On 10 September DCMS (the Department for Digital, Culture, Media and Sport) published a consultation document entitled Data: new direction. This article focuses on the implications for public sector organisations.
Chapter 4 is headed Delivering better public services, and this is where the majority of the proposals with public sector implications are located. The key proposals include:
- Extending public service delivery powers under section 35 of the Digital Economy Act 2017 to business undertakings.
- Clarifying that private bodies that process personal data on behalf of a public body may rely on that body's lawful ground for the processing and do not need to identify a separate lawful ground.
- Clarifying that public and private bodies may lawfully process health data when necessary for reasons of substantial public interest in relation to public health/other emergencies.
- Introducing compulsory transparency reporting on the use of algorithms in decision-making for public authorities, government departments and government contractors using personal data.
- Making it clearer when processing is necessary for reasons of substantial public interest, which is a lawful basis for processing special category data. DCMS is consulting on whether to add a definition to the legislation, add new situations to the list set out in the Data Protection Act 2018 (DPA), or amend the existing situations.
- Streamlining and clarifying the rules on the collection, use and retention of biometric data by the police.
- Clarifying the rules on joint controllership in the DPA to facilitate improved cross-sector working, in particular the joint operational activity between law enforcement and national security partners.
One further proposal relevant to public sector organisations is the proposed removal of the requirement for all public authorities to appoint a data protection officer (DPO). DCMS is consulting on two alternative options:
- Allowing public authorities to follow the same approach as private sector organisations for determining whether it is necessary to appoint a DPO, i.e. a DPO would only be required if the authority's core activities consist of large-scale monitoring of data subjects or large-scale use of sensitive data or criminal convictions data.
- Retaining the requirement, but limiting its scope to authorities meeting certain criteria, e.g. size of body, volume of data and aspects of the processing, such as whether it is for the purpose of making decisions affecting the data subjects.
The consultation is open until 19 November. We will monitor developments closely and report on the outcome of the consultation and the implications for public sector organisations.
If you require any further information, please contact one of our Data Protection & Cyber Security experts.