1
DP BILL: DIFFERENCES AND DEROGATIONS
LGA GDPR/DP Regional Conferences: London (January 2018)
Go through the courseware; identify action plan for controllers – parking rights for the moment
2
TIME WAITS FOR NO-ONE
Regulation in force 25 May 2016
Data Protection Bill published 14 September
Out of the Lords Mid January 2018
Royal Assent late March/April 2018
Commencement 25 May 2018
BREXIT PLANNED TO BE MARCH 29, 2019??
GDPR being adopted to get adequacy determination for Brexit
UK to adopt GDPR but the “Great Repeal Bill” might be used to modify the UK’s implementation of the GDPR later on
3
DP BILL FOR MOST LOCAL GOVERNMENT
PART 1. Preliminary (Clauses 1-2): Introduces the Act and provides interpretational guidance on defined terms.
PART 2. General Processing (Clauses 3-26): applies the GDPR to the processing of personal data taking place in the U.K. and sets out derogations and exemptions from the GDPR.
Schedule 1 (More conditions for Special Personal Data)
Schedules 2-4 (A.23 exemptions implemented)
Keeling Schedule - (e.g. Article 6 & 9)
PART 3. Law Enforcement Processing (Clauses 27-79): Implements the LED for law enforcement data processing
Schedule 7 (List of competent authorities covered by LED)
Schedule 8 (Conditions for sensitive processing)
If something is missing, is it an oversight or deliberate choice – contact DCMS
4
MAIN DIFFERENCES FROM DPA
Personal data
Filing System
Consent
Public task and balance of interests
Transparency and more rights for data subjects
Accountability Principle and Personal data Asset Register
Data Processor relationship
Data Protection Officer
Data Protection by Design
Transfers to Third Countries and Brexit
Penalties for transgression
5
HARMONISATION?
Member State law flexibility applies in 50+ Articles: 4(7), 4(9), 6(2), 6(3)(b), 6(4), 8(1), 8(3), 9(2)(a), 9(2)(b), 9(2)(g), 9(2)(h), 9(2)(i), 9(2)(j), 9(3), 9(4), 10, 14(5)(b), 14(5)(c), 14(5)(d), 17(1)(e), 17(3)(b), 17(3)(d), 22(2)(b), 23(1)(e), 26(1), 28(3), 28(3)(a), 28(3)(g), 28(3)(h), 28(4), 29, 32(4), 35(10), 36(5), 37(4), 38(5), 49(1)(g), 49(4), 49(5), 53(1), 53(3), 54(1), 54(2), 58(1)(f), 58(2), 58(3), 58(4), 58(5), 59, 61(4)(b), 62(3), 80, 83(5)(d), 83(7), 83(8), 85, 86, 87, 88, 89, 90
R3-R13 describes flexibility (R10: “margin of manoeuvre”); large scale “manoeuvring” jeopardises any adequacy determination
Margin of appreciation in Human Rights terms
UK Government says it will have legislation in early 2018 (possibly after a consultation exercise)
Maximum flexibility on the agenda
6
DEROGATIONS IN THE BILL
Article 4 Definition of Controller
Article 8 Age of consent of a child web-sites (13)
Article 9 Special Personal Data (more grounds for health).
Article 10 Processing of criminal convictions and offences.
Article 5, 17 Right to erasure & Principles for research.
Article 22 Automated individual decision making/profiling.
Article 23(1)(e) Exemption for reasons of “important objectives of general public interests …of a Member State” (e.g. Monitoring officer)
Article 29 Processor can disclose personal data under member state law.
7
DEROGATIONS IN THE BILL
Article 54-61 How supervisory authority powers work in practice
Article 80 Representation of data subjects. Member State law can allow NGOs to take action independently (or not!)
Article 83 Conditions for imposing administrative fines. Member States can legislate that the public sector is not fined.
Articles 85, 89, 90
Article 85: Processing and freedom of expression and information (e.g. DP/FOI interface) – Schedule 18
Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest or scientific or historical research purposes or statistical purposes – see Schedule 2 of Bill
Article 90: Obligations of secrecy imposed on ICO
8
DP BILL EXEMPTIONS
The equivalent of Section 7(4) to 7(6) and Section 8(7) of the DPA is in Schedule 2, Part 3, paragraph 14
Schedule 2, Part 3, Paragraph 15: presumption that it is reasonable to identify health professionals, teachers and social workers unless it is unreasonable (e.g. threat of violence)
The equivalent of S.29(1) exemption for crime and taxation is at Clause 43(4) in Law Enforcement
The equivalent of S.29(3) exemption (e.g. voluntary disclosures to the police) should also consider Schedule 2, paragraph 2(1) as “disclosure” is a “processing” operation.
SAR includes to Information that relates to another individual
9
OTHER EXEMPTIONS (Where’s Wally?)
Disclosures required by law: Schedule 2, paragraph 5(2)
Disclosures necessary for legal proceedings: Schedule 2, paragraph 5(3)
Processing with respect to personal data made public by law: Schedule 2, paragraph 5(1)
Domestic purposes: effect of Section 36 is in Clause 19(3)
Management forecasting: Schedule 2, paragraph 20
Negotiations with the data: Schedule 2, paragraph 21
Confidential references: Schedule 2, paragraph 22
Prejudice Health & Social Work & harm to the data subject’s mental or physical health or child abuse: Schedule 2, Parts 2-5
FIND OUT WHERE THE EXEMPTIONS YOU USE ARE
10
FINAL COMMENTS
Everything in the DPA can be found in the DP Bill (Find out what you use in the former and where it is in the latter)
Look at DPIA software/documentation on the CNIL website
Follow WP29 documents and the ICO documents
Security: Local Public sector data handling guidelines
Do not rely on an adequacy determination for the UK
There will be no mega-fines for at least a year
11
THE END
QUESTIONS
More on the GDPR and LED in all Amberhawk DP courses …. and on HAWKTALK (wholly balanced blog)
©Chris Slane