Data Sharing amendments

CHAPTER 1 PUBLIC SERVICES

30 Disclosure of information to improve public service delivery

Clause 30, page 30, line 25, leave out “had regard to” and insert “complied with”

Explanatory notes: This amendment provides stronger compliance with the code

33 Further provisions about disclosures under section 29, 30 or 31

Clause 33, page 32, line 15, at the end insert.__

“(1B) In addition, in determining whether to make regulations under section 29, 30 or 31 the appropriate national authority must ensure that,

(a) the sharing of information authorised by the regulations is minimised to what is strictly necessary on grounds falling within sections (2) and (3),

(b) the conduct authorised by the regulations to achieve the “specified objective” is proportionate to what is sought to be achieved by that conduct,

(c) a Privacy Impact Assessment compliant with the relevant Code of Practice of the Information Commissioner’s Office has taken place and been made publicly available,

(9D) the proposed measures have been subject to public consultation for a minimum of 12 weeks, and responses have been given conscientious consideration.

(1C) As soon as is reasonably practicable after the end of three years beginning with the day on which the regulations come into force, the relevant Minister must review its operation for the purposes of deciding whether these should be amended or repealed. (1D) Before carrying out the review the relevant Minister must publish the criteria by reference to which that determination will be made.

(1E) In carrying out the review the relevant Minister must consult— (a) the Information Commissioner, and (e) open the review to public consultation for a minimum of 12 weeks, and demonstrate that responses have been given conscientious consideration.”

Explanatory notes: these amendments would reduce the risk of legal challenges on human rights grounds.

31 Disclosure of information to gas and electricity suppliers

Clause 31, page 31, line 36, leave out “had regard to” and insert “complied with”

Explanatory notes: This amendment provides stronger compliance with the code

34 Confidentiality of personal information

Clause 34, page 33, line 25, leave out “or permitted”

Explanatory note: Restricts further reuses to what is mandated.

Clause 34, page 33, line 31, leave out “made” and insert “necessary”

Clause 34, page 33, line 33, leave out “made” and insert “necessary”

Clause 34, page 33, line 34, leave out “made” and insert “necessary”

Clause 34, page 33, line 37, leave out “made” and insert “necessary”

Explanatory notes: this stricter requirement reduces the risk of non-compliance with data protection

36 Code of Practice

Clause 36, page 35, line 4, leave out “have regard to” and insert “comply with”

Clause 36, page 34, line 8, at the end insert,__

“(4B) In addition, the Code of Practice must be subjected to public consultation for a minimum of 12 weeks, and the relevant Minister must demonstrate that responses have been given conscientious consideration.”

CHAPTER 2 CIVIL REGISTRATION

39 Disclosure of information by civil registration officials

Clause 39, page 38, line 23, leave out from “‘the authority” to the end and insert,__

"the authority or civil registration official to whom it is disclosed (the “recipient”) requires the information to enable the recipient to exercise one or more of the recipient’s functions and,

(b) the data subjects whose information is being disclosed have given valid consent under data protection legislation”

Explanatory notes: This amendment would remove bulk sharing while allowing certificates to be shared to support electronic government services.

CHAPTER 3 DEBT OWED TO THE PUBLIC SECTOR

41 Disclosure of information to reduce debt owned to the public sector

Clause 41, page 41, line 35, leave out “have regard” and insert “comply with”

42 Further provisions about power in section 40

Clause 42, page 43, line 13, at the end insert.__

“(1B) In addition, in determining whether to make regulations under section 40 the appropriate national authority must ensure that,

(a) the sharing of information authorised by the regulations is minimised to what is strictly necessary on grounds falling within sections (2) and (3),

(b) the conduct authorised by the regulations to achieve the “specified objective” is proportionate to what is sought to be achieved by that conduct,

(c) a Privacy Impact Assessment compliant with the relevant Code of Practice of the Information Commissioner’s Office has taken place and been made publicly available,

(9D) the proposed measures have been subject to public consultation for a minimum of 12 weeks, and responses have been given conscientious consideration.

Explanatory notes: these amendments would reduce the risk of legal challenges on human rights grounds.

43 Confidentiality of personal information

Clause 43, page 43, line 20, leave out “or permitted”

Explanatory note: Restrict further reuses to what is mandated.

