The first draft of the UK’s Data Protection Bill was published last week. Its main purpose is to transpose the General Data Protection Regulation (GDPR) into UK law; the GDPR comes into force in the UK in May 2018.
There are a number of provisions within GDPR which EU member states are allowed to adapt, such as those relating to obtaining consent from minors, processing various categories of personal data in sector-specific circumstances, and conditions for processing health, genetic and biometric data. There will also be new offences for the misuse of personal data.
The Bill also gives an indication of the government’s plans to deal with direct marketing, data sharing, and new charging regimes for fees related to subject access requests and fines for breaches of, and non-compliance with, the new data protection laws. These will be published by the ICO as codes of practice for direct marketing and data sharing activities, and as guidance for fees and fines.
Here are some highlights of these UK-specific provisions:
• Children from age 13 can give consent to processing of their online personal data.
• Certain rights of data subjects (such as the so-called “right to be forgotten” and informing individuals about how their data will be processed) will be restricted when processing data for specified activities, including crime and taxation, protecting the public, charities, legal proceedings, fair competition in business, certain obligations of confidentiality, freedom of expression and information in journalistic, academic and artistic works, and health and children’s services.
• There are safeguarding requirements for processing sensitive personal data and data about criminal offences and convictions under specific situations. These situations include employment, “substantial public interest”, health or social care, public health, and processing for scientific or historical research, archiving and statistical work in the public interest.
• Two new offences will be created for the re-identification of de-identified personal data (such as encrypted or anonymised data), and altering personal data to prevent disclosure for a subject access request. Current offences under the DPA for unlawful misuse or selling of personal data will remain under the new Bill.
Impact on marketing activities
For businesses still awaiting guidance on how to process personal data lawfully for lead generation and marketing to potential customers, the lack of explicit provisions for direct marketing in the Bill is likely to disappoint. With the new rules around obtaining consent under the GDPR, it is a given that businesses will worry about how to obtain legally compliant consents for their marketing activities. For the time being, these businesses will continue facing the same challenges justifying their marketing activities under the “legitimate interests” basis without overriding the receiving individual’s interests, rights and freedoms.
Impact for employers
Obtaining consent to process an employee’s data continues to be problematic under the GDPR; it states that consent cannot be freely given when there is a “clear imbalance between the data subject and controller.” In order to process employees’ sensitive personal data and data about criminal offences and convictions as required under employment law, the employer must have a policy document in place setting out how it will comply with the data protection principles, how long the employee data will be retained, and when it will be deleted. The policy must be retained, reviewed and updated, and made available to the ICO upon request, from when processing first begins until 6 months after the processing ends. In essence, employers must prepare or update their internal privacy policies if they are to continue processing employee information containing sensitive personal data or criminal records.
Concerns for IT security research & testing
The risk of committing an offence for re-identifying data—albeit for legitimate purposes such as improving cybersecurity—is a particular concern for the IT security community. However, the Department for Digital, Culture, Media & Sport have confirmed that no offence will be committed if the re-identification performed by an IT security provider was carried out on behalf of the data controller who de-identified the data. In addition, the defences stated under this offence would permit re-identification research and testing that is necessary for law enforcement purposes, to comply with legal obligations (such as common law duties), or is justified in the public interest. Therefore, IT security firms engaged to perform this type of work should aim to protect their position by ensuring that the work is documented in their data processing agreements with their customers.
What happens next?
The second reading of the Bill will take place in the House of Lords on 10 October. At the conclusion of further readings, debates, and proposed amendments by both Houses of Parliament, the Bill will eventually be approved and become the new Data Protection Act, repealing the Data Protection Act 1998. For the time being, the Bill will operate alongside the GDPR until the UK leaves the EU, after which the UK will be governed by the new Data Protection Act and any related domestic data protection legislation.
Organisations will process personal data in order to run their business (even if it’s only receiving someone’s email address); it is in the interest of UK businesses to engage with the new data protection laws in a similar manner to the culture developed around health & safety in the workplace. As the Bill passes through Parliament, it will provide increasing clarity to any organisation required or compelled to process and safeguard personal data to the GDPR standard. Inevitably, this will include a significant number of businesses that want to continue trading with their UK counterparts after Brexit.
This commentary has been prepared for the purpose of an article only. It should not be regarded as a substitute for taking legal advice.