Government response to data protection consultation

On Friday, the government published a response to the data protection consultation, Data: a new direction – government response to consultation – GOV.UK ( , ahead of the release of the Data Reform Bill. This week they also released a Parliamentary Statement on planned data reforms (20 June).

This consultation was conducted late last year and primarily focussed on whether changes should be made to data protection legislation to make research easier and to reduce unnecessary burdens on businesses. The main themes of the Londonwide LMCs response submitted in November 2021 were that existing safeguards should remain in place, so patients can have confidence in the confidentiality of information provided in GP consultations, and that GPs as data controllers should not be burdened with additional bureaucracy in order to facilitate research.

The Government response includes a number of references to the majority of respondents disagreeing with specific proposals. However in each instance the document indicates that the Government decision is to press ahead with the proposals.


Highlights from the Government’s response include:

  • No more mandatory Data Protection Officers (DPOs). Most of the tasks of a DPO will become the responsibility of a designated senior individual but without the statutory protection to act in an independent manner. We believe that this could increase practice workload as there would still need to be a designated senior individual within the practice responsible for privacy management.
  • No more mandatory Data Protection Impact Assessments, replaced with risk assessment tools across the organisation
  • No more requirement for a record of processing activities (ROPA), instead organisations will need to have personal data inventories.
  • A new privacy management programme where organisations will still be required to identify and manage risks, but with greater flexibility as to how they meet these requirements.
  • Changes to when the balancing test will be required when processing is under the lawful basis of legitimate interests.
  • No changes to breach reporting requirements.
  • No significant changes to Subject Access Requests (SARs) and fees won’t be re-introduced.
  • Refinements to research purposes but adopting Recital 159 as a definition of scientific research rather than creating a new definition.
  • The Government intends to clarify in legislation when a living individual is identifiable and the test should be a relative one to determine when data would be anonymous and therefore out of scope of data protection legislation. Likely to use the amended wording from the Council of Europe’s Convention 108.
  • Changes to cookies, the Government intends to remove the need for websites to display barriers to UK residents, although it is unclear whose responsibility it is to ensure that site visitor is from the UK.
  • Extension of the soft opt in for marketing to be extended to non-commercial organisations.
  • There will be reforms to the ICO but it will retain more independence than was originally proposed. The ICO response to the Government’s comments is largely supportive.


The measures are expected to be formalised through the Data Reform Bill yet, which is expected be published in draft shortly. A Draft Bill is published to enable consultation and pre-legislative scrutiny. Further information will be published here when available.