Clause 43, page 43, line 22, leave out “made” and insert “necessary”

Clause 43, page 43, line 25, leave out “made” and insert “necessary”

Clause 43, page 43, line 27, leave out “made” and insert “necessary”

Clause 43, page 43, line 28, leave out “made” and insert “necessary”

Clause 43, page 43, line 31, leave out “made” and insert “necessary”

Clause 43, page 43, line 33, leave out “made” and insert “necessary”

Explanatory notes: this stricter requirement reduces the risk of non compliance with data protection

45 Code of Practice

Clause 45, page 44, line 38, leave out “have regard to” and insert “comply with”

Clause 4, page 44, line 42, at the end insert,__

“(4B) In addition, the Code of Practice must be subjected to public consultation for a minimum of 12 weeks, and the relevant Minister must demonstrate that responses been given conscientious consideration.”

CHAPTER 4 FRAUD AGAINST THE PUBLIC SECTOR

49 Disclosure of information to combat fraud against the public sector

Clause 49, page 49, line 26, leave out “had regard” and insert “complied with”

50 Further provisions about power in section 49

Clause 50, page 50, line 12, at the end insert.__

“(1B) In addition, in determining whether to make regulations under section 48 the appropriate national authority must ensure that,

(a) the sharing of information authorised by the regulations is minimised to what is strictly necessary on grounds falling within sections (2) and (3),

(b) the conduct authorised by the regulations to achieve the “specified objective” is proportionate to what is sought to be achieved by that conduct,

(c) a Privacy Impact Assessment compliant with the relevant Code of Practice of the Information Commissioner’s Office has taken place and been made publicly available,

(9D) the proposed measures have been subject to public consultation for a minimum of 12 weeks, and responses have been given conscientious consideration.

Explanatory notes: these amendments would reduce the risk of legal challenges on human rights grounds.

51 Confidentiality of personal information

Clause 51, page 51, line 18, leave out “or permitted”

Explanatory note: Restrict further reuses to what is mandated.

Clause 51, page 51, line 20, leave out “made” and insert “necessary”

Clause 51, page 51, line 23, leave out “made” and insert “necessary”

Clause 51, page 51, line 25, leave out “made” and insert “necessary”

Clause 51, page 51, line 26, leave out “made” and insert “necessary”

Clause 51, page 51, line 29, leave out “made” and insert “necessary”

Explanatory notes: this stricter requirement reduces the risk of non compliance with data protection

53 Code of Practice

Clause 53, page 52, line 41, leave out “have regard” and insert “comply with”

Clause 53, page 53, line 2, at the end insert.__

“(4B) In addition, the Code of Practice must be subjected to public consultation for a minimum of 12 weeks, and the relevant Minister must demonstrate that responses been given conscientious consideration.”

CHAPTER 5 SHARING FOR RESEARCH PURPOSES

57 Disclosure of information for research purposes

Clause 57, page 57, line 34, leave out “has regard” and insert “comply with”

Explanatory notes: This amendment provides stronger compliance with the code

59 Bar on further disclosure of personal information

Clause 59, page 58, line 37, leave out “or permitted”

Explanatory note: Restrict further reuses to what is mandated.

Clause 59, page 58, line 40, leave out “made” and insert “necessary”

Clause 59, page 59, line 1, leave out “made” and insert “necessary”

Clause 59, page 55, line 3 leave out “made” and insert “necessary”

Clause 59, page 55, line 4 leave out “made” and insert “necessary”

Explanatory notes: this stricter requirement reduces the risk of non compliance with data protection

61 Code of Practice

Clause 61, page 60, line 24, leave out “have regard to” and insert “comply with”

Clause 61, page 60, line 26, leave out “have regard to” and insert “comply with”

Clause 61, page 60, line 29, leave out “have regard to” and insert “comply with”

62 Accreditation for the purposes of this Chapter

Clause 62, page 61, line 36, leave out “have regard to” and insert “comply with”

New clause: Provisions that apply to the processing of personal data

Clause 69, page 73, line 21, at the end insert ___

"70 Provisions that apply to the processing of personal data

(1) This section relates Part V of this Act and to the processing of personal data defined by section 1 of the Data Protection Act.

Explanatory note: This amendment limits the application of the new Clause to Part V of the Bill and to the processing of personal data.

(2) Where the Information Commissioner is of the view that the processing of personal data contravenes Article 8 of the European Convention of Human Rights, he can serve an Enforcement Notice (Section 40 of the Data Protection Act) specifying that fact.

Explanatory note: This amendment allows the Information Commissioner to serve an enforcement notice if she considers that the data sharing is disproportionate or if the interference caused by the data sharing is unnecessary; note that the Notice can be appealed using the DPA appeal’s process.

(3) Provisions of Part V of this Act do not allow personal data to be processed as follows:

(a) Data matching of personal data in order to identify any data subject who can be excluded from any benefit

(b) Profiling using personal data in order to target any data subject who can be excluded from any benefit

(c) Facilitating a disclosure of a “bulk personal dataset” (whether directly or indirectly) to an “intelligence service” (as described in the Investigatory Powers Act 2016)

Explanatory note: prohibits data sharing and data matching to deny benefits; it also prevents these “flexible” data sharing powers to permit personal dataset acquisition by an Intelligence Service.

