What discretion can the UK exercise over the provisions of the EU General Data Protection Regulation (GDPR) when it comes into force on 25 May 2018?
In its recent 'Call for Views', the Department for Culture, Media and Sport was keen to invite feedback on the national derogations permitted by the GDPR, where Member States can introduce their own national laws.
The response by the Information Commissioner's Office (ICO) stated that the introduction of national derogations is a matter of key significance and it would expect substantive involvement in this process. Its general approach is to favour replicating existing arrangements under the Data Protection Act 1998 (DPA) where experience shows that they work satisfactorily. New derogations should only be introduced where necessary for the effective functioning of the GDPR.
The ICO provides a response on each of the 14 themes raised by the DCMS. The key proposals are as follows:
Supervisory authority: The ICO is keen to maintain its supervisory authority role and current investigatory, corrective, authorisation and advisory powers under the DPA. It also seeks new powers to co-operate with both EU supervisory authorities and enforcement bodies outside the EU.
Sanctions: The ICO wishes to continue to be able to impose administrative fines itself, rather than requiring a court to do so. In addition to retaining its full range of enforcement powers, the ICO wishes to see the introduction of an offence prohibiting the intentional reversing or circumvention of technical or organisational measures taken to ensure that data are not attributable to identifiable persons.
Demonstrating compliance: Options are being considered by the ICO for the introduction of a national certification mechanism. This could involve a national accreditation body and approved external certification bodies carrying out the evaluation process, rather than the ICO certifying processing itself.
Archiving and research: The ICO wishes to retain the current exemption in relation to the disapplication of data subjects' rights in relation to personal data processed for research and archiving purposes.
Sensitive personal data: In the interests of 'future-proofing' UK data protection legislation, the ICO proposes that the Secretary of State should be able to authorise (by order) the processing of special category personal data for reasons of substantial public interest. Processing for the purpose of medical research is used as an explicit example.
Criminal convictions: The ICO is concerned that Article 10 of the GDPR, which governs the processing of criminal convictions, may cause difficulties for employers when recruiting for certain positions. The government is invited to consider this alongside its review of the current safeguards to the disclosure regime (i.e. filtering). A statutory code concerning employment practices is also proposed to address concerns relating to the processing of personal data without an individual's knowledge in a recruitment context.
Processing of children's personal data by online services: The GDPR provides that a child under 16 cannot give valid consent to the processing of their data for the provision of a service, unless the law of their Member State sets a lower age (to be no lower than 13). The ICO favours an approach where even quite young children can access appropriate online services without parental consent, provided that organisations have put other safeguards in place.
Public access to official documents: Article 86 permits Member States to provide by law for public access to personal data in official documents held by public bodies in certain cases. The ICO considers that the provisions of the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 (both of which contain exemptions around disclosure) will need to be re-assessed in the light of Article 86.
It is clear that the ICO would like to retain as many of the existing arrangements under the DPA as possible. However, its response does flag that some changes are inevitable and there are several issues which will need further consideration by the government before the national derogations can be finalised.
Organisations will be particularly interested to follow the developments on processing personal data in an employment context. The ICO emphasises that employers should be required to follow the same data protection rules as other data controllers, to save confusion on the part of both the employer and the employee.