Policy background
- Data protection is needed to protect "personal data" which comprises data which relates to a living individual who can be identified from that data. The previous law on data protection was found in the Data Protection Act 1998 ("the 1998 Act"), which regulated the processing of personal data. The 1998 Act protected the rights of individuals to whom the data related.
- The new Act replaces the 1998 Act to provide a comprehensive legal framework for data protection in the UK, in accordance with the General Data Protection Regulation ((EU) 2016/679) ("GDPR"). It updates the rights provided for in the 1998 Act to make them easier to exercise and to ensure they continue to be relevant with the advent of more advanced data processing methods.
- The Act implements commitments to update data protection laws made in the 2017 Conservative Manifesto and modernises data protection laws in the UK to meet the needs of our increasingly digital economy and society.
- Personal data is increasingly stored, processed and exchanged on the internet and as such often exists in an international environment. It is therefore necessary for data protection standards to be consistent at an international level. The Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ("Convention 108") was signed by the UK on 14 May 1981. The Convention is open for all countries to sign, including states that are not members of the Council of Europe. On 1 November 2017, Tunisia became the 51st Party to the Convention. The Committee of Ministers of the Council of Europe adopted a modernised Convention for the Protection of Individuals with Regard to the Processing of Personal Data ("modernised Convention 108") on 18 May 2018. The modernised treaty will be opened for signature on 25 June 2018. The Act has been designed so as to be consistent with the modernised Convention 108.
- The UK’s data protection laws, therefore, need to interlock with international data protection arrangements. In addition to Convention 108, the 1998 Act implemented the European Data Protection Directive (Directive 95/46/EC) ("the 1995 Directive"). On 25 May 2018 the Directive will be replaced when the GDPR begins to apply.
- While the UK remains a member of the EU, all the rights and obligations of EU membership remain in force. When the UK leaves the EU, the GDPR will be incorporated into the UK’s domestic law under the European Union (Withdrawal) Bill, currently before Parliament.
- On 24 August 2017 the Government published ‘The exchange and protection of personal data – a future partnership paper’ setting out why the free flow of data is essential to the UK in future trading relationships.
- The Act is structured in seven parts. Part 1 contains preliminary matters. Part 2 must be read alongside the GDPR and sets out certain derogations from the GDPR. This Part also contains provision extending the GDPR standards to areas outside EU competence (the "applied GDPR" scheme), with the exception of law enforcement and processing by the intelligence services. Part 3 contains provision for law enforcement data processing and Part 4 provides likewise for data processing by the intelligence services. The remaining parts are concerned with the Information Commissioner (the "Commissioner"), enforcement and offences, and supplementary provision.
General Data Protection Regulation
- To fully understand the Government’s legislative intent as found in this Act, it may be necessary to have some wider background understanding of the GDPR.
Definitions and scope
- The GDPR changes some of the definitions that set the scope of data protection law. Like the 1998 Act before it, the GDPR applies to "personal data". The GDPR’s definition is more detailed and makes it clear that information such as an online identifier, for example a computer’s IP address, can be personal data. The more expansive definition expressly provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people. Personal data that has been pseudonymised, for example key-coded data, can fall within the scope of the GDPR if it is still possible to attribute the pseudonym to a particular individual.
- The 1998 Act provided additional safeguards for "sensitive personal data", which included personal data relating to race, political opinion, trade union membership, health, sex life and criminal records. The GDPR refers to sensitive personal data as "special categories of personal data". This extends the additional safeguards to specifically include genetic data and biometric data where processed to uniquely identify an individual. Personal data relating to criminal convictions etc. is not included, but processing of this data outside of the control of official authority must be authorised by domestic law, which provides for safeguards.
Data protection principles
- The 1998 Act sets out eight data protection principles and these are largely carried over to the GDPR as set out in the table below. The GDPR also provides a new accountability principle.
Table: the former Data Protection Act 1998 principles and the new General Data Protection Regulation principles
Lawfulness
- 1998 Act (principle i): Personal data shall be processed fairly and lawfully and according to conditions.
