Policy background
3 Data protection is needed to protect "personal data" which comprises data which relates to a living individual who can be identified from that data. The current law on data protection is found in the Data Protection Act 1998 ("the 1998 Act"), which regulates the processing of personal data. The 1998 Act protects the rights of individuals whom the data is about. The Bill updates these rights to make them easier to exercise and to ensure they continue to be relevant with the advent of more advanced data processing than today’s technology is capable of.
4 The Data Protection Bill ("the Bill") will replace the 1998 Act to provide a comprehensive legal framework for data protection in the UK, supplemented by the GDPR until the UK leaves the EU.
5 The Bill was announced in the Queen’s speech on 21 June 2017. It will implement commitments to update data protection laws made in the 2017 Conservative Manifesto. The Bill modernises data protection laws in the UK to meet the needs of our increasingly digital economy and society. On 24 August 2017 the Government published "The exchange and protection of personal data – a future partnership paper", setting out why the free flow of data is essential to the UK in future trading relationships.
6 While the UK remains a member of the EU, all the rights and obligations of EU membership remain in force. When the UK leaves the EU, the GDPR will be incorporated into the UK’s domestic law under the European Union (Withdrawal) Bill, currently before Parliament.
7 Personal data is increasingly stored, processed and exchanged on the internet and as such often exists in an international environment. It is therefore necessary for data protection standards to be consistent at an international level. The Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ("Convention 108") was signed by the UK on 14 May 1981. The Convention is open for all countries to sign, including states that are not members of the Council of Europe. On 1 November 2017, Tunisia will become the 51st Party to the Convention. The Council of Europe is in the process of preparing a modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data ("modernised Convention 108").
8 The UK’s data protection laws, therefore, need to interlock with international data protection arrangements. The 1998 Act implemented the European Data Protection Directive (Directive 95/46/EC). On 25 May 2018 the Directive will be replaced when the General Data Protection Regulation ((EU) 2016/679) ("the GDPR") applies.
9 The Bill is structured in seven parts. Part one contains preliminary matters. Part two contains provision extending the GDPR standards to areas outside EU competence (the "applied GDPR" scheme), with the exception of law enforcement and processing by the intelligence services. The Bill and the GDPR apply substantively the same standards to the majority of data processing in the UK, in order to create a clear and coherent data protection regime. It also sets out certain derogations that provide exemptions from the GDPR. Part three contains provision for law enforcement data processing and Part four provides likewise for data processing by the intelligence services. The remaining parts provide for the continuance of the Information Commissioner (the "Commissioner"), enforcement and offences, and supplementary provision.
General Data Protection Regulation
10 To fully understand the Government’s legislative intent as found in this Bill, it may be necessary to have some wider background understanding of the GDPR.
Definitions and scope
11 The GDPR changes some of the definitions that set the scope of data protection law. Like the 1998 Act, the GDPR applies to "personal data". The GDPR’s definition is more detailed and makes it clear that information such as an online identifier, for example a computer’s IP address, can be personal data. The more expansive definition expressly provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people. Also, personal data that has been pseudonymised, for example key-coded data, can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
12 The 1998 Act provides additional safeguards for "sensitive personal data" which includes personal data relating to race, political opinion, trade union membership, health, sex life and criminal records. The GDPR refers to sensitive personal data as "special categories of personal data". This extends the additional safeguards to specifically include genetic data, and biometric data where processed to uniquely identify an individual. Personal data relating to criminal convictions etc. is not included, but processing of this data outside of the control of official authority must be authorised by domestic law, which provides for safeguards.
