On December 18, 2023, the updated response from UK Information Commissioner John Edwards to the Data Protection and Digital Information (No 2) Bill (the “Bill”) was published on the website of the Information Commissioner’s Office (ICO). The Commissioner’s original response was published in March 2023. In the latest response, the Commissioner states that he is “pleased to note that government made some changes…in response to my comments,” specifically with regard to the definition of “vexatious requests” in respect of requests made to the Information Commissioner’s Office, and the drafting of the changes to the safeguards for processing for research purposes. However, the Commissioner goes on to state that the majority of his comments currently remain unaddressed, including with regard to the definition of high-risk processing.
The Bill has recently been returned to Parliament for House of Commons consideration and the UK government has introduced a significant number of new clauses, on which the Commissioner has been consulted. In this respect, the Commissioner notes that certain of these new clauses “amount to substantive new policy that has not been the subject of wider public consultation.” He states that he is “content” with and welcomes most of the changes, including, for example, removing the Secretary of State approval over statutory ICO codes of practice and the extension of the reporting period for personal data breaches under the Privacy and Electronic Communications Regulations from 24 to 72 hours, to align with UK GDPR. However, he expresses his concerns about the proposed power to require information for social security purposes, noting in particular that the measure is currently insufficiently tightly drawn in the legislation to provide the appropriate safeguards. The Bill is currently at the Committee Stage of the House of Lords and further progress is expected during the course of 2024.