On 25th May 2018, when the GDPR came into force, the European regulation attracted all the headlines. However, another piece of regulation also came into law that day, and it differs from the EU GDPR in several respects.
The Data Protection Act of 2018 is strewn with references to the GDPR and can appear intimidating, but we have read it for you and here are the main points that the DPA delivers.
- repeals and replaces the Data Protection Act 1998 (DPA 1998), modernising its provisions in line with the 21st century and upping the ante on sanctions for non-compliance;
- helps supplement, and expand on the GDPR by making detailed provision for member state derogations, e.g. in the matter of child consent;
- extends the reach of GDPR standards to processing previously outside of the GDPR’s scope; for instance, processing of unstructured manual files (e.g. handwritten notes used by public authorities subject to the Freedom of Information (FOI) regime);
- introduces two new criminal offences; and
- crucially, in tandem with the European Union Withdrawal Bill, makes the GDPR Brexit-proof by ensuring that data flows between the UK and EU remain fluid and undisrupted.
Public authorities and the public task ground
Article 6(1)(e) of the GDPR and Section 7(1) of the DPA allow processing where necessary for the performance of ‘a task carried out in the public interest or in the exercise of official authority vested in the controller’. The DPA clarifies that ‘public authority’ in this context is a public authority for FOI purposes or one designated as such by the Secretary of State. Much hay has been made of the fact that Article 6(1)(f) of the GDPR no longer permits public authorities to rely on their own legitimate interests to justify their processing of personal data. However, public sector clients should rest assured that this new ground is an equally good one on which to rely. It is also worth noting that the DPA states that this new processing ground only catches a public authority or body when it is doing something in the public interest or exercising its official authority. Thus, when acting as an employer or a commercial contractor (e.g. for cleaning services), it can still rely on legitimate interests and consent as it would have done previously.
Data subject access requests
Data protection law has historically treated confidential references in the realms of education, training and employment as exempt from disclosure as part of Data Subject Access Requests (DSARs). Paragraph 24 of Schedule 2 of the DPA now also extends the exemption to cover references given in confidence to employees and volunteers by former employers.
Third-party personal data
Section 17 of the DPA creates presumptions in favour of disclosing information that identifies a third party, other than the data subject, in response to DSARs in specific healthcare, social care and education contexts. In practice, this means that a healthcare professional or a member of teaching staff who does not wish their personal information to be disclosed as part of a DSAR relating to a patient or pupil may find that the patient’s or pupil’s right of access to the data trumps their privacy rights. Broadly speaking, however, the law remains the same as under the DPA 1998. Generally, when a data subject’s information is mixed up with that of a third party, it is exempt from disclosure unless the third party has given consent, or it is reasonable to disclose the data without consent after balancing the competing interests of the objector and the requestor.
Special category data
Substantial public interest
Sensitive ‘special category’ data can only be processed in a handful of circumstances, one of which is for reasons of ‘substantial public interest’. Although the DPA does not furnish us with an exhaustive definition of what this might be, it does set out several pragmatic conditions in Schedule 1 Part 2 that satisfy this test. These include, amongst others, the safeguarding of children and individuals at risk (paragraph 18). This paragraph makes it clear that information relating to children or vulnerable adults can be processed and released without their consent where safeguards, such as an appropriate policy document, are in place, their consent cannot reasonably be obtained, and it is in the substantial public interest that it be released. Practically, this assists care providers by giving them precise but flexible parameters when making routine judgement calls, e.g. a justification to share sensitive information about a vulnerable adult with their Deprivation of Liberty Safeguards (“DoLS”) representative, appointee or other relevant next of kin where no red flags are present (such as a history of parental abuse or refusal of deputyship).
‘Appropriate policy document’
As above, under the DPA, employers and other controllers nearly always need an appropriate policy document to justify the processing of special category data. Boiled down to its essence, an appropriate policy document should:
- contain information generally found in comprehensive, up-to-date data protection policies, fair processing notices and retention schedules;
- be retained for six months after the relevant processing ceases; and
- be made available to the ICO on request, without charge.
Similar additional safeguards also required for this kind of processing can be found in paragraphs 38-41 of Schedule 1 to the DPA. Arguably, compliant employers and data controllers will need to do very little else to fulfil these criteria.
Profiling and automated decision making
To the extent that controllers are permitted to make automated decisions based on profiling under Article 22 of the GDPR, the following safeguards (Section 14 of the DPA) must apply:
- the controller must notify the data subject, as soon as reasonably practicable, that there has been a decision based solely on automated processing;
- the data subject has one month from receipt of the notification to request that the controller either reconsider the decision or make a new decision that is not based solely on automated processing; and
- within one month of receiving such a request, the controller must comply with it and notify the data subject in writing of the steps taken to comply and of the outcome.
It is worth noting that the above time limits can be extended in a similar manner to those for DSARs. Rather like with DSARs, clients who directly or indirectly use profiling to meet their contractual or legal obligations should adopt a protocol to ensure that these time limits are met, and that staff are aware of them.
New criminal offences
The DPA brings in two new criminal offences: (i) knowingly or recklessly re-identifying information that was previously de-identified (Section 171); and (ii) deliberately altering or concealing information that should be provided in response to a DSAR (Section 173). The existing offence of unlawfully obtaining personal data under the DPA 1998 has also been tweaked to include unlawful retention without the controller’s consent, even if the data were obtained legally.
Other things to look out for
- The ICO is retaining annual fees and registrations, and is increasing them for controllers with a turnover exceeding £36 million or 250+ employees. Annual fees for these organisations now amount to £2,900, and failure to pay will result in an organisation being assessed at this higher rate even if it does not otherwise meet the higher-tier criteria.
- In a heavily publicised and highly controversial move, the age at which children can give their own consent in relation to ‘information society services’ has been set at 13 years by the Act. This is in line with industry practice. However, it is significantly lower than the default age of 16 years under the GDPR.
- A new exemption for personal data processed for effective immigration control has been introduced by the DPA, which curtails most data subject rights (including data subject access) where they would prejudice such matters. Campaigners have argued that this exemption means that immigrants, including those of the Windrush generation, will be disproportionately affected, as they will not be able to access information regarding their deportation, for example.
Important points to consider
- Ensure that staff training, relevant policies and template agreements are reviewed and updated to include the safeguards, exemptions and offences under the DPA. You should keep a register of the training delivered.
- Organisations and not-for-profits processing special category data in the education, healthcare and social care sectors should familiarise themselves with the provisions of the DPA relevant to them. This will put them in the best possible position to proactively manage their data protection compliance burden and, where possible, take advantage of the DPA’s pragmatic approach.
- Employers, and other controllers that are required to do so, should ensure that an appropriate policy document is in place in line with the DPA when dealing with special category data.
- Those relying on automated decisions based on profiling should consider having a protocol to respond to potential objections within the prescribed time limits.
- Remember that public authorities can still use legitimate interest and, less usefully, consent, where they are not acting in the public interest or exercising their official authority.
- Children’s consent at 13 is only a bright line test for information society services. Generally, where children are concerned, consent is a thorny matter and often depends on maturity and circumstance. Ultimately, it will be assessed on a case-by-case basis.
- Look out for forthcoming DPA-related guidance from the Information Commissioner’s Office (ICO) on its website. Alternatively, remember that the ICO is contactable via its helpline: 0303 123 1113.
If you would like to have a chat about what these changes mean for your organisation, or if you need training on any aspect of data protection legislation, please call us on 03333 22 1011.