Parish councils and the Information Commissioner’s Office have emerged as the big winners from yesterday’s report stage of the UK Data Protection Bill, as MPs waved through a raft of amendments during the third – and final – reading of the Bill before it enshrines GDPR into UK law.
In the original Bill – as in GDPR – all public authorities were required to appoint data protection officers, although, according to the ICO guidance, parish councils could share a DPO.
However, this sparked a major backlash, amid claims that the move would create a new cost burden totalling at least £3.5m a year.
But under the amendments, parish councils will no longer be classified as “public authorities” for data processing purposes and will therefore not be required to appoint DPOs.
Digital minister Margot James said: “We have been working to minimise the impact of this requirement, and have concluded that as parish and community councils process very little personal data, the burden they would face would be disproportionate.”
Meanwhile, the Government also successfully waved through new powers for the Information Commissioner’s Office in the wake of the Cambridge Analytica data scandal.
These include new measures to enable the ICO to require people who might have knowledge about suspected breaches of the data protection legislation to provide information. Previously, information could be sought only from a data controller or a data processor. This could be crucial where, for example, a former employee has information about the organisation’s processing activities.
Secondly, new clause 13 will allow the Commissioner to apply for a court order to force compliance when a person fails to provide information. Organisations that might previously have been tempted to pay a fine for non-compliance instead of handing over the information will find themselves at risk of being in contempt of court if they do not comply.
Thirdly, the Commissioner can now force companies to comply with information or enforcement notices within 24 hours in some very urgent cases, rather than the seven days provided for in the existing law. In certain circumstances, the ICO will also be able to issue an assessment notice that can have immediate effect and the regulator will be able to carry out no-notice inspections without a warrant in certain circumstances.
Fourthly, new clause 14 will criminalise the behaviour of any person who seeks to frustrate an information or assessment notice by deliberately destroying, falsifying, blocking or concealing evidence that has been identified as relevant to the Commissioner’s investigation.
Finally, the Commissioner will be able to apply for a warrant to access material that can be viewed via computers on the premises but that is held in the cloud.
Damian Collins, chair of the Commons select committee for Digital, Culture, Media & Sport, said: “As a country and a society, we have been on a journey over the past few months and we now understand much more readily how much data is collected about us, how that data is used and how vulnerable that data can be to bad actors. Many Facebook users would not have understood that Facebook not only keeps information about what they do on Facebook, but gathers evidence about what non-Facebook users do on the Internet and about what Facebook users do on other sites around the Internet.
“These are serious issues. The Bill goes a long way towards providing the sort of enforcement powers we need to act against the bad actors, but they will not stop and neither will we. No doubt there will be further challenges in the future that will require a response from this House.”
Parish council GDPR revolt lays bare huge ICO challenge
Parish councils cry foul at cost of GDPR compliance
ICO vows to pursue chiefs as Cambridge Analytica folds
Facebook tears up data deals with Acxiom and Experian
Cambridge Analytica chief steps down from DMA role
ICO applies for warrant as Facebook scandal escalates
Cambridge Analytica row ‘lets genie out of the bottle’