Lords Bill Committee on Digital Economy Bill Information Commissioner s briefing

Similar documents
Introduction. Summary

10/02/2017 Version pptx. 1

The use of consumers energy consumption data emanating from smart meters is governed by the Data Access Privacy Framework (DAPF).

Regulating Surveillance

Openness by design our draft access to information strategy

General Data Protection Regulation (GDPR)

Conducting privacy impact assessments code of practice

The Information Commissioner s response to the Competition and Market Authority s Energy market investigation: notice of possible remedies paper.

The ICT Service:

GDPR. Applying the General Data Protection Regulation to your business

GDPR factsheet Key provisions and steps for compliance

1

Data Protection Practitioners Conference 2018 #DPPC2018. Lawful basis myths

Version 1.0 (final)

Information Commissioner s Office. Consultation: GDPR DPIA guidance

THE PAINSLEY CATHOLIC ACADEMY. GDPR Data Protection Impact Assessment Policy

THE GENERAL DATA PROTECTION REGULATION: GUIDANCE ON THE ROLE OF THE DATA PROTECTION OFFICER

Information Commissioner s Office. Regulatory Action Policy

ARTICLE 29 DATA PROTECTION WORKING PARTY

Conducting privacy impact assessments code of practice

Data Protection Impact Assessment Policy

Department for Culture, Media and Sport Call for Views: GDPR Derogations

GDPR in Early Years and Childcare settings. What s the connection? Data Protection

ICO call for views on updating the data sharing code of practice

EDPS Opinion on safeguards and derogations under Article 89 GDPR in the context of a proposal for a Regulation on integrated farm statistics

Enhancing Identity Verification and Border Processes Legislation Bill 26/10/2016

Briefing Note on the Human Tissue Bill

GENERAL DATA PROTECTION REGULATION

The EU General Data Protection Regulation (GDPR) A briefing for the digital advertising industry

ACTING IN THE SPIRIT OF SERVICE Information gathering and public trust

Liberty s briefing on the Digital Economy Bill for Second Reading in the House of Lords

Summary of General Data Regulation & Actions. Nationwide Coverage.

Freedom of Information/Environmental Information Regulations Policy and Procedure

Summary of General Data Regulation & Actions. Nationwide Coverage.

Tracking, watching, predicting lawfully: responsible profiling under the GDPR

Re: Implementation of the General Data Protection Regulation (GDPR)

Committee on Civil Liberties, Justice and Home Affairs WORKING DOCUMENT. Committee on Civil Liberties, Justice and Home Affairs

EDPS Opinion on the proposed common framework for European statistics relating to persons and households

Getting Ready for the GDPR

KEMBLE PRIMARY & SIDDINGTON CE PRIMARY SCHOOLS DATA PROTECTION & THE GENERAL DATA PROTECTION REGULATION (GDPR) POLICY

NOT PROTECTIVELY MARKED

Colleges and public authority status under data protection legislation

Resource and Infrastructure Strategic Plan

General Data Protection Regulation. Jim Sneddon GDPR-P, CISSP

GDPR. Legalities, Policies and Process Part 3 of our series on GDPR and its impact on the recruitment industry

TEXTS ADOPTED PART II. United in diversity. at the sitting of. Wednesday 5 May 2010 EUROPEAN PARLIAMENT

EUROPEAN UNION COMMITTEE EIGHTEENTH REPORT OF SESSION PRÜM: EFFECTIVE WEAPON AGAINST TERRORISM AND CRIME?

GUIDANCE NOTES DATA PRIVACY IMPACT ASSESSMENT

UK Law Enforcement and GDPR

Wellbeing and Education Safeguarding. Privacy Statement

General Data Protection Regulation (GDPR) Frequently Asked Questions

Key Recommendations for Reform of the Freedom of Information and Protection of Privacy Act January 15, 2003

What does the GDPR mean for recruitment?

Privacy Impact Assessments (PIA)s Workshop

Departmental Disclosure Statement

ECDPO 1: Preparing for the EU General Data Protection Regulation

Leicestershire Police CCTV on Police Premises Policy

ECDPO 1: Preparing for the EU General Data Protection Regulation

DATA PROTECTION POLICY

Guidance on conducting consultations in the HRA Internal HRA guidance only

Preparing for the General Data Protection Regulation (GDPR)

10366/15 VH/np DGD 2C LIMITE EN

EU General Data Protection Regulation in the digital age: Are you ready?

