The Government will pass a new Data Protection Act 2018, replacing the current Data Protection Act 1998, to implement the provisions of the General Data Protection Regulation (GDPR), the European legislation which comes into force in May 2018. This will change the rules which the University (and everyone else) must follow when processing personal data.
The Government has commented: The Data Protection Bill will update data protection laws for the digital age and was introduced to the House of Lords on 13 September 2017.
Digital technology has transformed almost every aspect of our lives since the last Data Protection Act was passed.
The Data Protection Bill will:
- Make our data protection laws fit for the digital age in which an ever increasing amount of data is being processed.
- Empower people to take control of their data.
- Support UK businesses and organisations through the change.
- Ensure that the UK is prepared for the future after we have left the EU.
Issues around personal data (where they are held and how they are used) are becoming ever more important; the GDPR and the Data Protection Bill will strengthen the rights of individuals to be informed about how their personal data are processed, to restrict the processing that is allowed and to require correction or deletion of personal data in certain circumstances.
As well as increased fines for data breaches (the current maximum fine of £500,000 will be increased to €20 million), organisations are to be held more accountable for how they process and protect the personal data they hold. The GDPR will require the maintenance of detailed internal records of personal data processing, the preparation of data protection impact assessments for riskier processes and clearer privacy notices informing individuals about how their data will be used. Consent notices will have to be reviewed and revised to ensure that consent has been obtained in accordance with the new rules.
The main changes to the current regulations are:
- Transparency - more detailed and informative privacy notices are required; the purpose of, and legal basis for, processing must be explained.
- Consent - must be freely given, specific, informed and unambiguous; consent must be provided by clear affirmative action.
- Accountability - new requirements for demonstrating compliance; Privacy Impact Assessments required for new processing activities; data protection by design and default is expected.
- Children - new rules for consent to processing children's data.
- Sensitive personal data - called 'special categories of data' - extended to cover genetic and biometric data.
- Pseudonymisation - use of data in this form is encouraged, e.g. where data is used for statistical, historical or research purposes.
- Subject access requests - no charge for these; response required within one month rather than 40 days.
- Breach - stricter time limits for notification.
- Right to be forgotten - data subjects can request deletion of data.
- Portability - data subjects can request that data is made available in a portable format (a structured, commonly used and machine-readable form).
- Data processors - now have direct statutory obligations, as well as data controllers.
- International transfers - new rules for transfer outside the EEA.
- Fines for breach - maximum increased from £500,000 to £17 million (€20 million), or 4% of an organisation's global turnover, if greater.
Further information will be issued as necessary on the preparations for, and progress towards, ensuring that the University is ready for the new rules coming into force in May 2018.
For an information sheet and a record of processing template, click here.