| A | B | C | D | E | |
|---|---|---|---|---|---|
1 | September 2021 | June 2022 update here | |||
2 | Open Data Institute (ODI) policy team mapping tool | ||||
3 | UK data protection reform proposals: "Data: a new direction" | ||||
4 | Consultation document here | ||||
5 | |||||
6 | |||||
7 | Chapter 1: Reducing barriers to responsible innovation | Location | Proposals | Consultation questions | |
8 | 1.2: Research purposes | ||||
9 | p13/clause 40 | the government is proposing to consolidate and bring together research-specific provisions | |||
10 | Q1.2.1 To what extent do you agree that consolidating and bringing together research-specific provisions will allow researchers to navigate the relevant law more easily? Please explain your answer, and provide supporting evidence where possible. | ||||
11 | Q1.2.1a. Please explain your answer, and provide supporting evidence where possible. | ||||
12 | |||||
13 | p14/clause 42 | The government therefore proposes to incorporate a clearer definition of 'scientific research' into legislation | |||
14 | Q1.2.2. To what extent do you agree that creating a statutory definition of 'scientific research' would result in greater certainty for researchers? | ||||
15 | Q1.2.2a. Please explain your answer, and provide supporting evidence where possible. | ||||
16 | Q1.2.3. Is the definition of scientific research currently provided by Recital 159 of the UK GDPR (‘technological development and demonstration, fundamental research, applied research and privately funded research’) a suitable basis for a statutory definition? | ||||
17 | Q1.2.3a. Please explain your answer, providing supplementary or alternative definitions of 'scientific research' if applicable. | ||||
18 | |||||
19 | p14-15/clause 44 | The government is considering the following two proposals to tackle the challenge of determining the best lawful ground to apply to the use of personal data for research purposes: (a) Clarifying in legislation how university research projects can rely on tasks in the public interest (Article 6(1)(e) of the UK GDPR) as a lawful ground for personal data processing. (b) Creating a new, separate lawful ground for research, subject to suitable safeguards. | |||
20 | Q1.2.4. To what extent do you agree that identifying a lawful ground for personal data processing for research processes creates barriers for researchers? | ||||
21 | Q1.2.4a. Please explain your answer, and provide supporting evidence where possible, including by describing the nature and extent of the challenges. | ||||
22 | Q1.2.5. To what extent do you agree that clarifying that university research projects can rely on tasks in the public interest (Article 6(1)(e) of the UK GDPR) as a lawful ground would support researchers to select the best lawful ground for processing personal data? | ||||
23 | Q1.2.5a. Please explain your answer, and provide supporting evidence where possible. | ||||
24 | Q1.2.6. To what extent do you agree that creating a new, separate lawful ground for research (subject to suitable safeguards) would support researchers to select the best lawful ground for processing personal data? | ||||
25 | Q1.2.6a. Please explain your answer, and provide supporting evidence where possible. | ||||
26 | Q1.2.7. What safeguards should be built into a legal ground for research? | ||||
27 | |||||
28 | p16/clause 48 | The government proposes clarifying in legislation that data subjects should be allowed to give their consent to broader areas of scientific research when it is not possible to fully identify the purpose of personal data processing at the time of data collection. The government also proposes stating explicitly that the further use of data for research purposes is both (i) always compatible with the original purpose and (ii) lawful under Article 6(1) of the UK GDPR. | |||
29 | Q1.2.8. To what extent do you agree that it would benefit researchers to clarify that data subjects should be allowed to give their consent to broader areas of scientific research when it is not possible to fully identify the purpose of personal data processing at the time of data collection? | ||||
30 | Q1.2.8a. Please explain your answer, and provide supporting evidence where possible. | ||||
31 | Q1.2.9. To what extent do you agree that researchers would benefit from clarity that further processing for research purposes is both (i) compatible with the original purpose and (ii) lawful under Article 6(1) of the UK GDPR? | ||||
32 | Q1.2.9a. Please explain your answer, and provide supporting evidence where possible. | ||||
33 | |||||
34 | p17/clause 50 | The government is considering replicating the Article 14(5)(b) exemption in Article 13, limited only to controllers processing personal data for research purposes. | |||
35 | Q1.2.10. To what extent do you agree with the proposals to disapply the current requirement for controllers who collected personal data directly from the data subject to provide further information to the data subject prior to any further processing, but only where that further processing is for a research purpose and it where it would require a disproportionate effort to do so? | ||||
36 | Q1.2.10a. Please explain your answer, and provide supporting evidence where possible. | ||||
37 | Q1.2.11. What, if any, additional safeguards should be considered as part of this exemption? | ||||
38 | |||||
39 | 1.3 Further processing | ||||
40 | p19/clause 54 | The government proposes to clarify that further processing for an incompatible purpose may be permitted when it safeguards an important public interest. The government is considering whether it would be useful to clarify the circumstances, if any, in which further processing can be undertaken by a controller different from the original controller, while ensuring fairness and transparency. The government considers that a clarification in law may be helpful to confirm that further processing may be permitted, whether it is compatible or incompatible, when it is based on a law that safeguards an important public interest. | |||
