ICO Response to the DPDI (No 2) Bill – December ‘23

The Information Commissioner’s Office (ICO) issued a further response to the Data Protection and Digital Information (No 2) Bill now that it has been through the House of Commons Committee Stage. Here is the Information Commissioner’s full response:

It is important to note that the ICO response primarily focuses on broader data protection issues rather than specific school operations. However, aspects like the handling of biometric data, amendments around consent, data provided for court proceedings and codes of conduct could have implications for how schools manage data, particularly in areas like student records and research activities.

With that in mind, here is a summary of the key points from this response:

The Information Commissioner’s Office (ICO) supports the bill for enhancing regulatory certainty, promoting growth, and protecting individual rights. However, the ICO raises concerns about unaddressed issues, particularly regarding high-risk processing definitions. It appreciates government amendments like enhancing ICO’s independence and aligns with the UK GDPR on data breach reporting timelines.

Concerns are noted about new clauses introduced without extensive consultation, especially the power to require information for social security purposes, questioning its proportionality and clarity in safeguarding individual rights.

The ICO suggests amendments to ensure data protection principles are met and to limit the scope of information gathering. These amendments include:

1. Limiting the scope of information gathering to only necessary data for identifying relevant accounts and individuals.
2. Clarifying which organizations are subject to information notices.
3. Restricting data use gathered under these notices to specific purposes related to social security and benefits compliance.

These amendments aim to balance fraud prevention with individual rights and data protection, providing necessary safeguards against arbitrary interference.
.

The Annexes

The response includes two annexes as part of the response. Annex One provides technical comments on amendments to the DPDI Bill from the House of Commons Report stage. Key points include:

• Gov NC6: Relates to processing in reliance on international law. The Commissioner questions the necessity of adding specific international agreements to the schedule of relevant international law.
• Gov NC9: Discusses court procedures in connection with subject access requests, proposing changes for clarity and to avoid confusion.
• Gov NC36 & NC38: Concerns the retention of biometric data, with suggestions for ensuring necessary and proportionate data retention. This could impact on schools that process biometric data for activities such as cashless catering. We will keep an eye on this and pass on any key updates as required.
• Gov 208: Addresses processing for archiving in the public interest, raising concerns about diluting the concept of consent.

Regarding Gov NC9, the Commissioner’s comments focus on court procedures related to subject access requests. The proposed clause intends to replicate an aspect of the Data Protection Act 1998, adding assurance that information shouldn’t be disclosed to the data subject until a court determination. Concerns are raised about the phrase “as is available to the controller,” which might lead to arguments over the availability of information, potentially complicating court proceedings. The Commissioner suggests removing this phrase and clarifying that controllers must provide necessary information for the court’s decision. This may impact on schools where data is requested for family court proceedings, for example. We will also be keeping an eye on this.

In Annex Two, the Commissioner addresses two main areas:
.

• Information to be Provided to Data Subjects: This comment concerns Clause 10 of the DPDI No 2 Bill. It notes the exemption for data controllers from providing privacy information to data subjects for research purposes if it requires disproportionate effort. The Commissioner suggests that controllers should still make this information publicly available, highlighting the importance of transparency in research contexts.
• Codes of Conduct: Discusses amendments related to the Code of Conduct under UK GDPR and for Law Enforcement Processing. The government has changed the requirement for submitting draft codes of conduct for approval to encouraging submission to the ICO. The Commissioner calls for clarity in the Explanatory Notes of the legislation to ensure that Codes of Conduct are approved by the ICO and have appropriate monitoring mechanisms.