Data Protection Bill
The Government has published the Data Protection Bill. While it incorporates most provisions of the GDPR, it makes a number of changes for employers processing special categories of personal data (such as health data and data on ethnic origin, political opinion, religious beliefs, union membership and sexual orientation) and data relating to criminal convictions. Under the GDPR, to process sensitive personal data, employers have to meet strict conditions such as obtaining explicit consent. Under the Bill, employers will be able to process sensitive personal data to fulfil obligations or exercise rights in employment law if they have a policy document in place that meets additional requirements.
The Bill also creates a number of new offences, including the offence of altering, destroying or concealing information to be provided to an individual through a subject access request.
The Bill states that fines for organisations in breach of the rules are to be paid in Sterling, and have been set at a maximum of £17m or 4% of global turnover.
Many of those reacting to the Bill have commented on how complex and confusing it is, although it is clear that there is no getting away from the GDPR after Brexit.
DCMS has also published a collection of guidance documents which you can find here.
DCMS Topical Questions
In the Commons, Conservative MP Mims Davies asked how the Data Protection Bill will benefit people in terms of the data held about them, particularly the use of children’s data and consent. Digital Minister Matt Hancock responded that the Bill is about giving citizens more power over their data and ensuring that data can be used innovatively and effectively. He said it also introduces new powers to protect minors and to allow people to request the deletion of their data on social media sites at the age of 18. Find it on Hansard here.
During his 2017 State of the Union Address, European Commission President Jean-Claude Juncker said that the Commission is proposing new tools, including a European Cyber Security Agency, to help defend from cyber-attacks, which he said can be more dangerous to the stability of democracies and economies than guns and tanks. Find the full speech here.
Who’s getting it wrong?
Your Money Rights Limited has been fined £350,000 by the ICO for making 146 million illegal automated calls about PPI. Firms can only make automated marketing calls to people if they have their specific consent. Read more here.
Cab Guru, the company behind a taxi booking app, has been fined £45,000 by the ICO for breaking the law on sending unsolicited text messages. Andy Curry, ICO Enforcement Group Manager, said that just because a person’s mobile number is in an organisation’s records doesn’t mean it can call or text them with marketing messages without their consent, and that it doesn’t matter whether it happens on a single day or every day for a year. Read more here.
True Telecom Ltd, a telephone services company, has been fined £85,000 by the ICO for making illegal nuisance calls. The company had been calling people registered on the Telephone Preference Service for over two years. Read more here.
US credit rating firm Equifax suffered a massive cyber attack last Friday, during which it is feared 44 million British consumers’ data was stolen. The ICO is investigating how the hack has affected UK customers. Many of the 44 million people with data held by Equifax are not direct customers of Equifax and therefore may not be aware their data could be affected. Read more here. This is a good example of why you must ensure your third-party processors are also compliant with the regulations.
Information Commissioner Elizabeth Denham gave a speech at the CBI Cyber Security Conference. In her speech she talked about how data security and data privacy are inextricably linked, but that although 61% of businesses now hold consumer data online, only 20% of consumers trust businesses with their data. She said growth in the digital economy is only sustainable if there is trust, which the GDPR and the Data Protection Bill are designed to help build. She said businesses should view the regulation as an opportunity. Echoing conversations had during The Data Guardians meeting this week, she said the new regulations present an opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals, which over time may play a role in consumer choice. Find the full speech here.
The ICO has opened a consultation on its draft guidance on contracts and liabilities between controllers and processors under the GDPR. The results will be published later this year. Portcullis will update you with the outcome when it is published. Read more here.
On 20 September, the Scottish and UK Information Commissioners will co-host the International Conference of Information Commissioners (ICIC) in Manchester. The conference will explore the future of transparency and access to information in the UK and worldwide, progressive information rights and trust. Find the event website here.