Data protection principles
13 The 1998 Act sets out eight data protection principles and these are largely carried over to the GDPR as set out in the table below. The GDPR also provides a new accountability principle.
| Principle | Data Protection Act principles | General Data Protection Regulation principles |
|---|---|---|
| Lawfulness | i. Personal data shall be processed fairly and lawfully and according to conditions. | Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject. |
| Purpose | ii. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. | Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. |
| Data minimisation | iii. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. | Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. |
| Accuracy | iv. Personal data shall be accurate and, where necessary, kept up to date. | Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. |
| Storage | v. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. | Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. |
| Access | vi. Personal data shall be processed in accordance with the rights of data subjects. | The GDPR does not have an equivalent principle. Instead access rights are found separately in Chapter III of the GDPR. |
| Security | vii. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. | Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. |
| Overseas transfer | viii. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. | The GDPR does not have an equivalent principle. Instead overseas transfers of personal data are addressed separately in Chapter V. |
| Accountability | The 1998 Act does not have an equivalent principle. | The controller shall be responsible for, and be able to demonstrate, compliance with the principles. |
Lawfulness of processing
14 The primary means of acquiring a lawful basis to process personal data under the GDPR is to obtain the consent of the individual to whom the data relates. Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action. Consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and it is also a requirement to provide simple ways for people to withdraw consent.
15 Persons giving consent need to have a certain level of understanding of what they are being asked which is why the GDPR specifies that parents or guardians must give consent to personal data processing on behalf of young children using information society services. "Information society services" generally include commercial websites. The term is defined as any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services (see Article 1(1)(b) of EU Directive 2015/1535).
16 Consent is not the only way to enable processing of data. There may also be a contractual or other legal obligation that allows data to be processed without explicit consent. Data may be processed without consent where necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
17 As with the 1998 Act, data may also be processed where there is a "legitimate interest", although this can no longer be relied upon by public authorities. A legitimate interest may include processing for direct marketing purposes or for preventing fraud; transmission of personal data within a group of undertakings for internal administrative purposes, including client and employee data; processing for the purposes of ensuring network and information security; and reporting possible criminal acts or threats to public security to a competent authority.
18 Where explicit consent is not obtained, there are even more restrictive limitations on when data can be lawfully processed for special categories of personal data and criminal data.
Individuals’ rights
19 The rights that individuals have over their data in the 1998 Act are carried over to the GDPR, but in some cases these are strengthened and have been added to as set out in the table below.
| Right | Data Protection Act rights | General Data Protection Regulation rights |
|---|---|---|
| The right to be informed | The Act provides the right to ‘fair processing information’, typically given through a privacy notice. The information must include: • the identity of the data controller; • if the controller has nominated a representative, the identity of that representative; • the purpose or purposes for which the data are intended to be processed; and • any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair. | The GDPR sets out the information that should be supplied and when individuals should be informed. Articles 13 and 14 of the GDPR specify additional information, beyond that required under the 1998 Act, that should be supplied. |
| The right of access | The Act provides that an individual who makes a written request and pays a fee is entitled to be: told within 40 days whether any personal data is being processed; given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people; given a copy of the information comprising the data; and given details of the source of the data. | The GDPR provides a similar right, but the information must be provided free of charge, although a ‘reasonable fee’ may be applied when a request is manifestly unfounded or excessive, particularly if it is repetitive. The time limit to respond is one month, or three months in complex cases. |
| The right to rectification | Where personal data is inaccurate, the individual concerned has a right to apply to the court for an order to rectify, block, erase or destroy the inaccurate information. | Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. It must be done within one month, or three months in complex cases. Where no action is taken, individuals have the right to be informed of how to seek a judicial remedy. |
| The right to erasure | The Act does not provide the right to erasure, but an individual can apply to a court for an order for erasure of inaccurate personal data. | Individuals have a right to have personal data erased in specific circumstances: • where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed; • when the individual withdraws consent; • when the individual objects to the processing and there is no overriding legitimate interest for continuing the processing; • when the personal data was unlawfully processed; • when the personal data has to be erased in order to comply with a legal obligation; or • when the personal data is processed in relation to the offer of information society services to a child. |
| The right to restrict processing | The Act allows individuals to apply to a court for an order to block or suppress processing of personal data where it is inaccurate. When processing is restricted, it is permissible to store the personal data, but not to process it further. | Where it is claimed that data is inaccurate or the right to erasure has been exercised, individuals can require the controller to restrict processing until verification checks have been completed. Individuals may also require controllers to restrict processing where there is no legal basis for it, or where the data is only needed for legal claims. |
| The right to data portability | Not applicable. | The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. The personal data must be provided in a structured, commonly used and machine readable form. The information must be provided free of charge. |
| The right to object | The Act provides individuals with the right to object to the processing of personal data for direct marketing. | In addition to direct marketing, individuals have the right to object to processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling), and processing for purposes of scientific/historical research and statistics. |
| Rights in relation to automated decision making and profiling | The Act allows an individual access to information about the reasoning behind any decisions taken by automated means. An individual can give written notice requiring that automated decisions are not made using their personal data. Individuals can ask for a decision taken by automated means to be reconsidered. | The GDPR provides similar rights and additionally defines profiling as any form of automated processing intended to evaluate certain personal aspects of an individual. |
General processing
20 Chapter 2 of Part 2 of the Bill exercises a number of available derogations within the GDPR. On 12 April 2017 the Government published ‘Call for views on the General Data Protection Regulation derogations’ and on 7 August 2017 the responses received were published, together with a Statement of Intent.
