The government could soon gain the power to judge the ethical use of data, through the addition of a framework to the Data Protection Bill that makes it exempt from legal oversight for public data processing.
If the current bill is approved by Parliament, it would let the government use citizens' data as it sees fit, privacy campaign group medConfidential told Techworld.
"There are no exclusions on what they can use this for in processing by a unit of government," says medConfidential coordinator Sam Smith.
This "Framework for Data Processing by Government" was added to the new Data Protection Bill through the addition of three new clauses during the Lords Committee stage of its passage through Parliament.
The government's late addition to the draft bill allowed little time for scrutiny. It was promptly passed and sent to the Commons for review on 17 January.
Clause 185 of the draft bill gives the secretary of state the power to prepare and later amend a framework containing guidance on data processing by government departments and other public bodies.
Smith believes the secretary of state it refers to will be that of the Department of Digital, Culture, Media and Sport (DCMS), currently Matt Hancock. If enacted in its current form, it would allow Hancock to decide whether data processing by the government is lawful.
It could cover Universal Credit claims processed by the Department for Work and Pensions (DWP), medical records held by the NHS, immigration applications at the Home Office, and even information used by the private sector.
Many major government projects depend on effective data processing. When it fails, they can end up in debacles such as the delay in benefits payments during Universal Credit or the Home Office mistakenly threatening around 100 EU nationals with deportation.
"These are all data processing problems," says Smith. "This framework says the law doesn't apply to them, the framework applies. And the framework is written by the ministers."
The growing use of algorithms to guide decisions adds to the importance of effective and transparent oversight for data processing by the government.
Information Commissioner Elizabeth Denham raised concerns that the provisions went beyond the government’s stated ambition to clarify the legal basis for it to process personal data.
In a written response to the bill, the Commissioner argued that Clause 175(1)(b) of the document extends the framework to private companies using public data, such as Google DeepMind.
"This wording does not appear constrained to just public bodies who may have concerns about their legal basis, but to others who may be able to act privately but nevertheless undertake some limited functions of a public nature," wrote the Commissioner.
Her organisation may itself lose some of its influence as the framework creates guidance for the government that is separate to the ICO’s codes of practice.
In the report stage of the bill in the Lords on 10 January, Lord Ashton of Hyde, Under Secretary of State for DCMS, admitted the Information Commissioner had reservations over this issue.
"This is one of the few areas in the whole Bill, I think, where we do not have complete agreement with the Information Commissioner," he said. "I think that she is worried about complications regarding independence and the extent of her authority in this."
"Ministers might be happy with it, but ministers come and go," says Smith. "This lets any future government do whatever future ministers want with personal data, and the minister said [in the Lords] the ICO gets to be ignored."