UK Data Protection and Digital Information Bill update


As previously reported by Wiggin, the Data Protection and Digital Information Bill (“DPDI”) is currently making its way through the legislative process. It has completed its passage through the House of Commons, where amendments were adopted, and has had its first and second readings in the House of Lords. Committee Stage in the House of Lords commenced on 20 March 2024.

The UK Information Commissioner has published a third set of views on the provisions of the original draft Bill and the proposed changes introduced by the Government during the Bill’s passage through the legislative process in the House of Commons (his views on the Bill published in December were previously reported by Wiggin). The most recent paper covers a number of issues including the Government’s November 2023 amendment, which in turn would amend the Online Safety Act 2023, under which Ofcom could issue a data preservation notice to providers of online services to ensure they retain data that may later be requested by a coroner when carrying out an inquest into a child’s death by suspected suicide. According to the paper, the Government is now proposing to broaden the scope of the power so that it applies to all child deaths being investigated by a coroner. Although such retained information could include personal data of other users of the service, the Commissioner is reassured that the power includes a limit on the time for which the information must be retained, and a duty on Ofcom to cancel the notice if the investigating authority states that the information no longer needs to be retained. Further, use of such data will be subject to the usual data protection purpose limitation rules.

On high-risk processing, the Commissioner is concerned that the Government has left significant gaps in the legislation:

  • By not specifying which types of processing are high risk and subject to the requirement to carry out a data protection impact assessment (“DPIA”) (Article 35(3) UK GDPR); and
  • By removing the ICO’s ability to designate certain additional processing as high risk and subject to the DPIA requirement. The Commissioner suggests that the Government should include a provision giving the ICO the ability to further designate processing activities which fall into the high risk category and are at least subject to the updated accountability requirements in respect of DPIAs, similar to the position under the current law (Article 35(4) UK GDPR), but with enhanced parliamentary scrutiny to ensure accountability. This power enables the law to move with changes in technology and processing activities subject to appropriate safeguards.

In another development, the House of Lords Delegated Powers and Regulatory Reform Committee published a report on 14 February 2024 reviewing the Bill’s wide range of delegated powers. The report sets out where the Committee considers such powers to be inappropriate or considers that they should be subject to greater Parliamentary scrutiny. For example, the Bill proposes a new legal basis for processing where the processing is necessary for “recognised legitimate interests” to be listed in the Bill, including processing necessary for national security, public security and defence, emergencies, detecting, investigating or preventing crime, safeguarding vulnerable individuals and democratic engagement. To rely on this basis, the data controller does not need to weigh its interests against the data subject’s interests, rights and freedoms, as would be required where the controller relies on other legitimate interests as the legal basis for its processing (as under the current law). The Bill allows the Government to amend the list of “recognised legitimate interests” by Regulation subject to the affirmative procedure (i.e. active approval by both Houses of Parliament). However, the grounds for lawful processing of personal data go to the heart of the data protection legislation and therefore, in the Committee’s view, should not be capable of being changed by subordinate legislation; the Committee recommends that the delegated power be removed from the Bill.

It remains to be seen whether Parliament will accept the recommendations from the Information Commissioner or the House of Lords Committee.
