B1397 – Right of Access to Personal Data Bill 2018

This discussion is closed.
Saracen's Fez
#1, thread starter, 1 year ago
B1397 – Right of Access to Personal Data Bill 2018, TSR Government
A
BILL
TO


Augment and ameliorate the right to one’s personal data, especially that held by large and otherwise influential businesses and organisations

BE IT ENACTED by the Queen's Most Excellent Majesty, by and with the advice and consent of the Commons in this present Parliament assembled, in accordance with the provisions of the Parliament Acts 1911 and 1949, and by the authority of the same, as follows:—

1 Definitions

(1) Within the scope of this Bill, and the wider context of the Data Protection Act 2018, to be defined as follows:-
  unless context otherwise requires:-
    (a) ‘personal data’ shall refer to information relating to an identified or identifiable living individual which:-
      (i) is being processed by means of equipment operating automatically in response to instructions given for that purpose,
      (ii) is recorded with the intention that it should be processed by means of such equipment,
      (iii) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,
      (iv) does not fall within paragraph (i), (ii) or (iii) but forms part of an accessible health, educational or otherwise public record;
      (v) is recorded information held by a public authority and does not fall within any of paragraphs (i) to (iv).
    (b) ‘identifiable living individual’ shall refer to an individual, living, who can be identified, directly, or indirectly, in particular by reference to:-
      (i) an identifier such as a name, an identification number, location data or an online identifier, or;
      (ii) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
    (c) ‘data controller’ shall refer to any person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed;
    (d) ‘data processor’ shall, in relation to personal data, refer to any person (other than an employee of the data controller) who processes the data on behalf of the data controller;
    (d) ‘data subject’ shall refer to any individual who is the subject of personal data, that is to say the identified or identifiable living individual to whom personal data relates.
(2) Within the sole scope of this Bill, the following are to be defined as follows:-
  (a) ‘an entity of significant proportion’ shall refer to any organisation, business or legal entity, barring government entities, employing more than 200 employees, providing goods or services to 200,000 people or more and/or one with a gross annual turnover exceeding 1,000,000 GBP.
  (b) ‘a governmental entity’ shall refer to any ministerial department, non-ministerial department, agency or other public body of Her Majesty’s Government otherwise subject to the provisions of the Freedom of Information Act 2000.
  (c) ‘an influential entity’ shall refer to any organisation, business or legal entity that carries a significant market share or is otherwise involved in the management, analysis or transmission of data.
  (d) ‘automatic provisions’ shall refer to systems, with minimal human involvement, facilitating:-
    (i) the automatic verification of identity;
    (ii) the automatic verification of the existence of data relating to the data subject, in question;
    (iii) the automatic relay of a description of the purposes for which data, held by the data controller, is being or is about to be processed;
    (iv) the automatic relay of a description of the recipients or classes of recipients to whom data may be, or has been, disclosed.
    (v) the automatic relay, without undue delay and within a reasonable time scheme not exceeding seven working days, of all, or, if a request is limited by the data subject, the requested data held relating to the data subject, in question.

PART I
GENERAL

2 Automatic provisions
(1) Data subjects shall be entitled to, through automatic provisions, access to their personal data, when said personal data is held by an entity of significant proportion or an influential entity.
(2) Government entities shall be exempt from subsection (1).
(3) Data controllers retain the right to implement security and validation measures as to ensure that the data subject is who he is purporting to be.
(4) Security and validation measures, in respect to subsection (3), cannot unduly delay access to personal data, and cannot require physical documentation to be validated.


PART II
AMENDMENTS

3 Amendments to the Data Protection Act 2018
(1) Section 24(5) of the Data Protection Act 2018 is to be amended as to read as follows:-
  (5) A controller is not obliged to comply with Article 15(1) to (3) of the applied GDPR (right of access by the data subject) in relation to personal data to which this Chapter applies by virtue of section 21(2), in circumstances where the data controller is not that of an entity of significant proportion or that of an influential entity, if—
    (a) the request under that Article does not contain a description of the personal data, or
    (b) the controller estimates that the cost of complying with the request so far as relating to the personal data would exceed the appropriate maximum.

