United Kingdom: Issued Information Commissioner's opinion on Data Protection and Digital Information (No. 2) Bill including data protection regulation

On 15 March 2024, the Information Commissioner's Office (ICO) published its opinion on the Data Protection and Digital Information Bill (DPDI Bill). The Bill seeks to amend the UK Data Protection Regulation provisions relating to the obligations of entities collecting personal data and data subject rights. Specifically, the Bill aims to modify the data protection principles and the legal basis for collecting and processing personal data. The Commissioner welcomed the government's intention to standardise period calculations in data protection law to ensure consistency and enhance legal certainty for international data transfers for law enforcement purposes while maintaining high data protection standards and clarity. However, the Commissioner expressed concerns about the definition of high-risk processing and the power to require information for social security purposes. The Bill should explicitly identify high-risk processing activities and empower the ICO to designate future high-risk activities. This will ensure clarity for organisations and maintain enforcement capabilities. The discussion highlights the necessity for more precise legislation to address gaps in identifying and managing high-risk data processing activities. It is suggested that the Bill should explicitly list such activities and empower the ICO to designate additional ones, as well as mandate data protection impact assessments (DPIAs) for them. This aims to enhance protections and adapt to technological advancements. The decision on whether to allow the collection of information for social security purposes is a matter for Parliament to decide. The Commissioner emphasises the importance of carefully drafting the legislation to limit data collection and clearly define the scope and purpose of processing. This will ensure that any interference with privacy rights is necessary and proportionate.