Thursday, 7 October 2010

How privacy laws should be updated - UK regulator's views

UK data protection regulator the Information Commissioner recently issued a detailed paper responding to the Ministry of Justice's call for evidence on how well current UK data protection laws are working.

I'd spotted and blogged the ICO's webpage summarising their views on the key data protection law issues a month ago, and wondered then why the response was so short.

Clearly that webpage was just a very brief advance summary. The full response entitled "The Information Commissioner’s response to the Ministry of Justice’s call for evidence on the current data protection legislative framework" was released yesterday, 6 October 2010, and contains views not just on the UK Data Protection Act but also the underlying EU Data Protection Directive more generally.

From the ICO's press release of the same date -

"The ICO supports the [MoJ's] review and believes that there needs to be a common sense and modern day approach to data protection.

The ICO has pointed out that although the current data protection principles are sound, the law needs to provide more clarity for individuals and for businesses. In particular the privacy watchdog wants more clarity on the scope of the law including what constitutes personal data.

The law must be clearer on when consent is required to use personal information and adopt a more pragmatic approach to the regulation of international data flows. The allocation of responsibilities amongst those handling personal data also needs to reflect the changing nature of modern day business relationships.

The ICO believes there needs to be better coordination between freedom of information law and an appreciation that individuals' rights need to be updated to bring them in line with the capabilities of modern technology."

David Smith, Deputy Commissioner and Director of Data Protection at the ICO, welcomed the MoJ’s call for evidence and said -

"We need to ensure that people have real protection for their personal information, not just protection on paper, and that we are not distracted by arguments over interpretations of the Data Protection Act."

I've not read the full response in detail yet but it appears to be sensible, realistic and pragmatic (which is typical of the ICO).

It advocates a simpler, clearer approach with flexible, contextual, nuanced assessment of the risks to privacy involved in the circumstances, rather than the current "all or nothing" binary approach (either it's personal data or it's not; either it's sensitive personal data or it's not; either a specific strict exemption or condition applies or it doesn't). That binary approach has made privacy protection dependent on bureaucracy and fine legalistic distinctions that even lawyers specialising in the area have trouble making out or understanding - notably, what is or isn't "personal data", and when data can be anonymised enough to cease to be "personal data".

And, although it wasn't in their summary, the ICO have in their full response mentioned "privacy by design" -

"The principle of privacy by design is implicit in the existing data protection principles - for example, the requirement that personal data shall not be excessive. However, an explicit privacy by design requirement would give a clear message to those designing, procuring and operating information systems that the processing of personal data must be done in the most privacy friendly way practicable."

I would add, or rather reiterate - now if only the government would give the ICO proper monitoring and enforcement powers, and the funding, resources and training to exercise them too. (At least the ICO are planning to fine two organisations for data protection failures, soon.)

Recall that the EU are taking the UK to the EU Court of Justice for failing to implement even the existing EU data protection and electronic privacy laws properly. Hopefully that will spur the government to take action soon following the MoJ review.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.