Data Protection Act 2018

Data Protection Act 2018
Act of Parliament
Long title An Act to make provision for the regulation of the processing of information relating to individuals; to make provision in connection with the Information Commissioner’s functions under certain regulations relating to information; to make provision for a direct marketing code of practice; and for connected purposes.
Citation 2018 c. 12
Introduced by Matt Hancock (Commons)
Henry Ashton, 4th Baron Ashton of Hyde (Lords)
Territorial extent United Kingdom of Great Britain and Northern Ireland
Dates
Royal assent 23 May 2018
Commencement May 2018
Other legislation
Repeals/revokes Data Protection Act 1998
Amended by Public Services Ombudsman (Wales) Act 2019; Sentencing Act 2020; Armed Forces Act 2021; Advanced Research and Invention Agency Act 2022; Health and Social Care Act 2022
Relates to General Data Protection Regulation, Data Protection Act 1998
Status: Current legislation
History of passage through Parliament
Text of statute as originally enacted
Revised text of statute as amended

The Data Protection Act 2018 (c. 12) is a United Kingdom Act of Parliament which updates data protection laws in the UK. It is a national law which complements the European Union's General Data Protection Regulation (GDPR) and replaces the Data Protection Act 1998.

The Act is due to be significantly amended by the Data Protection and Digital Information Bill, which is currently at Committee Stage in the House of Lords.

Background

The Data Protection Bill was introduced to the House of Lords by Lord Ashton of Hyde, Parliamentary Under-Secretary of State at the Department for Digital, Culture, Media and Sport on 13 September 2017. [1]

The Data Protection Act 2018 received royal assent on 23 May 2018. The Act came into effect on 25 May 2018. It was amended on 1 January 2021 by regulations under the European Union (Withdrawal) Act 2018, to reflect the UK's status outside the EU. It replaces the Data Protection Act 1998. [2]

The Act applies the data protection standards set out in the GDPR and, where the GDPR allows EU member states to make different choices for its implementation in their country, defines those choices for the UK. [3]

Contents

The Act has seven parts. These are outlined in Section 1: [4]

  1. This Act makes provision about the processing of personal data.
  2. Most processing of personal data is subject to GDPR.
  3. Part 2 supplements the GDPR (see Chapter 2) and applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply (see Chapter 3).
  4. Part 3 makes provision about the processing of personal data by competent authorities for law enforcement purposes and implements the Law Enforcement Directive.
  5. Part 4 makes provision about the processing of personal data by the intelligence services.
  6. Part 5 makes provision about the Information Commissioner.
  7. Part 6 makes provision about the enforcement of the data protection legislation.
  8. Part 7 makes supplementary provision, including provision about the application of this Act to the Crown and to Parliament.

The Act introduces new offences, including knowingly or recklessly obtaining or disclosing personal data without the consent of the data controller, procuring such disclosure, or retaining data obtained without consent. Selling, or offering to sell, personal data knowingly or recklessly obtained or disclosed is also an offence. [5]

In essence, the Act implements the EU Law Enforcement Directive, [6] implements those parts of the GDPR which "are to be determined by Member State law", and creates a framework similar to the GDPR for the processing of personal data that falls outside the GDPR's scope: processing by the intelligence services, processing by the immigration services, and the processing of personal data held in unstructured form by public authorities.

Under section 3 of the European Union (Withdrawal) Act 2018, [7] the GDPR will be incorporated directly into domestic law immediately after the UK exits the European Union.

Enforcement of the Act by the Information Commissioner's Office is funded by a data protection charge on UK data controllers under the Data Protection (Charges and Information) Regulations 2018. Exemptions from the charge were left broadly the same as under the 1998 Act: chiefly the internal core purposes of certain businesses and non-profits (staff or members, marketing and accounting), household affairs, some public purposes, and non-automated processing. [8] [9] Under the 2018 Act, the enforcement regime for registration changed from criminal sanctions to civil monetary penalties. [10]

The Act introduces a new public interest test applicable to the research processing of personal health data. [11]

