| Stage of legislative progress |
|---|
| Eg. pre-consultation, in consultation |
Royal Assent given (23.05.18) to Data Protection Act 2018.
| Approach to implementation |
|---|
| Eg. amendments to existing law, total repeal of old laws |
Repeals Data Protection Act 1998
Further Statutory Instruments are anticipated
The Act contains additional provisions to implement the Law Enforcement Directive; cover processing of personal data by intelligence services; and cover other processing of personal data which is out of scope of EU law.
| Timescale for implementation |
|---|
| Eg. pre-consultation, in consultation |
25 May 2018.
Areas where Member States must have local laws:
| Personal data and freedom of expression |
|---|
The Act contains a number of specific provisions and exemptions dealing with processing for "special purposes", which covers journalism, academic, artistic and literary purposes.
Special Categories of Data- Lawful basis for processing:
Schedule 1 (para 13) permits the disclosure of special categories of personal data (sensitive data) and criminal convictions data for "special purposes", provided it is in the substantial public interest and carried out with a view to the publication of the personal data by any person and the controller reasonably believes the publication would be in the public interest. It must also be carried out in connection with (i) the commission of an unlawful act (ii) dishonesty, malpractice or other seriously improper conduct (iii) unfitness or incompetence of a personal (iv) mismanagement in the administration of a body/association or (v) a failure in services provided by a body/association. This would seem to permit in limited circumstance the disclosure of data to investigative journalists.
Exemptions based on Art 85 (2):
Schedule 2 (Part 5): Where personal data are processed for special purposes, with a view to publication by a person of journalistic, academic artistic or literary material and the controller reasonably believes that the publication would be in the public interest, then the "listed GDPR" provisions will not apply to the extent that the controller reasonably believes that the application of those provisions is incompatible with the special purposes. Controllers must have regard to the ‘special importance of the public interest in the freedom of expression and information’ and to relevant codes of practice such as the OFCOM Broadcasting Code.
| Penalties |
|---|
Criminal offences:
(i)To knowingly or recklessly (a) to obtain or disclose personal data without the consent of the controller; (b) to procure the disclosure of personal data to another person without the consent of the controller; or (c) after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained or (d) to sell data if obtained in circumstances in which an offence has been committed under (a)-(c) (S170);
(ii) To knowingly or recklessly re-identify information that is de-identified personal data without the consent of the responsible controller (S171);
(iii) To alter, deface, block, erase, destroy or conceal information with the intention of preventing its disclosure pursuant to a subject access or portability request (S173);
(iv) Destroying or falsifying documents – or permitting the destruction or falsifying – of documents with the intention of obstructing the commissioner after an information or assessment notice has been given.
(V): obstructing the exercise of a warrant by the Commissioner.
Director's Liability: If an offence has been committed by an organisation and it is proved to have been done with the consent or connivance or neglect of a director, manager, secretary or other officer, they can also be guilty of the office (s196).
Areas where Member States may have local laws:
| Professional secrecy |
|---|
Exemptions
Paragraph 19 of Schedule 2, controllers are exempted from rights under Articles 13, 14, 15 and the first three principles of the Act (lawfulness and fairness, purpose limitation and data minimisation) where the data are subject to legal professional privilege (or confidentiality of communications in legal proceedings, as this is known in Scotland).
Certain other exemptions apply to maintain secrecy in (typically public sector) records, including in certain health, education and child abuse records disclosed in court proceedings, and records where disclosure is prohibited under law. This can be found in the latter parts of Schedule 2.
Privilege during enforcement activity
Controllers and processors are not required to divulge communications subject to legal advice privilege or litigation privilege. This is specifically included in the sections on information and assessment notices, both of which allow access to documents and premises in certain circumstances, and to Schedule 15 on powers of entry and inspection.
| Scientific, historical or statistical purposes |
|---|
Sched.1, part 1, §4 Processing of special category data and criminal offence data for archiving purposes, scientific or historical research purposes, or statistical purposes permitted if:
- in accordance with GDPR (Art.81) (use of t.o.m.s and data minimisation; anonymise if possible; pseudonymise if possible); and
- must not be likely to cause damage or distress; must not be used for measures or decisions with respect to a particular data subject unless is approved medical research (s.19); and
- is in the public interest.
Exemptions from data subject rights (access; rectification; restriction; portability; right to object) where processing meets conditions set out in Art.89 (1) & s.19 DP Act; and
- compliance would prejudice the ability to achieve the purposes of the research/ statistics/ archiving; and
- for research/ statistics: the results must not be made available in identifiable form.
| Employment context |
|---|
Employment, social security and social protection
For processing necessary to perform or exercise obligations or rights of the controller or of the data subject under employment, social security or social protection law, the Data Protection Act 2018 introduces a requirement on the controller to put into place an ""appropriate policy document""
(Paragraph 1 of Schedule 1 to the Data Protection Act 2018).
