5.5 Codes of Practice and Guidance

agreement of the Information Commissioner but there is no mechanism that permits a fully independent review by a third party.

373. The government proposes to empower the DCMS Secretary of State to initiate an independent review of the ICO’s activities and performance. Such a step may be taken if, for example, the ICO's performance were to slip below a threshold determined with reference to the enhanced accountability mechanisms set out above, or after prior notifications about shortcomings in performance. This would be comparable to, for example, HM Treasury’s ability to instruct a review of the efficiency and effectiveness of the Financial Conduct Authority (FCA), as set out in the Financial Services Act 2012.99

The government welcomes views on the following questions:

Q5.4.6. To what extent do you agree with the proposal to empower the DCMS Secretary of State to initiate an independent review of the ICO’s activities and performance? ○ Strongly agree ○ Somewhat agree ○ Neither agree nor disagree ○ Somewhat disagree ○ Strongly disagree

Please explain your answer, and provide supporting evidence where possible.

Q5.4.7. Please share your views on what, if any, criteria ought to be used to establish a threshold for the ICO's performance below which the government may initiate an independent review.

5.5 Codes of Practice and Guidance

374. Under the Data Protection Act 2018, the Information Commissioner is required to prepare codes of practice on four specified data processing activities in order to outline best practice for organisations. The legislation also requires the Information Commissioner to consult the DCMS Secretary of State, and other parties considered appropriate, before preparing or amending three of the codes.100 In addition, under its general functions, the Information Commissioner has powers to publish guidance on processing activities that relate to data protection.

375. The ICO now carries out impact assessments, and undertakes enhanced consultation with both government and other stakeholders when developing codes of practice, and complex or novel guidance. This approach is set out in the ICO’s Regulatory Policy Methodology Framework.

376. The government proposes to oblige the ICO to undertake and publish impact assessments, as well as conduct enhanced consultation, when developing codes of practice, and complex or novel guidance. This will give the current processes a statutory underpinning.

99 Financial Services Act 2012, 1S, c. 21, PART 2, ‘Financial Conduct Authority and Prudential Regulation Authority’.

100 The data-sharing, direct marketing, age-appropriate design code.

377. Although the ICO has taken steps to produce ‘at a glance’ guides and sector-specific toolkits to assist smaller organisations, its core guidance may be very lengthy. It is crucial that the ICO's codes of practice and guidance are accessible and enable regulated entities to comply with the legislation efficiently and easily.

378. A robust consultation process is critical to this, particularly in relation to codes of practice or guidance which relate to more complex areas of legislation. As the ICO is a cross-sector regulator, a broad and transparent consultation process could improve the ICO’s understanding of how legislation should apply to different sectors and data use cases, its focus on the most relevant issues, and its production of bespoke products for certain groups or organisations, such as SMEs.

379. To encourage diverse debate, the government proposes to introduce a power for the DCMS Secretary of State to require the ICO to set up a panel of persons with relevant expertise when developing codes of practice, and complex or novel guidance. Such a process would not be feasible or proportionate for the development of every piece of guidance, hence its limitation to statutory codes, or complex and novel guidance. The ICO should select experts so that the panel is, as far as possible, representative of the primarily affected groups in the given context. The ICO will be required to explain, as part of its regulatory approach, its process and rationale for appointing expert panels. The ICO must publish the outcomes of the panel’s work, although it will not be bound by any recommendations of the panel.

380. Furthermore, the government proposes to give the Secretary of State for DCMS a parallel power to that afforded to the Houses of Parliament in section 125(3) of the Data Protection Act 2018 in the approval of codes of practice and complex or novel guidance.101 This will give the Secretary of State a 40-day period to approve a code of practice or complex or novel guidance. If the Secretary of State does not approve it, the ICO must not issue it and another version must be prepared.

The government welcomes views on the following questions:

Q5.5.1. To what extent do you agree with the proposal to oblige the ICO to undertake and publish impact assessments when developing codes of practice, and complex or novel guidance? ○ Strongly agree ○ Somewhat agree ○ Neither agree nor disagree ○ Somewhat disagree ○ Strongly disagree

Please explain your answer, and provide supporting evidence where possible.

Q5.5.2. To what extent do you agree with the proposal to give the Secretary of State the power to require the ICO to set up a panel of persons with expertise when developing codes of practice and complex or novel guidance? ○ Strongly agree ○ Somewhat agree ○ Neither agree nor disagree
