Local Government Lawyer Insight February 2018 LocalGovernmentLawyer 28 The government has just inserted clauses into the Data Protection (DP) Bill that allows the Secretary of State to issue a “Framework for Data Processing”, initially for each Government Department. This Framework has the status of statutory guidance and “will set out the manner in which government should process (personal) data”. In effect the Framework is like a statutory Code of Practice; its aim is to “improve the transparency and clarity of existing government data processing”. The Framework, according to the official explanation, “does not allow the government to create any new data processing powers” (but it does describe how the law applies). Indeed “the Framework should provide reassurance to data subjects about the approach government takes to processing data and the procedures that it follows when doing so. It will also help further strengthen the government’s compliance with the requirements of the GDPR and contribute to the provision of a clear, precise and foreseeable basis for government’s processing of data”. So apple pie and honey all round? Well I am sure the provisions are well intentioned, but as the proverb goes, “the way to hell is paved with good intentions”. This article seeks to traverse this “pathway to hell”. In summary, the clauses are defective as the content of the Framework is left to the Secretary of State to determine. In addition, the ICO cannot easily challenge the Framework text if there is a dispute as to how it describes how personal data should be processed. Taking the road to nowhere First, the assertion is that the Framework provides improved “transparency and clarity” (i.e. more transparency than the details provided by the “right to be informed” in Article 13 and 14 of the GDPR). Remember the details that have to be issued to each data subject, by each Government controller, in accordance with the ICO’s revamped Privacy Notices code of Practice? They include: details of retention times, recipients, purposes of the processing, legal basis for the processing, use of public sources etc etc? In short, I have difficulty in identifying what is more transparent than that. However, the real problems arise when the Framework contains details of how a government controller processes personal data which runs counter to the Information Commissioner’s view of how the data protection law should work. For instance, if there were to be a disputed view on data protection procedure, it is surprising to discover that the government can ignore the Information Commissioner’s view. This is because clause 175(5) states that before preparing a Framework, the “Secretary of State must consult the (Information) Commissioner” (my emphasis). Note the operative word is “consult” as in “Mrs Thatcher consulted widely about the superb brilliance of the Poll Tax prior to implementation”. In other words, the Secretary of State having consulted the ICO, is free to ignore the ICO’s concerns A Framework to undermine the ICO’s ability to enforce the new Data Protection Bill Chris Pounder asks whether the government’s new Framework for Data Processing could inadvertently impede the regulator’s efforts to enforce the GDPR.