The government is set to hand itself new powers to regularly check the bank accounts of benefit claimants under proposed changes to the data protection and digital information bill, the UK’s post-Brexit GDPR replacement.
An amended version of the bill will return to parliament next week. The government claims it will “allow the country to realise new post-Brexit freedoms while delivering new economic opportunities to the tune of £5.9 billion.” But privacy campaigners – and some MPs – have raised concerns that the measures water down those protections currently afforded to UK citizens and businesses under GDPR.
Changes to the data protection bill incoming
Under the amendments, government agencies will be able to request data from businesses, particularly those in the financial sector, to help reduce benefit fraud.
Currently, the Department for Work and Pensions (DWP) can only undertake fraud checks on a claimant on an individual basis, where there is already a suspicion of fraud, but the new proposals would “allow regular checks to be carried out on the bank accounts held by benefit claimants to spot increases in their savings which push them over the benefit eligibility threshold, or when people send more time overseas than the benefit rules allow for.”
A government statement said this “will help identify fraud take action more quickly”, adding: “To make sure that privacy concerns are at the heart of these new measures, only a minimum amount of data will be accessed and only in instances which show a potential risk of fraud and error.”
The use of biometric data, such as fingerprints, to strengthen national security is also covered by the amendments, handing counter-terrorism police the ability to hold onto the biometrics of individuals who pose a potential threat, and which are supplied by organisations such as Interpol, being bolstered.
Officers would be able to retain biometric data for as long as an Interpol notice is in force. The amendments will also ensure that where an individual has a foreign conviction, their biometrics will be able to be retained indefinitely in the same way as is already possible for individuals with UK convictions. The government says this is particularly important where foreign nationals may have existing convictions for serious offences, including terrorist offences.
Technology secretary Michelle Donelan said the bill is indicative of the fact that Britain “has seized a key Brexit opportunity – boosting small businesses, protecting consumers and cracking down on criminal enterprises like nuisance calling and benefit fraud.”
Donelan added: “These changes protect our privacy and data while also injecting common sense into the system – whether it is cracking down on cookies, scrapping pointless paperwork which stifles productivity, tackling benefit fraud or making it easier to protect our citizens from criminals.
“These changes help to establish the UK as a world-leading data economy; one that puts consumers and businesses at the centre and removes the ‘one-size-fits-all’ barriers that have held many British businesses back.”
Does the data protection bill maintain privacy standards?
The legislation has a chequered history, having first been introduced into parliament in September 2022. But its progress through the House of Commons was almost immediately paused to allow for further consultation with industry, and a revised version was presented earlier this year. The bill was included in the King’s Speech, which sets out the government’s legislative programme for the year, indicating that Downing Street thinks it will be able to put the proposals into law in the next 12 months.
For some small businesses, the legislation removes the need for a data protection officer, something which is mandatory under GDPR. Consent rules around personal data use are also being changed to allow wider use of information in scientific research. The bill also removes a mandatory GDPR requirement for data protection impact assessment, replacing it with a less detailed assessment of high-risk processing.
The government hopes these measures will make life easier for businesses, but some fear this will come at the expense of citizens’ privacy. Speaking in the House of Commons earlier this year during a debate on the bill, Labour’s Lucy Powell said: “They are tilting the rules in favour of the companies that are processing our data.”
“Data protection impact assessments will no longer be needed, and protections against automated decision-making are being weakened.”
Giving police more power to hold biometric data may also raise concerns given that the government has abolished the post of Biometrics and Surveillance Camera Commissioner (BSCC), the independent watchdog which oversaw how this information is used in law enforcement.
A government-backed report published last month warned that not adequately replacing the role of the BSCC will leave the UK without proper oversight of the technologies.
Outgoing BSCC Fraser Sampson told Tech Monitor at the time that the the government risked “creating a worrying vacuum” around safeguarding the public from the potentially harmful effects of biometric technology and surveillance cameras, and that its lack of planning for the future is “tantamount to vandalism”.
Under the new data laws, the responsibilities currently held by the BSCC will be transferred to other watchdogs including the Information Commissioner’s Office and the Investigatory Powers Commissioner’s Office.