Navigating the Data Protection Act 2018
It is here (finally!) … navigating the Data Protection Act 2018
With two days to go the UK Government squeezed the Data Protection Act 2018 (the Act) through Parliament in time for the General Data Protection Regulation (GDPR) implementation date. Here we provide a brief overview of key things you need to know.
- Public authorities are defined by reference to the Freedom of Information Act 2000 (and the Scottish equivalent) (FOI). Therefore, if an organisation is a public authority for the purposes of FOI, they will also be a public body under GDPR. There is a helpful clarification in Section 7, which specifies that such organisations are only public bodies to the extent they are carrying out a task in the public interest or exercising an official function. This means that such bodies can rely on legitimate interests as a legal basis for processing when carrying out non-public activities.
- For the purpose of obtaining consent for processing children’s data in the online context, children are defined as individuals under the age of 13 (rather than the default age of 16 specified in GDPR).
- The prohibition on processing criminal conviction data is extended to cover allegations of the commission of criminal offences and information relating to criminal proceedings.
The main exemptions are set out in Schedule 2 of the Act and many will be familiar from the previous regime. Key exemptions include:
- Crime and taxation
- Disclosures required by law, in connection with legal proceedings or to establish, exercise or defend legal rights
- Functions designed to protect the public against dishonesty, malpractice or incompetence
- Disclosures that would involve the disclosure of third party personal data
- Information that is legally privileged
- Disclosure that would result in self-incrimination
- Corporate finance
- Management forecasts
- Journalistic, academic, literary and artistic exemptions
When relying on exemptions it is important to cross-check the scope of the exemption, both in terms of the GDPR provisions to which it applies and the extent of any “necessity” test that needs to be applied.
Conditions for processing special data and criminal conviction data
When processing criminal conviction data it is necessary to be able to rely on one of the conditions set out in Schedule 1 of the Act. Schedule 1 also sets out conditions that can be relied on for processing special categories of data in the public interest under UK law. Important conditions include the following:
- Processing of personal data is necessary to exercise rights or perform obligations imposed on the controller under employment law, social protection law or social health law. This is particularly useful in relation to processing of health data for employees
- Archiving, research and statistical activities in the public interest
- Equality of opportunity and treatment, which enables diversity monitoring
- Preventing and detecting unlawful acts
- Protecting the public against dishonesty in relation to certain protective functions
- Fraud prevention when sharing data with anti-fraud agencies
- Anti-terrorism and anti-money laundering
- Safeguarding of children
- Processing of personal data for insurance purposes
When relying on any of these conditions it is important to carry out a full analysis of why the condition can be relied upon and to document that assessment to demonstrate accountability requirements are being fulfilled.
Law enforcement activities
Part 3 of the Act sets out the rules for processing of personal data for law enforcement purposes. This is an entirely separate regime to GDPR, although many of the requirements are similar. Unfortunately for organisations that carry out law enforcement activities this means that they need to comply with Part 3 of the Act in relation to law enforcement matters,and the GDPR and/or the remainder of the Act in relation to all other data processing activities.
If you need support navigating your way through the Act please get in touch.