New commentary from the ICO on the Coroners and Justice Bill, clauses 151 to 154, gives an interesting insight into the reach, and limits, of the new proposals. It is clear from the level of dissatisfaction expressed that the ICO is far from driving these proposals, but it is also all the clearer that the proposals will add important extra strength to the ICO’s arm, especially if the ICO’s wishes for further amendment are granted.
The commentary on the proposals for assessment notices asks that their applicability be extended beyond the public sector and that a sanction for non-compliance with an assessment notice be created.
The ICO also indicates considerable dissatisfaction with the proposed new s 41B(7) of the Data Protection Act, which provides for the publication of a code of practice on their use: ‘We have difficulty seeing the justification for requiring the Secretary of State’s approval for issuing the Code. This could call the ICO’s independence into question and could undermine the credibility of the assessment process. Sub-section 7 should be deleted’.
In perhaps the most fundamental criticism, the ICO commentary describes the Bill’s proposals on information sharing as ‘too wide, and its safeguards relatively weak. The provisions should only apply in precisely defined circumstances where there is a legal barrier to information sharing that would be in the public interest. The Bill needs an additional safeguard, to prevent the use of information-sharing orders in the context of large-scale data sharing initiatives that would constitute significant changes to public policy.’
Data protection lawyers will especially enjoy the ICO’s slap on the wrist to the legislative draftsman for careless use of the terms ‘data’, ‘personal data’ and ‘information’. The wider public may in turn smile wryly at the suggestion that the definition of information sharing is ‘legally convoluted’ (unlike all other DP legislation, obviously).
The ICO’s further comments indicate a desire to have power to serve an information notice on any person who holds relevant information (not just a data controller as proposed).
The ICO also seeks power to obtain a warrant for entry and inspection where he has reason to believe that the data controller is likely to contravene any of the data protection principles so as to avoid a significant risk rather than mopping up after a breach has occurred.
The full commentary and earlier comments can be read here.