The Personal Data Guardianship Code has been described as inconsistent and muddled.
William Malcolm, a specialist in data protection law at Pinsent Masons, said on Out-Law.com that its high-level guidance on the data life-span, stewardship and accountability ‘is helpful but very much echoes existing guidance from the Information Commissioner's Office and Government’.
Malcolm said: “It's an alternative approach but it's certainly not a new approach. The guidance on consent seems inconsistent and therefore muddled. The initial ‘Principles’ section [of the Code] suggests consent should be obtained where appropriate, which is the correct position. But the other sections seem to suggest that consent should be collected as a matter of course in a variety of situations.”
The ‘Principles’ section states that ‘individuals should be given as much control as is possible over how their personal information is used and disclosed. This means giving them clear information about this when they provide their personal data and seeking their consent where this is appropriate.’
Malcolm said that this is consistent with the Data Protection Act and with existing guidance from the ICO. However, another section, headed ‘Responsibilities of the data handler’, states that ‘data handlers tasked with the collection of personal data should verify that the consent of the data subject has been obtained for the personal data collected.’
Malcolm said that this implies consent is always required when collecting data. He said: “Consent is one ground for processing data, but it is not the only ground. In many cases an organisation only needs to notify individuals that it will be processing their data – it does not need their consent.
“As the ‘Principles’ section of the Code notes, the focus should be on giving clear information about how data will be processed at the point of collection.”
Meanwhile, a new British Standard, BS 10012 (Data protection – Specification for a personal information management system), has been developed to establish best practice and aid compliance with data protection legislation.
Rather than prescribing exactly how operations should be run, BS 10012 provides a framework for the effective management of personal information. It can be used by organisations of any size and sector to create a tailored management system covering areas such as training and awareness, risk assessment, data sharing, retention and disposal of data, and disclosure to third parties.