Definitions
21 The key terms used in the GDPR are largely consistent with the 1998 Act but the Bill makes use of derogations where it is possible to achieve further consistency. Article 4(7) of the GDPR defines what is meant by a ‘controller’ as the legal or natural person that determines the purposes and means of the processing of personal data. This is similar to the 1998 Act, but section 1(4) of the 1998 Act goes further by clarifying who is the controller when processing is required under an enactment. The Bill ensures that the clarity in section 1(4) is preserved.
22 The term ‘public authority’ is not defined in the GDPR. For clarity and legal certainty the Bill adopts the definitions in the Freedom of Information Act 2000 ("the 2000 Act") and the Freedom of Information (Scotland) Act 2002.
Lawfulness of processing
23 The Bill is drafted to ensure that existing data processing can continue, subject to the enhanced rights provided by the GDPR.
24 Persons giving consent to the processing of personal data need to have a certain level of understanding of what they are being asked which is why the GDPR specifies that parents or guardians must give consent to personal data processing on behalf of young children using information society services. The GDPR allows the UK to set the threshold for the minimum age at which a child can consent to such data processing to any age between 13 years and 16 years. The 1998 Act is silent on this matter but the Commissioner’s guidance suggests, "Some form of parental consent would normally be required before collecting personal data from children under 12". As drafted, the Bill allows a child aged 13 years or older to consent to his or her personal data being processed by providers of information society services.
25 Processing of special categories of personal data (data concerning race, political opinions, health, etc. as described above) is generally prohibited unless explicit consent is obtained. However, the GDPR allows processing to take place in certain circumstances without consent and enables domestic law to stipulate the conditions and safeguards around this processing in certain cases. The processing of special categories of data and criminal conviction and offences data must be undertaken with adequate and appropriate safeguards to ensure the absolute protection of individuals’ most sensitive personal data. There are many circumstances where this sort of data is legitimately used including the pricing of risk in financial services and the operation of anti-doping programmes in sport. The Bill replicates the current provisions in the 1998 Act that allow the processing of this sort of data. The Bill provides equivalent provision as far as possible to allow for continued processing for ‘substantial public interest’ purposes, to ensure that organisations are able to continue lawfully processing data whilst also achieving a balance between individuals’ rights. The Bill aims to largely preserve the effect of paragraph 5 of Schedule 2 and of Schedule 3 to the 1998 Act as well as the Data Protection (Processing of Sensitive Personal Data) Order 2000 (SI 2000/417).
26 It is not possible to predict what future circumstances may arise which justify the processing of these particularly sensitive categories of data without explicit consent of the individual. For example, in 2009 the then Home Secretary established the Hillsborough Independent Panel to investigate the disaster which occurred on 15 April 1989. Some of the information held by public bodies within the scope of the Hillsborough disclosure exercise included sensitive personal data so the Secretary of State made the Data Protection (Processing of Sensitive Personal Data) Order 2012 (SI 2012/1978) to ensure that there was no room for doubt that it may be possible in an appropriate case for an individual or body to disclose such data. The Bill provides the Secretary of State with the necessary power to manage unforeseeable situations of this sort.
