In all the hyperbole and misinformation surrounding the General Data Protection Regulation (GDPR) in recent weeks, it may have been easy to miss the UK passing its own updated data protection legislation – the imaginatively titled Data Protection Act 2018 (the Act), which helpfully also came into force on 25th May. This replaces the Data Protection Act 1998, which has been in force since 2000.
While the Act largely replicates the GDPR in UK law, it is important to note that GDPR still applies directly until the UK has left the EU and repealed any EU-created legislation of its choosing. But GDPR allows individual states some flexibility to add their own detail in relation to specific areas (“derogations”) to fit with the national context, and the Act fills in some of those gaps.
This article is intended to dissect it and pull out the key points you need to be aware of. We will follow up with a piece looking at the Act’s schedules, which provide additional conditions for specific types of processing activity and exemptions from certain requirements of the GDPR. The Act has various functions and is split into seven parts, with an overview of each section provided below.
Part 1 – Preliminary
This is a short section that sets out the scope and purpose of the legislation with section 1(2) helpfully reminding us that “Most processing of personal data is subject to the GDPR”.
Section 3 deals with the definitions of terms used within the Act – these largely mirror the definitions within GDPR. However, section 3(9) defines “data protection legislation” as:
- the GDPR
- the applied GDPR
- this Act
- regulations made under this Act
- regulations made under section 2(2) of the European Communities Act 1972 which relate to the GDPR or the Law Enforcement Directive.
Add the EU ePrivacy Regulation into the mix (whenever that may land) and this shows that the legislation governing personal data is becoming more complex and wide-ranging – reading one piece of legislation in isolation is not sufficient.
Part 2 – General processing
Section 7 makes clear that where GDPR refers to “public authorities” or “public bodies” these are to be considered as:
- a public authority as defined by the Freedom of Information Act or Freedom of Information (Scotland) Act; or
- an authority or body specified or described by the Secretary of State in regulations
And section 7(3) then exempts some organisations from that definition, as below:
- a parish council in England
- a community council in Wales or Scotland
- a parish meeting constituted under section 13 of the Local Government Act 1972
- a community meeting constituted under section 27 of that Act
- charter trustees (in some circumstances)
One key difference from GDPR is at section 9(a) – where the GDPR references 16 years as the age at which children can legitimately give consent for the use of “information society services” (online services provided “at a distance” using personal data), the Act lowers this to 13 years old.
Fees for data subject rights
Section 12 sets out that the Secretary of State may by regulations set out the fees that can be charged when handling “manifestly unfounded or excessive requests” (GDPR wording). These regulations may also require controllers to publish guidance on the fees that may be charged in those circumstances. These regulations have not been passed at the time of writing.
Restrictions on data subject rights
Section 15 provides information about the exemptions that may apply to data subject rights in specific scenarios. These exemptions are detailed in the Act’s schedules and will be covered in detail in a follow up article shortly. The Secretary of State may also add further exemptions by way of regulations.
Archiving, research and statistics
Section 19 provides further detail around the provisions of Article 89 of the GDPR in relation to the use of personal data for archiving, research and statistical purposes. Section 19(4) helpfully gives a specific definition of “approved medical research” and “relevant NHS body”.
Scope of the Act
The scope of the Act is wider than that covered by GDPR and section 21(1)(a) brings within scope of the Act any processing that falls outside EU law, for example where it relates to immigration and “common foreign and security policy activities”.
Part 3 – Law enforcement processing
Part 3 of the Act implements the EU Law Enforcement Directive (Directive 2016/680) into UK law – as it sounds, this covers the processing of personal data for law enforcement purposes.
Section 31 defines law enforcement purposes as relating to the “prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.”
While we will not cover this part in detail here, it is worth being aware of even if the core purpose of your organisation does not relate to law enforcement. Some use of personal data could come within scope of this part if it relates to criminal offences (actual or suspected).
Part 4 – Intelligence services processing
Similarly, we will not go into detail about this part, as it covers the use of personal data for intelligence purposes and applies to “the Security Service, the Secret Intelligence Service and Government Communications Headquarters (GCHQ)”.
