UK

Overview

Stage of legislative progress 
Eg. pre-consultation, in consultation

Royal Assent given (23.05.18) to 25 May 2018.

Approach to implementation 
Eg. amendments to existing law, total repeal of old laws

Repeals Data Protection Act 1998

Further Statutory Instruments are anticipated

In addition to implementing GDPR related provisions, the Act contains additional provisions to:

(i)address the gaps left by repeal of 1998 Act and to apply a broadly equivalent regime to certain types of processing which GDPR does not cover;
(ii)implement the Law Enforcement Directive; and
(iii) cover processing of personal data by intelligence services.

Timescale for implementation 
Eg. pre-consultation, in consultation

25 May 2018.


Areas where Member States must have local laws:

Personal data and freedom of expression 

The Act contains a number of specific provisions and exemptions dealing with processing for "special purposes", which covers journalism, academic, artistic and literary purposes.

Special Categories of Data- Lawful basis for processing:
Schedule 1 (para 13) permits the disclosure of special categories of personal data and criminal convictions data for "special purposes", provided it is in the substantial public interest and carried out with a view to the publication of the personal data by any person and the controller reasonably believes the publication would be in the public interest. It must also be carried out in connection with (i) the commission of an unlawful act (ii) dishonesty, malpractice or other seriously improper conduct (iii) unfitness or incompetence of a personal (iv) mismanagement in the administration of a body/association or (v) a failure in services provided by a body/association.

Exemptions based on Art 85 (2):
Schedule 2 (Part 5): Where personal data are processed for special purposes, with a view to publication by a person of journalistic, academic or literary material and the controller reasonably believes that the publication would be in the public interest, then the "listed GDPR" provisions will not apply to the extent that the controller reasonably believes that the application of those provisions is incompatible with the special purposes.

These are numerous and set out in Section 26 (9) of Part 5 and include principles of processing (except for security), lawful grounds of processing, conditions for consent, transparency requirements, the data subject rights (in Arts 15-21 GDPR), breach notification requirements and data transfer restrictions.

Under S174-176, the ICO can make a written determination that the data is not being processed for special purposes or is not being processed with a view to publication. An individual who is a party to legal proceedings which relate to data being processed for special purposes (whether in respect of a request for a compliance order or compensation), can apply to the ICO for assistance in the proceedings.

There are also restrictions on the ICO's power to issue notices and penalties for data processed for special purposes.

There are also additional provisions requiring the ICO to produce a code of practice for processing data for journalistic purposes (S124) and guidance for individuals about how to seek redress against media companies who are in breach of data protection legislation (S177), a review to be undertaken by the ICO to check the extent to which the processing of personal data for journalistic purposes complied with the data protection legislation (S178 and Schedule 17). The Lords were not successful in their late bid to require the Secretary of State to establish a new inquiry to look into data protection breaches committed by media organisations (ie Leveson Part II).

Penalties

The Data Protection Act includes the following criminal offences:

(i)To knowingly or recklessly (a) to obtain or disclose personal data without the consent of the controller; (b) to procure the disclosure of personal data to another person without the consent of the controller; or (c) after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained or (d) to sell data if obtained in circumstances in which an offence has been committed under (a)-(c) (S170);
(ii) To knowingly or recklessly re-identify information that is de-identified personal data without the consent of the responsible controller (S171);
(iii) To alter, deface, block, erase, destroy or conceal information with the intention of preventing its disclosure pursuant to a subject access request (S173);
(iv) Destroying or falsifying documents – or permitting the destruction or falsifying – of documents with the intention of obstructing the commissioner after an information or assessment notice has been given.

Director's Liability: If an offence has been committed by an organisation and it is proved to have been done with the consent or connivance or neglect of a director, manager, secretary or other officer, they can also be guilty of the office (s196).


 

Areas where Member States may have local laws:

Professional secrecy 

Conditions for processing sensitive data
The Data Protection Act 2018 includes two provisions in Schedule 1 that specifically implement Article 9(2)(h) and Article 9(2)(i). Both of these permit processing for purposes that broadly mirror the wording of the relevant articles, and do not establish clear additional restrictions on the use of data.
Health purposes: a list of health purposes is carried over from the GDPR. The safeguard in relation to professional secrecy is contained in Section 11(1), which states that article 9(h) will be available where it is carried out:
"by or under the responsibility of a health professional or a social work professional, or … by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law."
Both "health professional" and "social work professional" are specifically defined in Section 195. Both definitions call out to professionals under registration.
Public Health: the purpose must be "necessary for reasons of public interest in the area of public health" but not further examples are given. The safeguard for professional secrecy simply repeats the formulation in Section 11(1) (i.e. that processing must be under the responsibility of a health or social work professional or another person who owes a duty of confidentiality).
Exemptions
In Paragraph 19 of Schedule 2, controllers are exempted from rights under Articles 13, 14, 15 and the first three principles of the Act (lawfulness and fairness, purpose limitation and data minimisation) where the data are subject to legal professional privilege (or confidentiality of communications in legal proceedings, as this is known in Scotland).
Certain other exemptions apply to maintain secrecy in (typically public sector) records, including in certain health, education and child abuse records disclosed in court proceedings, and records where disclosure is prohibited under law. This can be found in the latter parts of Schedule 2.
Secrecy of communications to the ICO
Sections 131 and 132 of the Data Protection Act 2018 address secrecy of communications with the ICO. Section 131 requires the ICO to have consent, necessary public interest or other duty to disclose the data under its functions or under law. The ICO is particularly required to propose guidance on how it will handle privileged communications that are shared with it under its functions.
Privilege during enforcement activity
Controllers and processors are not required to divulge communications subject to legal advice privilege or litigation privilege. This is specifically included in the sections on information and assessment notices, both of which allow access to documents and premises in certain circumstances, and to Schedule 15 on powers of entry and inspection.

