February 13, 2017

The briefing updates the Commissioner’s written evidence to the House of Commons Public Bill Committee from October 2016. It focuses on: digital government (Part 5); the statutory direct marketing code (Part 6); and age verification for access to online pornography (Part 3).

On digital government, the Commissioner’s main concern is that there should be sufficient safeguards to ensure effective protection for individuals and to help build greater trust and transparency in data sharing for the public. She previously advised that additional safeguards were needed on the face of the Bill and recommended that the Government consider an addition to the Bill that would make it clear that the codes of practice established under Part 5 of the Bill should be consistent with the ICO’s statutory Data Sharing Code of Practice in relation to the sharing of personal data. She is pleased the Government has accepted her recommendation.

The Commissioner has welcomed the references to the importance of privacy impact assessments and privacy notices in the four draft codes of practice, but remains strongly in favour of having reference to them in the Bill itself. The Commissioner welcomes the Government’s positive commitment to work with the ICO to address this issue.

The Commissioner also recommended that the Government undertake further work to develop consistency between the codes that accompany Part 5 of the Bill and align them more closely with her statutory data sharing code of practice. She is encouraged that government officials have continued to work closely with her office on the development of these codes and, the Briefing says, looks forward to a public consultation in due course so that practitioners have an opportunity to comment.

The Commissioner supports a broader review of data sharing beyond those planned for fraud and debt, saying that it is especially important in the context of sharing of bulk datasets related to the General Register Office provisions. She also believes it is important for Parliament to review all aspects of data sharing, not just the clauses relating to fraud and debt, after an appropriate time. The Commissioner intends to use the powers in the DPA to review and to report back to Parliament two to three years into this data-sharing regime, with particular regard to bulk data sharing.

She also remains committed to making the case for an additional offence for re-identifying anonymised personal information. She would be keen for it to be covered in the Government’s work on sanctions and penalties for implementation of the General Data Protection Regulation, if not in the Digital Economy Bill.

On age verification for access to online pornography, the Commissioner is concerned that there is a significant privacy risk if the implemented age verification systems do not have the right safeguards. She has already made it clear that a privacy by design approach is necessary in implementing any age verification system.

On the statutory direct marketing code, the Commissioner welcomes the provision for a direct marketing code of practice which, while not legally binding, would be admissible in evidence and would have to be taken into account by the Commissioner, tribunals and courts in relevant cases.

The continuing volume of reported concerns over nuisance calls and texts indicate that marketing preferences are one area where the public have lost trust and control over the use of their details. The Commissioner would like the current direct marketing guidance replaced by a statutory code of practice to give it greater weight. While a direct marketing code will not solve the nuisance of unwanted marketing on its own, it would be a useful tool in the Commissioner’s continued work to ensure that organisations understand and comply with the marketing rules. To access the Commissioner’s briefing in full, click here.