- GDPR: Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Purpose
- 1998 Act (principle ii): Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- GDPR: Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Data minimisation
- 1998 Act (principle iii): Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- GDPR: Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy
- 1998 Act (principle iv): Personal data shall be accurate and, where necessary, kept up to date.
- GDPR: Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Storage
- 1998 Act (principle v): Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- GDPR: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
Access
- 1998 Act (principle vi): Personal data shall be processed in accordance with the rights of data subjects.
- GDPR: The GDPR does not have an equivalent principle. Instead, access rights are found separately in Chapter III of the GDPR.
Security
- 1998 Act (principle vii): Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- GDPR: Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Overseas transfer
- 1998 Act (principle viii): Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
- GDPR: The GDPR does not have an equivalent principle. Instead, overseas transfers of personal data are addressed separately in Chapter V.
Accountability
- 1998 Act: The 1998 Act does not have an equivalent principle.
- GDPR: The controller shall be responsible for, and be able to demonstrate, compliance with the principles.
Lawfulness of processing
- Article 6 of the GDPR sets out the different legal bases under which personal data can be lawfully processed. A common way of acquiring a lawful basis to process personal data under the GDPR is to obtain the consent of the individual to whom the data relates. Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action. Consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and it is also a requirement to provide simple ways for people to withdraw consent.
- Persons giving consent need to have a certain level of understanding of what they are being asked which is why the GDPR specifies that parents or guardians must give consent to personal data processing on behalf of young children using information society services. "Information society services" generally include commercial websites. The term is defined as any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services (see Article 1(1)(b) of EU Directive 2015/1535).
- Consent is not the only way to enable processing of personal data. As an alternative to consent, there may be a contractual or other legal obligation that allows data to be processed. Data may also be processed without consent where necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- As with the 1998 Act, data may also be processed where there is a "legitimate interest", although this can no longer be relied upon by public authorities when performing their public tasks. A legitimate interest may include processing for direct marketing purposes or preventing fraud; transmission of personal data within a group of undertakings for internal administrative purposes, including client and employee data processing for the purposes of ensuring network and information security and reporting possible criminal acts or threats to public security to a competent authority.
- Where explicit consent is not obtained, there are additional limitations on when data can be lawfully processed for special categories of personal data and personal data relating to criminal convictions etc.
Individuals’ rights
- The rights that individuals had over their data in the 1998 Act are carried over to the GDPR, but in some cases these are strengthened and have been added to as set out in the table below.
Table: former Data Protection Act 1998 rights and the new General Data Protection Regulation rights
The right to be informed
- 1998 Act: The 1998 Act provided the right to ‘fair processing information’, typically given through a privacy notice. The information had to include:
  ·the identity of the data controller,
  ·if the controller has nominated a representative, the identity of that representative,
  ·the purpose or purposes for which the data are intended to be processed, and
  ·any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.
- GDPR: The GDPR sets out the information that should be supplied and when individuals should be informed. Articles 13 and 14 of the GDPR specify additional information, beyond that required under the 1998 Act, that should be supplied.
The right of access
- 1998 Act: The 1998 Act provided that an individual who makes a written request and pays a fee is entitled to be: told within 40 days whether any personal data is being processed; given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people; given a copy of the information comprising the data; and given details of the source of the data.
- GDPR: The GDPR provides a similar right, but the information must be provided free of charge, although a ‘reasonable fee’ may be applied when a request is manifestly unfounded or excessive, particularly if it is repetitive. The time limit to respond is one month, or three months in complex cases.
The right to rectification
- 1998 Act: Where the personal data held about them was inaccurate, the individual concerned had a right to apply to the court for an order to rectify, block, erase or destroy the inaccurate information.
- GDPR: Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. It must be done within one month, or three months in complex cases. Where no action is taken, individuals have the right to be informed of how to seek a judicial remedy.
The right to erasure
- 1998 Act: The 1998 Act did not provide the right to erasure, but an individual could apply to a court for an order for erasure of inaccurate personal data.
