
The Data Protection and Digital Information Bill  

In September 2021, the government launched a consultation – ‘Data: a new direction’ – as part of its proposals to reform the UK’s data protection laws following Brexit. The responses to that consultation were published in June this year (see our previous article here).

These responses fed into the new Data Protection and Digital Information Bill which was introduced into Parliament on 18 July 2022.    

The Bill is intended to update and simplify the UK’s data protection framework with a view to reducing burdens on organisations while maintaining high data protection standards. 

As the Bill is still working its way through Parliament, it may be amended before it receives Royal Assent and becomes an Act. We have nonetheless highlighted below some of the key provisions for employers, as they currently stand.

Amended Definition of ‘Personal Data’ 

The Bill narrows the definition of personal data by focusing on the knowledge of the controller or processor rather than, arguably, that of the whole world.

Currently, an identifiable living individual is defined as ‘a living individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual’. 

This is very wide. However, the Bill seeks to narrow it by adding that an individual will only be identifiable if they are identifiable by the controller or processor through reasonable means at the time of the processing, or where the controller or processor knows, or ought to know, that another person will (or is likely to) obtain the information as a result of the processing (for example, because it is shared with them) and will be able to identify the individual using reasonable means at the time of the processing.

In theory this may make it easier for businesses to anonymise data. In reality, it is unlikely to have much impact on employers with regard to the personal data they process about their employees, which usually clearly identifies the employees by name, job title or employee number (all of which are known to the employer at the time of processing).

Data Access Requests  

Vexatious and excessive requests 

The Bill changes the threshold for charging a reasonable fee (or refusing to comply with a request) from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’.  

The revised threshold is intended to capture a wider set of unreasonable and/or disproportionate requests. If challenged, the onus will be on the controller to show that the request is vexatious or excessive.

The Bill provides some factors for organisations to consider when looking at whether a request is vexatious or excessive, although these are similar to factors already highlighted in ICO guidance.  They include: 

  • The nature of the request 
  • The relationship between the data subject and controller 
  • The resources available to the data controller  
  • The extent to which the request repeats an earlier request and how long ago any such request was made 
  • Whether the request overlaps with other requests made by the data subject 

The Bill highlights that requests intended to cause distress, not made in good faith and/or that are an abuse of process will be vexatious.  Some of these are already referred to, albeit to a limited extent, in ICO guidance (for example a request may be viewed as manifestly unfounded if the individual making it expressly states that they intend to cause disruption). 

The list is clearly helpful for organisations and may assist employers who are faced with data access requests from ex-employees as part of Employment Tribunal proceedings (or the build-up to them). However, more guidance will be needed from the ICO on these factors to understand clearly what circumstances they cover.

Requests for further information  

The Bill also adds wording to the effect that, where an organisation needs more information to identify the personal data or processing activities in question, it can request this. Doing so pauses the time limit for compliance until the information is provided. An example of when such information may be required is where the controller processes a large amount of information about the data subject.

More guidance will be needed from the ICO on this point and on when it can be used, but it does suggest that employers who process a large amount of information about their employees could request further information and need not comply until that information is provided.
New Legal Basis – Recognised Legitimate Interests 

The Bill introduces a new legal basis for processing where processing is ‘necessary for the purpose of a recognised legitimate interest’.  

A list of recognised legitimate interests is provided within the Bill. These are relatively limited and focus on matters of public interest, but they include, for example, processing that is necessary for the purposes of detecting, investigating or preventing crime, which may be helpful to employers who need to complete checks such as those for anti-money laundering.

Data Protection Officer (‘DPO’) 

The Bill removes the need for certain organisations to appoint a DPO and instead requires them to designate a ‘senior responsible individual’ who must be part of the organisation’s senior management. This appears to be a departure from the original requirement under the UK GDPR for the DPO to be independent, and many organisations that have already appointed external consultants may be concerned about this change. Again, it would be useful to have further clarification on this point from the ICO.

Accountability – Record Keeping 

The Bill states that controllers must retain ‘appropriate records’ of processing. Much of the information that should be included in these records remains unchanged, but the emphasis now seems to be on controllers to assess the nature and scope of their processing activities, the risks to individuals’ rights and freedoms and their own resources in deciding what is appropriate.

The Bill confirms that the exemption for organisations with fewer than 250 employees remains in place, but says that those with fewer than 250 employees will need to comply if the processing is likely to result in a high risk to individuals’ rights and freedoms. This is slightly narrower than the current position, under which those with fewer than 250 employees also need to comply if the processing is not occasional or involves the processing of special category or criminal convictions data.

For those smaller organisations that have already retained records based on the broader current wording, it is likely to be helpful to maintain these in any event, as they enable the organisation to identify its data flows, which assists with compliance with wider data protection obligations.

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