Lisbon, 17 May Agustín Puente Escobar State Counsel Head of the Legal Cabinet. Agencia Española de Protección de Datos

ICO call for views on a direct marketing code of practice

Baptist Union of Scotland DATA PROTECTION POLICY

GDPR Webinar 9: Automated Processing & Profiling

Update on Communications Consumer Panel and ACOD activities

Committee on Civil Liberties, Justice and Home Affairs. of the Committee on Civil Liberties, Justice and Home Affairs

Reality Solutions Data and Privacy Policy

Section a What this Policy is for Policy Statement. 2. Why this policy is important... 3

Information Sharing Policy

GDPR digest ARE YOU GDPR READY? {More than a MORTGAGE CLUB}

Introduction to the General Data Protection Regulation (GDPR)

Call for evidence: Regulatory Sandbox

JOB DESCRIPTION & PERSON SPECIFICATION. Director of Regulatory Assurance. REPORTS TO: Deputy Commissioner - Operations PURPOSE OF POST

THE GENERAL DATA PROTECTION REGULATION: A BRIEF OVERVIEW (*)

THE NEW EQUALITY AND HUMAN RIGHTS COMMISSION

Human Resources. Data Protection Policy IMS HRD 012. Version: 1.00

GDPR in schools and academies. Dai Durbridge, Partner Browne Jacobson LLP

Privacy Impact Assessment: Standard Operating Procedure

Documented and publicly available procedures are in place to ensure compliance with the Freedom of Information Act 2000

Data Protection Law: An Update

EU General Data Protection Regulation (GDPR)

EDINBURGH NAPIER UNIVERSITY A GUIDE TO PRIVACY IMPACT ASSESSMENTS

EU General Data Protection Regulation: Are you ready?

Sources of English Law (1): Act of Parliament

Information governance strategy

EDRi analysis on the most dangerous flexibilities allowed by the General Data Protection Regulation (*)

GDPR Factsheet - Key Provisions and steps for Compliance

ARTICLE 29 Data Protection Working Party

Re: FEE Comments on the EC Green Paper Modernising the Professional Qualifications Directive

Standard Advisory London Limited Third Party Privacy Statement

Department for Culture Media & Sport, Call for views on the General Data Protection Regulation derogations CBI submission, May 2017

GDPR General Data Protection Regulation

Trade Bill House of Lords Second Reading Tuesday 11 September 2018

Consultation on Whether to Introduce a Director Identification Number

Consultation response form

Training Manual. DATA PROTECTION ACT 2018 (DPA18) Incorporating General Data Protection Regulations (GDPR) Data Protection Officer is Mike Bandurak

Strathclyde Partnership for Transport

Transcription:

Lords Bill Committee on Digital Economy Bill Information Commissioner s briefing Introduction 1. The Information Commissioner has responsibility in the UK for promoting and enforcing the Data Protection Act 1998 (DPA) and the Freedom of Information Act 2000 (FOIA), the Environmental Information Regulations 2004 (EIR) and the Privacy and Electronic Communications Regulations 2003, as amended (PECR). She is independent of government and upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals. The Commissioner does this by providing guidance to individuals and organisations, solving problems where she can, and taking appropriate action where the law is broken. 2. This briefing updates the Commissioner s written evidence to the House of Commons Public Bill Committee 1. It will focus on those aspects of the Bill that fall within her direct regulatory remit or have an impact on the privacy of individuals. These are: digital government (Part 5); the statutory direct marketing code (Part 6); and age verification for access to online pornography (Part 3). Part 5: Digital government 3. The Commissioner has made clear her aim to improve public trust in the use of personal data and to encourage the public, private and third sectors to make transparency for citizens a priority for all organisations that collect and use personal data. Transparency and a progressive information rights regime work together to build trust and the Commissioner welcomes the efforts to put defined areas of data sharing on a clear footing. The Commissioner recognises the potential benefits of justified and proportionate data sharing and that citizens want improved, seamless online services from the public sector. Improving the delivery of public services may require more effective sharing of data between public authorities where appropriate but it is important that 1 Public Bill Committee on Digital Economy Bill Information Commissioner s submission https://ico.org.uk/media/about-the-ico/consultation-responses/2016/1625324/ic-evidencepublic-bill-committee-on-digital-economy-bill.pdf 02/02/2017 Version 1.0 (final)

any provisions that increase data sharing inspire confidence in those individuals who will be affected. 4. The Commissioner s main concern is that there should be sufficient safeguards in Part 5 of the Digital Economy Bill to ensure effective protection for individuals and to help build greater trust and transparency in data sharing for the public. In her evidence to the Public Bill Committee she advised that additional safeguards were needed on the face of the Bill. She recommended that the government consider an addition to the Bill that would make it clear that the codes of practice established under Part 5 of the Bill should be consistent with the ICO's statutory Data Sharing Code of Practice in relation to the sharing of personal data. She was pleased the government accepted her recommendation and there are now references to her statutory data sharing code in the data sharing chapters. This will help practitioners gain a clearer understanding of the legislative framework and lead to greater harmonisation and consistency between the legal provisions. It will also help put the consideration of the protection of privacy at the centre of any data sharing initiative. 5. The Commissioner also recommended a number of further possible measures including references on the face of the Bill to her privacy impact assessments (PIAs) and privacy notices codes of practice. She explained why it is important that there are two strong layers of transparency for data sharing to ensure both effective delivery of key information to the public and to enable more active groups to scrutinise and hold public bodies to account for the data sharing. The Commissioner welcomed the references to the importance of privacy impact assessments and privacy notices in the four draft codes of practice but was strongly in favour of having reference to them in the Bill itself. The Commissioner welcomes the Government's positive commitment to work with the ICO to address this issue. Constructive discussions are at an advanced stage to develop Government amendments to require public authorities to have regard to the ICO's codes of practice on privacy impact assessments and privacy notices when sharing data under the powers of Part 5 of the Bill. 6. The Commissioner recommended that the government undertake further work to develop consistency between the codes that accompany Part 5 of the Bill and align them more closely with her statutory data sharing code of practice. She is encouraged that government officials have continued to work closely with her office on the development of these codes. It is important the codes contain practical advice aimed at practitioners, taking them through the series 2