27 The GDPR gives individuals the right to object to decisions made about them solely on the basis of automated processing, where those decisions have legal or other significant effects. This includes processing where there is no human intervention, for example, when data is collected about an individual’s personal finances, which is then processed to calculate creditworthiness. The GDPR allows additional safeguards to protect consumers from inaccurate processing to be provided for in domestic legislation. The Bill replicates the additional safeguards provided within section 12(2) of the 1998 Act so that they continue to apply.
Individuals’ rights
28 There are some limited circumstances where it is appropriate to create exemptions to the usual rights that individuals have over personal data that relates to themselves. In the context of health, social work and education, there is sometimes information that is recorded about a person that is only given on the condition that it is not disclosed to the person. If all information was disclosable the information would not be given and this could result in safeguarding concerns. The 1998 Act and various orders made under powers in the Act provide exemptions to individuals’ rights. For example, the Data Protection (Subject Access Modification) (Health) Order 2000 (SI 2000/413) applies to personal data consisting of information as to the physical or mental health or condition of the individual. It covers Court proceedings, essentially preserving the confidentiality of certain reports provided to the Court in proceedings concerned with the care of children. The Bill ensures that exemptions of this sort continue to apply.
29 The 1998 Act also contains exemptions to disapply individual rights in relation to personal data held by regulatory bodies such as watchdogs performing functions concerned with protecting the public from incompetence, malpractice, dishonesty or seriously improper conduct, or concerning health and safety; charities; or fair competition in business. Without appropriate exemptions a corrupt official might be able to find out how his or her corruption is being exposed. Similarly the Government believes that exemptions should continue to exist to ensure that the judiciary have a ‘safe space’ in which to conduct their work, where they are free to make such records as they see fit whilst reaching their judgment, without fear that such records (such as annotations, recorded discussions) may be investigated or challenged by parties to proceedings. The Bill ensures that exemptions of this sort are available.
30 In some cases, there are also public policy reasons to limit individual rights where there are on-going investigations into their conduct. While investigations by law enforcement agencies are not covered by GDPR and the Bill will make separate provision (see below), there are instances where other investigations may benefit from exemptions from the requirement to apply individual rights. For example, section 29(1) of the 1998 Act enables Her Majesty’s Revenue and Customs ("HMRC") to withhold certain personal data on a case by case basis from an individual customer who submits a subject access request if providing that particular personal data would be likely to prejudice specified crime and taxation purposes. It also means that HMRC is not obliged to send a specific privacy notice to an individual customer when they obtain personal data from a third party if it would tip the customer off about an ongoing investigation into their tax affairs. The Bill makes equivalent provision.
31 The 1998 Act provides that personal data processed only for research, historical or statistical purposes is exempt from subject access requests. The Bill exercises all of the derogations in Article 89(2) and (3) of the GDPR to ensure that research organisations and archiving services do not have to respond to subject access requests when this would seriously impair or prevent them from fulfilling their purposes. Further, the Bill contains provision to exercise derogations so that research organisations do not have to comply with an individual’s rights to rectify, restrict further processing and object to processing where this would seriously impede their ability to complete their work, and providing that appropriate organisational safeguards are in place to keep the data secure. In effect, these derogations maintain the status quo.
32 As it is difficult to predict what matters may in future be considered important objectives of general public interest deserving protection, it is also difficult to predict what rights and obligations may need to be restricted in order to safeguard those objectives. The Bill therefore provides the Secretary of State with the power to make further exemptions in future.
Other general processing
33 Article 2(2) of the GDPR states that the Regulation does not apply to the processing of personal data in the course of an activity which falls outside the scope of Union law. To avoid data controllers being compelled to do an assessment of whether the activity they are engaged in falls inside or outside the scope of Union law, the Bill contains provision to extend the GDPR standards to data processing, other than processing caught by Part 3 (law enforcement) or Part 4 (intelligence services), to create a simple framework under which data controllers and processors can apply a single standard.
