The Government has published the Data Protection Bill, which will supplement the General Data Protection Regulation (GDPR) in the UK.
More data protection resources
The Bill, which was announced in the Queen’s Speech in June this year, adds detail to the requirements under the GDPR.
It incorporates the highly publicised fine regime, under which organisations can be fined up to €20 million or 4% of total worldwide annual turnover.
However, the Bill makes a number of changes for employers to process special categories of personal data (such as health data and data on ethnic origin, political opinion, religious beliefs, union membership and sexual orientation) and data relating to criminal convictions.
To process special categories of personal data, also known as sensitive personal data, employers have to meet strict conditions under the GDPR, such as obtaining explicit consent.
Under the Bill, employers will be able to process special categories of personal data to fulfil obligations or exercise rights in employment law if it has a policy document in place that meets additional requirements.
Under the GDPR, employers can process data on criminal convictions only if this is specifically permitted by law.
The Bill will allow processing of criminal conviction data if it meets the same requirements as processing special categories of personal data.
This means that employers will be able to process criminal conviction data with consent, or to exercise rights or obligations provided that they have a policy in place that meets the additional requirements.
The Bill also reproduces certain exemptions from the Data Protection Act 1998 relating to subject access requests.
In particular, employers will not have to include information in their privacy notices or disclose information to employees in response to subject access requests for:
- information that is covered by legal professional privilege;
- information used for management planning by the employer;
- information about the employer’s intentions during negotiations with the employee; and
- confidential references given (but not those received) by the employer.
The Bill also creates a number of new offences, including an offence of altering, destroying or concealing information to be provided to an individual through a subject access request.
Culture secretary, Karen Bradley said: “The Data Protection Bill will give people more control over their data, support businesses in their use of data, and prepare Britain for Brexit.
“In the digital world strong cyber security and data protection go hand in hand. This Bill is a key component of our work to secure personal information online.”
The Bill will repeal the Data Protection Act 1998 when it comes into effect. In addition to implementing the GDPR, the Bill deals with personal data processed by law enforcement and national security.
The GDPR will come into effect directly in the EU, including in the UK, on 25 May 2018. When the UK leaves the EU, the GDPR will be incorporated into UK law by the European Union (Withdrawal) Bill.