(4) Any data sharing arrangement (as required by chapter 14 of the Data Sharing Code of Practice produced by the Information Commissioner) that applies to the disclosure of personal data from a data controller to any “third party” (as defined in section 70(1) of the Data Protection Act 1998) must contain the proposed or estimated benefits associated with the data sharing before any disclosure of personal data occurs, and the data sharing arrangement must describe how these benefits are to be measured or assessed.

Explanatory note: This amendment requires the measuring of data sharing outcome to assess whether it is worth data sharing; implication is that if the data sharing is not meeting its objectives, the Information Commissioner can require cessation of data sharing.

(5) The Information Commissioner, with respect to an assessment of whether any data sharing arrangement subject to subsection (4) is beneficial, can require the production of:

(a) Key Performance indicators which demonstrate that the benefits associated with any data sharing are being realised by the data sharing;

(b) the costs associated with the data sharing arrangements;

(c) the number of data subjects involved, and

(d) any other information that the Commissioner considers reasonable in order to make an informed and independent assessment of the benefits of data sharing.

Explanatory note: requires the measuring of data sharing outcome to assess whether it is worth data sharing; implication is that if the data sharing is not meeting its objectives, the Information Commissioner can require cessation of data sharing.

(6) If the benefits associated with data sharing are not being realised, the Information Commissioner can require the sharing to cease by serving an Enforcement Notice (section 40 of the Data Protection Act).

Explanatory note: allows the ICO to serve enforcement notice if data sharing does not work.

(7) With respect to any data sharing arrangement subject to subsection (4), the provision in section 40(8) of the Data Protection Act shall be read as if the words “If by reason of special circumstances” were replaced by “If for any reason”."

Explanatory note: allows the ICO to serve enforcement notice as a matter of urgency “for any reason” (i.e. not in exceptional reasons).

Additional amendments to make the Codes of Practice legally enforceable

Clause 36, page 35, line 4, leave out “have regard to” and insert “comply with”

Explanatory note: This amendment provides stronger compliance with the code.

Clause 36, page 34, line 41, leave out from “The” to end of subsection and insert---

“As soon as reasonably practicable after issuing or reissuing the code of practice the relevant Minister must arrange for a copy of it to be laid before Parliament and subjected to an affirmative procedure in both Houses.”

Explanatory note: This amendment gives the Code of Practice legal force as a Statutory Instrument.

Clause 39, page 38, line 28, leave out “have regard to” and insert

“comply with”

Explanatory note: This amendment provides stronger compliance with the code.

Clause 45, page 44, line 38, leave out “have regard to” and insert

“comply with”

Explanatory note: This amendment provides stronger compliance with the code.

Clause 45, page 44, line 41, leave out from “The relevant” to end of subsection and insert ---

“As soon as reasonably practicable after issuing or reissuing the code of practice the relevant Minister must arrange for a copy of it to be laid before Parliament and subjected to an affirmative procedure in both Houses.”

Explanatory note: This amendment gives the Code of Practice legal force as a Statutory Instrument.

Clause 53, page 52, line 41, leave out “have regard to” and insert

“comply with”

Explanatory note: This amendment provides stronger compliance with the code.

Clause 53, page 53, line 1, leave out from “The relevant” to end of subsection and insert ---

“As soon as reasonably practicable after issuing or reissuing the code of practice the relevant Minister must arrange for a copy of it to be laid before Parliament and subjected to an affirmative procedure in both Houses.”

Explanatory note: This amendment gives the Code of Practice legal force as a Statutory Instrument.

Clause 30, page 30, line 42, at end insert ---

“(11) In making regulations under subsection (2) a relevant authority must ensure that a Data Sharing Agreement is in place that

(a) demonstrates that the proposed data sharing is critical to achieving the desired objective and similarly whether the delivery of better services could be improved by disclosing public sector information to them;

(b) demonstrates that Consideration has been given to use of the minimum amount of personal data possible;

(c) explains how the data will be processed and what analytics or matching will be carried out;

(d) contains a Privacy Impact Assessment following ICO guidance;

(e) establishes appropriate governance arrangements are established;

(f) demonstrates that the Code of Practice on data sharing issued by the ICO is followed;

(g) keeps personal information only for as long as necessary and sets a closing date for the agreement accordingly;

(h) contains a security plan;

(i) contains details of sanctions for breaches of the agreement.

(12) A copy of the data sharing agreement must be made publicly available.”

Explanatory note: This amendment brings data protection safeguards onto the face of the Bill.