The Act gives people the right to apply to courts and tribunals for various orders, including: in the tribunal, an order requiring the Information Commissioner to conduct an investigation (section 166); in the court, compliance orders against the Commissioner, controllers or processors (section 167); and in the tribunal, appeals against penalty notices and other enforcement decisions (section 162). The extent and limits of the jurisdiction conferred by these sections have been the subject of a campaign of litigation, reaching as high as the Court of Appeal. [12] [13] [14] [15]

Additions

The Data Protection Act 2018 is a revision of the Data Protection Act 1998 which places greater responsibility on organisations for the information they hold and strengthens confidentiality. [16] The 2018 Act also works in tandem with the GDPR, which the 1998 Act did not. [17]

From the Data Protection Act 1998 to the Data Protection Act 2018, the key additions are the following: [16]

  1. The revision gives individuals the right to have their data erased if they so choose, on the premise of the basic right to privacy. [16]
  2. The 2018 version gives people a clear interpretation of the Act's exemptions, which were unclear in the 1998 version. [17]
  3. When the Data Protection Act 1998 was drafted, the GDPR did not exist, so there was no such law for the DPA to work alongside. With the creation of the GDPR, the DPA was eventually updated to work in tandem with it. [18]


References

  1. This article incorporates text published under the United Kingdom Open Parliament Licence: Brown, Thomas (5 October 2017). "Data Protection Bill [HL]: Briefing for Lords Stages". House of Lords Library.
  2. This article incorporates text published under the British Open Government Licence: "About the DPA 2018". Information Commissioner's Office. 18 January 2022. Retrieved 30 January 2022.
  3. "Data Protection Act 2018 Factsheet – Overview" (PDF). Department for Digital, Culture, Media and Sport. 23 May 2018.
  4. "Data Protection Act 2018". UK Government. Retrieved 8 August 2018. This article contains quotations from this source, which is available under the Open Government Licence v3.0. © Crown copyright.
  5. "New Data Protection Act finalised in the UK". www.out-law.com. Retrieved 29 August 2018.
  6. Directive (EU) 2016/680 of the European Parliament and of the Council.
  7. "European Union (Withdrawal) Act 2018". UK Government. Retrieved 8 August 2018.
  8. Review of exemptions from paying charges to the Information Commissioner's Office (PDF) (Report). Department for Digital, Culture, Media and Sport. November 2018. Retrieved 30 April 2020.
  9. "The Data Protection (Charges and Information) Regulations 2018 – Schedule: Exempt Processing". legislation.gov.uk. Retrieved 30 April 2020.
  10. "ICO issues the first fines to organisations that have not paid the data protection fee". Information Commissioner's Office. 28 November 2018. Archived from the original on 28 September 2020. Retrieved 1 May 2020.
  11. Taylor, Mark J.; Whitton, Jess (2020). "Public Interest, Health Research and Data Protection Law: Establishing a Legitimate Trade-Off between Individual Control and Research Access to Health Data". Laws. MDPI. 9 (1): 6. doi:10.3390/laws9010006. hdl:11343/258554. This article incorporates text from this source, which is available under the CC BY 4.0 license.
  12. James Killock and Michael Veale v ICO (Information rights – Freedom of Information – exceptions: practice and procedure) [2021] UKUT 299 (AAC), 24 November 2021. Retrieved 24 February 2024.
  13. "Our Adtech challenge: what we won, what we lost and what we do next". Open Rights Group. Retrieved 24 February 2024.
  14. Delo, R (On the Application Of) v Information Commissioner & Anor [2022] EWHC 3046 (Admin), 2 December 2022. Retrieved 24 February 2024.
  15. Delo, R (On the Application Of) v The Information Commissioner (Rev1) [2023] EWCA Civ 1141, 10 October 2023. Retrieved 24 February 2024.
  16. Zaheer, Adnan. "Data Protection Act 1998 – Be Compliant | Seers". Seers | Articles. Retrieved 16 November 2020.
  17. "About the DPA 2018". ico.org.uk. 28 September 2020. Retrieved 16 November 2020.
  18. "Data Protection Act 2018". ico.org.uk. 20 July 2020. Archived from the original on 7 August 2018. Retrieved 16 November 2020.