
The Data Protection Act 2018 and GDPR


News

Morrisons Supermarkets are breathing a sigh of relief since the Supreme Court ruling that they are not vicariously liable for a deliberate data breach by a disgruntled ex-employee which exposed personal data of almost 100,000 of its employees. Vicarious liability is when an employer is held responsible for something done by an employee in the course of their employment. In WM Morrison Supermarkets plc v Various Claimants [2020] the Supreme Court considered the circumstances in which an employer is vicariously liable for the conduct of its employees and whether the Data Protection Act 1998 (DPA 1998) excluded vicarious liability for such claims…

Data Protection

The Data Protection Act 2018 (DPA 2018) works with the General Data Protection Regulation (GDPR) to protect your personal information (personal data).

DPA 2018 updates UK data protection laws for the digital age. It received Royal Assent on 23 May 2018. It works with the General Data Protection Regulation (GDPR) to protect your personal information. The Act provides a comprehensive and modern framework for data protection, with stronger sanctions for malpractice.


GDPR

GDPR introduced accountability, mandatory personal data breach notification, data portability and new obligations on processors. It gives you the following rights:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling.

What is the DPA 2018?

  • It has replaced the Data Protection Act 1998 (DPA 1998) and is now the law concerning the processing of personal data.
  • It makes the EU General Data Protection Regulation (GDPR) part of UK law, so that most processing of personal data is also subject to the GDPR. Personal data must be processed lawfully and fairly, on the basis of the individual's consent or another specified basis. Individuals can obtain information about the processing of their personal data and ask for incorrect information about them to be rectified.
  • It makes Article 8 of the Charter of Fundamental Rights of the EU, about the right to the protection of personal data, part of UK law.
  • It covers processing of unstructured manual files by public authorities. This is not covered by GDPR or EU Law.
  • Part 3 is about Law Enforcement Processing and brings the Data Protection Law Enforcement Directive, which concerns the police and criminal justice sector, into force.
  • Part 4 provides new data protection rules for the intelligence services, which are based on the Council of Europe Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (Convention 108).
  • Part 5 gives the Information Commissioner new powers with responsibility for monitoring and enforcing its provisions.
  • Part 6 brings all the data protection enforcement powers together and increases maximum fines for breaches. It provides for maximum fines up to 20 million Euro or 4% of the undertaking’s total annual worldwide turnover.
  • Part 6 also introduces two new criminal offences. Section 171 makes it an offence to re-identify de-identified personal data and alter personal data to prevent disclosure and Section 173 makes it an offence to alter personal data to prevent disclosure following a subject access request.

Public Interest under DPA 2018

Article 6 of GDPR says that personal data can only be processed if there is a lawful basis for it, and Section 8 of DPA 2018 explains that a lawful basis means that processing must be in the public interest or in the exercise of official authority that is necessary for:

  • The administration of justice.
  • The exercise of a function of either House of Parliament.
  • The exercise of a function conferred on a person by an enactment or rule of law.
  • The exercise of a function of the Crown, a Minister of the Crown or a government department.
  • An activity that supports or promotes democratic engagement.

Your Rights under DPA 2018

Section 13 DPA 2018 regulates access to data held by credit reference agencies.

Section 14 sets out minimum safeguards that should be in place when a significant decision is based on automated processing which is required or authorised by UK law:

  • Data Controllers must inform data subjects in writing, as soon as reasonably practicable, when an automated decision has been made.
  • Within one month of notification, the data subject may request that the controller reconsider the decision or take a new decision not based on automated processing.
  • The controller must consider the request within one month from receipt, comply with it and notify data subjects of steps taken to comply and the outcome of complying.

DPA 2018 Exemptions

GDPR and DPA 2018 contain exemptions to their application. Section 15 DPA 2018 provides direction to the exemptions in Schedules 2, 3 and 4, which disapply some individual personal data rights.

The DPA 2018 includes exemptions for:

  • Crime prevention and taxation purposes.
  • Immigration control.
  • Disclosures required by law or made in connection with legal proceedings.
  • Regulators must not prejudice their activities.
  • Journalistic, academic, artistic and literary purposes which are collectively referred to as “the special purposes” provided the controller believes publication is in the public interest.
  • Research organisations and archiving services if they could be impaired or prevented from achieving their core purpose.

Updated: 07/04/2020

DISCLAIMER

The information and content on this website is provided for general information purposes only and is not intended to constitute legal or other professional advice. Legal information or content on this website relates only to the laws of England and Wales. You should not take any actions based on information found on this website without first seeking appropriate legal advice with respect to your specific matter. No representations or warranties are made about the suitability, currentness, comprehensiveness and/or accuracy of the information and other content contained on this website. It should be noted that legal information and content can rapidly become out of date and we give no undertaking to keep this website up to date. All liability for any loss or damage of any kind which may be suffered as a result of accessing and using the information and/or content of this website is hereby excluded to the full extent permitted by law.