(2) Section 45(3) of the Data Protection Act 2018 is to be amended as to read as follows:-
  (3) Where a data subject makes a request under subsection (1), the information to which the data subject is entitled must—
    (a) be provided through the mechanism in which the request was made in the first instance;
    (b) be provided through automatic provisions, in the case of entities of significant proportion or influential entities;
    (c) be provided without undue delay, and
    (d) in any event, provided before the end of the applicable time period (as to which see section 54)

(3) Section 45(4) is to be inserted into the Data Protection Act 2018 and read as follows:-
  (4) Where a data controller—
    (a) reasonably requires further information in order to satisfy himself as to the identity of the person making a request under this section and to locate the information which that person seeks, and
    (b) has informed him of that requirement,
  the data controller is not obliged to comply with the request, nor shall statute concerning ‘automatic provisions’ apply, unless he is supplied with that further information.

(4) Section 45(9) is to be inserted into the Data Protection Act 2018 and read as follows:-
  (9) Entities of significant proportion, and influential entities must have ‘automatic provisions’ in respect to section 45(1) of this Act.
(5) Section 45(10) is to be inserted into the Data Protection Act 2018 and read as follows:-
  (10) Entities of significant proportion, and influential entities shall have twelve calendar months from the date of enactment to implement the provisions, systems and procedures within section 45(3), section 45(4) and section 45(9).
(4) Section 45(11) is to be inserted into the Data Protection Act 2018 and read as follows:-
  (11) Entities of significant proportion, and influential entities who fail to implement provisions, systems and procedures within section 45(3), section 45(4) and section 45(9) are to be deemed to have ‘contravened a data protection principle’ and shall be subject to the provisions of part 6 of this Act

PART III
CITATION AND COMMENCEMENT

4 Citation and Commencement:
(1) This act extends to the whole of the United Kingdom.
(2) This act will come into force upon Royal Assent.
(3) This act may be cited as the Right of Access to Personal Data Bill 2018


Notes

Given the Cambridge Analytica/AggregateIQ & Facebook scandal concerning data held, it is vital that one’s right to access to one’s personal data remains not only unimpeded but fortified. This Bill sets out amendments to the Data Protection Act 2018 to augment and ameliorate one’s access to one’s personal data, as to increase transparency and restore long-term trust in data handlers.

Notably, this Bill requires all large and influential organisations to have automatic provisions - e.g. a simple online questionnaire within a logged-in account for accessing personal data, and no longer requires written requests in our ever modernising age. The current provisions for governmental entities shall remain due to the increased sensitivity of data.

Aph
#2, 1 year ago
"a simple online questionnaire" means it is so much easier for scammers to get hold of people's personal data. This bill makes data less secure not more so!!!

The rest of this bill is rather needless IMO. The scandals in question happened before the GDPR was in force. No point changing them now when we don't know how well they work yet.

ns_2 (Political Ambassador)
#3, 1 year ago
(Original post by Aph)
"a simple online questionnaire" means it is so much easier for scammers to get hold of people's personal data. This bill makes data less secure not more so!!!

The rest of this bill is rather needless IMO. The scandals in question happened before the GDPR was in force. No point changing them now when we don't know how well they work yet.
"a simple online questionnaire within a logged-in account"

Although Facebook received much criticism for its handling of the Cambridge Analytica scandal, it must receive praise for its protocol in respect to personal data - anyone with a Facebook account can download and view exactly what data Facebook has stored on them. This Bill proposes that all large and significant entities have established systems to enable the automatic access to one's personal data.

In respect to security, it is clear that you have failed to read the Bill properly - this Bill enables entities to have in place security validation procedures to ensure that the person requesting the data is the person to whom the data applies e.g. 2FA.

