The UK's new Data Protection Act 2018 (DPA) came into force on schedule on 25 May 2018, alongside the GDPR.
What's the issue?
The GDPR came into effect on 25 May 2018. It was initially intended to be the last word in EU data protection law, but agreement could not be reached on every provision, and it was eventually accepted that Member States would have scope to depart from the GDPR and introduce their own provisions in some areas.
Member States were also required to produce implementing legislation for the Law Enforcement Directive (which deals with the use of personal data by law enforcement agencies).
What's the development?
The UK has passed the Data Protection Act 2018.
The majority of its provisions were brought into force under commencement regulations, with other sections (including the requirements for the ICO to publish codes of practice) following on 23 July 2018. There has also been a knock-on effect on the Digital Economy Act regarding notification requirements on data controllers.
DCMS has published guidance on the ICO's role and enforcement, on intelligence services processing and on law enforcement processing, together with an overview of the DPA and general guidance on processing.
The DPA covers the use of personal data within the scope of the GDPR and beyond it, as well as for law enforcement and the intelligence services. It:
- Repeals and replaces the Data Protection Act 1998.
- Incorporates the GDPR into UK law and applies GDPR standards to areas not covered by EU data protection law.
- Lays the ground for the free flow of data between the UK and the EU after Brexit.
- Sets out permitted derogations under the GDPR.
- Implements the Law Enforcement Directive.
- Provides a framework for data protection for the Intelligence Services.
- Sets out the duties and powers of the UK's ICO.
- Sets out enforcement provisions.
What does this mean for you?
While the GDPR harmonises the majority of data protection law in the EU, organisations need to be aware that laws will vary in certain areas between Member States. For example, the age of digital consent for children can vary from 13 to 16, and there are exemptions around employment and journalism which may be relevant.
The DPA is not an approachable piece of legislation, but only limited parts of it are likely to be relevant for most organisations, and we expect updated guidance from the ICO shortly.
Those operating in the UK need to familiarise themselves with the relevant GDPR derogations and those operating across EU borders may also need to look at local legislation.
We highlight some of the more widely applicable commercial aspects of the DPA, including derogations from the GDPR.
While definitions are those used by the GDPR where the GDPR applies, some modifications have been made to DPA definitions where the GDPR is not applicable.
Part 2 (Chapter 2) sets out the derogations from, and exceptions to, the GDPR.
Age of digital consent
Set at 13.
Meaning of "public interest"
For the purposes of the public task lawful basis in Article 6(1)(e) GDPR, section 8 gives a non-exhaustive list that includes processing necessary for:
- the administration of justice
- the exercise of a function of either House of Parliament
- the exercise of a function conferred on a person by an enactment or rule of law
- the exercise of a function of the Crown, a Minister of the Crown or a government department
- an activity that supports or promotes democratic engagement.
Special categories of data and criminal convictions data
Derogations allow such processing where there is a justification, for example, to allow:
- employers to fulfil employment law obligations
- journalists to expose wrongdoing
- prevention and detection of unlawful acts and protecting the public from dishonesty and fraud
- financial services firms to act on suspicion of money laundering or terrorist financing
- identification or elimination of doping in professional sports.
Special categories of data may also be processed for the following purposes:
- employment, social security and social protection
- substantial public interest (must meet one of the conditions set out in Part 2 of Schedule 1 DPA)
- health and social care
- public health
- archiving, research and statistics
Processing of criminal convictions data not carried out by an official authority must meet one of the conditions in Parts 1, 2 or 3 of Schedule 1.
Where the Schedule 1 condition relied on requires it, a controller processing special category or criminal convictions data must establish and maintain an "appropriate policy document". This is in addition to maintaining a record of processing under Article 30 GDPR. The appropriate policy document must:
- set out the procedures for securing compliance with the six principles of Article 5 GDPR
- set out the retention and erasure procedures for the data
- be maintained and regularly updated from the time processing begins until six months after it ends.
Credit reference agencies
Similar to the DPA98 provisions, section 13 contains provisions regulating access to personal data held by credit reference agencies.
Automated decision making authorised by law – additional safeguards
Where a significant decision is based solely on automated processing which is required or authorised by UK law, the following minimum additional safeguards must be put in place (the Secretary of State has power to add further safeguards by regulations):
- data controllers must inform data subjects in writing of any decision made as soon as reasonably practicable
- the data subject may ask for the decision to be reconsidered or reached without using automated processing within one month of notification
- the controller must consider and act on the request and notify the data subject of the outcome within one month from receipt of the data subject's request.
Data subject rights exemptions
Schedules 2, 3 and 4 contain permitted exemptions from some GDPR provisions for specified public interest reasons. The most relevant to businesses are contained in Schedule 2. The immigration exemption is controversial: under it, the listed data subject rights (including the right of access) do not apply to the extent that exercising them would prejudice the maintenance of effective immigration control, so a controller processing data for that purpose may decline to respond to a Subject Access Request. There are concerns that this may lead the EU to withhold an adequacy decision from the UK. Similarly, the DPA does not include all the information required by Article 23(2) GDPR in relation to the exemptions. Broadly, there are exemptions for:
- crime prevention and taxation purposes
- effective immigration control
- disclosures required by law or made in connection with legal proceedings
- regulators where the exercise of the rights would prejudice their activities
- journalistic, academic, artistic and literary purposes (the "special purposes") where publication is believed by the data controller to be in the public interest
- research organisations and archiving services if their activities would be impaired or they would be prevented from achieving their core purpose.
The Secretary of State has the power to make further exemptions under certain conditions.
Proposed arrangements for accrediting certification bodies are outlined in section 17.
Data transfers to third countries
Section 18 allows the Secretary of State to stipulate when transfers may be considered to be necessary in the public interest and, conversely, to place limitations on third country transfers in the public interest.
Part 2, Chapter 3
This deals with processing which is outside the scope of the GDPR and other EU law, notably unstructured manual records held by public authorities subject to the Freedom of Information Act (for example, handwritten notes not held in a filing system). The GDPR is applied to such processing with modifications (the "applied GDPR"), and there are specific exemptions relating to this kind of processing.
Part 5 covers the duties and powers of the ICO. The ICO is required to advise Parliament, the government and other institutions, issue opinions, cooperate with international regulators, develop international cooperation mechanisms, and prepare a number of codes of practice, including on data sharing, direct marketing, age-appropriate design, and data protection and journalism.
The Secretary of State is empowered to make regulations requiring notification fees.
Part 6 covers enforcement, including the powers to issue information, assessment and enforcement notices, powers of entry and inspection, the power to impose penalties, procedures around complaints, appeals and remedies, and the introduction of two new criminal offences:
- the knowing or reckless re-identification of de-identified (anonymised) personal data without the consent of the controller responsible for de-identifying it
- the alteration of personal data to prevent disclosure following a subject access request.