Data Protection and Digital Information (No.2) Bill – Key Changes
This will be the first in a series of short updates on the Government’s proposed Data Protection and Digital Information (No.2) Bill (the Bill). This series will consider: what key changes to the UK’s data protection laws are envisioned in the Bill; what those changes might mean for data controllers; and some practical steps to ensure data processes are compliant when the Bill is enacted.
The Data Protection and Digital Information (No.2) Bill is the Government’s second attempt at these reforms. It is a replacement for a bill of the same name that was introduced to Parliament last year and then withdrawn, hence this Bill being ‘No. 2’. The Bill is mostly the same as the previous bill, but there are a handful of important differences, which we will highlight in this series.
The Bill comes off the back of the Government’s consultation titled ‘Data: a New Direction’. The consultation proposed a wide range of changes, and this new Bill would bring some of those into law. The title of the consultation might have suggested a sharp turn away from the existing regime. In fact, the Bill focuses on renovating parts of the existing structure, rather than pulling it down and starting again.
The Data Protection and Digital Information (No.2) Bill as currently drafted covers a lot of ground. In this series, we will be focusing on the changes that are likely to have the most immediate impact on data controllers. The first of those is a change to the definition of ‘personal data’.
A new definition of personal data:
The UK GDPR currently defines ‘personal data’ as:
‘Data which relates to an identified or identifiable natural person (‘data subject’)’.
The recitals of the UK GDPR explain that ‘to determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly’.
This means that when deciding whether data qualifies as personal data, a data controller currently has to consider not only the chance that the controller could identify someone from the data, but also the chance that ‘another person’ could. Who is ‘another person’ for those purposes? The UK GDPR does not currently explain, which means it is not always straightforward to decide how wide to cast the net. The ICO’s guidance, for example, suggests that:
‘You should assume that you are not looking just at the means reasonably likely to be used by an ordinary person, but also by a determined person with a particular reason to want to identify individuals. For example, investigative journalists, estranged partners, stalkers, or industrial spies.’
The Data Protection and Digital Information (No.2) Bill tries to clarify the position, by further defining when an individual is ‘identifiable’. A data controller would only need to treat an individual as ‘identifiable’ if one of the following conditions applied to the data:
- Where the living individual is identifiable… by the controller or processor by reasonable means at the time of processing; or
- Where the controller or processor knows, or ought reasonably to know, that:
  - another person will, or is likely to, obtain the information as a result of the processing (including where the controller or processor fails to implement appropriate technical and organisational measures to mitigate the risk); and
  - the living individual will be, or is likely to be, identifiable… by that person by reasonable means at the time of processing.
This change would limit the range of third parties that the controller has to consider when deciding whether an individual could be identified.
The scope of ‘personal data’ is further limited by the fact that the controller only has to consider whether the individual could be identified by ‘reasonable means at the time of processing’. The concept of ‘reasonable means’ is already found in the UK GDPR and the relevant ICO guidance, but the Bill codifies the concept. What counts as ‘reasonable means’ depends on the time, effort, and cost involved in working out who the individual is. If it would be extremely costly and overly onerous for an organisation to identify an individual, then, under the Bill, that data would no longer be considered personal data.
The Data Protection and Digital Information (No.2) Bill would also make clear that controllers do not need to speculate about what means might become available in future to identify the individual. Controllers would only need to consider the methods available at the time they process the data.
In most cases it is already obvious whether data qualifies as ‘personal data’, and the Bill will not change that. However, the Bill would make it easier to answer this question in edge cases where the answer is less obvious. It should also make it easier to anonymise data, because the situations in which data is ‘identifiable’ will be narrower.
If the Bill becomes law, it will be an opportunity for controllers to consider whether any of the data they are processing would no longer qualify as ‘personal data’. If data no longer qualifies as personal data, then it would be exempt from the data protection laws altogether.
In the next article we will focus on changes to the rules on using data for a new purpose, including use for research purposes. To learn how our data protection team could assist you, please visit the Information Law and Data Protection homepage.