41 | Q1.3.1 To what extent do you agree that the provisions in Article 6(4) of the UK GDPR on further processing can cause confusion when determining what is lawful, including on the application of the elements in the compatibility test? | ||||
42 | Q1.3.1a. Please explain your answer, and provide supporting evidence where possible. | ||||
43 | Q1.3.2. To what extent do you agree that the Government should seek to clarify in the legislative text itself that further processing may be lawful when it is a) compatible or b) incompatible but based on a law that safeguards an important public interest? | ||||
44 | Q1.3.2a. Please explain your answer and provide supporting evidence where possible, including on: what risks and benefits you envisage; what limitations or safeguards should be considered | ||||
45 | Q1.3.3. To what extent do you agree that the Government should seek to clarify when further processing can be undertaken by a controller different from the original controller? | ||||
46 | Q1.3.3a. Please explain your answer and provide supporting evidence where possible, including on: How you envisage clarifying when further processing can take place; How you envisage clarifying the distinction between further processing, and new processing; What risks and benefits you envisage; What limitations or safeguards should be considered | ||||
47 | Q1.3.4. To what extent do you agree that the Government should seek to clarify when further processing may occur, when the original lawful ground was consent? | ||||
48 | Q1.3.4a. Please explain your answer and provide supporting evidence where possible, including on: How you envisage clarifying when further processing can take place; How you envisage clarifying the distinction between further processing, and new processing; What risks and benefits you envisage; What limitations or safeguards should be considered | ||||
49 | |||||
50 | 1.4 Legitimate interests | ||||
51 | p22 / clause 60 | The government therefore proposes to create a limited, exhaustive list of legitimate interests for which organisations can use personal data without applying the balancing test in order to give them more confidence to process personal data without unnecessary recourse to consent | |||
52 | Q1.4.1. To what extent do you agree with the proposal to create a limited, exhaustive list of legitimate interests for which organisations can use personal data without applying the balancing test? | ||||
53 | Q1.4.1a. Please explain your answer, and provide supporting evidence where possible. | ||||
54 | Q1.4.2. To what extent do you agree with the suggested list of activities where the legitimate interests balancing test would not be required? | ||||
55 | Q1.4.2a. Please explain your answer, indicating whether and why you would remove any activities listed above or add further activities to this list. | ||||
56 | Q1.4.3. What, if any, additional safeguards do you think would ned to be put in place? | ||||
57 | Q1.4.4. To what extent do you agree that the legitimate interests balancing test should be maintained for children’s data, irrespective of whether the data is being processed for one of the listed activities? | ||||
58 | Q1.4.4a. Please explain your answer, and provide supporting evidence where possible. | ||||
59 | |||||
60 | 1.5 AI and Machine Learning | ||||
61 | p30 / clause 78 | The government is concerned that there is uncertainty about the scope and substance of 'fairness' in the data protection regime as applied to the development and deployment of AI systems, and the ICO's regulatory reach. | |||
62 | Q1.5.1. To what extent do you agree that the current legal obligations with regards to fairness are clear when developing or deploying an AI system? | ||||
63 | Q1.5.1a. Please explain your answer, and provide supporting evidence where possible. | ||||
64 | Q1.5.2. To what extent do you agree that the application of the concept of fairness within the data protection regime in relation to AI systems is currently unclear? | ||||
65 | Q1.5.2a. Please explain your answer, and provide supporting evidence where possible. | ||||
66 | Q1.5.3. What legislative regimes and associated regulators should play a role in substantive assessments of fairness, especially of outcomes, in the AI context? Please explain your response. | ||||
67 | Q1.5.4. To what extent do you agree that the development of a substantive concept of outcome fairness in the data protection regime - that is independent of or supplementary to the operation of other legislation regulating areas within the ambit of fairness - poses risks? | ||||
68 | Q1.5.4a. Please explain your answer, and provide supporting evidence where possible, including on the risks. | ||||
69 | |||||
70 | p32 / clause 82 | The government is considering how to develop a safe regulatory space for the responsible development, testing and training of AI. | |||
71 | Q1.5.5. To what extent do you agree that the Government should permit organisations to use personal data more freely, subject to appropriate safeguards, for the purpose of training and testing AI responsibly? | ||||
72 | Q1.5.5a. Please explain your answer, and provide supporting evidence where possible, including which safeguards should be in place. | ||||
73 | Q1.5.6. When developing and deploying AI, do you experience issues with identifying an initial lawful ground? | ||||
74 | Q1.5.6a. Please explain your answer, and provide supporting evidence where possible. | ||||
75 | Q1.5.7. When developing and deploying AI, do you experience issues with navigating re-use limitations in the current framework? | ||||
76 | Q1.5.7a. Please explain your answer, and provide supporting evidence where possible. | ||||
77 | Q1.5.8. When developing and deploying AI, do you experience issues with navigating relevant research provisions? | ||||
