication of other internal risk assessments that achieved similar outcomes.
The Government does acknowledge that DPIAs can be a hugely useful tool in identifying risks and that having a mandatory requirement provides data subjects with a degree of comfort. As a middle ground, therefore, in the Response the Government has said it will seek to remove the requirement to conduct a DPIA but organisations must ensure that “risk assessment tools are in place for the identification, assessment and mitigation of risks across the organisation”.
Removal of the recording of processing activities
Organisations are required to document a large volume of information. This includes, but is not limited to, the organisation’s name and contact details, purposes of processing, categories of individuals, categories of data, safeguards in place, and retention schedules.
The Government has been vocal about how it sees this requirement, and others, as a “tick-boxing” exercise. It views the requirement as one that is burdensome to create and maintain.
A large majority of respondents felt that the obligation helped them meet their other requirements. Despite this, the Government is confident in its approach and will push on with removing this requirement to allow organisations more flexibility.
It is difficult to predict how this will work in practice and how, or if, this will lead to relief for organisations whilst still maintaining the high standards that protect a data subject’s data. We would expect changes here to have an insignificant impact.
What will these responses mean in practice?
Clearly, there will be some changes generated by the UK Data Reform Bill. However, we still predict that the UK’s data protection regime will remain closely aligned to the GDPR for the time being. The key consideration for the Government will be whether the changes affect the UK’s “adequacy” status, which is due for review by the EU in 2025.