Guidance on the application of Article 36(4) of the General Data Protection Regulation (GDPR)

Updated 29 November 2023

1. Contact details

This document provides formal guidance to Government Departments and relevant public sector bodies who are subject to the requirement under Article 36(4) of the General Data Protection Regulation (GDPR) to consult with the Information Commissioner’s Office (ICO) on policy proposals for legislative or statutory measures relating to the processing of personal data.

Queries about this document can be sent to:

Data Protection Team

Department for Digital, Culture, Media & Sport

4th Floor

100 Parliament Street

London

SW1A 2BQ

Telephone: 020 7211 6000

Email: enquiries@culture.gov.uk

Complaints or comments

If you have any complaints or comments about this guidance you should contact the Data Protection Team at the above address.

2. Background and overview

Introduction

2.1. The General Data Protection Regulation (‘GDPR’) is an EU Regulation designed to protect the information rights of individuals. It applies directly to all Member States within the EU, and is supplemented in UK law by the Data Protection Act 2018 (‘DPA 2018’). GDPR and the DPA 2018 both came into force on 25 May 2018, introducing an updated regulatory framework for data protection in the UK, including a number of new requirements for data controllers.

2.2. This document provides guidance to Government Departments and relevant public sector organisations on their responsibilities under Article 36(4) of the GDPR, and what they need to do to meet the requirements of this Article.

2.3. This guidance is supported by the Article 36(4) Enquiry Form, which should be used to engage with the ICO in the first instance for consultation under Article 36(4).

Overview of Article 36(4)

2.4. Article 36(4) is a provision of GDPR which specifically imposes a requirement on UK Government to consult with the UK’s Data Protection Authority (the ICO) when developing policy proposals relating to the processing of personal data.

2.5. Article 36(4) states that:

“Member States shall consult the supervisory authority during the preparation of a proposal for a legislative measure to be adopted by a national parliament, or of a regulatory measure based on such a legislative measure, which relates to processing.”

2.6. Further information is provided in Recital 96, which states that: “A consultation of the supervisory authority should also take place in the course of the preparation of a legislative or regulatory measure which provides for the processing of personal data, in order to ensure compliance of the intended processing with this Regulation and in particular to mitigate the risk involved for the data subject.”

2.7. This is a legally binding requirement on all public sector organisations with responsibility for legislative or statutory measures, and failure to adequately consult with the ICO would constitute a breach of the GDPR.

Scope and application

2.8. All public sector officials (including those in Government Departments and Arm’s Length Bodies) who are developing proposals for legislation which concerns, requires or provides for data processing are obliged to comply with this provision.

2.9. The requirement to consult with the ICO covers all relevant policy proposals for legislation adopted by a national parliament. This includes:

● primary and secondary legislation

● regulatory measures (such as directions and orders) made under primary or secondary legislation

● statutory codes of practice and

● statutory guidance

2.10. Article 36(4) applies directly to the UK, and therefore the requirements of this provision also apply to legislative and statutory measures adopted by the devolved legislatures.

2.11. Article 36(4), in itself, does not convey a legal requirement on Government and the wider public sector to consult with the ICO on policy proposals relating to personal data that will not have a legislative or statutory output. However, depending on the content of these proposals, it may be advisable for policy leads to consult with the ICO outside of the requirements of Article 36(4).

2.12. Article 36(4) also does not convey a specific requirement for wider public or stakeholder consultation on policy proposals relating to personal data.

2.13. A separate provision under Article 36 (Article 36(1)) requires consultation with the ICO when a data protection impact assessment (DPIA) has indicated that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. This requirement applies regardless of whether the processing activities require new legislation. Guidance on DPIAs and on when consultation with the ICO is required can be found on the ICO website.

Types of processing covered

2.14. Data processing is defined by the GDPR under Article 4(2) as: “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.

2.15. Personal data only includes information relating to a living person who can be identified, or who is identifiable, directly from the information in question, or who can be indirectly identified from that information in combination with other information. For example, this can include: name, bank details, address, salary or photographs of an individual. Additional guidance on the definition of personal data can be found on the ICO website.

2.16. In practice, any proposal resulting in a legislative or statutory measure which directly and explicitly references the processing of personal data will fall within the scope of this provision. Examples include:

● Introducing a new requirement to collect personal data

● Mandating for new or revised sharing of existing data sets

● Additional requirements for the disclosure of personal information

● The creation of a database to store individuals’ names and addresses

2.17. Data processing in this context can be by either automated or non-automated (manual) means (such as a filing system for paper records, as defined under Article 2(1) of the GDPR).

Principles of consultation

2.18. To effectively meet the principles of this requirement, consultation with the ICO should be undertaken during the formative stages of the development of policy proposals, to ensure that there is the opportunity to give due consideration to input from the ICO before proposals are finalised. Where appropriate, consultation should be in accordance with standard Cabinet Office consultation principles. It is important that early engagement is undertaken by policy leads, in conjunction with their organisation’s Data Protection Officer, to meet the spirit of this requirement. The requirement to consult is a continuous one, and policy leads should keep the ICO updated throughout the development of their policy proposals, particularly where there are significant policy changes following the initial consultation. Any response provided by the ICO as a result of consultation under Article 36(4) will be in accordance with their status as an independent regulator.

2.19. Although there is no fixed timeframe in which consultation should take place, it is recommended that policy leads allow a minimum of 12 weeks from initial contact with the ICO to finalisation of their policy proposals. A failure to allow sufficient consultation time could unduly delay timescales for laying legislative measures in Parliament, or for the publication of statutory codes of conduct or guidance, should last-minute revisions be required.

2.20. In accordance with normal consultation principles, the Government is not bound to act on any response the ICO may make to any consultation process, or any advice the ICO may give, but must take the ICO’s views into account.

Data protection policy after Brexit

2.21. From exit day (currently 29 March 2019, unless amended by the Withdrawal Agreement) the GDPR will be retained in UK law under the European Union (Withdrawal) Act 2018. Regulations made under that Act will ‘domesticate’ the GDPR so that it continues to be operable in a UK context, but the fundamental principles, including the requirement of Article 36(4), will remain the same. Therefore Government Departments and relevant public sector bodies will still be required by law to consult, within an appropriate time-frame, with the ICO on legislation and statutory measures relating to data processing.

2.22. Any queries on this matter can be addressed to the DCMS Data Protection Team at the address above.

3. Consultation process

3.1. The Article 36(4) Enquiry Form is designed to capture the initial information the ICO requires to assess whether or not policy proposals require formal consultation under Article 36(4).

3.2. Policy leads should complete the form, in consultation with their organisation’s Data Protection Officer, and send it to the ICO at legcon@ico.org.uk to begin the consultation process.

3.3. An acknowledgement email should be received from the ICO within 48 hours of this form being submitted. Follow-up contact will be made within two weeks to confirm whether the ICO have identified any preliminary issues from the initial information provided, and to confirm whether further consultation is required.