34 The Bill achieves this by applying the relevant Articles of the GDPR to general data outside the scope of Union law as set out in Schedule 6 (the applied GDPR scheme). In applying the Articles of the GDPR, the Bill simultaneously makes some modifications to the Articles to make them relevant to a context where Union law does not apply. While it is appropriate to apply the limitations and safeguards on data processing as well as the associated rights, references to Member States and EU institutions cannot be relevant and are removed.
35 When the UK leaves the EU there will no longer be a distinction between general data inside and outside the scope of Union law. The Government’s intention is that GDPR standards will continue to apply to data processing within the scope of Part 2. When the GDPR is brought within the UK’s domestic law using the powers in the European Union (Withdrawal) Bill, the Government expects to make provision to enable a single domestic legal basis to apply the GDPR data processing standards.
36 The GDPR does not apply to national security data processing and the Bill provides national security exemptions for data processing outside the scope of Union law.
Law enforcement processing
37 National security is outside the scope of EU law. As a result, the processing of personal data in connection with national security activities and processing by agencies or units dealing with national security issues is not within scope of the GDPR or the Law Enforcement Directive. Domestic processing of personal data for law enforcement purposes is currently governed by the 1998 Act. The transmitting of personal data for law enforcement purposes between Member States of the European Economic Area ("EEA") is governed by the provisions of Part 4 of the Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014 (SI 2014/3141) ("the 2014 Regulations"), which transposed into UK law Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters. Part 4 of the 2014 Regulations established a legal framework which applies to competent authorities in EEA States when transmitting or making available personal data to competent authorities in other EEA States for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. In such cases, Part 4 of the 2014 Regulations applies instead of the 1998 Act, except as provided for by that Part.
38 The GDPR does not apply to the processing of personal data by competent authorities (broadly the police and other criminal justice agencies) "for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and the prevention of threats to public security" (see Article 2(2)(d)). Instead, alongside the GDPR, the European Parliament and Council adopted the Law Enforcement Directive (EU) 2016/680 "on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA".
39 Unlike the GDPR, this Law Enforcement Directive ("LED") is not directly applicable EU law; accordingly Part 3 of the Bill (together with provisions in Parts 5 to 7 which apply across the GDPR, LED and intelligence services regimes) transposes the provisions of the LED into UK law.
40 The scope of the LED is provided for in Article 1 and concerns the processing of personal data by competent authorities for law enforcement purposes. A competent authority is any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. Further, a competent authority may also be any other body or entity entrusted by Member State law to exercise public authority and public powers for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. This definition covers not only all police forces, prosecutors and other criminal justice agencies in the UK, but also other organisations with law enforcement functions, such as Her Majesty’s Revenue and Customs, the Health and Safety Executive and the Office of the Information Commissioner.
41 While the LED only applies in relation to the cross-border processing of personal data for law enforcement purposes (see paragraph 57 below), Part 3 of the Bill also applies to the domestic processing of personal data for such purposes. This will ensure that there is a single domestic and trans-national regime for the processing of personal data for law enforcement purposes across the whole of the law enforcement sector. The provisions of the GDPR, together with the derogations in Chapter 2 of Part 2 of the Bill, will apply to the processing of personal data by law enforcement agencies for purposes other than law enforcement purposes, for example for internal personnel management/ human resources purposes.
42 Member States are required to adopt laws giving effect to the LED by 6 May 2018.
Intelligence services processing
43 Domestic processing of personal data by the intelligence services, comprising the Security Service, the Secret Intelligence Service and the Government Communications Headquarters, is currently governed by the 1998 Act. National security is outside the scope of EU law by virtue of Article 4(2) of the Treaty on European Union, which states that national security is the sole responsibility of each Member State. Therefore the processing of personal data in connection with national security activities and processing by agencies or units dealing with national security issues is not within scope of the GDPR, as a result of which the provisions of the GDPR were not designed to be applicable to the unique nature of intelligence service processing. Part 4 of the Bill therefore provides a data protection regime for the processing of personal data by the intelligence services based on the Council of Europe modernised, but yet to be agreed, Convention 108.
