7 minute read
4.4 Building Trust and Transparency
The government welcomes views on the following questions:
Q4.3.3. To what extent do you agree with the proposal to clarify that public and private bodies may lawfully process health data when necessary for reasons of substantial public interest in relation to public health or other emergencies? ○ Strongly agree ○ Somewhat agree ○ Neither agree nor disagree ○ Somewhat disagree ○ Strongly disagree
Advertisement
Please explain your answer, providing supporting evidence where possible.
Q4.3.4. What, if any, additional safeguards should be considered if this proposal were pursued?
4.4 Building Trust and Transparency
287. Public trust is vital to the delivery of better public services and outcomes for individuals. This section outlines measures to strengthen the transparency and clarity of personal data processing by the public sector. Public bodies should also be empowered to share and utilise more personal data in the public interest, while safeguarding data subjects’ rights and interests.
Transparency mechanisms for algorithms
288. There are clear benefits to organisations, individuals and society in explaining algorithmic decision-making in the public sector. Providing explanations to individuals affected by such a decision can help organisations, including in the public sector, ensure greater fairness in the outcomes for different groups across society.
289. The UK’s current data protection framework already recognises the importance of public trust by imposing specific requirements on public authorities.
290. The government proposes introducing compulsory transparency reporting on the use of
algorithms in decision-making for public authorities, government departments and
government contractors using public data. This would provide much greater information about, for example, what datasets are being used, technical specifications of the algorithms, and how ethical considerations, such as mitigating bias, are addressed.
The government welcomes views on the following questions:
Q4.4.1. To what extent do you agree that compulsory transparency reporting on the use of algorithms in decision-making for public authorities, government departments and government contractors using public data will improve public trust in government use of data? ○ Strongly agree ○ Somewhat agree ○ Neither agree nor disagree ○ Somewhat disagree ○ Strongly disagree
Please explain your choice, and provide supporting evidence where possible.
Q4.4.2. Please share your views on the key contents of mandatory transparency reporting.
Q4.4.3. In what, if any, circumstances should exemptions apply to the compulsory transparency reporting requirement on the use of algorithms in decision-making for public authorities, government departments and government contractors using public data?
Processing in the ‘substantial public interest’
291. Sensitive personal data (‘special category data’ under Article 9 of the UK GDPR, and criminal convictions and offences data under Article 10 of the UK GDPR) includes, for example, personal data relating to a person’s health, racial or ethnic origins, political opinions or sexual orientation. It can also include genetic data and biometric data such as fingerprints, DNA or facial images.87 The default position is that sensitive data cannot be processed unless there is explicit consent from the data subject, or it is expressly permitted for purposes listed in the UK GDPR and Schedule 1 to the Data Protection Act 2018.
292. The UK GDPR and Schedule 1 to the Data Protection Act 2018 set out a range of situations when such sensitive data may be processed, and various tests or conditions that must also be met. These range from situations requiring sensitive data processing needed for counselling purposes, MPs’ constituency casework or to promote diversity at senior levels in organisations.
293. There are two key challenges to consider. The first is finding the balance between ensuring provisions are sufficiently flexible to allow all necessary processing of sensitive data, and ensuring provisions are specific enough to give data subjects transparency and controllers certainty. The government is considering whether to add new situations to those in
Schedule 1, or to amend existing situations in order to provide greater specificity.
294. The second key challenge is ensuring that each provision has the right safeguards or limitations in order to avoid misuse, and to provide greater transparency and certainty to data subjects and controllers. Part 2 of Schedule 1 to the Data Protection Act 2018 sets out situations where certain categories of sensitive data can be processed for reasons of ‘substantial public interest’, as per Article 9(2)(g) UK GDPR. In certain situations the controller must apply a test of whether the processing would be in the ‘substantial public interest’. This test is not required in other situations or for purposes that are deemed to always be in the ‘substantial public interest’ - for example, processing for the administration of justice.
295. The government has heard from some stakeholders that these rules are not sufficiently defined and there is no case law to assist with its interpretation. Data controllers may struggle to differentiate between 'public interest' and 'substantial public interest', given potential uncertainty about both terms. This uncertainty may discourage or delay data controllers from processing or
sharing sensitive data, even when there is a strong or urgent case in the public interest for doing so.
296. One option to tackle this uncertainty is to include in legislation a definition of 'substantial public interest'. Such a definition could provide reassurance or at least greater certainty to organisations that are hesitating over whether their purposes for processing constitute a substantial public interest. A key challenge would be to ensure the definition is not so narrow and rigid that it precludes lesser known or future purposes that ought to meet the test, and that it is not so broad and open to allow processing that could not have reasonably been expected.
297. Another option is to add to or amend the list of specific situations in Schedule 1 to the
Data Protection Act 2018 that are deemed to always be in the substantial public interest.
These would need to be considered carefully so that a high level of protection for individuals is maintained, but could include, for example, processing that is necessary for the purposes of safeguarding national security.
The government welcomes views on the following questions:
Q4.4.4. To what extent do you agree there are any situations involving the processing of sensitive data that are not adequately covered by the current list of activities in Schedule 1 to the Data Protection Act 2018? ○ Strongly agree ○ Somewhat agree ○ Neither agree nor disagree ○ Somewhat disagree ○ Strongly disagree
Please explain your answer and provide supporting evidence where possible, including on: ○ What, if any, situations are not adequately covered by existing provisions ○ What, if any, further safeguards or limitations may be needed for any new situations
Q4.4.5. To what extent do you agree with the following statement: ‘It may be difficult to distinguish processing that is in the substantial public interest from processing in the public interest’? ○ Strongly agree ○ Somewhat agree ○ Neither agree nor disagree ○ Somewhat disagree ○ Strongly disagree
Please explain your answer, and provide supporting evidence where possible.
Q4.4.6. To what extent do you agree that it may be helpful to create a definition of the term 'substantial public interest'? ○ Strongly agree ○ Somewhat agree
○ Neither agree nor disagree ○ Somewhat disagree ○ Strongly disagree
Please explain your answer, and provide supporting evidence where possible, including on: ○ What the risks and benefits of a definition would be ○ What such a definition might look like ○ What, if any, safeguards may be needed
Q4.4.7. To what extent do you agree that there may be a need to add to, or amend, the list of specific situations in Schedule 1 to the Data Protection Act 2018 that are deemed to always be in the substantial public interest? ○ Strongly agree ○ Somewhat agree ○ Neither agree nor disagree ○ Somewhat disagree ○ Strongly disagree
Please explain your answer, and provide supporting evidence where possible, including on: ○ What such situations may be ○ What the risks and benefits of listing those situations would be ○ What, if any, safeguards may be needed
Clarifying rules on the collection, use and retention of biometric data by the police
298. The legal framework should provide clarity and transparency on the processing of personal data by the public sector. It must also provide the UK’s law enforcement and national security communities with the tools to adapt to changing circumstances across all sectors and respond rapidly to emerging threats.
299. Biometric technologies like DNA analysis, fingerprints and, increasingly, facial image recognition are important tools in tackling knife crime, child sexual exploitation, terrorism and other offences. The public rightly expects the police to use biometrics appropriately to protect public safety within a framework that is fair, transparent and proportionate.
300. There is already a comprehensive legal framework in place covering use of biometric data for law enforcement purposes, but it is complex for both the police and the public to understand. This is a fast-developing area, with technological advancements regarding biometrics data, and the legal framework needs to be capable of keeping pace. Unless addressed, this could inhibit the confident adoption of new technologies that can improve public safety.
301. The government is therefore considering changes to make the legislative framework
