    17 Aug

    While I was on holiday in July the Government started a review of how UK and EC data protection law is going. It wants case studies that illustrate how we are all finding the law – good things and bad – to inform its negotiations on the new EC Directive.  At the same time the Government is assessing the impact of the Data Protection Act 1998.

    What are your experiences? What works and makes things better for business and consumers? What’s rubbish? If we get a good raft of comments on this page, I’ll batch them up and submit them. The doors close on this stage of the review on 6 October.

    Here are a few initial thoughts from me:

    • The £10 fee for making disclosures to the data subject is disproportionately low in most cases.  It costs more than £10 in real terms just to send a letter or make a phone call back to the requester asking whether they will consider narrowing their request.
    • The burden of regulation should apply directly to data processors.  It’s not appropriate for data controllers to carry the can for a processor’s breach, or for that risk to be a topic of negotiation in the contract.
    • Data sharing between organisations is essential across all sectors, often driven by outsourcing or partnerships.  It gets complicated, and in this context the legal concepts of “data controller” and “data processor” are blunt and inadequate.  We need some extra concepts to deal with the subtleties.
    • What about sensitive personal data?  Is it right to give special status to certain categories of personal information?  Should special status be available to any information if the risks require?  Shouldn’t payment card details be included in the list?
    • Does management of consents and permissions from customers give you a headache?  Would it be helpful if the law clarified what constitutes “consent”, especially where you lawfully hold personal data but need to cost-effectively change how you use it as your organisation develops?  Would it work if the law were relaxed for organisations that give their customers and contacts transparent information and control over their permissions, e.g. via a website?
    • Do the opportunities for processing personal data without consent need to be wider?
    • Do you think the law is realistic, or too high level?  Would you like more regulation so you have less discretion but more clarity about how to deal with compliance?  Or less regulation and more effective guidance from the regulator?
    • If your organisation is international, how do you find it dealing with several different regulators and different laws, even within the EU?
    • Is compulsory notification to the regulator really necessary?

    The new directive will be with us for many years – the current one will have done over 15 years’ service by next year.  The changes are expected to include a move towards an “accountability” model, where rules are replaced by a more flexible, outcome-focused approach to regulation, and the regulator is re-cast as the overseer and auditor of a largely self-regulating system.  What do you think?  Old wine in new skins, or a worthwhile change?  What are the essential benefits?  What do we need to avoid?

    Link: http://www.justice.gov.uk/call-for-evidence-060710.htm
