Data Protection and Digital Information Bill, Second Reading, House of Commons, 5 September 2022

We are disappointed the Bill removes the existing requirement to designate a data protection officer. Although the proposal is now to replace this with a Senior Responsible Individual, this is a person at Senior Management Team level who would not have the time or experience to undertake much of what the data protection officer did.


Key messages

  • The Data Protection and Digital Information Bill seeks to create a data rights regime, modernise the Information Commissioner’s Office by providing it with enhanced capabilities and powers, and increase industry participation in Smart Data Schemes which will give citizens and small businesses more control of their data.
  • The main elements of the Bill are to ensure the protection of UK citizens’ personal data, enable data to be “shared more efficiently between public bodies”, and to design “a more flexible, outcomes-focused approach to data protection”.
  • Local government already has a very strong record of data transparency, including through the LGA’s award-winning LG Inform data platform, which allows users to access, compare and analyse publicly available data provided by local authorities.
  • Councils agree that people’s personal data must be protected. Data plays a vital role in the work of councils and the sector is committed to protecting people’s privacy. It is important that any legislative reforms enable councils to innovate, while also maintaining high data protection compliance standards that protect the public and also strengthen its trust in the use of data.
  • The sharing of data throughout the COVID-19 pandemic allowed public bodies including councils to improve services and health outcomes, and we strongly support the plans to enable data to be shared more effectively between public bodies. We would like to see government departments sharing the locally generated data they hold more widely to support councils in shaping the places they lead as part of the devolution agenda.
  • In response to the Government’s consultation “Data; A new direction” the LGA highlighted the Biometric and Surveillance Camera Commissioner’s response, which called for further clarity on how non-data related issues will be expected to fit with a reformed data protection authority.
  • We are disappointed the Bill removes the existing requirement to designate a data protection officer. Although the proposal is now to replace this with a Senior Responsible Individual, this is a person at Senior Management Team level who would not have the time or experience to undertake much of what the data protection officer did. We believe the statutory role of Data Protection Officer (DPO) is vital to ensuring that data protection obligations are met. This includes protecting the rights of data subjects, ensuring the lawful and fair processing of data and delivering best value. Removing the DPO role would degrade the important function performed by DPOs, weaken the positive culture it has created and will allow organisations to slip into non-compliant positions.  It also risks reducing people’s trust in how public services treat their data, thus making data sharing more difficult in the long-term, and so undermining one of the key ambitions of the Bill.
  • We are equally concerned that the Bill removes the requirement of organisations to undertake data protection impact assessments. Data Protection Impact Assessments (DPIAs) are an integral part of risk management. They are not a ‘tick box’ exercise, but a process that enables and supports good governance; the parameters, and therefore the risks, of a given project are different each time.  We have heard from DPOs in councils that the DPIA stage of a proposed project is often the point at which flaws are identified. The process enables an organisation, often in a fast-changing landscape, to review potential risks within a system or process long before the publication of new guidance. The DPOs we spoke to told us that DPIAs support rather than block innovation because they highlight risks, offer suggestions for mitigations and can save time and money. For large councils in particular, where a large quantity of data is processed across many business areas, the DPIA process brings together actors from across a council to the benefit of the project and residents.

Contact

Laura Johnson, Public Affairs and Campaigns Adviser 

Email: laura.johnson@local.gov.uk