Aph
#4, 1 year ago
(Original post by ns_2)
"a simple online questionnaire within a logged-in account"

Although Facebook received much criticism for its handling of the Cambridge Analytica scandal, it must receive praise for its protocol in respect to personal data - anyone with a Facebook account can download and view exactly what data Facebook has stored on them. This Bill proposes that all large and significant entities have established systems to enable the automatic access to one's personal data.

In respect to security, it is clear that you have failed to read the Bill properly - this Bill enables entities to have in place security validation procedures to ensure that the person requesting the data is the person to whom the data applies e.g. 2FA.
No, I read that just fine. The issue is that you can never confirm who someone is online; having this data made more accessible damages security inherently.

Also, automatic access does not prevent said data being sold on; it does not make data more secure in any way, shape or form. This bill is completely pointless.

ns_2 (Political Ambassador)
#5, 1 year ago
(Original post by Aph)
No, I read that just fine. The issue is that you can never confirm who someone is online; having this data made more accessible damages security inherently.

Also, automatic access does not prevent said data being sold on; it does not make data more secure in any way, shape or form. This bill is completely pointless.
This Bill greatly increases transparency and enables companies to imbue a greater sense of confidence in amongst their customers.

This applies supplementary to GDPR which already brings into force greater security requirements for data access; this Bill does not contradict these requirements, which still stand.

In respect to this Bill being pointless, that is your subjective opinion.

Aph
#6, 1 year ago
(Original post by ns_2)
This Bill greatly increases transparency and enables companies to imbue a greater sense of confidence in amongst their customers.

This applies supplementary to GDPR which already brings into force greater security requirements for data access; this Bill does not contradict these requirements, which still stand.

In respect to this Bill being pointless, that is your subjective opinion.
"enables companies to imbue a greater sense of confidence amongst their customers" as you yourself have pointed out, this is something that Facebook is already doing and is already legal. Clearly if the customer demand was there companies would already be doing this.

I know, but you are acting as if this bill makes data more secure somehow. Ultimately this might make a few hundred curious people who can't be bothered to email find out what companies have on them but will make no difference to people's lives so is pointless.

Jammy Duel (Political Ambassador)
#7, 1 year ago
*read full title* Since the author is trying to look smart by using fancy words I think we all know who wrote it, that and it being unnecessarily broken into parts each one section long

Jammy Duel (Political Ambassador)
#8, 1 year ago
2(2) is redundant due to the definition of "significant proportion" which already excludes government departments, which I think is wrong in the first place; while there are some circumstances where this is appropriate, it should be exceptions for those cases, not all government functions

ns_2 (Political Ambassador)
#9, 1 year ago
(Original post by Jammy Duel)
2(2) is redundant due to the definition of "significant proportion" which already excludes government departments, which I think is wrong in the first place; while there are some circumstances where this is appropriate, it should be exceptions for those cases, not all government functions
2(2) is included as some may argue that government departments could qualify as 'influential entities'.

In respect to all government departments, it is obvious that some, due to sensitive information, ought not to qualify e.g. Health, DWP and maybe HMRC.

However, assessing other departments and the nature of their data is difficult, as it is not readily published.

Saunders16 (Political Ambassador)
#10, 1 year ago
I am not sure what this really achieves so I will pass judgement until I know more about it. With large bills like this, I prefer more detailed notes that make the bills clear as it is somewhat hard to dissect.

Why should people vote for this and what significant changes does it make to the status quo?

Jammy Duel (Political Ambassador)
#11, 1 year ago
(Original post by ns_2)
2(2) is included as some may argue that government departments could qualify as 'influential entities'.

In respect to all government departments, it is obvious that some, due to sensitive information, ought not to qualify e.g. Health, DWP and maybe HMRC.

