By Amanda Mackenzie and Christopher Little


Published 10 January 2024

Overview

The Information Commissioner Remains Supportive of the Bill

The Information Commissioner has published a response to the latest draft of the Data Protection and Digital Information Bill (DPDI Bill). It would seem he remains broadly comfortable with the shape of the bill at this stage, stating:

"Overall the bill remains one which I support as improving the effectiveness of the data protection regime in the UK, upholding rights for individuals, providing regulatory certainty and clarity for organisations, and improving the way the ICO regulates."

The Information Commissioner states that he is "pleased" that the Government has made a number of changes to the DPDI Bill in response to the feedback provided in June last year. He does however highlight that the majority of his comments have not yet been addressed, in particular his views on defining high risk processing, and that some of the new provisions introduced by Government "amount to substantive new policy" that has not been the subject of public consultation nor scrutinised at the House of Commons Committee Stage.

The Information Commissioner has not raised concerns regarding proposals relating to:

  • additional changes made in relation to safeguarding the independence of the ICO – including the removal of the requirement for the Secretary of State to approve statutory ICO codes of practice;
  • changes which permit the ICO to serve information, enforcement and penalty notices electronically;
  • clarification on the search requirements when responding to subject access requests; and
  • the extension of the personal data breach reporting period under the Privacy and Electronic Communications Regulations from twenty-four to seventy-two hours.

One area which the Information Commissioner has expressed concerns over is the Government's amendment which would allow the Secretary of State to issue information notices for social security purposes. This power – which made headlines when introduced – would require recipient bodies to provide information to identify individuals where accounts in receipt of benefits match the criteria in the notice, including for instance when a balance has been exceeded, with the aim of reducing benefit fraud and overpayment. Although the Information Commissioner is comfortable that the measure is a legitimate aim, he states that he has not yet been provided with sufficient evidence that the measure is proportionate and has suggested additional changes to address this.

Further, specific technical comments were provided on issues including,
