Key Facts

• Clause 25 allows qualifying authorities to jointly process data under one regime.
• Amendment 105 proposes replacing consultation with a requirement for ICO approval on designation notices.
• Clause 27 introduces strategic objectives for the Information Commissioner, focusing on protection of personal data and public trust.
• Clause 27 introduces new duties for the Information Commissioner.
• The commissioner is required to publish a forward-looking strategy and an annual report on compliance with these duties.
• Clause 28 provides the Secretary of State with the power to prepare a statement of strategic priorities for data protection.
• Clause 30 and Clause 31 stand part for discussion.
• Amendment 111 seeks to modify clause 31 by limiting the number of times the Secretary of State can require a revised code from the Commissioner.
• The amendment would insert new text into clause 31 requiring the Secretary of State to approve any revised code submitted under subsection (5)(b) after the first revision.
• The Information Commissioner is required to publish four statutory codes: data sharing, direct marketing, age-appropriate design, and data protection and journalism.
• Clause 29 replaces section 128 with new section 124A for consistency in the approval process and legal effect of codes requested by the Secretary of State.
• Clauses 30 and 31 introduce reforms including impact assessments and expert consultation panels to improve democratic accountability.
• Codes of practice are important for the effectiveness of the ICO's remit.
• Clause 30 requires transparency in the establishment of expert panels and publishing statements on their recommendations.
• Amendment 111 aims to limit Secretary of State interference to one round of amendments if needed.
• Losing EU adequacy agreement could cost up to £460 million initially and £410 million annually.
• Amendment 111 seeks to limit the Secretary of State's ability to require a revised code from the Commissioner to only one occasion.
• The Information Commissioner believes that the amendment does not pose any risk and maintains his independence in enforcement functions regardless.
• Clause 31 is ordered to stand part of the bill despite opposition.
• Clauses 35 to 38 are discussed.
• Government amendment 47 is mentioned.
• Clause 42 stands part.
• Clause 34 clarifies the Information Commissioner’s power to require specific documents under section 142 of the Data Protection Act.
• Clause 35 allows the commissioner to commission reports from approved persons in complex investigations.
• Clause 36 grants powers to compel interviews and answers during investigations.
• Clauses 37 extends the timeframe for issuing final penalty notices after a notice of intent is issued.
• Clause 42 amends the EITSET regulations to align with new enforcement powers for trust service providers.
• Clause 34 clarifies that the Information Commissioner can require documents as well as information.
• Clause 35 grants powers to the ICO to require approved persons to prepare technical reports, with guidance on deciding when and whom it might be required from.
• Clause 36 allows the ICO to compel witnesses to comply with interviews during investigations, including safeguards against self-incrimination and legal professional privilege.
• Clause 37 permits the ICO an extension of up to six months beyond the usual six-month timeframe for issuing penalty notices in complex cases.
• Clause 38 requires the ICO to publish annual reports on its investigations and use of powers.
• Clause 39 enables data subjects to complain directly to controllers and requires them to take appropriate steps, such as providing a complaints form.
• Clause 40 gives the Information Commissioner power to refuse certain types of complaints if they are not made to the relevant controller or if they are considered vexatious or excessive.
• Schedule 8 contains miscellaneous minor amendments to UK GDPR and DPA relating to complaints by data subjects.
• Clause 43 creates a presumption that future laws permitting or requiring personal data processing are subject to existing data protection rules unless Parliament specifies otherwise.
• The measure respects parliamentary sovereignty by allowing exceptions if Parliament deems it appropriate.
• It addresses the risks of legal uncertainty and ensures consistent interpretation of data protection legislation.
• The clause outlines the process for making regulations under powers in the UK GDPR.
• Clause 46 provides an overview of part 2's provisions aimed at securing reliable digital verification services through a trust framework, public register, information gateway, and trust mark.
• Clause 47 requires the Secretary of State to prepare and publish a trust framework for digital verification service providers, consult with the Information Commissioner during preparation and review every 12 months.
• The clause sets out a definition of digital verification services provided at individual request.
• Keith Rosser highlighted the benefits, including reducing hiring time from an average week to three minutes and thirty seconds for 70,000 hires.
• There is concern about privacy protections when it comes to digital verification.
• The government proposes to establish an office for digital identities and attributes.
• There is no discussion in the Bill of the duties or oversight mechanisms of the new office.
• The industry has called for clarity on regulatory frameworks.