An appropriate policy document must:
• explain the controller's procedures for complying with the data protection principles laid out in Article 5 of the GDPR;
• explain the controller's policies as regards the retention and erasure of personal data, including providing an indication of how long the personal data are likely to be retained; and
• be retained for as long as the processing takes place (and then for six months when the relevant processing ceases), review it from time to time (if appropriate), and make the policy document available to the ICO without charge (if requested).
The controller must additionally ensure that its records of processing activities (under Article 30 of the GDPR):
• includes details on the controller's processing of personal data in the context of employment, social security and social protection;
• describes how the processing satisfies Article 6 of the GDPR (lawfulness of processing); and
• includes details on whether the personal data are retained and erased in accordance with the controller's policies.
(Paragraphs 38 – 41 of Schedule 1 to the Data Protection Act 2018)
Employment references
The Data Protection Act 2018 restricts certain data subject rights, including subject access, with regard to employment references. For more information see 'Any other areas under discussion'.
(Paragraph 24 of Schedule 2 to the Data Protection Act 2018)
Enforced subject access
The Data Protection Act 2018 maintains the offence of requiring an individual to exercise their subject access rights to obtain a relevant record (largely relating to health, convictions and cautions, and statutory functions) as part of the recruitment or continued employment of that individual. For more information see 'Any other areas under discussion'.
(Section 177 of the Data Protection Act 2018)
Equal opportunity and treatment
The Data Protection Act 2018 allows employers, with certain restrictions, to consider ""specified"" categories of personal data (personal data revealing racial or ethnic origin, and religious or philosophical beliefs or personal data concerning health or an individual's sexual orientation) as part of equality of opportunity or treatment. Employers may also process data regarding racial and ethnic origin to promote and maintain diversity at senior levels of the organisation. For more information see 'Special rules for special categories of data'.
(Paragraphs 8 and 9 of Schedule 1 to the Data Protection Act 2018)
| Personal data of deceased persons |
|---|
No provisions
| Children online (in relation to the offering of information society services) |
|---|
13 years
Section 123(1): Information Commissioner must prepare a code of practice on standards of age-appropriate design of relevant information society services which are likely to be accessed by children.
| Special rules for special categories of data |
|---|
The Data Protection Act 2018 contains provisions about the processing of special categories of personal data and criminal offence data.
The processing meets the requirement in Article 9(2)(b), (h), (i) or (j) GDPR for authorisation by, or a basis in, the UK law only if it meets a condition in Part 1 of Schedule 1 of the Act.
The processing meets the requirement in Article 9(2)(g) of the GDPR for a basis in UK law only if it meets a condition in Part 2 of Schedule 1 of the Act.
The processing meets the requirement in Article 10 GDPR for authorisation by UK law only if it meets a condition in Part 1, 2 or 3 of Schedule 1 of the Act.
Except in limited cases, an 'appropriate policy document' in place which sets out how the controller will comply with principles at Article 5 GDPR and retention and erasure (including indicating retention periods). Policy document must be reviewed and be available to the Information Commissioner on request. Record of processing must specify the lawful basis for processing under Articles 9 & 6 GDPR and whether processing meets the policy documents described above. (Schedule 1, Part 4)
| Genetic, biometric or health data |
|---|
Art. 9(2)(h) provided for by Schedule 1, Part 1, § 2.
Art. 9(2)(i) provided for by Schedule 1, Part 1, § 3.
*Processing of data concerning health, racial or ethnic origin, genetic or biometric data, sexual life or orientation by not for profit bodies providing support to those with a disability or medical condition permitted - must be necessary for reasons of substantial public interest; condition not available if organisation is aware the data subject withholds consent - Schedule 1, Part 2, § 16.
*Schedule 1, Part 2, § 20 - processing personal data relating to racial/ ethnic origin; religious or philosophical beliefs; trade union membership; genetic data or health data - permitted for insurance purposes (where there is no impact on the actual data subject).
*Schedule 1, Part 1, § 21 - processing of health data about relatives of members of occupational pension schemes - where no impact on the data subject.
* must also have an appropriate policy document in place which sets out how the controller will comply with principles at Art 5 GDPR; retention and erasure (including indicating retention periods). Policy document must be reviewed and be available to the Information Commissioner on request. Record of processing must specify lawful basis for processing under Arts. 9 & 6 GDPR; whether processing meets the policy documents described above. (Schedule 1, Part 4)
| Designation of a Data Protection Officer |
|---|
n/a
| National identification numbers/any other identifier of general application |
|---|
n/a
| Any other areas under discussion |
|---|
