UK Politicians Demand Privacy Regulator Enforce Law Against Government

By Robert Bateman

The U.K. government has shown “scant regard to both privacy concerns and data protection duties” — and the country’s privacy regulator has failed to protect the public’s personal information, according to a letter from 22 opposition politicians.

The Aug. 21 letter, signed by 22 members of Parliament from four political parties, was addressed to the Information Commissioner’s Office (ICO) — the “data protection authority” responsible for enforcing privacy law in the U.K.

The office is headed by Information Commissioner Elizabeth Denham.

The government has been accused of breaching privacy law on numerous occasions throughout the COVID-19 pandemic, including in July, when it admitted that it had not assessed the privacy risks involved in its “test and trace” program properly.

In April, the ICO said it would take a more relaxed approach to enforcing privacy law during the pandemic. Critics claim this has allowed the government to circumvent legal obligations.

One Signatory Speaks

One signatory was Apsana Begum, a member of Parliament representing the Poplar and Limehouse districts in London.

She told Digital Privacy News that the government was failing to protect citizens’ health information.

“Striving to ensure that the spread of COVID-19 is limited must be the priority for any country in the world,” Begum said. “This should not, however, come at the cost of health records no longer remaining confidential and private.

“There needs to be both transparency and consultation on how data is being captured, used and shared,” she continued. “I would urge fellow members of Parliament to ask questions of the government on this matter.”

Commissioner Responds

Responding to the letter in a statement on ICO’s website, Denham said: “I can assure you that the priority of my office throughout this period has been to challenge appropriately to ensure that privacy and data-protection rights are upheld; and to do so in a way that does not impede unnecessarily the need to safeguard the public’s health.

“The public must have confidence their data is being treated safely and legally,” Denham said. “Our suite of regulatory tools can both pull and push in the right direction to ensure privacy is protected, whilst not holding up significant measures to protect public health.”

A representative of the U.K. Department of Health and Social Care responded to Digital Privacy News about the MPs’ allegation that it had not carried out a data-protection impact assessment (DPIA) for the “test and trace” program, as required by law.

“It is completely wrong to claim that there are no DPIAs in place or that the NHS test and trace service is unlawful,” the representative said in a statement.

“We have undertaken a number of separate DPIAs covering the constituent parts of the NHS test and trace service, with more in development — including an overarching DPIA.

“An entire industry has been successfully set up at speed to tackle the most serious public-health crisis we have faced in a century,” the statement added. “Our priority has been to save lives and protect public health — and we will not apologize for doing so.

“NHS test and trace is committed to the highest ethical and data-governance standards,” the representative said, “and there is no evidence of data being used unlawfully.”

‘Skeptical’ of Privacy Rights

Ian Brown, a privacy consultant and author, told Digital Privacy News that recent events stemmed from a systemic and long-standing problem — for both the government and ICO.

“Going back decades, the U.K. government has been very skeptical about the whole notion of privacy and data-protection rights,” he said.

“They have done their very best to dilute them, even when the E.U. has tried to strengthen them.”

Brown said a major problem was that ICO acted both as an advisory body and a law-enforcement agency. Once the government has acted on ICO’s advice, it becomes difficult for the agency to criticize it publicly.

Brown argued that ICO’s issue was not Denham herself — who, in Brown’s opinion, has performed better than previous information commissioners.

“This is a longer-running issue with the ICO, going back multiple commissioners,” Brown said. “The ICO’s budget has never been the level that it needs to be to enforce the law effectively.”

ICO is tasked with enforcing such laws as the Data Protection Act and the General Data Protection Regulation (GDPR), which came into force in 2018.

Regulators across Europe have struggled to respond to complaints about violations of the GDPR, which — on paper — is among the strictest privacy laws in the world.

Not Enough Money

Part of the problem appears to be budgetary constraints. According to a report in April by the web-browser company Brave, half of the E.U.’s data-protection authorities have annual budgets of $5.9 million or less.

David Erdos, a senior lecturer in law at the University of Cambridge and deputy director of the Centre for Intellectual Property and Information Law (CIPIL), agreed that ICO was ill-equipped to deliver the strong privacy standards promised by GDPR.

“There are legitimate concerns that the ICO has been adopting an overly discretionary and selective approach,” Erdos told Digital Privacy News.

He contended that the U.K. should give greater powers to the country’s Information Rights Tribunal, which settles disputes between individuals and ICO.

“The Information Rights Tribunal system can and should play a more active role in policing the ICO’s response to data subject complaints lodged with it,” Erdos said.

“It is important that individuals have confidence that the core of data-protection will be robustly upheld, especially when the type of data or the context is sensitive.”

Robert Bateman is a writer in Brighton, U.K.
