Why do we need another Data Protection Act?
The Data Protection Act 1998 was 20 years old and needed updating to reflect the different ways in which data is now processed, in an increasingly digital and connected world. It was also necessary to amend our legal framework for data protection to align with GDPR and implement the flexibilities that were available through permitted derogations and exemptions.
What does the new Act do?
The Act does several different things:
- It repeals the Data Protection Act 1998
- It sets out the derogations and exemptions to GDPR that will apply in the UK. Many of the exemptions are similar to those contained within the 1998 Act
- It extends a GDPR-like regime to areas of processing not covered by GDPR such as the processing of manual unstructured data by public authorities
- It implements the EU's Law Enforcement Directive, which provides a framework for the lawful processing of personal data by law enforcement
- It implements international standards of data protection for the intelligence services, based on the Council of Europe's Personal Data Protection Convention, known as Convention 108
As an EU Regulation, GDPR has direct effect in all Member States and therefore did not need implementing into UK law whilst we remain in the EU. Therefore, the Act does not ‘implement’ GDPR in the UK, although following Brexit, together with the provisions of the EU Withdrawal Bill, the Act does effectively make GDPR ‘Brexit proof’.
Structure of the Act
The Act is a significant piece of legislation, spanning 353 pages, 206 sections and 20 schedules, and in parts it is complex. However, Parts 1 & 2 and Schedules 1-4 are the main areas of interest for the majority of general processing and this is certainly true insofar as the insurance industry is concerned. Looked at in this way, the Act is more easily digestible.
A good starting point in understanding the Act is appreciating that GDPR is where the majority of the substantive law is found and its provisions are not copied into the Act. It is therefore necessary to cross reference the exemptions and derogations in the Act against the text of GDPR itself.
Key areas for insurance
Special category data
'Sensitive data' gets a rebrand as 'special category data' under both GDPR and the Act. The default position with regard to processing such data, which includes data concerning race, health, religion, ethnicity, political views, genetic and biometric data, is that processing is prohibited. Article 9(2) of GDPR does, however, provide a range of exemptions, for example where an individual has given explicit consent or where the processing is necessary for the establishment, exercise or defence of legal claims. In addition to this, Schedule 1 of the Act provides a large number of ‘substantial public interest’ conditions under which processing of data may be authorised. These include:
- Para 14 – Preventing fraud
- Para 20 – Insurance
The preventing fraud condition may apply where it is necessary to process special category data, including disclosures, for the purposes of preventing fraud, such as by a member of an anti-fraud organisation, examples of which are the IFB and IFIG.
Paragraph 20 may apply where processing of special category data is ‘necessary for an insurance purpose’ which may potentially include underwriting and claims handling activities.
An important point to highlight, which applies to processing of special category data generally where a condition within Schedule 1 is relied upon, is that Part 4 of Schedule 1 places an obligation on the Data Controller to have in place an ‘appropriate policy document and additional safeguards’ that in turn document and explain the procedures and policies in place for handling special category data.
GDPR restricts the ability to process criminal records data to only those who are authorised by Member State law. Schedule 1 of the Act sets out the circumstances in which criminal records data can be processed including where the substantial public interest conditions mentioned above are met or where consent has been obtained from the data subject or when processing is necessary in connection with legal proceedings (or prospective proceedings).
Schedule 2, Part 1, Para 2 (1) of the Act specifies an exemption from many GDPR obligations if the processing is for the purposes of the prevention or detection of crime. The exemption extends to most of the data subject rights including access and erasure. However, the exemption is not on all fours with its predecessor and extra care is required, particularly in relation to disclosures and the requirements for data minimisation, accuracy and retention. Like its predecessor, this exemption only applies to the minimum extent necessary to avoid prejudice.
Another exemption from the Data Protection Act 1998 that was commonly used within insurance was Section 35 relating to processing in connection with legal proceedings. Schedule 2, Part 1, Para 5 of the new Act provides an equivalent exemption covering information required to be disclosed by law or in connection with legal proceedings (including prospective proceedings).
Automated decision making / Profiling
Article 22 of GDPR places restrictions on automatic decision making including profiling which produces legal effects. Section 14 of the Act sets out the safeguards that must be in place if significant decisions are being made solely on the basis of automated processing. These safeguards include notifying individuals and providing them with a period of 21 days in which to have such decisions reviewed.
Section 164 of the Act essentially confirms the (Article 82) right to claim compensation for material or non-material damage, including distress, for contraventions of GDPR. This right is extended by Section 165 of the Act, by also applying it to contraventions of other data protection legislation. Section 165 also deals with the question of liability between Data Controllers, Joint Controllers and Data Processors.
Sections 166 – 169 of the Act set out a range of criminal offences, some of which replicate offences that existed under the Data Protection Act 1998 such as unlawfully obtaining personal data, and some of which are new such as the re-identification of de-identified data. There is also a new offence of altering data to prevent disclosure, to deter the employees of data controllers from altering, erasing or otherwise interfering with data in the context of subject access requests.
Section 189 provides for the potential personal criminal liability of Directors and Officers of data processing businesses for offences committed with their consent, neglect or connivance.
The Act assists with the adoption of GDPR into UK law and whereas the Data Protection Act 1998 was largely self-contained, the new Act needs to be read together with GDPR.
Part 2 and Schedules 1 and 2 are likely to be the main areas of interest for most of the insurance industry as these are the parts of the Act that deal with general processing, special category data and the bulk of the exemptions and derogations for each. All of the exemptions within the Data Protection Act 1998 that were commonly used by the insurance industry are essentially replicated by similar provisions within the new Act, albeit now set against the context of GDPR data processing standards, rights and obligations.
For more information please contact Jamie Taylor.