- GDPR: Individuals have a right to have personal data erased in specific circumstances:
  ·where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed;
  ·when the individual withdraws consent;
  ·when the individual objects to the processing and there is no overriding legitimate interest for continuing the processing;
  ·when the personal data was unlawfully processed;
  ·when the personal data has to be erased in order to comply with a legal obligation; or
  ·when the personal data is processed in relation to the offer of information society services to a child.
The right to restrict processing
- 1998 Act: The 1998 Act allowed individuals to apply to a court for an order to block or suppress processing of personal data where it is inaccurate. When processing was restricted, it was permissible to store the personal data, but not further process it.
- GDPR: Where it is claimed that data is inaccurate, individuals can require the controller to restrict processing until verification checks have been completed. Individuals may also require controllers to restrict processing where the controller no longer needs the personal data (other than for legal claims).
The right to data portability
- 1998 Act: Not applicable.
- GDPR: The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services where processing is based on consent or performance of a contract. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability. The personal data must be provided in a structured, commonly used and machine readable form. The information must be provided free of charge.
The right to object
- 1998 Act: The 1998 Act provided individuals with the right to object to the processing of personal data for direct marketing.
- GDPR: In addition to being able to object to direct marketing, individuals have the right to object to processing (including profiling) based on legitimate interests or the performance of a task in the public interest/exercise of official authority, and processing for purposes of scientific/historical research and statistics.
Rights in relation to automated decision making and profiling
- 1998 Act: The 1998 Act allowed an individual access to information about the reasoning behind any decisions taken by automated means. An individual could give written notice requiring that automated decisions are not made using their personal data. Individuals could ask for a decision taken by automated means to be reconsidered.
- GDPR: The GDPR provides similar rights and additionally defines profiling as any form of automated processing intended to evaluate certain personal aspects of an individual.
General processing
- Chapter 2 of Part 2 of the Act exercises a number of available derogations within the GDPR. On 12 April 2017 the Government published ‘Call for views on the General Data Protection Regulation derogations’ and on 7 August 2017 the responses received were published, together with a Statement of Intent.
Definitions
- The key terms used in the GDPR are largely consistent with the 1998 Act but the new Act makes use of derogations where it is possible to achieve further consistency. Article 4(7) of the GDPR defines what is meant by a ‘controller’ as the legal or natural person that determines the purposes and means of the processing of personal data. This is similar to the 1998 Act, but section 1(4) of the 1998 Act goes further by clarifying who is the controller when processing is required under an enactment. The new Act ensures that the clarity in section 1(4) is preserved.
- The term ‘public authority’ is not defined in the GDPR. For clarity and legal certainty the Act adopts the definitions in the Freedom of Information Act 2000 ("the 2000 Act") and the Freedom of Information (Scotland) Act 2002, subject to two qualifications. First, public authorities are only to be treated as public authorities for the purposes of the GDPR when they are carrying out a task in the public interest or in the exercise of official authority vested in them. Second, the Act specifically excludes parish councils, community councils and similar bodies from the definition because, in the government’s view, these bodies are very small in terms of personnel, budget and the volume of personal data processed, such that the additional safeguards that public authorities normally have to apply would be disproportionate in these instances.
Lawfulness of processing
- The Act is drafted to ensure that existing data processing can continue, subject to the enhanced rights provided by the GDPR.
- Persons giving consent to the processing of personal data need to have a certain level of understanding of what they are being asked which is why the GDPR specifies that parents or guardians must give consent to personal data processing on behalf of young children using information society services. The GDPR allows the UK to set the threshold for the minimum age at which a child can consent to such data processing to any age between 13 years and 16 years. The 1998 Act was silent on this matter but the Commissioner’s guidance suggested that some form of parental consent would normally be required before collecting personal data from children under 12. The new Act allows a child aged 13 years or older to consent to his or her personal data being processed by providers of information society services.
