Data: protection, possibilities, purpose
The Data Protection and Digital Information Bill has arrived in the House of Lords and myself, and colleagues, have had a welcome opportunity to raise issues and question the minister about this important draft legislation.
During the second reading debate (December 19, 2023) I covered four important areas: data adequacy, AI, smart data, and digital ID.
Aims of the Bill
The government has said that this new law will maintain high data protection standards whilst reducing the administrative burden on organisations.
Under existing data protection law, the processing of people’s personal data is covered by various frameworks, including the UK GDPR and the Data Protection Act 2018, depending on the type of processing taking place and who is doing it.
The Data Protection and Digital Information Bill will amend these frameworks and can be thought of in terms of three key pillars: data protection, digital identity, and smart data.
Data protection
Concerns have been expressed about ‘Data Adequacy’, that is whether the new rules will be deemed by the EU to provide an ‘essentially equivalent’ level of data protection.
The government has said that the Bill will:
- introduce a clear, business-friendly framework that incorporates the key elements and objectives of GDPR but provides more flexibility about how to comply;
- provide organisations with greater confidence about when they can process personal data without consent (and therefore when they can’t);
- clarify when safeguards apply to automated decision-making through AI technologies.
During the debate, I asked the minister how the Bill will assure adequacy between data protection regimes in the UK and the EU. I also asked how the proposed shift from the (UK GDPR required) data protection officer to a ‘senior responsible individual’ would improve things?
We must ensure our data protection regime provides UK firms operating in the EU – and the wider international community – with confidence in the robustness of the UK’s data protection standards.
In his response the minister insisted that “the fundamental data protection principles set out in the UK GDPR … remain at the heart of the UK’s data protection regime”.
Another area of concern for me was related to the use of AI throughout the bill, including the regulation of decisions made by autonomous systems. I believe there must be a greater focus on transparency, trustworthiness, and human oversight.
The minister replied that it was the government’s view “that it would not be effective to regulate the use of AI in this context solely through the lens of data protection” but I look forward to coming back to more detailed discussions on these and other aspects of the bill during committee stage in the new year.
Digital identity
The new law paves the way for a cross-sector re-usable Digital Identity framework, providing: equivalence between digital and paper forms of identity; access to government data attributes for certified identity providers; and the certification regime itself.
Once a citizen has created a re-usable digital identity, they will, potentially, be able to re-use it to assert their identity or provide verification for something about themselves such as their age or address.
This would give individuals more control over the data points they share, rather than sharing a whole document that doesn’t allow an adjustable level of control.
I have long argued for the significant social and economic benefits of a distributed digital ID. Digital ID will be a significant driver to the greater adoption of Open Finance.
A trusted and effective citizen created digital ID could enable and empower individuals currently (or potentially) excluded from exercising their rights and accessing basic financial services. In 2011, at our last census, 17 per cent of us had no passport; digital ID could effortlessly get past this problem.
One example, set out in the bill, is the use of digital verification services in property transactions. I asked what other areas have been looked at and whether the proposals in the bill are consistent with work on digital ID taking place in other parts of government.
Smart data
Data-sharing proposals in part three of the Bill are intended to spur innovation and improve consumer outcomes by facilitating private sector data sharing across the UK economy.
The potential is considerable and could include (for example) data about energy or telecoms usage. Imagine if you could give permission to an authorised third-party provider (ATPs) about your energy usage that they then used to provide a personalised service such as automatic switching to best priced energy provider.
Considering those at the sharp end of the energy crisis, the possibility of not only shifting tariffs but, potentially, helping people avoid getting stuck with the higher costs of prepayment metres.
Enabling consumers and expunging the pernicious poverty premium, where all too often we find those with the least being forced to pay the most.
Open banking – born in Britain – is the best current example of open data. This Bill gives the government powers to create a much wider open data economy. These powers go beyond that of what is currently being explored in Europe. The European Banking Federation (EBF) recently acknowledged that PSD2 does not serve as a model for data sharing and is now looking at an incentive-based voluntary framework.
Australia has also recently consulted on how to extend its ‘Consumer Data Right’ to nonbank lending. I asked which markets, in addition to energy and telecommunications, that the government are considering that Smart Data regimes could be applied to?
More generally I am interested in what opportunities an open data economy could create for financial services companies.
Possibilities and purpose
This is an important piece of legislation and the questions about data, what it is and how it is used are absolutely essential for maintaining trust and ultimately facing the challenges and maximising the extensive possibilities of the digital economy.
The mission is identical in so much of this digital transition, optimising our talent and technologies to deliver economic, social, and psychological growth across the country, connected, interoperable, across our world.