UK derogations from the GDPR
As part of the United Kingdom’s move towards compliance with the European General Data Protection Regulation (GDPR) next year, the government have published a statement of intent, detailing some of the differences between the EU regulations and the announced Data Protection Bill. There are to be a number of significant areas where the new legislation will differ from the GDPR:
The right to be forgotten, although included and made clearer in the GDPR, will be extended under the Data Protection Bill to consider only children aged thirteen or older to be able to give consent to the processing of their personal data. Although in the UK there are currently no overall rules in place that specify children in the context of consent, to comply with the GDPR the defined age must be between thirteen and sixteen. The new bill will also include an individual’s right to request that data that was collected about them before the age of eighteen be deleted from social media.
Article 10 of the GDPR specifies that only official authoritative bodies have the right to process criminal conviction and offence data and that even then, justification under specific legislation would be required. The UK, in recognition of the number of industries that could be affected by this change, have proposed that domestic legislation extend this right to other organisations that process this data. At this stage, specific legislation regarding access to the different levels of criminality checks (for example basic disclosure checks) has not been released, however it is likely that the current UK rules will be transposed into the Data Protection Bill. Industry bodies will be liaising with Ministers to ensure that the current status quo is maintained and the extent of legislation scope extends wide enough to include all non-regulated industry sectors.
New criminal offences have been proposed for inclusion in the Bill. These include “Altering records with intent to prevent disclosure following a subject access request” which, although currently a part of the Freedom of Information Act 2000, would be extended to include not just public authorities but all data controllers and data processors. Furthermore, the act of “Intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data” would also be anoffence, designed to prevent the identification of individuals listed in otherwise anonymous date, typically by combining information from different sources. It will also become an offence to retain data against the wishes of the data controller – extending the current rules from obtaining or disclosing personal data to include retention.