On 7 August 2017 the Department for Digital, Culture, Media and Sport (DCMS) published its statement of intent for the Data Protection Bill. The ‘lines to take’ in the PR surrounding the announcement focused on the public having more control over their personal data, including the ‘right to be forgotten’ and a new right to require social media platforms to delete personal information on request.
Anyone interested in privacy and data protection will know that this is coming. Not only was it mentioned in the Queen’s speech, it has long been foreshadowed by the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018. The GDPR is a regulation and has direct effect, but governments across the EU are actively legislating to prepare the ground and to settle the matters the GDPR leaves in the hands of member states. For this reason, the new Data Protection Bill (DPB) is based heavily on the GDPR.
Areas covered by the Data Protection Act 1998 (DPA) but not by the GDPR are retained in the DPB. These include the exemption from compliance where personal data are processed for the purposes of journalism. The existing approach to the processing of criminal conviction information is also retained, meaning employers will remain able to undertake criminal record checks.
The Statement also highlights three key areas of derogation. These are:
- Allowing automated decision making for legitimate reasons, such as credit reference checking. Whereas the GDPR gives a data subject the right not to be subject to automated decision making, the UK will allow it, with data subjects having the right to challenge decisions made as a result.
- The age at which a child can give their own consent will be 13. This mirrors the US rules for social media sites and is down from the GDPR default of 16 (the GDPR allows member states to lower this age, to a minimum of 13).
- Data subject rights will be more limited where personal data are used for research purposes. Research organisations and archiving services will not have to respond to subject access requests where doing so would seriously impair or prevent them from fulfilling their purposes. Research organisations will also not have to comply with an individual’s rights to rectification, restriction of further processing and objection to processing where this would seriously impede their ability to complete their work, provided that appropriate organisational safeguards are in place to keep the data secure.
More interesting is the creation of new data protection offences, punishable by an unlimited fine. These include:
- Intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data.
- Altering records with intent to prevent disclosure following a Subject Access Request (SAR).
- Extension of the existing ‘blagging’ offence (unlawfully obtaining personal data) to ‘capture people who retain data against the wishes of the controller’.
The statement of intent was accompanied by a video featuring the Minister of State for Digital, Matt Hancock.
Reading the statement of intent and watching the video, you might think that the Government is making a massive overhaul of the data protection landscape of its own choosing. What the Government has actually produced is the GDPR, with additional elements of the DPA retained. Information rights expert Jon Baines has blogged that the document is less a statement of intent and more a “statement of the bleeding obvious”.
The GDPR lays the foundation for a single harmonised data protection law across Europe. As we leave the EU, it is expected that we will seek an ‘adequacy decision’, whereby the European Commission recognises UK data protection law as providing protection at least equivalent to that in force in member states. This would allow personal data to keep flowing between the UK and the EU. The Data Protection Bill clearly lays the groundwork for this, as well as meeting our obligation to apply and enforce the GDPR for as long as we remain in the Union.
This milestone in UK data privacy law still leaves questions unanswered, including the ICO’s relationship with the European Data Protection Board after we leave the EU, and how we will balance the age-old tension between privacy and free speech. Hopefully we will start to see these questions answered when the full Bill is published next month.
Cybercrowd is an information governance, cyber security and data protection services provider.