Scientific, historical or statistical purposes 

Sched.1, part 1, §4 Processing of special category data and criminal offence data for archiving purposes, scientific or historical research purposes, or statistical purposes permitted if:
- in accordance with GDPR (Art.81) (use of t.o.m.s and data minimisation; anonymise if possible; pseudonymise if possible); and
- must not be likely to cause damage or distress; must not be used for measures or decisions with respect to a particular data subject unless is approved medical research (s.19); and
- is in the public interest.

Exemptions from data subject rights (access; rectification; restriction; portability; right to object) where processing meets conditions set out in Art.89 (1) & s.19 DP Act; and
- compliance would prejudice the ability to achieve the purposes of the research/ statistics/ archiving; and
- for research/ statistics: the results must not be made available in identifiable form.

Employment context 

Employment, social security and social protection
For processing necessary to perform or exercise obligations or rights of the controller or of the data subject under employment, social security or social protection law, the Data Protection Act 2018 introduces a requirement on the controller to put into place an "appropriate policy document"
(Paragraph 1 of Schedule 1 to the Data Protection Act 2018).
An appropriate policy document must:
• explain the controller's procedures for complying with the data protection principles laid out in Article 5 of the GDPR;
• explain the controller's policies as regards the retention and erasure of personal data, including providing an indication of how long the personal data are likely to be retained; and
• be retained for as long as the processing takes place (and then for six months when the relevant processing ceases), review it from time to time (if appropriate), and make the policy document available to the ICO without charge (if requested).
The controller must additionally ensure that its records of processing activities (under Article 30 of the GDPR):
• includes details on the controller's processing of personal data in the context of employment, social security and social protection;
• describes how the processing satisfies Article 6 of the GDPR (lawfulness of processing); and
• includes details on whether the personal data are retained and erased in accordance with the controller's policies.
(Paragraphs 38 – 41 of Schedule 1 to the Data Protection Act 2018)

Employment references
The Data Protection Act 2018 restricts certain data subject rights, including subject access, with regard to employment references. For more information see 'Any other areas under discussion'.
(Paragraph 24 of Schedule 2 to the Data Protection Act 2018)

Enforced subject access
The Data Protection Act 2018 maintains the offence for requiring an individual to exercise their subject access rights to obtain a relevant record (largely relating to health, convictions and cautions, and statutory functions) as part of the recruitment or continued employment of that individual. For more information see 'Any other areas under discussion'.
(Section 177 of the Data Protection Act 2018)

Equal opportunity and treatment
The Data Protection Act 2018 allows employers, with certain restrictions, to consider "specified" categories of personal data (personal data revealing racial or ethnic origin, and religious or philosophical beliefs or personal data concerning health or an individual's sexual orientation) as part of equality of opportunity or treatment. Employers may also process data regarding racial and ethnic origin to promote and maintain diversity at senior levels of the organisation. For more information see 'Special rules for special categories of data'.
(Paragraphs 8 and 9 of Schedule 1 to the Data Protection Act 2018)

Personal data of deceased persons 

n/a

Children online (in relation to the offering of information society services)

13

Special rules for special categories of data

Current additional conditions (ie secondary legislation under Schedule 3 DPA) to be re-enacted. UK approach of permitting processing of criminal offence data where a condition for processing sensitive personal data can be met to be re-enacted.

Genetic, biometric or health data

Art. 9(2)(h) provided for by Schedule 1, Part 1, § 2.
Art. 9(2)(i) provided for by Schedule 1, Part 1, § 3.
*Processing of data concerning health, racial or ethnic origin, genetic or biometric data, sexual life or orientation by not for profit bodies providing support to those with a disability or medical condition permitted - must be necessary for reasons of substantial public interest; condition not available if organisation is aware the data subject witholds consent - Schedule 1, Part 2, § 16.

*Schedule 1, Part 2, § 20 - processing personal data relating to racial/ ethnic origin; religious or philosophical beliefs; trade union membership; genetic data or health data - permitted for insurance purposes (where there is no impact on the actual data subject).

*Schedule 1, Part 1, § 21 - processing of health data about relatives of membrs of occupational pension schemes - where no impact on the data subject.

* must also have an appropriate policy document in place which sets out how the controller will comply with principles at Art 5 GDPR; retention and erasure (including indicating retention periods). Policy document must be reviewed and be available to the Information Commissioner on request. Record of processing myst specify lawful basis for processing under Arts. 9 & 6 GDPR; whether processing meets the policy documents described above. (Schedule 1, Part 4)

Designation of a Data Protection Officer

The Data Protection Act 2018 does not introduce derogations to the GDPR regarding the designation of a data protection officer.

National identification numbers/any other identifier of general application

n/a

 


 

Other:

Any other areas under discussion
Derogation for automated decision taking to be implemented (examples given are financial services related).
Controllers must include additional information in their record of processing activity, including indication of lawful basis and details of profiling where applicable (Art.61).

The ICO is retaining annual fees and registrations, and is substantially upping these (controllers with turnover over £36million or 250+ employees face annual fees of £2900) - this power is contained in the Digital Economy Act 2017.