Last month we reported on the EU's General Data Protection Regulation ("GDPR"). The government has now released the draft Data Protection Bill ("Bill") which is our first glimpse of what will eventually evolve into the Data Protection Act 2018. The Bill had its first reading in the House of Lords on 13 September 2017 and will come into force in the UK at the same time as the GDPR, on 25 May 2018.
The Bill does not contain major surprises from an employer's perspective but, consistent with the themes from the GDPR, there is increasing emphasis on the importance of policy documents and record-keeping. The Bill retains the eye-watering maximum fines for non-compliance of up to EUR 20 million or 4% of annual worldwide turnover.
We summarise below the highlights of the Bill for employers.
Purposes and structure of the Bill
The GDPR left room for member states to introduce their own laws in certain areas (known as "derogations") including, notably, in relation to employment law. The Bill fills in these gaps. Crucially, the Bill also confirms that the provisions of the GDPR will remain in force once the UK has left the EU, as the GDPR will no longer be directly applicable at that point. This will ensure that, post-Brexit, the UK and EU approaches to data protection are broadly aligned.
The Bill does not make for easy reading, not least because it only gives a partial picture of the new data protection regime. To fully understand the new laws, it is necessary to read the Bill alongside a copy of the GDPR - including the GDPR's lengthy recitals and the Bill's explanatory notes!
The Bill has 7 parts and 18 schedules. However, the vast majority of the Bill is not relevant to the day-to-day processing of employee personal data. Part 1 (Overview and Definitions), Part 2 (General Processing) and Schedules 1 to 4 (Derogations from the GDPR) have most relevance to employers.
Processing special categories of data (currently known as sensitive personal data)
The Bill introduces a number of gateways for processing special categories of personal data. These include fulfilling employment law obligations and equal opportunities monitoring, which reflects the current law in the Data Protection Act 1998 ("DPA 1998").
However, there is a novel requirement for the processing of these categories of data to be accompanied by an "appropriate policy document". This document needs to explain how the controller complies with the fair processing principles, their retention and erasure procedures and how long the data is likely to be retained. For the duration of the processing and an additional six months, the policy document must be retained, kept up-to-date and made available to the ICO on request. In practice, an employer who introduces and maintains GDPR-compliant data privacy notices is likely to be able to satisfy these requirements.
Processing criminal history data
In a change from the current law, the GDPR confirmed that criminal history data will not be a special category of personal data. This led to a concern that it will not be possible for employers to process this data as part of their routine employment background checks unless specifically mandated by law (for example, for regulated roles in financial services or certain roles in the health industry).
The Bill extends the GDPR to provide for circumstances in which data relating to criminal convictions can be processed, and achieves the same end result as the current law. However, again, the processing must be accompanied by an "appropriate policy document" as explained above.
Data subject rights
As covered in our previous alert, data subject rights are considerably expanding under the GDPR.
The Bill does not take us much further on the scope of the new rights, for example in respect of the exception for "manifestly unfounded and excessive" requests. This exception is important because, if it applies, the data controller can charge a fee to the data subject for complying with the request or even refuse to respond altogether. The explanatory notes to the Bill give an unhelpful example: a manifestly unfounded and excessive request is one that repeats the substance of previous requests. The Bill also confirms that the Secretary of State has the power to specify limits on the fees a controller can charge in these circumstances; we will have to wait and see if this power is exercised.
There is currently no express right to delay compliance where a controller reasonably requires further information to locate the information the data subject is seeking as part of a subject access request (this is currently provided for in section 7(3) DPA 1998). While we expect this to continue to be the accepted practice, legislative provision would be welcome.
The Bill introduces exemptions disapplying data subject rights in certain circumstances. These are largely familiar from the DPA 1998. Exemptions include information covered by legal professional privilege, information used for management planning, information about the employer's intentions during negotiations with the employee and confidential references given by the employer.
The Bill creates a number of new offences, including an offence of altering, destroying or concealing information to be provided to an individual through a subject access request. There is a defence available if the person charged can prove they acted in the reasonable belief that the individual making the request was not entitled to receive the information which was withheld.
We will keep you updated as the Bill moves closer to the statute books.