Data Protection Law – Where are We Now?
Data protection law exists to protect the privacy and personal data rights of individuals.
This area is primarily governed in the UK by the Data Protection Act 2018. The Act was passed to provide enhanced legal rights and responsibilities in respect of how data should be handled by organisations, businesses and the government than was previously provided under the Data Protection Act 1998.
Importantly, the 2018 Act also brought the European Union’s General Data Protection Regulations (GDPR) into force in the UK.
The GDPR are regulations designed to control how personal data is processed throughout the European Union. It sets out the rules that those who are processing individuals’ data must follow in order to be compliant, and the rights individuals have in relation to the handling of their personal data.
The GDPR also introduced a stricter definition of consent and requirements on data controllers who process personal data to ensure that when it is processed, individuals know what it is being processed for, how it is being processed and what that means for them. The regulations serve to ensure there is greater transparency with regards to the use of personal data by businesses and organisations.
The Data Protection Act 2018
There are three categories that current UK data protection law applies to:
- The data subjectwhose personal data is being processed
- The data controllerwho both processes data, and chooses how that data is processed.
- The data processor who processes data for the controller, but cannot choose how it is processed.
What is personal data?
Personal data is any data from which a person can be directly or indirectly identified. This includes identifying data such as a name, but can also refer to data such as IP addresses and location data from which a person can be indirectly identified.
Section 10 of the Act also makes provision for special categories of sensitive personal data, which, as per Article 9 of the GDPR, includes, race, ethnic background, genetics, religion, biometrics, health, sexual orientation, political opinions and trade union membership. The Act also covers data in relation to criminal convictions and offences.
This sensitive personal data has stronger legal protection under the new Act than previously. Under the GDPR, the requirements for processing special category data is twofold. You must first have a lawful basis under Article 6, and you will secondly have to satisfy specific conditions under Article 9. The Data Protection Act 2018 has added additional safeguards to complement this. For example, if you are relying on employment or health and research as a specific condition, you must also have to have an appropriate policy document to comply as per Schedule 1, Part 1 Section 1(b) of the Data Protection Act 2018.
Data subjects’ rights
The GDPR and Data Protection Act 2018 confer strengthened rights for the individual whose data is being processed. These rights are:
- To be informed
- To have access
- To rectification
- To be forgotten
- To restrict processing
- To data portability
- To object
- Rights regarding automated decision making and profiling
The right to be informed
As per Articles 13 and 14 of the GDPR, data subjects must be clearly informed about what personal data is being collected, the purposes for its collection, how long that data is being held for and who it may be shared with.
This information must be provided at the time data is collected, and it must be clear and easy to understand.
The right to access
As per Article 15, data subjects have the right to access their personal data, and the data controller has one calendar month to respond to a request and cannot charge for the service.
The right to rectification
Individuals have the right to have any inaccurate or incomplete data rectified. This can be made verbally or in writing and must be responded to within one calendar month.
The request may be refused in certain circumstances, such as if it is repeated or excessive and in the interests of law enforcement or national security as per Article 23(1) of the GDPR.
The right to erasure
The right to erasure, or ‘to be forgotten’ is not an absolute right, and only applies in certain circumstances. It applies where:
- it is no longer necessary for processing;
- where consent is withdrawn (where consent is the lawful basis);
- where there is no legitimate interest for processing the data (where legitimate interest is used as a lawful basis);
- where the individual objects to its processing for direct marketing purposes;
- unlawful processing;
- to comply with legal obligations; and
- where you have offered information society services to a child
The right to restrict processing
As per Article 18, individuals have the right to restrict the processing of their data where;
- The accuracy of the data is being verified
- The data has been unlawfully processed
- Where it is kept on behalf of the individual for a legal claim
- Whether there are any overriding legitimate interests as a lawful basis for processing
The right to data portability
This right ensures individuals can relocate their data and can transfer to another controller should they wish to. This right only applies to information that the individual has given to the controller and must be given to the individual in a commonly used format (such as a CSV file) that can be read on different services.
The right to object
In certain circumstances, individuals may be able to object to certain types of processing; however if the data processor can give a compelling reason, they may be able to override this right and continue with their processing. In all cases, individuals have the absolute right to object to their data being used for direct marketing.
