This post was also written by Nick Tyler.
The Information Commissioner’s Office (ICO), the UK data protection regulator, has recently responded to the UK Government’s Call for Evidence on the current data protection legislative framework. The Ministry of Justice sought evidence about how the European Data Protection Directive 95/46/EC and the Data Protection Act 1998 are working, and their impact on individuals and organisations. The Call for Evidence, which closed on 6 October, seeks to inform the UK negotiation position for a new EU data protection instrument, expected to start in early 2011.
In its response, the ICO asserts that the data protection principles are “sound and should be maintained”, although it acknowledges that changes are needed. The ICO listed key ‘must-haves’ for “an effective new data protection framework”:
- A “much clearer” definition of personal data “more relevant to modern technologies and…practical realities” capable of recognising the many different levels of “identifiability”, and in turn protection, which technology can provide;
- A “more flexible and contextual” concept of sensitive personal data, with financial and geo-location data being examples of non-sensitive data that warrant increased vigilance and protection;
- A revisit of the definitions of processor and controller and a more collective form of responsibility that deals “more realistically with the collaborative nature of modern business and service delivery”;
- A consistent approach to transparency and consent in Europe as the two concepts are not interchangeable, in meaning or legal effect.
- A new requirement of accountability to “reinforce the responsibility of data controllers”, which can be scaled to an organisation’s size and the risks of their processing of personal data.
- Significant changes to international data transfers to “deal more realistically with current and future international data flows” by focusing on the exporting data controller’s risk assessment and responsibilities, regardless of location, as well as on assessing ‘adequacy’ based on the specific circumstances and method of transfer as opposed to whether or not a country is designated as ‘adequate’.
- An explicit privacy by design requirement that ensures the building-in of data protection compliance measures at each stage of the information lifecycle as opposed to bolting-on remedial measures.
The ICO’s response is typically pragmatic and builds on several earlier contributions made over the last 18 months. Read together they provide a consistent and compelling case for change.