The much-publicised Data Protection Act 2018 (DPA 2018) came into force last week (25thMay 2018), alongside the General Data Protection Regulation (GDPR). I recently wrote a blog post explaining the aims of the new Act and busting some of the myths.
Part 2 of the Act supplements the GDPR i.e. it fills in some of the gaps by enacting “derogations”; where Members states are allowed to make their own rules e.g. about exemptions and children’s consent. This part has to be read alongside the GDPR.
Much of the Act is the broadly the same as the Bill when it was introduced to Parliament e.g. children’s consent, automated decisions, Special Category Data etc. Read a summary of the Bill here.
Articles 6(3) and 23(1) of GDPR allow member states to introduce exemptions from various GDPR obligations e.g. transparency and individuals’ rights. All of the familiar exemptions from the old Data Protection Act 1998 (DPA 1998)(see S.29-35and Schedule 7) are set out in Schedules 2 – 4 of the new Act e.g.crime and taxation, legal proceedings, management forecasts, public functions, negotiations etc. There are some new exemptions and others have been changed.
Immigration: Paragraph 4 of Schedule 2 of the Act introduces a new exemption for personal data processed for the purposes of effective immigration control. This removes most of the Data Subjects’ rights (incl. subject access) where they would prejudice such matters. Campaigners have argued that this exemption means thatimmigrants, including the 3 million EU citizens in the EU, (and those affected by the Windrush scandal) will not have access to data and information regarding how the Government decides on their fate, including their potential deportation. This makes any defence and legal action against unlawful deportation by the Government extremely difficult. Open Rights Group and campaigners for EU citizens’ rights (the3million) are preparing to challenge this exemption in court. (More here.)
References: The DPA 1998 contained an exemption from the right of subject access for confidential references about a Data Subject given by, amongst others, an employer. However no such exemption applied to a request made for the same reference to a prospective employer. Thus employees could still see what their employer had written about them and challenge it.
Paragraph 24 of Schedule 2 of the new Act has undergone a fundamental change since the Bill stage. It now allows confidential references to be kept secret in all circumstances not just in the hands of the employer/giver of the reference. It also gives an exemption from the right to be informed under Article 13 and 14 of GDPR i.e. the need to mention it in a privacy notice.
This new blanket exemption (which now incudes volunteering) takes away important rights of employees and volunteers. It should concern everyone, not just the unions, especially as it was passed without any debate or discussion.
Legal Professional Privilege: Paragraph 19 of Schedule 2 of the Act contains an exemption for personal data that consists of legally privileged information (LPP). It is similar to the one contained in the DPA 1998 but slightly broader in that it also covers personal data which is subject to a duty of confidentially owed by a professional legal adviser not just that information covered by LPP. The latter will apply to a much narrower range of information than the former. This exemption allows lawyers to refuse subject access requests and disregard the duty to inform (Article 13 and 14 of GDPR).
Barristers have warned that the Act could hand ‘big brother powers’ to the Information Commissioner’s Office (ICO) by granting it access to privileged material without client consent and subsequently disclosing it. However Section 132 of the Act (Confidentiality of Information) seems to guard against this.
Freedom of Information
Part 1 of Schedule 19 of the Act amends the personal data exemption/exception under section 40 of the Freedom of Information Act 2000(FOI) and Regulation 13 of the Environmental Information Regulations 2004 (as well as the equivalent Scottish legislation). These are consequential amendments designed to ensure that the correct provisions of the GDPR and the new Act are referenced instead of the now repealed DPA 1998. They will not fundamentally impact when personal data can, and cannot, be disclosed in response to an FOI or EIR request.
GDPR mentions public authorities in a number of places e.g. when stipulating who needs to appoint a Data Protection Officer in Article 37. Furthermore the ‘legitimate interests’ condition (Article 6(1)(f)) cannot be relied upon to justify data processing by public authorities in the performance of their public tasks. Section 7 of the Act defines ‘public authority’ as any organisation that is covered by FOI (or its equivalent in Scotland) as well as bodies specified by the Secretary of State. Certain bodies, pursuant to section 7(3), despite being subject to FOI, will not be deemed public authorities for GDPR purposes. Most notably this includes parish councils. Consequently parish councils do not need to appoint a DPO and can rely on the legitimate interests condition without restriction.
The Act creates two new criminal offences. Clause 171 makes it an offence for a person knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the Data Controller responsible for de-identifying the personal data. Offenders will be liable on summary conviction or on conviction on indictment, to a fine.
Clause 173 makes it an offence for the Data Controller or a person employed by it to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of information that a Data Subject enforcing his/her rights would have been entitled to receive. Offenders will be liable on summary conviction to a fine. This is similar to the offence under S.77 of the Freedom of Information Act (FOI).
The offence under section 55 of the DPA 1998 is now to be found in Section 170 of the new Act; obtaining or disclosing personal data without the consent of the Data Controller and procuring a disclosure to another person. It is extended to include retaining personal data after obtaining data it, without the consent of the Data Controller.
Section 165 sets out what individuals can expect if they submit a complaint to the ICO about the way their personal data has been procesed under GDPR. Clause 166 sets out a mechanism for a complaint to the Tribunal if the ICO fails to address it adequately.The ICO is currently consulting on its Draft Regulatory Action Policy.
Article 82 of GDPR states that any person who has suffered material or non-material damage as a result of an infringement of GDPR shall have the right to receive compensation from the Data Controller or Data Processor for the damage suffered. Section 169 of the Act explains that damage includes financial loss and damage not involving financial loss, such as distress. This is in marked contrast to the DPA 1998 which only allowed compensation for distress where it was linked to damage; although the Court of Appeal decision in Vidal-Hall v Google  EWCA Civ 311 allowed claims for distress alone.
Notification and Fees
Under the DPA 1998 most Data Controllers had an obligation to register with the ICO (known as Notification). There is no such requirement in GDPR. However, as predicted on this blog last year, the Government has introduced a new charging structure for Data Controllers to ensure the continued funding of the ICO. The Data Protection (Charges and Information) Regulations 2018 also came into force on 25thMay 2018 and imposes different levels of fees depending the size of the Data Controller. Data Processors do not have to pay any fee to the ICO but then many will be Data Controllers in their own right.
The new regulations are made under a power contained in the Digital Economy Act 2017 (which is itself a controversial piece of legislation due to the wide ranging provisions about data sharing.) The ICO website has more details to help Data Controllers work out what fee is payable (See also our blog post here.)
Section 137 of the new Act goes further in that it allows regulations to be made which require Data Controllers to pay further charges regardless of whether the Commissioner has provided, or proposes to provide, a service to Controllers.
“The creation of the Data Protection Act 2018 is not an end point, it’s just the beginning, in the same way that preparations for the GDPR don’t end on 25 May 2018. From this date, we’ll be enforcing the GDPR and the new Act but we all know that effective data protection requires clear evidence of commitment and ongoing effort.”
Our ever popular GDPR Practitioner Certificate has availability in Leeds starting on 9th July. Book now.