Update on the Data Protection and Digital Information Bill
The Data Protection and Digital Information Bill (the Bill) completed all five stages in the House of Commons on 29 November 2023 and is currently waiting for a date to be announced for a ‘line-by-line’ examination at the Committee stage in the House of Lords.
In light of its progress, Rhiannon Hastings, data protection paralegal in our commercial team, discusses the expected changes to the data protection legislation.
Who is responsible for the Bill?
The Department for Digital, Culture, Media and Sport (DCMS) has been the government department responsible for delivering key legislative and regulatory reforms to drive competition and promote innovation.
However, in February 2023, the government announced the creation of a new department, the Department for Science, Innovation and Technology (DSIT), who will take over the DCMS’ responsibility for data policy – which will include the management of the Bill.
What are the Bill’s latest amendments?
Various amendments have been made during the House of Commons' report stage which include, amongst others:
- Changes to retention of biometric data for national security purposes;
- A data preservation process to require social media companies to retain data that may be required for investigations; and
- New powers to require data from third parties such as banks and financial organisations.
Amendment 1: retention of biometric data
The first amendment will enable the Police to retain biometric data, such as fingerprints, for as long as an INTERPOL notice is in force to strengthen national security.
The amendment will also enable the Police to retain biometrics pertaining to individuals with a foreign conviction indefinitely, whereas currently this is restricted to UK convictions only.
Amendment 2: requiring social media platforms to retain data
The second amendment enables social media companies (platforms) to retain any relevant personal data which could then be used in subsequent investigations or inquests.
The motive for this amendment is to provide support to families who have lost a family member due to suicide by enabling platforms to rely on the ‘data preservation process’ in order to retain data it feels will assist with any subsequent investigations.
Currently, data protection legislation doesn’t require platforms to retain data for longer than is needed, meaning that data which could prove vital to the investigations could be deleted as part of a platform’s own retention and deletion procedure.
Amendment 3: requiring data disclosure from third-party providers
The third amendment will enable the government to reduce benefit fraud by requiring third-party providers, such as banks and financial organisations, to disclose data to facilitate the government’s checks on claimant bank accounts.
To ensure the government don’t receive more than is necessary, it will only receive the necessary data to establish when a claimant sits above the benefit eligibility threshold.
Currently, the Department for Work and Pensions (DWP) can only undertake fraud checks on a claimant on an individual basis and where a suspicion of fraud exists which restricts its objective to reduce benefit fraud.
To see the full list of amendments considered by the House of Commons, please take a look at the UK Parliament’s website.
For more information on this and other data protection matters, please contact Rhiannon using: [email protected]
James Snook, Director of DSIT, announced at the ICO’s annual conference on 3 October 2023 that he anticipates the Bill to become law mid-2024.
Under the new Bill, there is no requirement to have a DPO. The Bill will effectively substitute the role of a DPO for a Senior Responsible Individual (SRI), and whilst the tasks that the SRI must perform are very similar to those already being carried out by the DPO, it is not just a name change to the role.
Organisations must designate an SRI if they are a controller/processor that is:
- A public body; or
- Carries out processing of personal data which, taking into account the nature, scope, context and purpose of the processing, is likely to result in a high risk to the rights and freedoms of individuals.
The SRI must be an actual member of senior management, which means that, in most cases, current DPOs will not be able to transition to the role of SRI without being promoted, or being transferred, to an alternative role in the organisation’s senior management team.
Under the Data Protection Act 2018, DPOs could not be a member of senior management as they were required to be an independent advisor to the senior management team of the organisation.
The Bill inserts new articles and sections to:
- Amend the threshold for charging a fee or refusing to comply with a SAR from “manifestly unfounded” to “vexatious”;
- Replace the one-month period for responding to SAR with concepts of “applicable time periods” and “relevant time”; and
- Add an additional exemption from providing information to data subjects in relation to law enforcement processing where the data is subject to legal professional privilege.