A new Data Protection Act 2018 replaced the old Data Protection Act 1998 to implement the provisions of the General Data Protection Regulation (GDPR), the European legislation that came into force in May 2018. This changes the rules that the University (and everyone else) must follow when processing personal data.
The Government has commented:
Digital technology has transformed almost every aspect of our lives since the Data Protection Act 1998 was passed.
The Data Protection Act 2018:
- Makes our data protection laws fit for the digital age in which an ever increasing amount of data is being processed.
- Empowers people to take control of their data.
- Supports UK businesses and organisations through the change.
- Ensures that the UK is prepared for the future after we have left the EU.
Issues around personal data (where they are held and how they are used) are becoming ever more important; the GDPR and the Data Protection Act strengthen the rights of individuals to be informed about how their personal data are processed, to restrict the processing that is allowed and to require correction or deletion of personal data in certain circumstances.
As well as increased fines for data breaches (the maximum fine increased to €20 million or 4% of an organisation's global turnover, if greater), organisations are to be held more accountable for how they process and protect the personal data they hold. The GDPR requires the maintenance of detailed internal records of personal data processing, the preparation of data protection impact assessments for riskier processes and clearer privacy notices informing individuals about how their data will be used. Consent notices will have to be reviewed and revised to ensure that consent has been obtained in accordance with the new rules.
The main changes to the old regulations are:
- Transparency - more detailed and informative privacy notices are required; the purpose of, and legal basis for, processing must be explained.
- Consent - must be freely given, specific, informed and unambiguous; consent must be provided by clear affirmative action.
- Accountability - new requirements for demonstrating compliance; Privacy Impact Assessments required for new processing activities; data protection by design and default is expected.
- Children - new rules for consent to processing children's data.
- Sensitive personal data - called 'special categories of data' - extended to cover genetic and biometric data.
- Pseudonymisation - use of data in this form is encouraged, e.g. where data is used for statistical, historical or research purposes.
- Subject access requests - no charge for these; response required within one month rather than 40 days.
- Breach - stricter time limits for notification.
- Right to be forgotten - data subjects can request deletion of data.
- Portability - data subjects can request that data be made available in a portable format (a structured, commonly used and machine-readable form).
- Data processors - now have direct statutory obligations of their own, not only data controllers.
- International transfers - new rules for transfer outside the EEA.
- Fines for breach - maximum increased from £500,000 to £17 million (€20 million), or 4% of an organisation's global turnover, if greater.
For an information sheet and a record of processing template, email firstname.lastname@example.org.