The transfer of responsibility for data protection policy to the Department for Culture, Media and Sport (DCMS) from the Ministry of Justice (MoJ) is a really bad idea. It fragments responsibility for data protection policy across three Departments of State and risks reducing the protection afforded to data subjects. Important data protection recommendations from Leveson will be shelved. This blog explains why.
One reason for the shift of responsibility to the DCMS (unexplained at the moment) could be because it creates a joined up approach on digital economy policy. For instance, data protection now joins the Cyber Security & Resilience Team which has also recently moved from the Department of Business & Skills to the DCMS.
The UK’s “digital economy policy” focuses on how the internet, computing and mobile communications have a transformative effect on businesses. It is clear that data protection plays a part in ensuring the actors in the digital economy meet their privacy obligations; however data protection ranges far wider than its application to “business, computing and mobile communications”.
It is interesting to note that the Government’s 16 page “digital economy strategy” (published Feb 2015) does not mention the words “data protection” at all.
The first sentence of the strategy is that the Government has provided “£120 million of support for business innovation in the digital economy over the next 4 years”. Given that ICO’s annual budget is of the order of £20 million per year (or £80 million over the next 4 years or 66% of the £120 million earmarked to the current digital policy), then you can see that data protection, on cost grounds, should be now the largest component of the digital economy policy.
In other words, any claim that the move is strategically important for a “digital economy” reason is pure balderdash; the move has other reasons.
Fragmentation of responsibility
Data protection is about protecting personal data from the data subjects’ perspective in manual as well as all electronic forms where such personal data are processed across both thepublic and private sectors (i.e. data protection is not limitedto business and the Internet).
Data protection is linked to Article 8 of the Human Rights Act. Fragmentation arises because responsibility for Human Rights policy, in particular towards Article 8, remains at the Ministry of Justice (MoJ). The move of data protection to DCMS shatters the link.
Likewise data protection policy towards the proposed Data Protection Directive in the field of law enforcement is now at the DCMS. The DCMS, hitherto relatively unfamiliar with data sharing for law enforcement purposes, will lead on data sharing policy by all law enforcement agencies when they need to interfere with private and family life. Has DCMS the experience to balance the needs of privacy and law enforcement? I doubt it.
Other forms of fragmentation occur. For instance, Government policy towards the security of personal data in the public sector rests with the Cabinet Office (e.g. HMG Security Framework). Government policy towards security in the private sector is now at DCMS.
Responsibility for records management and FOI is also at the Cabinet Office. This means that policy towards general data retention and data quality in the public sector (i.e. Third to Fifth Principles) and the Data Protection/FOI Interface (Section 40(2) of FOIA involves all data protection principles) is also fragmented. Responsibility for any policy towards improving personal data quality in the private sector or the digital economy, will rest at DCMS.
Eurosceptic at the data protection helm
John Whittingdale MP, the Secretary of State at the DCMS, is a serial and recidivist Eurosceptic; he is hardly going to expend many ergs engaging with a euro-inspired Regulation if his instincts are that the UK should leave the European Union.
Last year, I was at a public meeting held at Channel 4 on the implications of Google Spain judgment for the Press where Mr. Whittingdale described the decision of the European Court of Justice as another example of perverse, euro-nonsense, which had drastically reduced the freedom of the press.
As an aside, I note that Mr. Whittingdale’s unequivocal support for “press freedom”, pronounced by his denigration of Google Spain, evidently does not extend to the BBC. Last July, Mr. Whittingdale wrote, as Secretary of State, warning the BBC to remain impartial during the EU referendum amid fears that the BBC’s “pro-European bias” could influence the result. (Anti-European bias in the press apparently is not a concern).
Given his statements at the above meeting, it is also very likely that some Leveson Recommendations with respect to general data protection policy are likely to remain shelved (unless forced on the UK by the Regulation). They are as follows:
- Commencement of the custodial elements of section 55 of the Data Protection Act 1998 in line with the Computer Misuse Act.
- Creation of an offence associated with a deliberate breach of a Data Protection Principle on the part of the Controller.
- Reconstitution of the Information Commissioner’s Office as an Information Commission, led by a Board of Commissioners with suitable expertise drawn from the worlds of regulation, public administration, law, business and the media sector.
- Ensuring the right to compensation is not restricted to cases of pecuniary loss, but should include compensation for pure distress.
- Narrowing of the Special Purpose exemption (section 32) so that “the processing of data is necessary for publication” rather than “a view to publication”.
- Removal of the Special Purposes enforcement mechanism (i.e. the press should become subject to the normal enforcement mechanisms as other data controllers).
Back in 1997 when the Home Office was responsible for data protection policy, the subject was parked in an odds and ends unit whose officially title was the “Home Office Liquor, Gambling and Data Protection Unit”.
A joke circulating at the time was that the incomprehensible definitions in the Data Protection Bill (e.g. “Relevant Filing System”; “Exempt from the Non-disclosure Provisions”) had been drafted after one of the Unit’s alcohol fuelled bonding sessions, held in the offices of a firm of bookmakers.
Sadly, in my view, the changes announced last week are no joke. There is a significant risk of an under-resourced data protection policy that will become more subservient to the economic priorities of this Government rather than creating a fair balance between data controller and data subject.
This post originally appeared on the Hawktalk blog and is reproduced with permission and thanks