The Codes of Practice for the Digital Economy Bill aren’t worth the paper they’re (not) printed on. They aren’t legally binding (para 11), and are effectively subservient to the ICO’s existing code, even while paragraph 60 pretends a single side of A4 is a valid Privacy Impact Assessment for data sharing for operational purposes.
As this is the case, why is a code of practice necessary under the legislation at all? It does nothing new. Is it solely there to make the arrangement look more respectable than the dark and dank dodgy deal that it actually is?
In places such as supermarkets, you have a choice of whether to use a clubcard, and can easily shop at one of the other supermarkets instead. Government has no competition promoting integrity. To ensure a citizen can see how Government uses data about them, there should be a statutory register of data sharing agreements involving public sector data. A register prevents nothing (which seems to be the policy intent of the Bill); it is simply a list of stated intents. From the Register comes an informed discussion of what organisations are actually doing and sharing, rather than excessive secrecy and double dealing.
Opposition to a register comes from fear, rooted in Government's lack of knowledge of what data it holds and who it currently shares it with. If you don't have a clue where your data is, or why it's there, you oppose a register because you don't want to find out.
How this state of affairs came about is at the heart of this Bill.
We’ve previously posted about the definition of Personal Data in the Investigatory Powers Bill. What about in the non-secret parts of Government?
In 2010, the Cabinet Office told GCHQ that “to be considered personal data, a dataset has to contain at least the actual names of individuals.” GCHQ is subject to the national security exemptions of the Data Protection Act.
In March 2015, the term “bulk personal datasets” was used by Parliament and entered common terminology, but it wasn't until November 2015 that the full Data Protection Act definition of personal data was restored (with the DPA's national security exemptions still applying).
But in the intervening seven months the term gained currency within Government and was used much more widely as it crossed into the non-secret sphere. The Cabinet Office took the existing meaning and thinking and applied it elsewhere.
Because the narrow GCHQ definition was classified, and hence restricted, it was never noted that the definitions used in the non-secret parts of Government should have been different. They likely weren't, and hence are possibly invalid under the DPA: “actual names” is not the DPA standard.
So what effect did this have?
Following the TalkTalk hack, Government ran an exercise described as the “Cabinet Office audit 2016”, looking at what personal data each Department held and the impact of losing it.
We made FoI requests about what each department held (excluding anything covered by national security or serious crime), and got very interesting answers.
The Cabinet Office holds no bulk personal data (apparently…).
DCMS hold some bulk personal datasets – on people who have responded to their consultations (and some data from the Olympics)… (erm… what?)
The Department for Transport gave a much longer answer, but didn't know how many records were in each dataset.
Does the Government know what personal data it has, uses and shares, and where it keeps it? If so, did Departments share that list with the Cabinet Office when asked?
Since we can see they probably didn’t, are all uses of large datasets (whether they are considered personal data or otherwise) fully compliant with the definitions in the Data Protection Act?
How do the Bill and the associated work help resolve this mess?