Education HR Briefing - Edging closer to a UK Draft Data Protection Bill for GDPR Implementation

  • United Kingdom
  • Education - Briefings

10-08-2017

The Department for Digital, Culture, Media and Sport has this week published a “Statement of Intent” on the Data Protection Bill. This follows a “call for views” exercise which ran from 12 April until 10 May 2017. 7.1% of the organisations who responded were from the education sector.

For those hoping to see the draft Bill itself, sadly we will still have to wait until after the Summer. This document isn’t the draft Bill, but simply a statement of what the Government plans to do to keep in line with EU laws, so we are still left waiting to see the detailed wording of implementation. Once you read through the document you quickly realise that it largely restates provisions already found within the General Data Protection Regulation, which will come into force on 25 May 2018, and the Data Protection Law Enforcement Directive. There are nonetheless a few interesting points to note about the approach which the Government is proposing to take:

• There is a general theme of adopting the current DPA 1998 approach, to smooth the transition, where the drafting of the GDPR permits derogations and/or clarification is required. Examples include the lawful processing of sensitive or “special” category data, where the intent is to implement derogations to enable processing of that data in line with the current Schedule 3 permissions, and likewise carrying across the exemptions to notice and exercise of rights contained within the DPA. It is hoped, for example, that this might apply in the context of subject access requests. Similarly, clarification of what is public interest may be taken from paragraph 5 of Schedule 2 DPA (which includes, for example, where required to perform a duty conferred by law).

• Age of Consent – As expected, the UK Government will place the age at which parent or guardian approval is required for consent at 13.

• Right of erasure – the statements on the so-called “right to be forgotten” largely mirror the right of erasure in the GDPR, including references to some limitations in its application, but there continues to be commentary about giving people a right to require social media platforms to delete information they posted. The example given is that a post made as a child would normally be deleted upon request, subject to very narrow exemptions.

• Criminal background checks – the public interest in organisations being able to access criminal records in some circumstances is still recognised, and so the derogation in the GDPR to enable this will be relied upon to sustain the current system and approaches under the DPA, for example for insurance and so that background checks can be conducted by employers where there is access to vulnerable persons. More broadly, the lawful basis for use of criminal records will mirror that of sensitive personal data under Article 9(2).

• There will be a recognition that automated decision making or profiling is permissible as legitimate processing in some contexts. This ties in with the limitation on the right to object to automated decision-making in some contexts.

• On transfers, the Government will introduce clarity on the ability for international transfers to take place in a variety of circumstances, so that critical data sharing can take place.

• In relation to research, the Government states that it will ensure that research organisations do not have to respond to subject access requests when this would seriously impair or prevent them from fulfilling their purpose.

Perhaps the most eye-catching statements, however, are in respect of new criminal sanctions. Hitherto, UK data protection law has had some, albeit limited, criminal sanctions. Under the new proposals some more will be added:

• Widening the existing offence of unlawfully obtaining data to capture people who retain data against the wishes of the controller (even if they initially obtained it with consent). This is potentially very significant for data sharing arrangements, particularly for the data processors who are already struggling to come to terms with the new direct impacts of the GDPR. There have been recent data security breaches which have revealed retention far longer than customers had expected from their service providers. Specific drafting and controls should be considered to address this.

• Creating a new offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data – with an unlimited fine.

• Creating a new offence of altering records with intent to prevent disclosure following a subject access request – with an unlimited fine (level 5 fine in Scotland).

Overall – the message is that GDPR is coming and there is no appetite to weaken the protection. The need to continue to offer equivalent strong protection to data is recognised as important to the digital economy post-Brexit.

For more information contact

David O'Hara, Principal Associate
