17 March 2016
Reading the text of the General Data Protection Regulation has reminded me how useful it is to go back to the basic legal text and background material, specifically the UK Data Protection Act 1998 and the European Directive as well as the shiny new Regulation.
The latest page on our GDPR Updates microsite lists some of the significant definitions contained in the Data Protection Act 1998 and compares them to the definitions in the GDPR.
There are some changes to note:
- Online identifiers about the individual are specified as ‘personal data’ under the GDPR
- Genetic data is classed as a special category of data or sensitive personal data
- Consent must now be explicit and consist of an affirmative action in relation to both personal and sensitive personal data
- A ‘child’ is defined along the lines of the UN Convention on the Rights of the Child, although under the GDPR there are different provisions relating to children under the age of 16 in relation to the use of online services such as social media
- The Article 29 Working Party will be replaced by the European Data Protection Board, and the EDPB will have a broader remit
The significance of these differences, and of others where the changes are more subtle, will become more apparent as we see Guidance from the EDPB and the ICO over the next couple of years. The first ICO Guidance was published this week (www.dpreform.org.uk) but it does not provide a great deal of clarity yet. We do know that the EDPB will issue guidance in relation to the following areas this year:
- The new Portability Right
- The notion of high risk data and Data Protection Impact Assessments
- Data Protection Officers
We will provide updates in relation to these Guidance documents when they are available.
The UK Supreme Court also went back to data protection basics last week as it considered a challenge to a piece of Scottish legislation – the Children and Young People (Scotland) Act 2014 (“the 2014 Act”). This contains data sharing provisions which are broad and far-ranging, giving various parties the power to share data and obliging certain parties to share data, in some circumstances in breach of a duty of confidentiality.
In brief, the 2014 Act provides that from August 2016 there will be a Named Person for every child in Scotland. The Named Person’s function is to promote, support or safeguard the wellbeing of the child or young person. Wellbeing is defined using the catchy acronym SHANARRI which stands for:
Safe; Healthy; Achieving; Nurtured; Active; Respected; Responsible; Included
These are the characteristics which are to be assessed in order to establish the child’s wellbeing.
In order to do that, section 26 of the 2014 Act states that the Named Person and other service providers must share information with each other if it is likely to be relevant to the functions of the Named Person, i.e. information likely to be relevant to the wellbeing of the child. It is not necessary to obtain the consent of the child, or of the parent where relevant, although there is a requirement to have regard to the views of the child depending on maturity, and the person sharing the information must weigh the benefit against the adverse effect on the child’s wellbeing when sharing it.
The 2014 Act also provides a discretionary power to share such information under other circumstances.
Finally section 26(11) of the 2014 Act states:
“ … this section does not permit or require the provision of information in breach of a prohibition or restriction on the disclosure of information arising by virtue of an enactment or rule of law.”
The Guidance issued by the Government indicates that this subsection refers to compliance with the Data Protection Act 1998 and the European Convention on Human Rights. Therefore, in order for the obligation to share information to be within the law, the Named Person and other service providers must comply with the Data Protection Act 1998. In order to share personal data, one of the schedule 2 processing conditions must apply, and in order for sensitive personal data to be shared, one of the schedule 3 processing conditions must also apply. The eight data protection principles must be complied with as well.
I understand that before the Supreme Court the Lord Advocate submitted that the following processing conditions were relevant to sharing data:
Schedule 2 processing conditions
Paragraph 3: “The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.”
Paragraph 5: “The processing is necessary … (b) for the exercise of any functions conferred on any person by or under any enactment …”
Schedule 3 processing condition
Paragraph 7: “(1) The processing is necessary … (b) for the exercise of any functions conferred on any person by or under an enactment …”
In relation to personal data, the two schedule 2 processing conditions set out above could allow the sharing envisaged under the 2014 Act. The condition under paragraph 3 is generally understood to allow processing where there is an obligation to share under the legislation. By contrast, the condition under paragraph 5 allows processing where there is a discretion about sharing data. Otherwise, logically, there would be no need for both conditions to exist. I do not think that this was discussed before the Supreme Court.
However in relation to the processing of sensitive data I understand that the Lord Advocate submitted that the processing condition at paragraph 7 of schedule 3 allows the sharing as set out in section 26 of the 2014 Act. I am not sure that it does, specifically in relation to the obligation set out in section 26. I hope that the Supreme Court clarifies this.
It was, however, noted by the Supreme Court that paragraph 7 of schedule 3 is not set out in Article 8 of the Directive and of course the Scottish Government has an obligation to ensure that its legislation complies with EU law and therefore must comply with the Directive.
Article 7 of the Directive sets out the processing conditions for personal data and is transposed neatly into the DPA.
Article 8(2) sets out the exemptions which provide when sensitive personal data can be processed, but it does not include the provision set out in paragraph 7 of Schedule 3 – that the processing is necessary for the exercise of any functions conferred on any person by or under an enactment. However, Article 8(4) allows Member States to provide for additional processing conditions, subject to the provision of suitable safeguards, if there is a substantial public interest. Article 8(6) then provides that any such derogation must be notified to the Commission.
It was noted by the Supreme Court that section 26 of the 2014 Act was not notified to the Commission, and it was also submitted by those challenging the legislation that the 2014 Act did not provide the appropriate safeguards. There was also discussion in the Supreme Court about data protection and the Directive being a matter reserved to the UK Government, and about whose responsibility it was to notify the Commission – the Scottish Government’s or the UK Government’s?
I do not intend to answer these questions as the Supreme Court is rather more qualified than me to do so. Whatever the outcome of the legal challenge (The Christian Institute and others v The Lord Advocate (Scotland)) I have enjoyed looking at the text of the DPA and the Directive in detail again.
See more about what BTO’s Data Protection Defence Team can do for you here.