Part 5 – The Information Commissioner
While much of the role of the Information Commissioner remains the same, a couple of key areas within this section are drawn out below:
ICO Codes of practice
Sections 121-128 of the Act set out specific codes of practice that the Information Commissioner must publish (for example, in relation to data sharing and direct marketing, among others), so they will be worth looking out for. It also states that, prior to drafting any such code, the Commissioner must consult with the Secretary of State and, where considered appropriate, “trade associations, data subjects and persons who appear to the Commissioner to represent the interests of data subjects”.
Data protection fees to the ICO
Section 137 provides information about the powers the Commissioner has to require data controllers to pay a fee to allow their processing of personal data. The Data Protection (Charges and Information) Regulations 2018 have already come into force and set out the various fee levels for data controllers. The ICO’s website has more information about what level of fee you should pay and how to pay it.
Part 6 – Enforcement
This section details the various powers the ICO have when investigating incidents or breaches that may occur involving personal data. These include a variety of types of notice that can be issued, depending on the circumstances.
The most notable will be the “Penalty Notice” where a financial penalty can be issued to a data controller. Section 157 of the Act has brought across the fine levels from GDPR, which can reach up to €10,000,000 (or 2% of global turnover) for certain breaches and €20,000,000 (or 4% of global turnover) for the most serious breaches.
Section 155(3) sets out the criteria that will be considered by the ICO when issuing a Penalty Notice:
- the nature, gravity and duration of the failure;
- the intentional or negligent character of the failure;
- any action taken by the controller or processor to mitigate the damage or distress suffered by data subjects;
- the degree of responsibility of the controller or processor, taking into account technical and organisational measures implemented by the controller or processor;
- any relevant previous failures by the controller or processor;
- the degree of co-operation with the Commissioner, in order to remedy the failure and mitigate the possible adverse effects of the failure;
- the categories of personal data affected by the failure;
- the manner in which the infringement became known to the Commissioner, including whether, and if so to what extent, the controller or processor notified the Commissioner of the failure;
- the extent to which the controller or processor has complied with previous enforcement notices or penalty notices;
- adherence to approved codes of conduct or certification mechanisms;
- any other aggravating or mitigating factor applicable to the case, including financial benefits gained, or losses avoided, as a result of the failure (whether directly or indirectly);
- whether the penalty would be effective, proportionate and dissuasive.
While the ICO has already explicitly said on numerous occasions that they will use their new enforcement powers proportionately, this sets out the issues they should take into consideration when taking any action.
ICO powers on entry and inspection
Schedule 15 of the Act also details the ICO’s powers of entry and inspection. The ICO may enter premises if there are grounds for suspecting that a controller has failed to comply with an Enforcement Notice, or that an offence under the Act has been or is being committed, and there are reasonable grounds for suspecting that evidence relating to that failure or offence is held on those premises. This would require a warrant to be issued by a judge.
Claims for compensation
Sections 168 and 169 bring across the right in GDPR of data subjects to make claims for compensation where they are affected by a breach of legislation. These sections explicitly refer to any “distress” caused by a breach as being within scope of such claims, following the path of recent case law on the issue (Vidal-Hall v Google).
Section 170 replicates the old section 55 offence from the 1998 Act in relation to an individual unlawfully obtaining personal data without the consent of the data controller. Section 171 then creates a new offence where an individual “knowingly or recklessly re-identifies information that is de-identified personal data without the consent of the controller responsible for de-identifying the personal data”.
Section 173 also introduces a specific offence for individuals “altering, defacing, blocking, erasing, destroying or concealing information with the intention of preventing disclosure of information that a person would have been entitled to receive” once they have made a request in relation to their personal data. All of these offences are punishable on summary conviction by a fine for the individual concerned.
Part 7 – Supplementary and final
This section tidies up a number of miscellaneous issues and specific legislative requirements.
Of most interest here is section 187, which relates to the ability of data subjects to bring a “group action” in relation to a complaint to the supervisory authority, the right to an effective judicial remedy, and claims for compensation.
Section 204 gives a detailed list of the types of role that fall within the definition of “health professional” and “social work professional”, which are referred to within the Act.
So while GDPR has dominated headlines of late, it is important to be aware of the implications of this Act. GDPR does underpin much of the Act but it goes further and adds detail in a number of specific areas. The two pieces of legislation must be read alongside each other (and other relevant legislation) to ensure that any decisions taken in relation to personal data are legally justifiable.
As noted earlier, we will publish a further article shortly covering the detail of the Act’s schedules.