of steps they need to take to decide on whether to share data and how to do so effectively. This approach should help build confidence in practitioners' ability to share data when justified and to improve standards so that it is done securely and proportionately. She looks forward to a public consultation in due course so that practitioners have an opportunity to comment. 7. The Commissioner supports a broader review of data sharing beyond those planned for fraud and debt, which could provide further assurance to the public, including whether it was achieving necessity and proportionality in practice. This is especially important in the context of sharing of bulk datasets related to the General Register Office provisions. She also believes it is important for Parliament to review all aspects of data sharing, not just the clauses relating to fraud and debt, after an appropriate time. This will allow for objective consideration of whether the data sharing is transparent, necessary and proportionate in practice. When she appeared before the Public Bill Committee she said it was her intention, using the powers in the Data Protection Act 1998, to review and to report back to Parliament two to three years into this data sharing regime, with particular regard to bulk data sharing. 8. She also remains committed to making the case for an additional offence for re-identifying anonymised personal information, as recently added to Australian law. She would be keen for it to be covered in Government s work on sanctions and penalties for General Data Protection Regulation (GDPR) 2 implementation, if not in the Digital Economy Bill. Part 3: Age verification for access to online pornography 9. The provisions on age verification for access to online pornography have been widely debated during the passage of the Bill through the Commons and the Lords. The Commissioner is concerned that there is a significant privacy risk if the implemented age verification systems do not have the right safeguards. She was clear in her evidence to the Public Bill Committee and her more detailed response to the DCMS consultation 3, about the importance of a privacy by design approach in implementing any age verification system. She 2 The GDPR replaces at EU level the 1995 directive on data protection [Directive 95/46/EC]. Its provisions enter into force on 25 May 2018. 3 ICO response to DCMS consultation on child safety online: age verification for pornography April 2016 https://ico.org.uk/media/about-the-ico/consultation-responses/2016/1623936/ico- response-to-dcms-consultation-on-child-safety-online-age-verification-for-pornography- 20160412.pdf 3

considers there is a significant privacy risk if the implemented systems do not have the right safeguards. 10. The Commissioner considers that it is not privacy intrusive for an individual to be able to prove who they are in a secure and reliable way or to prove that they have a particular attribute (for example that they are of a particular age). Any solution used needs to find a balance between verifying the age of individuals and minimising the collection and retention of personal data. It also needs to address in a proportionate way the issue of confirming that it is an adult using a device, or sitting at terminal equipment. It is important that any implemented system must be compliant with the requirements of the Data Protection Act and the Privacy and Electronic Communications Regulations. The Commissioner therefore proposes that any verification system should adopt a privacy by design approach. Part 6: Statutory direct marketing code 11. The Commissioner welcomes the provision for a direct marketing code of practice which, while not legally binding, would be admissible in evidence and would have to be taken into account by the Commissioner, tribunals and courts in relevant cases. 12. The Commissioner continues to receive a significant volume of reports from the public about nuisance marketing calls and texts. In each of the last four years more than 160,000 such concerns were reported to the ICO, and the projected figures for this year are similar. 13. The public need to be able to trust organisations who handle their data and they need to retain control over their data both of these things are essential to build confidence and encourage participation in the digital economy. The continuing volume of reported concerns over nuisance calls and texts indicate that marketing preferences are one area where the public have lost such trust and control over the use of their details. 14. The Commissioner s current direct marketing guidance was published in 2013 to clarify the law and promote good practice in this area, but it has no formal status. Replacing the guidance with a statutory code of practice would give the guidance greater weight, enable us to provide more certainty on key issues such as time limits and consent to marketing from specific third parties, and make it easier to take enforcement action against organisations who don t follow its provisions. 4

15. Placing the guidance on a statutory footing will also help to ensure that it sits at the top of a hierarchy of various industry codes, such as those produced by the Direct Marketing Association and the new Fundraising Regulator. 16. It is important to recognise that a direct marketing code will not solve the nuisance of unwanted marketing on its own. However, it would be a useful tool in the Commissioner s continued work to ensure that organisations understand and comply with the marketing rules. Elizabeth Denham Information Commissioner 2 February 2017 5

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback