On 25th May 2018 the new Data Protection Act 2018, which is based on the General Data Protection Regulation (GDPR), replaces the Data Protection Act 1998 in its entirety. It replaces the existing data protection laws to make them fit for the digital age, in which ever-increasing amounts of personal data are being processed. The Act sets new standards for protecting personal data, gives people more control over the use of their data and assists in the preparation for a future outside of the EU.
There are 4 main matters provided for; these are:
- General Data Processing
- Law Enforcement Data Processing
- Data Processing for National Security Purposes
All of the above need to be set in the context of international, national and local data processing systems, which are increasingly dependent on internet usage for the exchange and transit of data. The UK must lock into international data protection arrangements, systems and processes, and this Act updates and reinforces the mechanism to enable this to take place.
Given the size of the legislation and some of the media hype surrounding its introduction, this policy is written in 2 sections.
Section 1: Overview of the Act.
Section 2: The Policy and templates.
Overview of the Act.
The Act is structured in 7 parts, each of which covers specific areas. These are:
Part 1: Preliminary
This sets out the parameters of the Act, gives an overview, explains that most processing of personal data is subject to the Act and defines the terms relating to the processing of personal data.
Part 2: General Processing
This supplements the GDPR and sets out a broadly equivalent regime for certain types of processing to which the GDPR does not apply.
Part 3: Law Enforcement Processing
- “competent authority”
- meaning of “controller” and “processor”
- data protection principles
- safeguards in regard to archiving and sensitive processing
- rights and access of the data subject, including erasure
- implements the law enforcement directive
- controller and processor duties and obligations
- co-operation with the Information Commissioner (ICO)
- personal data breaches
- the remedy of such breaches
- position of the data protection officer and their tasks
- transfer of data internationally to particular recipients
- national security considerations
- special processing restrictions and reporting of infringements.
Part 4: Intelligence Services Processing
This covers only data handled by the intelligence services, e.g. MI5 and MI6, and includes rights of access, automated decisions, rectification and erasure, and obligations relating to security and data breaches.
Part 5: The Information Commissioner
- general functions including publication of Codes of Practice and guidance
- their international role
- their responsibilities in relation to specific Codes of Practice
- consensual audits
- information to be provided to the Commissioner
- confidentiality and privileged communication
- fees for services
- charges payable to the Commissioner
- notices from the Commissioner
- reporting to parliament.
Part 6: Enforcement
This covers the new enforcement regime in relation to all forms of Notice issued by the Commissioner:
- powers of entry and inspection
- penalty amounts
- remedies in the court
- special purpose proceedings.
Part 7: Supplementary and Final Provision.
This covers the legal changes the new Act makes in relation to other legal matters, e.g. Tribunal Procedure Rules, definitions, changes to the Data Protection Convention etc., and the list of Schedules.
As you can see, this Act is a huge piece of legislation, the majority of which is outside the remit of service providers working within the adult health and social care sector. The ICO confirms that many concepts and principles are much the same, and businesses already complying with the current law are likely to be already meeting many of the key requirements of the GDPR and the new Act.
The Information Commissioner says the new Act represents a “step change” from previous laws. “It means a change of culture of the organisation. That is not an easy thing to do, and it's certainly true that accountability cannot be bolted on: it needs to be a part of the organisation's overall systems approach to how it manages and processes personal data”. It's a change of mindset in regard to data handling, collection and retention.
We need to stop taking personal data for granted; it's not a commodity we own, it's only ever on loan. Individuals have been given control and we have been given a fiduciary duty of care over it!
We are an organisation handling personal data on a day-to-day basis, and this policy sets out the requirements of the new Act and how we, as an organisation, will meet our legal obligations. Staff awareness and understanding of their responsibilities in regard to the handling, collection and retention of data will be core to the successful embedding of this policy.
Preparation: (The 12 Steps)
In order to comply with the requirements of the Act, preparation should include the completion of the 12 steps:
- Information we hold
- Communicating privacy information
- Individuals' rights
- Subject access requests
- Lawful bases for processing
- Data Breaches
- Data Protection by Design and Data Protection Impact Assessments
- Data Protection Officers
- International Data
ICO guidance: Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now.
The ICO has issued this guidance as the starting point for preparation. They have also made clear that they are aware that, for small companies in particular, time can be a factor in this preparation, but it is important to remember that you must start the 12 steps so that you can show compliance.
As an organisation we are preparing for this new Act by completing these 12 steps.
The GDPR applies to “Controllers”, “Processors” and “Data Protection Officers” and to certain types of information, specifically “Personal Data” and “Sensitive Personal Data”, referred to in the Act as “Special Categories of Personal Data”.
Controller.
This role determines, on behalf of the organisation, the purposes and means of processing personal data.
Processor.
This role is responsible for processing personal data on behalf of a controller. The Act places specific legal obligations on processors, e.g. they are required to keep and maintain records of personal data and processing activities. Processors have legal liability if they are responsible for a breach.
Data Protection Officer.
This role is a must only in certain circumstances, i.e. if you are:
- a public authority (except for courts), or
- carrying out large-scale systematic monitoring of individuals, e.g. online behaviour tracking, or
- carrying out large-scale processing of special categories of data, or data relating to criminal convictions and offences, e.g. Police, DBS bodies, Prison Service etc.