Update on GDPR: the Data Protection Bill
On 13 September the Government published the Data Protection Bill, announced in the Queen's Speech earlier this year, which will repeal the existing Data Protection Act 1998 (DPA).
The Bill is necessary because the current DPA will be rendered redundant by the General Data Protection Regulation (GDPR) which takes effect from 25 May 2018, and the Bill also seeks to maintain where possible the exemptions and derogations (permitted under the GDPR) that the Government believes work well under the existing regime in the DPA in order to support UK businesses and organisations. The derogations set out in the Bill reflect existing derogations in the DPA but also address concerns raised by various industry sectors where the GDPR on its own would effectively prevent them from carrying out normal day to day activities. For further information on how the GDPR affects employers, please see our previous article on this topic.
The Bill itself clarifies additional information for general data processing under the GDPR and adds in provisions regarding law enforcement processing, national security processing and the powers of the Information Commissioner (ICO) in relation to regulation and enforcement. (It also implements a broadly equivalent regime to the GDPR for areas of processing that do not currently fall under the ambit of the GDPR because such processing lies outside of the areas of competence of the EU.)
The Bill requires data controllers who, in an employment context or on grounds of public interest, process "special categories" of data, or information about criminal convictions, the commission/alleged commission of criminal offences, or criminal proceedings (what we know as "sensitive personal data" under the DPA) to produce and implement an "appropriate policy document". This is in addition to the existing requirements for employers under the GDPR.
All employers will be involved in the processing of special categories of data, and potentially information about criminal matters, and therefore will need to have a policy document of this kind. Under the Bill, the policy will need to:
- Explain the employer's procedures for complying with the data protection principles under the GDPR. This includes being able to demonstrate the lawfulness of processing the data, being transparent with individuals, keeping data which is relevant and limited to what is necessary, ensuring accuracy and keeping data up to date, implementing appropriate retention periods and explaining what security measures are in place to prevent unlawful processing and accidental loss of the data;
- Explain the employer's policies on how long they are likely to retain special categories of data;
- Be updated and reviewed regularly;
- Be made available to the ICO if so requested without charge.
Employers will also have to record, for special categories of data:
- That they are relying on this specific condition in the Data Protection Bill which relates to the field of employment law;
- How the processing satisfies one of the lawful grounds for processing data under the GDPR; and
- Explain any reasons for not following the retention periods and erasure procedures specified in their "appropriate policy document".
This document will need to be in addition to privacy notices given to job applicants, staff and leavers and the other business-wide documentation required to demonstrate compliance with the GDPR.
The Bill also:
- Introduces additional protections where a decision is required or authorised by law and is made by automated means, so that individuals will have 21 days to request reconsideration of it or a fresh decision to be made with some non-automated input;
- Specifies that "public authorities" and "public bodies" are those bodies that are defined as public authorities under the Freedom of Information Act 2000 or the Freedom of Information (Scotland) Act 2002, unless the Government produces regulations which take particular bodies outside the scope of that. This is relevant because public authorities are subject to particular restrictions in the GDPR e.g. they have to appoint a Data Protection Officer and they may be unable to rely on the "legitimate interests" ground for processing data. This could be of concern to certain sectors such as universities or academy trusts which operate in a grey public / private sector capacity.
- Introduces how the ICO will be funded. Although there will no longer be a requirement to register with the ICO, the ICO will continue to be part-funded by requiring data controllers to pay fees. How much those fees will be remains unclear for the time being.
- Gives the ICO powers to charge a reasonable fee to a data subject or data protection officer in dealing with a request from them where the request is manifestly unfounded or excessive. This may reduce the likelihood of data subjects using referrals to the ICO as leverage in disputes with employers.
For further information about how the GDPR relates to Pensions Trustees and employers' pension schemes please see our recent article by the Pensions law team.
Blake Morgan's employment GDPR specialists can help you with:
- Drafting/amending privacy notices for job applicants, employees and leavers.
- Discussing and making changes to your contracts of employment and other documentation.
- Drafting a bespoke "appropriate policy document" for special categories of data
- Advising on the impact of the GDPR in relation to day-to-day HR issues including recruitment, monitoring and social media.
- Training HR teams and staff on the changes.
In addition, in tandem with our data protection specialists across the firm, we can help your organisation-wide compliance by:
- Outlining and discussing the key requirements.
- Carrying out a data protection audit.
- Drawing up plans for your GDPR compliance.
- Drafting, reviewing and amending your existing contracts and privacy notices. with customers, suppliers and those who process data on your organisation's behalf.
- Drafting data protection policies and procedures.
- Training those affected at all levels of your organisation.
To download our free GDPR guide click here.