The Data Protection Act 1998 (DPA) applies across the whole of the United Kingdom and is enforced centrally by the Information Commissioner’s Office in Wilmslow (which also has offices in Belfast, Cardiff and Edinburgh). Anyone who has been following Scottish politics recently will be aware that a Commission has been established to make proposals on further devolution to Scotland following the Scottish Independence Referendum in September. It has been suggested by the Law Society of Scotland in their written evidence [pdf] to the Smith Commission that consideration should be given to devolving data protection to Scotland.
This was a proposal that caught my eye when I read the Law Society of Scotland’s evidence, and it is an interesting one. Is there any real reason as to why Data Protection ought not to be devolved?
The Law Society of Scotland narrate within their evidence the confusion that can arise with the Scottish Information Commissioner being approached in respect of enforcement action relating to Data Protection, a function that she does not presently undertake. The Scottish Information Commissioner enforces the Freedom of Information (Scotland) Act 2002, the Environmental Information (Scotland) Regulations 2004 and the INSPIRE (Scotland) Regulations 2009. In their evidence, the Society makes reference to the way in which Freedom of Information (Scotland) Act 2002 and the DPA interact. They rightly point out that the Scottish Information Commissioner is required to make decisions in respect of whether it would breach the DPA to release personal data in response to a FOI request.
The interaction between DPA and FOI is a well known difficulty and there has been litigation surrounding it, such as in South Lanarkshire Council v the Scottish Information Commissioner (on which I have previously written here and here). Understandably it must be difficult for the Scottish Information Commissioner to take decisions on disclosure in respect of personal data when her office is not also responsible for enforcing the DPA – it risks her taking a decision with which the Information Commissioner in Wilmslow might well disagree with (and consequently result in a Scottish public Authority breaching its obligations under the DPA).
The law relating to Data Protection comes from the EU, but that on its own would not prohibit its devolution. The INSPIRE (Scotland) Regulations 2009 and the Environmental Information (Scotland) Regulations 2004 both give effect to EU Directives in Scotland. Ultimately, it is the UK Government that is accountable to the EU for the implementation of EU law within the United Kingdom. That fact though doesn’t appear to have stopped the UK Government from devolving to Scotland the power to implement EU law into Scots law in some areas already.
There is a difference between the DPA and the legislation that the Scottish Information Commissioner currently enforces. The DPA applies to the private sector to the same extent as the public sector. The legislation currently enforced by the Scottish Information Commissioner applies to public sector and bodies falling within certain definitions that provide functions of a public nature only. There is a degree of difference between them; for example, the bodies caught by the Environmental Information (Scotland) Regulations is wider than the bodies caught by the Freedom of Information (Scotland) Act 2002. What has this got to do with devolving Data Protection? It might not be of an immediately obvious nature; however, the bodies covered by the Freedom of Information (Scotland) Act 2002, the Environmental Information (Scotland) Regulations 2004 and the INSPIRE (Scotland) Regulations 2009 are all largely based entirely within Scotland; there are almost no examples of where the Scottish law here applies to bodies carrying out functions elsewhere in the UK. Is this difference (i.e. the cross jurisdictional aspect of Data Protection) a sufficient reason not to devolve Data Protection to Scotland?
In terms of FOI, public bodies which have functions across the whole of the UK, or are part of the UK Central Government, are covered by the UK equivalent and not the Scottish law. Some examples include: the BBC, the British Transport Police, the Scotland Office, the Office of the Advocate General for Scotland, the Home Office, the Department for Work and Pensions and HMRC. In these cases the Freedom of Information Act 2000, the Environmental Information Regulations 2004 and the INSPIRE Regulations 2009 apply and it is the UK Information Commissioner in Wilmslow who enforces their compliance.
In terms of devolution, it is logical why the Freedom of Information Act 2000, the Environmental Information Regulations 2004 and the INSPIRE Regulations 2009 apply to UK wide bodies. It would undoubtedly present difficulties for those organisations if they had to comply with different requirements in different parts of the UK. However, in terms of FOI, some bodies already have that difficulty.
