DP BILL: DIFFERENCES AND DEROGATIONS

Presentation transcript:

DP BILL: DIFFERENCES AND DEROGATIONS
LGA GDPR/DP Regional Conferences: London (January 2018)
chris.pounder@amberhawk.com
Go through the courseware; identify action plan for controllers – parking rights for the moment

TIME WAITS FOR NO-ONE
- Regulation in force 25 May 2016
- Data Protection Bill published 14 September
- Out of the Lords mid January 2018
- Royal Assent late March/April 2018
- Commencement 25 May 2018
- BREXIT PLANNED TO BE MARCH 29, 2019??
- GDPR being adopted to get adequacy determination for Brexit
- UK to adopt GDPR but the “Great Repeal Bill” might be used to modify the UK’s implementation of the GDPR later on

DP BILL FOR MOST LOCAL GOVERNMENT
- PART 1. Preliminary (Clauses 1-2): introduces the Act and provides interpretational guidance on defined terms.
- PART 2. General Processing (Clauses 3-26): applies the GDPR to the processing of personal data taking place in the U.K. and sets out derogations and exemptions from the GDPR.
  - Schedule 1 (More conditions for Special Personal Data)
  - Schedules 2-4 (A.23 exemptions implemented)
  - Keeling Schedule (e.g. Article 6 & 9)
- PART 3. Law Enforcement Processing (Clauses 27-79): implements the LED for law enforcement data processing.
  - Schedule 7 (List of competent authorities covered by LED)
  - Schedule 8 (Conditions for sensitive processing)
- If something is missing, is it an oversight or deliberate choice – contact DCMS

MAIN DIFFERENCES FROM DPA
- Personal data
- Filing System
- Consent
- Public task and balance of interests
- Transparency and more rights for data subjects
- Accountability Principle and Personal data Asset Register
- Data Processor relationship
- Data Protection Officer
- Data Protection by Design
- Transfers to Third Countries and Brexit
- Penalties for transgression

HARMONISATION?
- Member State law flexibility applies in 50+ Articles: 4(7), 4(9), 6(2), 6(3)(b), 6(4), 8(1), 8(3), 9(2)(a), 9(2)(b), 9(2)(g), 9(2)(h), 9(2)(i), 9(2)(j), 9(3), 9(4), 10, 14(5)(b), 14(5)(c), 14(5)(d), 17(1)(e), 17(3)(b), 17(3)(d), 22(2)(b), 23(1)(e), 26(1), 28(3), 28(3)(a), 28(3)(g), 28(3)(h), 28(4), 29, 32(4), 35(10), 36(5), 37(4), 38(5), 49(1)(g), 49(4), 49(5), 53(1), 53(3), 54(1), 54(2), 58(1)(f), 58(2), 58(3), 58(4), 58(5), 59, 61(4)(b), 62(3), 80, 83(5)(d), 83(7), 83(8), 85, 86, 87, 88, 89, 90
- R3-R13 describes flexibility (R10: “margin of manoeuvre”); large scale “manoeuvring” jeopardises any adequacy determination
- Margin of appreciation in Human Rights terms
- UK Government says it will have legislation in early 2018 (possibly after a consultation exercise)
- Maximum flexibility on the agenda

DEROGATIONS IN THE BILL
- Article 4: Definition of Controller
- Article 8: Age of consent of a child web-sites (13)
- Article 9: Special Personal Data (more grounds for health)
- Article 10: Processing of criminal convictions and offences
- Article 5, 17: Right to erasure & Principles for research
- Article 22: Automated individual decision making/profiling
- Article 23(1)(e): Exemption for reasons of “important objectives of general public interests …of a Member State” (e.g. Monitoring officer)
- Article 29: Processor can disclose personal data under member state law

DEROGATIONS IN THE BILL
- Article 54-61: How supervisory authority powers work in practice
- Article 80: Representation of data subjects. Member State law can allow NGOs to take action independently (or not!)
- Article 83: Conditions for imposing administrative fines. Member States can legislate that the public sector is not fined.
- Articles 85, 89, 90:
  - Article 85: Processing and freedom of expression and information (e.g. DP/FOI interface) – Schedule 18
  - Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest or scientific or historical research purposes or statistical purposes – see Schedule 2 of Bill
  - Article 90: Obligations of secrecy imposed on ICO

DP BILL EXEMPTIONS
- The equivalent of Section 7(4) to 7(6) and Section 8(7) of the DPA is in Schedule 2, Part 3, paragraph 14
- Schedule 2, Part 3, Paragraph 15: presumption that it is reasonable to identify health professionals, teachers and social workers unless it is unreasonable (e.g. threat of violence)
- The equivalent of S.29(1) exemption for crime and taxation is at Clause 43(4) in Law Enforcement
- The equivalent of S.29(3) exemption (e.g. voluntary disclosures to the police) should also consider Schedule 2, paragraph 2(1) as “disclosure” is a “processing” operation.
- SAR includes to Information that relates to another individual

OTHER EXEMPTIONS (Where’s Wally?)
- Disclosures required by law: Schedule 2, paragraph 5(2)
- Disclosures necessary for legal proceedings: Schedule 2, paragraph 5(3)
- Processing with respect to personal data made public by law: Schedule 2, paragraph 5(1)
- Domestic purposes: effect of Section 36 is in Clause 19(3)
- Management forecasting: Schedule 2, paragraph 20
- Negotiations with the data: Schedule 2, paragraph 21
- Confidential references: Schedule 2, paragraph 22
- Prejudice Health & Social Work & harm to the data subject’s mental or physical health or child abuse: Schedule 2, Parts 2-5
- FIND OUT WHERE THE EXEMPTIONS YOU USE ARE

FINAL COMMENTS
- Everything in the DPA can be found in the DP Bill (find out what you use in the former and where it is in the latter)
- Look at DPIA software/documentation on the CNIL website
- Follow WP29 documents and the ICO documents
- Security: Local Public sector data handling guidelines
- Do not rely on an adequacy determination for the UK
- There will be no mega-fines for at least a year

THE END
QUESTIONS
More on the GDPR and LED in all Amberhawk DP courses … and on HAWKTALK (wholly balanced blog)
©Chris Slane