As set out in Section II, one of the biggest changes in 2018 was the implementation of the GDPR and DPA 2018.
Data protection law applies whenever a data controller processes personal data. A data controller is the person who determines the purposes for which, and the manner in which, any personal data is, or is likely to be, processed. The term 'processing' has a very broad meaning under the GDPR. It is intended to cover any conceivable operation on data, ranging from the collecting, recording and holding of data, and the carrying out of any operation on that data, through to the data's subsequent disclosure and eventual destruction.
i Personal data
Personal data is that which relates to a living individual who can be identified from the data; or from the data and other information that is in the possession of, or is likely to come into the possession of, the data controller.
ii Restrictions on processing and use
The processing of personal data must comply with seven key data protection principles as contained in the GDPR. These can be summarised as follows:
- personal data must be processed fairly and lawfully, and transparently;
- personal data must be collected only for specific, explicit and legitimate purposes;
- personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
- personal data must be accurate, and where necessary, kept up to date;
- personal data shall not be kept for longer than is necessary for those purposes;
- appropriate technical and organisational measures must be in place to protect against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data; and
- organisations must take responsibility for complying with the data protection principles, and must have appropriate processes and records in place to demonstrate compliance.
The GDPR and DPA 2018 contain a number of exemptions from some or all of the data protection principles and other provisions, such as for processing concerning the detection of a crime or the assessment of taxation, or where information must be made public by law.
iii Registration
Data controllers must generally notify the UK Information Commissioner's Office (ICO) by registering with it. The ICO then publishes the controller's details in the register of data controllers, which is available online for inspection by the public. There are limited exceptions to the need to register, including when the personal data is held for payroll purposes, for tax collection or for salary surveys. There is a fee involved with this registration of between £40 and £2,900, depending on the size of the business in terms of employee numbers and turnover.
iv Cross-border data transfers
If personal data is transferred outside the UK, there are restrictions. Transfers may be made to any country or territory:
- in respect of which the EU Commission has made a positive finding of adequacy;
- if adequate safeguards are put in place in the form of model contractual clauses as approved by the EU Commission, binding corporate rules or other contractual arrangements; or
- if the transfer is covered by the EU–US Privacy Shield.
Until October 2015, another option was for the US recipient of the data to sign up to the US Department of Commerce Safe Harbour scheme. However, in the decision of the European Court of Justice (ECJ) in Maximillian Schrems v. Data Protection Commissioner, the EU–US Safe Harbour framework was found to be invalid. The replacement for Safe Harbour, the EU–US Privacy Shield, came into force on 1 August 2016. The EU Commission has stated that the 'new arrangement lives up to the requirements of [the ECJ in Schrems]'. It includes obligations on companies handling data, safeguards and transparency obligations on US government access, and protection of individual rights. However, it does not address all of the concerns raised by other notable interested parties, including the Article 29 Working Party (a group that contains representatives from each of the EU Member States' data protection authorities). Indeed, an Irish privacy advocacy group, Digital Rights Ireland, has already filed a legal challenge against the Privacy Shield, asserting that it provides inadequate protections.
In addition, in relation to the standard contractual clauses and binding corporate rules, there are pending ECJ decisions that may impact the validity of these methods of transfer. With regard to the standard contractual clauses, Max Schrems, who brought the case that ultimately brought down Safe Harbour, is now challenging the standard contractual clauses on a similar basis. There has been a reference made on this from the Irish Data Protection Commissioner to the ECJ.
While this uncertainty remains, there is still no risk-free method for data transfers to the United States. In addition, depending on the type of Brexit deal, there may be additional steps required to transfer data to EU countries from the UK, and from the UK to other third countries.
v Special category personal data
Special category personal data (referred to under the prior legislation as sensitive personal data) is defined in the DPA 2018 as personal data consisting of information as to:
- racial or ethnic origin;
- political opinions;
- religious beliefs or beliefs of a similar nature;
- membership of a trade union;
- physical or mental health or condition;
- sexual life;
- the commission or alleged commission of any offence; or
- genetic and biometric data.
There are also additional protections for criminal offence data.
Special category personal data can only be processed (fairly and lawfully) if at least one of a number of additional conditions is satisfied, which include the following:
- the individual has given his or her explicit consent to the processing;
- the processing is necessary for the performance of the data controller's obligations under employment or social security law;
- the processing is necessary to protect the vital interests of the data subject (where consent cannot be given by the data subject or cannot reasonably be obtained by the data controller) or of another person (where consent by the data subject has been unreasonably withheld). This is interpreted as a life-or-death circumstance;
- the processing is necessary for the purpose of legal proceedings, obtaining legal advice, establishing or defending legal rights, or for the administration of justice or the exercise of functions of a public nature; and
- the processing is carried out by a health professional and is necessary for medical purposes.
Background checks and credit checks are permitted in the UK provided that the employer complies with the DPA 2018. An employer may ask a successful candidate for details of their criminal record, but the candidate will only be required to provide the information in two scenarios, namely, if the conviction is unspent (i.e., if the statutory period since the conviction has not yet expired) or if the job falls within the Disclosure and Barring Service's list of regulated professions. This list includes: medics, lawyers, accountants, vets, chemists and opticians; those employed to uphold the law (such as judges and officers of the court, the police, prison officers and traffic wardens); certain regulated occupations (in particular, financial services); those who work with children, provide care services to vulnerable adults or who provide health services; and those whose work means they could pose a risk to national security.