However, assessing other departments and the nature of their data is difficult, as it is not readily published.
The thing is the "Health, DWP, HMRC" (definitely HMRC because they have data allowing identity theft) can be covered based on the definitions, the automated access requires verification of identity and this is already a thing (I need to ring HMRC anyway so I'll check if there is further verification after the "my voice is my password" thing tomorrow)

ns_2 (Political Ambassador)
#12, 1 year ago
(Original post by Jammy Duel)
The thing is the "Health, DWP, HMRC" (definitely HMRC because they have data allowing identity theft) can be covered based on the definitions, the automated access requires verification of identity and this is already a thing (I need to ring HMRC anyway so I'll check if there is further verification after the "my voice is my password" thing tomorrow)
HMRC, to the best of my knowledge using their online systems, use a central 'GOV.UK Verify' verification system.

I, nonetheless, agree to an extent. The information HMRC holds on most people can be devastating if released to the wrong person.

Hence, I propose that the following (restricted governmental entities) are exempt from the clauses of this Bill (all mainly due to the highly sensitive nature of the data they hold):
  • HM Land Registry,
  • Companies House,
  • Insolvency Service,
  • Intellectual Property Office,
  • Competition and Markets Authority,
  • Crown Prosecution Service,
  • Serious Fraud Office,
  • Teaching Regulation Agency,
  • Driver and Vehicle Licensing Agency,
  • Driver and Vehicle Standards Agency,
  • Civil Aviation Authority,
  • the Department for Work and Pensions (and all its non-department public bodies),
  • the Department for Health and Social Care (and all its non-department public bodies),
  • NS&I,
  • Disclosure and Barring Service,
  • National Counter Terrorism Security Office,
  • the Home Office,
  • the Ministry of Defence (and all its non-department public bodies),
  • the Ministry of Justice (and all its non-department public bodies), and
  • HM Revenue and Customs.

All other departments and entities will be subject to the terms of this Bill.

I welcome your comments on the list of 'restricted governmental entities'.

Rakas21
#13, 1 year ago
Aye.

CatusStarbright
#14, 1 year ago
I'm finding this a little tricky to chew through and find out what exactly each provision of this bill does. I'm also not sure how this bill fortifies the right to access your personal information, having just read a law firm's policy on the processing of personal data and how they handle requests from people to see what the company has on them. The policy is very clear as to what must happen (which is to give them the data, subject to some narrow exceptions).

What I have picked out is: "providing goods or services to 200,000 people" - how can you measure this?

Jammy Duel (Political Ambassador)
#15, 1 year ago
(Original post by ns_2)
HMRC, to the best of my knowledge using their online systems, use a central 'GOV.UK Verify' verification system.

I, nonetheless, agree to an extent. The information HMRC holds on most people can be devastating if released to the wrong person.

Hence, I propose that the following (restricted governmental entities) are exempt from the clauses of this Bill (all mainly due to the highly sensitive nature of the data they hold):
  • HM Land Registry,
  • Companies House,
  • Insolvency Service,
  • Intellectual Property Office,
  • Competition and Markets Authority,
  • Crown Prosecution Service,
  • Serious Fraud Office,
  • Teaching Regulation Agency,
  • Driver and Vehicle Licensing Agency,
  • Driver and Vehicle Standards Agency,
  • Civil Aviation Authority,
  • the Department for Work and Pensions (and all its non-department public bodies),
  • the Department for Health and Social Care (and all its non-department public bodies),
  • NS&I,
  • Disclosure and Barring Service,
  • National Counter Terrorism Security Office,
  • the Home Office,
  • the Ministry of Defence (and all its non-department public bodies),
  • the Ministry of Justice (and all its non-department public bodies), and
  • HM Revenue and Customs.


All other departments and entities will be subject to the terms of this Bill.

I welcome your comments on the list of 'restricted governmental entities'.
If the access to information is so insecure why is it that so much is available to you online with the appropriate verification of identity?

04MR17
#16, 1 year ago
Loving the use of white text

2.1 What automatic provisions?
2.2 Disagree. Only some should be exempt (security). Something like Work and Pensions should not, for instance.

Don't see too many problems and could support.

Saracen's Fez
#17, thread starter, 1 year ago
This bill is in cessation.

Saracen's Fez
#18, thread starter, 1 year ago
This bill has gone to a second reading.