08 August 2017
The Government published its Statement of Intent yesterday in relation to the new Data Protection Bill anticipated in September 2017. This had been mentioned by the Queen, no less, in her speech following the 2017 General Election. This was also published taking into account the views expressed by those responding to the consultation exercise which took place earlier this year identifying the areas where the UK Government can derogate from the provisions in the GDPR.
Whilst there was little clarification contained in this statement, we can now say that the following issues are clear/clearer.
There will be three new criminal offences:
- Intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data
- Altering records with a view to preventing disclosure following a subject access request; and
- Widening the offence of unlawfully obtaining data
In relation to sentencing, it appears that imprisonment will not be an option for offences under the new Data Protection Act and that fines will remain the only option in relation to sentencing.
The Government has clarified that children aged 13 and over can provide consent to their personal data being processed. This also means that they can make subject access requests on their own behalf and indeed, once a child has reached 13, parents should not be provided with their child’s personal data without their consent. One for schools to be aware of.
Processing of Criminal Conviction and Offence Data
There is an exemption in relation to this under the Data Protection Act 1998 which applies to all organisations and the Government has decided to keep that exemption in place. Under the GDPR the exemption only applies to those vested with official authority.
Automated Decision making
The Government will allow this to take place as long as there are suitable safeguards are put in place to ensure the rights, freedoms and legitimate interests of the individual. This includes the right to object to automated processing if it produces an outcome with legal or similar effects without human intervention.
There is no provision in relation to data processing for national security reasons in the GPDR as the EU does not have jurisdiction there. However the Government will provide a distinct data protection framework in the Bill in line with the Council of Europe’s Convention.
Cyber Security Breaches
The Government recognises that effective data protection in part relies on data security and refers to the National Cyber Security Centre and Cyber Essentials. It also notes that the new data breach reporting requirement will contribute to richer source of data on cybersecurity breaches. It will be interesting to see how this is implemented as the Scottish Government and Police Scotland will also be interested in sharing this data.
In my view, this statement provided very little certainty other than confirming that the age of consent will be 13 in the UK, which was expected anyway. The Bill expected after the summer recess will hopefully provide more.
For more info visit our GDPR updates page.