Automated decision making and profiling
If automated decision-making has a significant impact on an individual, under Article 22, the processor must tell them how they can challenge a decision or request that there is human intervention. Automated decision making and profiling are only allowed under certain circumstances, such as if it is necessary for a contract, based on consent or permitted by law.
Rights can be asserted orally or in writing, and the controller must respond within one calendar month. Controllers cannot charge a fee for the request, except in particular circumstances, and they may ask for identification in order to process the request.
Rights of an individual are not always absolute therefore it is advisable to seek legal advice if you wish to invoke, or even to understand your rights fully in a given situation.
Data processing rights and responsibilities
Under the GDPR, the requirements for processing special category data is twofold. You must first have a lawful basis under Article 6, and you will secondly have to satisfy specific conditions under Article 9. The Data Protection Act 2018 has added additional safeguards to complement this. For example, if you are relying on employment or health and research as a specific condition, you must also have to have an appropriate policy document to comply as per Schedule 1, Part 1 Section 1(b) of the Data Protection Act 2018.
There are seven data protection principles under the GDPR. These are;
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity & Confidentiality
The principles require that all those who process personal data must do so:
- Fairly, lawfully and transparently
This means that any processor must be able to rely on one of 6 lawful bases for collecting and using personal data, and the processor must be clear, open and honest about how they intend to use that data.
The six lawful bases are:
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
Alongside the lawful basis for processing under Article 6, if a processor wishes to process special category or criminal data, they must also have an additional specific and documented condition for processing under Article 9.
The GDPR has implemented stronger mechanisms to be able to rely on consent; therefore if a controller or processor is relying on this lawful basis for processing, it must be informed, freely given and be given via a positive action from the data subject.
For example, pre-ticked boxes are no longer considered valid consent, and the data subject must be clear on what they are consenting to and how giving that consent might affect them.
Contract can be relied upon where the processing is necessary to carry out contractual obligations; such as a contract for goods or services, or to carry out a pre-contractual act such as providing a quote.
Legal obligation can be relied on if the processing is necessary to fulfil a statutory or common law obligation (other than contractual obligations). This can be situations such as when an employer is legally obliged to disclose personal data relating to salary to HMRC.
The vital interests’ basis applies where the data is being processed to protect someone’s life. This basis will only apply if the data subject’s vital interests cannot be protected in a less intrusive way. Vital interests could be relied upon for example where it is necessary to disclose medical records in order to treat someone for a life-threatening illness or injury.
This refers to situations where it is necessary to process personal data as part of performing a public duty, such as with public authorities. This could include for example governmental departments exercising their official authority.
To rely on this basis, it must be shown that the interest is legitimate, that the processing is essential to achieve that interest, and that the individuals’ rights, interests and freedoms have been balanced against it.
- Only for clear, specific purposes
The purposes of use of the data must be stated clearly in easy to find, easy to understand privacy information, and within the processors’ internal documentation. If they wish to use the data in a different way, it must be compatible with the initial purpose. Otherwise, the processor will need to show a new lawful basis.
- Only use data that adequate, relevant and limited
The data that is being processed must be adequate for the purpose, relevant to the purpose, and limited only to that purpose. Processing data that is irrelevant or excessive is not permitted.
- Accurate and up-to-date data
The data processor must take all reasonable steps to ensure any personal data is accurate, up-to-date and not misleading. If the processor finds any data that is inaccurate, misleading or out of date, they must then take all reasonable steps necessary to amend or delete it. This places a higher level of responsibility on those processing data in line with the accountability principle.
- Kept for no longer than is essential
Personal data can only be retained for as long as is necessary. What is necessary is dependent on circumstances, but the processor must be able to justify the length of time that the personal data is retained. Once the data is no longer needed, it must be deleted or anonymised.
- Kept securely and confidentially
Data processors and controllers must make sure there are sufficient technical and organisational measures to ensure the security and integrity of the data. This means sufficient digital and manual safeguards, alongside internal processes.
- Process Accountably
Those who process personal data are required to take responsibility for their collection and use of personal data. This means that data controllers must have sufficient processes and documentation in place to ensure compliance. This includes having contracts with third party data processors, and comprehensive documentation on your processing activities.
How legal advice can help
Data protection law has changed significantly especially in regards to consent, special category data and the accountability of those who wish to process it. The rights and responsibilities of the new data protection law are yet to be fully tested in practice, therefore seeking the advice of a qualified solicitor can help you to understand your rights and responsibilities and what to do in the event of a breach.