It does not appear to be widely known, but some of the UKs biggest businesses are covered by FOI law to a very limited extent. The likes of Tesco, Sainsbury’s, Asda and Boots are all subject to FOI law in respect of their NHS Pharmaceutical and Optometry services. These are the bodies that have the difficulty of complying with two separate FOI regimes. In respect of their services contracted by the NHS in Scotland it is the Freedom of Information (Scotland) Act 2002 and the Environmental Information (Scotland) Regulations 2004 that apply (and the Scottish Information Commissioner is responsible for enforcement) while in respect of their services contracted by the NHS in England it is the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 that apply (and the UK Information Commissioner is responsible for enforcement). A request to one of those bodies for information on a UK wide scale would require them to deal with the request under two separate access to information schemes (potentially four if the information was environmental in nature). Outside of the world of access to information legislation there is a great deal of differences between the legal frameworks in which UK wide businesses operate across the UK. A contemporary example might be statutory charges for carrier bags. Wales, Northern Ireland and Scotland all have them while England does not. As a consequence businesses operating across the UK have to adopt difference practices on carrier bags to ensure legal compliance in those parts of the UK that do require charges to be made for carrier bags. This is a fairly minor example, but there are some which are much more substantial in nature.
In terms of devolving data protection to Scotland, if it were to be devolved at all, there are two options. The first would be to devolve it only in respect of data controllers domiciled in Scotland. This would mean Scottish domiciled data controllers would have to comply with a Scottish Data Protection Act while data controllers domiciled elsewhere in the UK would have to comply with a UK Data Protection Act. This is probably not a good option from the point of view of Data Subjects; some UK wide companies would be domiciled in Scotland and some would be domiciled elsewhere in the UK. This could cause confusion as to which Information Commissioner they ought to be dealing with in relation to a data protection concern. For example, in that situation customers of RBS might find themselves dealing with the Scottish Commissioner as RBS is a company registered in Scotland. This is the sort of confusion that the Law Society of Scotland mentioned within their response as to why consideration ought to be given to devolving data protection to Scotland. The other option is to simply devolve Data Protection and that would mean any UK-wide organisation operating in Scotland would have to comply with both the UK and the Scottish Data Protection Acts – it would be no different to multi-nationals who have to comply with the different Data Protection regimes across the world or the multitude of other areas where UK-wide businesses already have to comply with different laws north and south of the border.
Devolving Data Protection to Scotland wouldn’t end the UK Information Commissioner’s responsibilities in Scotland. He would still be responsible for dealing with Freedom of Information in respect of the many bodies covered by the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 which operate in Scotland. His office would also still be responsible for enforcing the Privacy and Electronic Communications (EC Directive) Regulations 2003 (which overlap considerably with data protection) unless responsibility for implementing the E-Privacy Directive upon which they are based was similarly devolved to Scotland.
So, should Data Protection be devolved? Well, there is no good reason against it that I can see. There would be a good opportunity for devolution in the form of the Data Protection Regulation currently working its way through the EU legislative process. At that stage Data Protection law in the UK will have to change and if this were to be an area for devolution to Scotland that would seem like a sensible time to do it. However, given the nature of EU Regulations as opposed to EU Directives, the practical effect of devolving Data Protection to the Scottish Parliament would be limited. The question would become “what is the point?”. The arguments in favour of further devolution to Scotland centre around the Scottish Parliament taking decisions on matters for Scotland which do not need to be reserved; however, the practical effect of the new Data Protection Regulation would be that there would be almost no scope for the Scottish Parliament to take decisions on data protection; there would be an EU Regulation which has direct effect in all EU member states, without the need to pass domestic legislation. Any legislation, UK or Scottish, would simply be regurgitating the Regulation alongside some minor consequential and transitional matters.
The Law Society of Scotland argues that the new regulation means that there is less of a need for data protection to be a reserved matter; that would be true because from an EU compliance point of view there would be no risk to the UK Government. They also seem to place a lot of weight on the issue of confusion between the responsibilities of the two information commissioners; however, I’m not sure that would be resolved by devolving data protection – in fact there is real potential for it to be compounded rather than resolved. The only real argument is the one concerning FOI decisions involving third party personal data, but so far that doesn’t appear to have been an issue. Indeed, in the South Lanarkshire Council case mentioned above, the Supreme Court agreed with the approach of the Scottish Information Commissioner; although there is always scope for the Scottish Information Commissioner to get things wrong. That said, the UK Information Commissioner could equally get things wrong and wrongly order the disclosure of personal data under FOI.
Should data protection be devolved? There doesn’t seem to be strong case one way or the other. In the grand scheme of things there are far more important issues in the devolution debate than whether the Scottish Parliament should get power devolved over an issue that won’t actually amount to much power at all.