- Processing of special categories of personal data (data concerning race, political opinions, health, etc. as described above) is generally prohibited unless explicit consent is obtained. However, the GDPR allows processing to take place in certain circumstances without explicit consent and enables domestic law to stipulate the conditions and safeguards around this processing in certain cases. The processing of special categories of data and criminal conviction and offences data must be undertaken with adequate and appropriate safeguards to ensure the absolute protection of individuals’ most sensitive personal data. There are many circumstances where this sort of data is legitimately used, including the pricing of risk in financial services and the operation of anti-doping programmes in sport. The Act replicates the former provisions in the 1998 Act that allowed the processing of this sort of data. The new Act provides equivalent provision as far as possible to allow for continued processing for ‘substantial public interest’ purposes, to ensure that organisations are able to continue lawfully processing data while balancing this against individuals’ rights, and also makes some new provision. The Act aims to largely preserve the effect of paragraph 5 of Schedule 2 and of Schedule 3 to the 1998 Act, as well as the Data Protection (Processing of Sensitive Personal Data) Order 2000 (S.I. 2000/417).
- It is not possible to predict what future circumstances may arise which justify the processing of these particularly sensitive categories of data without explicit consent of the individual. For example, in 2009 the then Home Secretary established the Hillsborough Independent Panel to investigate the disaster which occurred on 15 April 1989. Some of the information held by public bodies within the scope of the Hillsborough disclosure exercise included sensitive personal data so the Secretary of State made the Data Protection (Processing of Sensitive Personal Data) Order 2012 (S.I. 2012/1978) to ensure that there was no room for doubt that it may be possible in an appropriate case for an individual or body to disclose such data. The Act provides the Secretary of State with the necessary power to manage unforeseeable situations of this sort.
- The GDPR gives individuals the right not to be subject to a decision based solely on automated processing, including profiling, which has legal or other significant effects for him or her, unless that decision is necessary for contractual purposes, authorised by law and appropriate safeguards are in place, or based on consent. Automated processing is processing where there is no human intervention, for example, when data is collected about an individual’s personal finances, which is then processed according to an algorithm to decide creditworthiness. In those cases in which automated decision making is allowed, the GDPR requires additional safeguards to be put in place to protect individuals from inaccurate processing. The Act substantively replicates the additional safeguards provided within section 12(2) of the 1998 Act and ensures they are consistent with relevant provisions of the GDPR itself.
Individuals’ rights
- There are some limited circumstances where it is appropriate to create exemptions to the usual rights that individuals have over their personal data. The Act ensures that exemptions in the 1998 Act continue to apply, as well as introducing a number of new restrictions.
- The 1998 Act contained exemptions to disapply individual rights in relation to personal data held by regulatory bodies performing functions concerned with protecting the public from incompetence, malpractice, dishonesty or seriously improper conduct, or concerning health and safety; charities; or ensuring fair competition in business. For example, without appropriate exemptions a corrupt official might be able to find out how his or her corruption is being exposed. Similarly exemptions exist to ensure that the judiciary have a ‘safe space’ in which to conduct their work, where they are free to make such records in the course of reaching their judgment, without fear that such records (such as annotations, recorded discussions) may be investigated or challenged by parties to proceedings. The Act ensures that exemptions of this sort continue to be available.
- In some cases, there are also public policy reasons to limit individual rights where there are on-going investigations into their conduct. While investigations by law enforcement agencies are not covered by the GDPR and are provided for separately in the Act, there are instances where other investigations may benefit from exemptions from the requirement to apply individual rights. For example, section 29(1) of the 1998 Act enabled Her Majesty’s Revenue and Customs ("HMRC") to withhold certain personal data on a case by case basis from an individual customer who submitted a subject access request if providing that personal data would be likely to prejudice specified crime and taxation purposes. It also meant that HMRC was not obliged to send a privacy notice to an individual when obtaining personal data from a third party if it would tip them off about an ongoing investigation into their tax affairs. The Act makes equivalent provision.
