A Data Protection Bill - Fit For the Digital Age?
The Data Protection Bill (the Bill) was placed before the House of Lords on Wednesday (13th September). A copy of the Bill in its current form was published shortly afterwards and can be found here.
The Bill is intended to replace the Data Protection Act 1998 (DPA) and ensure that our data protection regime is fit for purpose in our ever more digital world, as well as to prepare the UK for life outside the EU. During the period in which the UK remains a member of the EU, the Bill will supplement the EU's General Data Protection Regulation (the GDPR), which will come into force in the UK on 25th May 2018. Upon withdrawal from the EU, the Bill, in conjunction with the "Great Repeal Bill", will replicate the GDPR in UK law in the form in which the GDPR and its accompanying case law stand at the date of withdrawal. This results in the Bill being an unwieldy document to navigate and understand.
A key purpose of the Bill, alongside repealing the DPA (which the GDPR renders redundant), is to maintain, where possible, the exemptions and derogations that the government believes work well under the existing regime, in order to support UK businesses and organisations. The GDPR itself permits such derogations. Those currently set out in the Bill reflect existing derogations in the DPA, but also address concerns raised by various industry sectors, such as the insurance sector, that the restrictions in the GDPR would effectively prevent them from carrying out normal day-to-day activities.
The UK government recognises, nonetheless, that the international nature of data processing requires standards to be consistent at an international level, and the intention is to create a set of laws within the UK that interlock with international data protection arrangements. As such, our data protection laws are likely to remain very similar to those under EU law after the UK leaves, given that EU laws also reflect wider international standards on data processing.
The Bill itself is split into four main elements: general data processing, law enforcement processing, national security processing and powers of the Information Commissioner (ICO) in relation to regulation and enforcement. It also extends its reach to areas of processing that do not currently fall under the ambit of the GDPR because such processing lies outside of the areas of competence of the EU. For these areas of processing, the Bill implements a broadly equivalent regime to that set out in the GDPR.
Notable points of interest in the Bill include:
- Parental consent to online processing of personal data of children will only be required if the child is less than 13 years old. The GDPR provides for national governments to set this age limit to anywhere between 13 and 16 years.
- Data controllers who process special categories of data in an employment context or on grounds of public interest will be able to continue to do so, but will need to implement an "appropriate policy document" as an additional safeguard. This policy will need to be updated and reviewed regularly and be made available to the ICO if so requested. It will also explain how the controller complies with the data protection principles and how long they are likely to retain the data.
- Where a decision is required or authorised by law and is made by automated means, individuals will have 21 days to request either reconsideration of it or that a fresh decision is made with some non-automated input.
- "Public authorities" and "public bodies", which are subject to particular restrictions in the GDPR (e.g. the inability to rely on the legitimate interests ground for processing), are defined as those bodies that are considered public authorities under the Freedom of Information Act 2000. This will not be of concern to certain public sector organisations, e.g. NHS Trusts, but will be more of a concern to others, such as universities or academy trusts, which operate in a grey public / private capacity. The Bill allows for regulations to be made that will remove certain organisations from this definition, so we will need to wait and see which bodies may be removed in due course.
- Data controllers are authorised to process criminal convictions and offences data, subject to certain conditions being met. One possible condition is where processing is carried out for employment, social security and social protection purposes, such as for employee screening. However, the condition will only be met if the organisation has an "appropriate policy document" in place as mentioned above in relation to processing special categories of data.
- The ICO will be part-funded by requiring data controllers to pay fees to its office for services that the ICO is required or authorised to provide under the Bill. It may even require that these fees be paid regardless of whether the ICO has provided, or proposes to provide, any service to an individual controller.
- The ICO will have powers to charge a reasonable fee to a data subject or data protection officer in dealing with a request from them where the request is manifestly unfounded or excessive. This may reduce the likelihood of data subjects using referrals to the ICO as leverage in disputes with data controllers.
We will be providing further detailed analysis of the Bill over the coming months as it goes through the parliamentary process to become law. In the meantime, if you would like advice on data protection compliance or what action you should be taking now, please speak to Sheilah Mackie at Sheilah.Mackie@blakemorgan.co.uk or any other member of our Information Governance team.