The Purpose and Scope of the Data Protection Act 2018

July 9, 2018

The implementation of the General Data Protection Regulation (GDPR) on 25 May 2018 has been well publicised. Businesses will be well aware of the headline grabbing increases in potential Information Commissioner’s Office (ICO) fines, the additional rights of data subjects and changes to what constitutes consent. Less publicity has been directed towards the repeal of the Data Protection Act 1998 (DPA 1998) and implementation of the Data Protection Act 2018 (DPA 2018) which received Royal Assent on 23 May 2018. This article explains the purpose of the DPA 2018.

GDPR is an EU Regulation designed to update the legal framework for data protection within the EU. Since the EU last dealt with this issue in the 1995 Data Protection Directive there have been massive changes in the way in which data is generated and used in a digital world. Scandals such as the misuse of data by Cambridge Analytica have brought the issue to public attention, but for some time it has been felt that the law has not kept up with technology. The fact that GDPR is a regulation means that it has a direct effect in UK law without the need for further legislation. This is different from an EU Directive which needs to be implemented by national legislation. Therefore, one might question why the DPA 2018 is necessary. The main reasons for it are summarised below:

  1. GDPR allows for flexibilities, clarifications and derogations that member states can take advantage of. The UK Government has stated that it wishes to minimise burdens of organisations while protecting individuals’ data, and the DPA 2018 is how it has attempted to do this.
  2. To maintain consistency in the law and avoid legal uncertainty it was necessary to repeal the DPA 1998.
  3. DPA 2018 confirms the position of UK law on data protection, irrespective of the effects of Brexit.
  4. DPA 2018 sets out specific provisions in terms of the powers and responsibilities of the ICO and a new fees and registration regime.
  5. GDPR does not apply to law enforcement processing. Instead a modified regime is set out in DPA 2018 which reflects the new Law Enforcement Directive 2016.
  6. GDPR does not apply to intelligence service processing as national security is outside of the scope of EU Law. Therefore, the DPA 2018 sets out the rules for this type of processing.

The main notable provisions contained in the DPA 2018 are summarised below:

  1. The definition of what constitutes a public body is given and this is based on the definition within the Freedom of Information Act 2000.
  2. GDPR allows for the age at which a child (rather than the child’s guardian) can provide consent to data processing to be set between the ages of 13 to 16. Unlike the Republic of Ireland which has set the age at 16, the UK has chosen the age of 13.
  3. Sensitive “special category” data can only be processed in a number of circumstances, one of which is for reasons of “substantial public interest”. The DPA 2018 sets out a number of areas which satisfy this test including, amongst others:
    1. Certain insurance and pension activities;
    2. Anti money laundering activities;
    3. Certain journalism activities;
    4. Safeguarding children or disabled adults; and
    5. Certain political activities.
  4. Under the DPA 2018 Sensitive “special category” data can be processed by an employer if the employer has an appropriate policy document.
  5. DPA 2018 widens the circumstances in which data relating to criminal convictions and offences can be processed.
  6. DPA 2018 includes the exemptions to complying with the rights of data subjects that were included in the DPA 1998. For example, legally privileged documents are still exempt from disclosure in a subject access request.
  7. The rights of individuals’ are curtailed in certain respects such as:
    1. Processing by immigration officials;
    2. Processing in connection with legal proceedings; and
    3. Processing in connection with crime and taxation.
  8. DPA 2018 also creates two new criminal offences:
    1. for a person to knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the Data Controller responsible for de-identifying the personal data; and
    2. for the Data Controller or a person employed by it to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of information that a Data Subject enforcing his/her rights would have been entitled to receive.

Therefore, the result of this is that, to fully understand data protection law in the UK one must read DPA 2018 alongside GDPR. Other member states will have similar legislation and this will complicate an already complex area of law. There are a number of grey areas within the field of data protection and the consequences of getting it wrong are more serious than ever. Data controllers should take time to review their policies and procedures in the light of GDPR and the DPA 2018 and it is advisable to take legal advice in undertaking this exercise.

This article has been produced for general information purposes and further advice should be sought from a professional advisor.

Nathan Campbell, Solicitor, GDPR Team, Cleaver Fulton Rankin, Solicitors.