- In the context of health, social work and education, there is sometimes information that is recorded about a person that is given on the condition that it is not disclosed to the person. If such information were disclosable, it would not be given. This could, for example, result in safeguarding concerns or limit a Court’s ability to properly assess the best interests of the child in proceedings concerned with the care of children. Disclosure of personal data could also result in serious harm to the data subject or another individual. The 1998 Act and various orders made under powers in the Act provided exemptions in respect of health, social work and education data. For example, the Data Protection (Subject Access Modification) (Health) Order 2000 (S.I. 2000/413) applied to personal data consisting of information as to the physical or mental health or condition of the data subject. The Act ensures that exemptions of this sort continue to apply.
- The 1998 Act provided that personal data processed only for research, historical or statistical purposes could be exempted from subject access requests, subject to its being processed in compliance with certain conditions. The new Act exercises all of the derogations in Article 89(2) and (3) of the GDPR, and retains the relevant conditions, to ensure that research organisations and archiving services do not have to respond to subject access requests when this would seriously impair or prevent them from fulfilling their purposes. Further, the Act contains provision to exercise derogations so that research organisations do not have to comply with an individual’s rights to rectify, restrict further processing and object to processing where this would seriously impede their ability to complete their work, provided that appropriate organisational safeguards are in place to keep the data secure.
- As it is difficult to predict what matters may in future be considered important objectives of general public interest deserving protection, it is also difficult to predict what rights and obligations may need to be restricted in order to safeguard those objectives. The Act therefore provides the Secretary of State with the power to make further exemptions in future.
Other general processing
- Article 2(2) of the GDPR states that the Regulation does not apply to the processing of personal data in the course of an activity which falls outside the scope of Union law. To avoid data controllers being compelled to do an assessment of whether the activity they are engaged in falls inside or outside the scope of Union law, the Act contains provision to extend GDPR standards to data processing, other than processing falling within Part 3 (law enforcement processing) or Part 4 (intelligence services processing), to create a simple framework under which data controllers and processors can apply a single standard.
- The Act achieves this by applying the Articles of the GDPR to general data outside the scope of Union law. Schedule 6 modifies those Articles to make them relevant to a context where Union law does not apply, creating "the applied GDPR". While it is appropriate to apply the limitations and safeguards on data processing as well as the associated rights, references to Member States and EU institutions are not relevant and are removed or amended.
Law enforcement processing
- The GDPR does not apply to the processing of personal data by competent authorities (broadly the police and other criminal justice agencies) "for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and the prevention of threats to public security" (see Article 2(2)(d)). Instead, alongside the GDPR, the European Parliament and Council adopted the Law Enforcement Directive (EU) 2016/680 "on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA" ("LED").
- Unlike the GDPR, the LED is not directly applicable EU law; accordingly Part 3 of the Act (together with provisions in Parts 5 to 7 which apply across the GDPR, LED and intelligence services regimes) transposes the provisions of the LED into UK law.
- The scope of the LED is provided for in Article 1 and concerns the processing of personal data by competent authorities for law enforcement purposes. A competent authority is any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. Further, a competent authority may also be any other body or entity entrusted by Member State law to exercise public authority and public powers for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. This definition covers not only all police forces, prosecutors and other criminal justice agencies in the UK, but also other organisations with incidental law enforcement functions, such as Her Majesty’s Revenue and Customs, the Health and Safety Executive and the Office of the Information Commissioner.
- While the LED only applies in relation to the cross-border processing of personal data for law enforcement purposes (see below), Part 3 of the Act also applies to domestic law enforcement processing. This will ensure that there is a single domestic and trans-national regime for all law enforcement processing. The provisions of the GDPR, together with the derogations in Chapter 2 of Part 2 of the Act, will apply to the processing of personal data by law enforcement agencies for purposes other than law enforcement purposes, for example where the controller determines that the processing is for internal personnel management/human resources purposes.
Intelligence services processing
- National security is outside the scope of EU law by virtue of Article 4(2) of the Treaty on European Union, which states that national security is the sole responsibility of each Member State. Therefore the processing of personal data in connection with national security activities and processing by agencies or units dealing with national security issues is not within scope of the GDPR or LED.