44 The 1998 Act is consistent with the current Convention 108 standards. Part 4 of the Bill will build on the existing regime by seeking to adopt the standards of the modernised Convention 108 to ensure that processing of personal data carried out by the intelligence services will be in line with anticipated future international standards. It provides for rules on processing personal data in the national security context whilst ensuring that the UK intelligence community can tackle existing, new and emerging national security threats.
45 As is the case currently under the 1998 Act, and consistent with that Act, the regime in Part 4 of the Bill will provide for adequate and proportionate exemptions from processing which can only be applied when necessary to safeguard national security. Also consistent with the 1998 Act there is provision for a certificate signed by a Minister of the Crown certifying that exemption from a specified requirement is necessary for the purpose of safeguarding national security to be conclusive evidence of that fact.
46 The intelligence services already comply with data handling obligations. These are supported by physical, technical and procedural controls which are overseen by the Investigatory Powers Commissioner and which are also aligned to the Cabinet Office Transforming Government Security Review. They include vetting of personnel, handling restrictions based on classification of data, firewalling and air gapping of internal IT and access restrictions.
47 The regulatory structure applying to the intelligence services is found in other legislation and already imposes restrictions on their activities, including in relation to their data handling practices. This includes the Security Service Act 1989, the Intelligence Services Act 1994, the Regulation of Investigatory Powers Act 2000 and the Investigatory Powers Act 2016 ("the 2016 Act"). For example, Part 7 of the 2016 Act provides for agency-specific warrants which are relevant to how the agencies hold and use bulk personal datasets. The 2016 Act also creates a number of offences which are applicable if an individual in an agency wrongly uses or discloses data obtained using the powers in that Act.
The Information Commissioner, enforcement and offences
48 The Commissioner heads the UK data protection supervisory authority. The Commissioner was originally the Data Protection Registrar as provided for by the Data Protection Act 1984. In the 1998 Act the office was renamed the Data Protection Commissioner and the 2000 Act established the current title for the post of Commissioner. The Bill repeals the 1998 Act and while the GDPR makes provision for the continuing existence of the supervisory authority, there are some matters in the 1998 Act that need to be carried over and therefore the Bill contains relevant provision.
49 The powers of the Commissioner to investigate and sanction responsible persons have changed and grown over time as all types of data, including personal data, are capable of being accessed, analysed, transmitted, and stored in dramatically different ways to 30 years ago. Under the 1998 Act, as enacted, the Commissioner could only serve enforcement notices and her powers to impose fines only came in the Criminal Justice and Immigration Act 2008 which enabled the Commissioner to issue a civil monetary penalty notice of up to £500,000 in respect of the most serious breaches. The GDPR now extends this so that the Commissioner can in the most serious cases issue a maximum fine of £18 million (€20 million) or 4 per cent of turnover. The Bill ensures that the Commissioner’s powers to issue fines are subject to certain safeguards, including as to the form of notice that is given, a right of appeal and information provided about how to exercise appeal rights.
50 Data protection law in the UK has always been accompanied by certain criminal offences relating to failure to comply with information notices, obtaining, disclosing or selling personal data without the data controller’s consent and general offences relating to compliance with warrants and misconduct of the Commissioner’s own officers. Most prosecutions are brought under section 55 of the 1998 Act, where a person knowingly or recklessly obtains, or discloses or procures, personal data without the data controller’s consent. The maximum penalty is an unlimited fine. The Bill reproduces many of the criminal offences in the 1998 Act with modifications to account for changes to the legal framework brought by the GDPR and introduces some new offences to deal with emerging threats.
51 In June 2016, Dame Fiona Caldicott, the National Data Guardian for Health and Care, published her Review of Data Security, Consent and Opt-Outs [3], recommending that the Government should criminalise the deliberate re-identification of individuals whose personal data is contained in anonymised data. On 1 March 2017, the Government published the UK Digital Strategy [4] and committed to create a new offence along these lines. The Bill provides for such an offence.
1 Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters.
2 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
3 National Data Guardian for Health and Care, Review of Data Security, Consent and Opt-Outs, 6 July 2016.
4 UK Digital Strategy, Policy paper, 1 March 2017.