What is the Data Protection Act 2018?
Hot on the heels of the General Data Protection Regulation 2016 ("GDPR") coming into effect on 25 May 2018, the UK passed the Data Protection Act 2018 ("DPA") on 23 May 2018. The GDPR is directly effective, so needs no further UK legislation, so why has the government passed more legislation?
- Brexit preparations. The DPA states that GDPR will apply in the UK. So, post Brexit, this will allow for continued application of GDPR standards in the UK's domestic law and there will be no question about any divergence in rules over processing personal data.
- Derogations. The GDPR allows Member States to derogate from the GDPR in two areas. Firstly in areas where the European Commission does not typically look to assert its authority such as national security, healthcare, balancing the right to privacy with freedom of speech. Secondly to create exemptions from some of the data subject rights (e.g. exemptions to disclosing information under subject access requests which are the same as in the now repealed Data Protection Act 1998) or to create additional grounds for processing of special categories of data or profiling.
- Law enforcement. Most of the DPA relates to the processing of personal data by law enforcement agencies or national intelligence agencies. Parts 3 and 4 of the DPA transpose the EU Data Protection Directive 2016/680 (known as the Law Enforcement Directive) into domestic law.
Do I need to change my contracts?
Most contracts include a definition relating to data protection laws in the UK. This will need to include the Data Protection Act 2018 as well as the GDPR given the important derogations and additional offences in the DPA.
Otherwise, the new law does not affect the mandatory clauses that Article 28 of the GDPR requires that contracts must contain.
The DPA also does not amend the GDPR in any way but it does contain exemptions and derogation as permitted by the GDPR.
What are the key derogations and other new detail in the DPA?
- Children's consent in relation to information society services (i.e. online services)
- Article 8 GDPR states that in the absence of national derogation, the default position is 16 years old.
- Section 9 DPA confirms that a child may give a valid consent to legitimise the processing of personal data if aged 13.
- Processing of criminal conviction and offence data
- Article 10 GDPR prohibits the processing of criminal offence data other than as permitted by national laws.
- Schedule 1 of the DPA sets out narrow instances in which criminal offence data may be processed and requires controllers to have an 'appropriate policy document' to explain the controller's procedures to ensure compliance with Article 5 GDPR (Principles relating to processing personal data).
- Processing of special categories of personal data
- Article 9(2) sets out grounds for processing special categories of personal data which contain phrases such as "social security", "substantial public interest" and "public health".
- Sections 10 and11 and Parts 1 and 2 of Schedule 1 clarify and define these terms. Specific examples include processing for occupational medicine, provision/management of health care, equal opportunities, preventing or detecting unlawful acts and preventing fraud. However, note that additional detailed criteria apply to many of these grounds so controllers must review the legislation carefully to ensure that processing falls within it.
- Data Subject Rights
- GDPR does not contain any exemptions permitting controllers to withhold personal data requested under a subject access request.
- Schedule 2 contains these exemptions which are largely the same as used to be contained in the Data Protection Act 1998.
- Data Protection Fee
- The "notification" regime and the register of controllers under Data Protection Act 1998 have been removed.
- Instead, the DPA introduces an annual data protection fee. This fee is between £40 and £2,900, depending on the size of the organisation. Failure to pay, or paying the incorrect fee, can result in a fine of up to £4,350.
- New offences
- Section 171 DPA - knowing or recklessly re-identifying information that was previously de-identified.
- Section 173 DPA - deliberately altering or concealing information which should be provided in response to a data subject access request.