78 | Q1.5.8a. Please explain your answer, and provide supporting evidence where possible. | ||||
79 | Q1.5.9. When developing and deploying AI, do you experience issues in other areas that are not covered by the questions immediately above? | ||||
80 | Q1.5.9a. Please explain your answer, and provide supporting evidence where possible. | ||||
81 | p35/clause 90 | The government proposes to stipulate in this list [of legitimate interests] that processing personal data for the purposes of ensuring bias monitoring, detection and correction in relation to AI systems constitutes a legitimate interest in the terms of Article 6(1)(f) for which the balancing test is not required. Where bias monitoring, detection or correction can only be undertaken with the use of sensitive personal data, the government proposes to either: (a) Make it clear that the existing derogation in Paragraph 8 of Schedule 1 to the Data Protection Act 2018 can be used for this type of processing. (b) Create a new condition within Schedule 1 to the Data Protection Act 2018 which specifically addresses the processing of sensitive personal data as necessary for bias monitoring, detection and correction in relation to AI systems. | |||
82 | Q1.5.10. To what extent do you agree with the proposal to make it explicit, that the processing of personal data for the purpose of bias monitoring, detection and correction in relation to AI systems should be part of a limited, exhaustive list of legitimate interests that organisations can use personal data for without applying the balancing test? | ||||
83 | Q1.5.10a. Please explain your answer, and provide supporting evidence where possible, including on: The key benefits or risks you envisage; What you envisage the parameters of the processing activity should be | ||||
84 | Q1.5.11. To what extent do you agree that further legal clarity is needed on how sensitive personal data can be lawfully processed for the purpose of ensuring bias monitoring, detection and correction in relation to AI systems? | ||||
85 | Q1.5.11a. Please explain your answer, and provide supporting evidence where possible. | ||||
86 | Q1.5.12. To what extent do you agree with the proposal to create a new condition within Schedule 1 to the Data Protection Act 2018 to support the processing of sensitive personal data for the purpose of bias monitoring, detection and correction in relation to AI systems? | ||||
87 | Q1.5.12a. Please explain your answer, and provide supporting evidence where possible. | ||||
88 | Q1.5.13. What additional safeguards do you think would need to be put in place? | ||||
89 | |||||
90 | p40/clause 100 | the government is seeking further evidence on the potential need for legislative reform rather than making proposals at this stage | |||
91 | Q1.5.14. To what extent do you agree with what the Government is considering in relation to clarifying the limits and scope of what constitutes ‘a decision based solely on automated processing’ and ‘produc[ing] legal effects concerning [a person] or similarly significant effects? | ||||
92 | Q1.5.14a. Please explain your answer, and provide supporting evidence where possible, including on: The benefits and risks of clarifying the limits and scope of ‘solely automated processing’; The benefits and risks of clarifying the limits and scope of ‘similarly significant effects’ | ||||
93 | Q1.5.15. Are there any alternatives you would consider to address the problem? | ||||
94 | Q1.5.15a. Please explain your answer, and provide supporting evidence where possible. | ||||
95 | 1.5.16. To what extent do you agree with the following statement: 'In the expectation of more widespread adoption of automated decision-making, Article 22 is (i) sufficiently future-proofed, so as to be practical and proportionate, whilst (ii) retaining meaningful safeguards'? | ||||
96 | Q1.5.16a. Please explain your answer, and provide supporting evidence where possible, on both elements of this question, providing suggestions for change where relevant. | ||||
97 | Q1.5.17. To what extent do you agree with the Taskforce on Innovation, Growth and Regulatory Reform’s recommendation that Article 22 of UK GDPR should be removed and solely automated decision making permitted where it meets a lawful ground in Article 6(1) (and Article 9-10 (as supplemented by Schedule 1 to the Data Protection Act 2018) where relevant) and subject to compliance with the rest of the data protection legislation? | ||||
98 | Q1.5.17a. Please explain your answer, and provide supporting evidence where possible, including: (a) The benefits and risks of the Taskforce’s proposal to remove Article 22 and permit solely automated decision making where (i) it meets a lawful ground in Article 6(1) (and, Articles 9 and 10, as supplemented by Schedule 1 to the Data Protection Act 2018) in relation to sensitive personal data, where relevant) and subject to compliance with the rest of the data protection legislation. (b) Any additional safeguards that should be in place for solely automated processing of personal data, given that removal of Article 22 would remove the safeguards currently listed in Article 22 (3) and (4) | ||||
99 | Q1.5.18. Please share your views on the effectiveness and proportionality of data protection tools, provisions and definitions to address profiling issues and their impact on specific groups (as described in the section on public trust in the use of data-driven systems), including whether or not you think it is necessary for the Government to address this in data protection legislation. | ||||
100 | Q1.5.19. Please share your views on what, if any, further legislative changes the Government can consider to enhance public scrutiny of automated decision-making and to encourage the types of transparency that demonstrate accountability (e.g. revealing the purposes and training data behind algorithms, as well as looking at their impacts). |