- Domestic processing of personal data by the intelligence services, comprising the Security Service, the Secret Intelligence Service and the Government Communications Headquarters, is currently governed by the 1998 Act. Part 4 of the new Act builds on the existing regime by seeking to adopt the standards of the modernised Convention 108 (which does apply to national security data processing) to ensure that processing of personal data carried out by the intelligence services will be in line with future international standards. It provides for rules on processing personal data in the national security context whilst ensuring that the UK intelligence community can tackle existing, new and emerging national security threats.
- As was the case previously under the 1998 Act, the regime in Part 4 of the Act provides for exemptions from certain provisions in the Act where necessary to safeguard national security. Also consistent with the approach in the 1998 Act, there is provision for a certificate signed by a Minister of the Crown certifying that exemption from a specified requirement is necessary for the purpose of safeguarding national security to be conclusive evidence of that fact.
- The intelligence services already comply with data handling obligations. These are supported by physical, technical and procedural controls which are overseen by the Investigatory Powers Commissioner and which are also aligned to the Cabinet Office Transforming Government Security Review. They include vetting of personnel, handling restrictions based on classification of data, firewalling and air gapping of internal IT and access restrictions.
- The regulatory structure applying to the intelligence services is found in other legislation and already imposes restrictions on their activities, including in relation to their data handling practices. This includes the Security Service Act 1989, the Intelligence Services Act 1994, the Regulation of Investigatory Powers Act 2000 and the Investigatory Powers Act 2016 ("the 2016 Act"). For example, Part 7 of the 2016 Act provides for agency-specific warrants which are relevant to how the agencies hold and use bulk personal datasets. The 2016 Act also creates a number of offences which apply if an individual in an agency wrongly uses or discloses data obtained using the powers in that Act.
The Information Commissioner, enforcement and offences
- The Act provides for the Commissioner to continue as the supervisory authority in the UK in relation to the protection of personal data (see sections 115(1) and 116(1)).
- The powers of the Commissioner to investigate and sanction data protection breaches have changed and grown over time, as all types of data, including personal data, are capable of being accessed, analysed, transmitted and stored in dramatically different ways to 30 years ago. Under the 1998 Act, as originally enacted, the Commissioner could only serve enforcement notices; her powers to impose fines were only introduced under the Criminal Justice and Immigration Act 2008, which enabled the Commissioner to issue a civil monetary penalty notice of up to £500,000 in respect of the most serious breaches. The GDPR, and the Act, confer new powers on the Commissioner to impose a maximum fine of £17 million (€20 million) or 4 per cent of turnover in the most serious cases. The GDPR and the LED require fines to be effective, proportionate and dissuasive in each individual case. The Act ensures that the Commissioner's powers to issue fines are subject to certain safeguards, including a requirement for the penalty notice to be preceded by a notice of intent, for the opportunity to make representations against a proposed fine, and for information to be given about the right of appeal under the Act in relation to any penalty notice subsequently issued or the amount specified in that notice.
- The 1998 Act included certain criminal offences relating to making a false statement in response to an information notice, obtaining or disclosing personal data without the data controller's consent, and general offences relating to compliance with warrants etc. and misconduct by the Commissioner's own officers. Most prosecutions were brought under section 55 of the 1998 Act, where a person knowingly or recklessly obtained, disclosed or procured the disclosure of personal data without the data controller's consent. The maximum penalty was an unlimited fine. The Act reproduces many of the criminal offences in the 1998 Act, with modifications to account for changes to the legal framework brought by the GDPR, and introduces a small number of new offences to deal with emerging threats.
- In June 2016, Dame Fiona Caldicott, the National Data Guardian for Health and Care, published her Review of Data Security, Consent and Opt-Outs [2], recommending that the Government should criminalise the deliberate re-identification of individuals whose personal data is contained in anonymised data. On 1 March 2017, the Government published the UK Digital Strategy [3] and committed to create a new offence along these lines. The Act provides for such an offence in section 171.
[1] Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA
[2] National Data Guardian for Health and Care, Review of Data Security, Consent and Opt-Outs, 6 July 2016
[3] UK Digital Strategy, Policy paper, 1 March 2017