The draft Data Protection Bill will implement the European General Data Protection Regulation (GDPR) in UK domestic law, supplementing the directly applicable Regulation and exercising the derogations it allows. The Bill, once enacted, will replace the current Data Protection Act 1998 and is aimed at strengthening individuals' rights over their personal data.

Data processing

Under the GDPR, stricter conditions must be met to process special categories of personal data (previously known as sensitive personal data), which cover information relating to racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic and biometric data, health, and sex life or sexual orientation; data on criminal convictions is subject to its own separate conditions. The condition employers most commonly rely on is the requirement to obtain the individual's explicit consent to the processing of this data.

The Data Protection Bill, however, contains specific exemptions from the requirement for consent. It states that organisations can process special categories of personal data without consent where this is necessary to meet their obligations under employment law, so long as an appropriate policy document is in place covering that processing. Similarly, processing of criminal conviction data to meet legal obligations, for example through background checks on candidates, can be carried out without consent where such a policy document is in place. These policy documents are expected to set out how the organisation will protect this data while processing it, including how long it will be retained.

Changes to subject access requests

The GDPR changes the way subject access requests (SARs) currently operate. The Regulation removes the £10 fee employers can at present charge for processing a request, although a reasonable fee may still be charged where a request is manifestly unfounded or excessive. The time limit for complying with an individual's SAR is also reduced from 40 days to one month from receipt.

The Bill carries over the existing exemptions in the Data Protection Act 1998 that restrict the information which has to be disclosed in response to a SAR. This means organisations will still not be required to disclose, whether in response to a SAR or in a privacy notice, information that is:

  • subject to legal professional privilege;
  • used for business planning purposes;
  • prepared for negotiations with the individual;
  • a confidential reference given by the organisation about the individual.

New offences

Alongside the new maximum fine introduced by the GDPR of €20,000,000 or 4% of the organisation's annual worldwide turnover, whichever is higher, for infringements of the Regulation, the Bill creates two new criminal offences that employers need to be aware of.

An offence will be committed where an organisation alters, destroys or conceals information that it is legally required to disclose to an individual in response to a subject access request. In addition, knowingly or recklessly re-identifying an individual from anonymised (de-identified) personal data will also be an offence under the Data Protection Bill.

Consultations by the Information Commissioner's Office (ICO) on the practical application of the Bill are still awaited.