2.1 Data Protection
The original Data Protection Act (DPA) became law in 1984, establishing legal obligations for organisations to act responsibly with respect to personal information; it was superseded by the Data Protection Act 1998. The UK's Data Protection Act 2018 (DPA 2018) replaces that earlier legislation in order to align UK law with the requirements of the EU's General Data Protection Regulation (GDPR), which came into force in May 2018.
GDPR replaces both national data protection legislation and a previous EU law going by the unwieldy name of Data Protection Directive 95/46/EC. GDPR provides a single set of data protection regulations across all EU member states. The introduction of a single EU-wide data protection regime is essential for any business or organisation wishing to operate across national boundaries, since differences in national data protection laws could mean that a data processing operation which was legal in one country would be illegal in another.
GDPR protects individuals in the EU (whatever their nationality) from abuses of data privacy by companies based in their own country as well as those based in other member states. Additionally, any organisation that processes the personal data of individuals in the EU, no matter where in the world it is based, is obliged to comply with GDPR. In the UK, the Information Commissioner's Office (ICO) is the supervisory authority (SA) responsible for enforcing the requirements set out in the GDPR.
The DPA 2018 increases the responsibility on companies to ensure personal data is protected at all times. GDPR requires an organisation to appoint a Data Protection Officer (DPO) where it is a public authority, or where its core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data (such as health or criminal-conviction data); the DPO is responsible for advising on the organisation's data protection obligations and monitoring its compliance with GDPR. This represents a major change from the DPA 1998, which did not require organisations to employ DPOs.
Under the older DPA 1998, businesses were encouraged to report data breaches to the Information Commissioner but were under no general obligation to do so. The DPA 2018 not only requires organisations to report breaches that are likely to put individuals' rights and freedoms at risk, but they must notify the SA within 72 hours of becoming aware of the breach (the actual breach might have taken place long before but gone undiscovered), and must inform the affected individuals without undue delay where the risk to them is high.
Alongside greater requirements for organisations to protect data, the GDPR increases the penalties on those that fail to do so with a set of escalating penalties:
- a written warning for relatively minor breaches, first offences or unintentional non-compliance;
- regular data protection audits to ensure a business that experienced a breach has come into compliance with GDPR;
- a fine of up to €20 million or 4% of a business's annual global turnover, whichever is greater, for the most serious infringements (a lower tier of up to €10 million or 2% of turnover applies to others). Remember that the DPA 1998 had a maximum fine of just £500,000.
One area of change in the DPA 2018 concerns pseudonymisation: the process by which personal identifiers, such as a person's name, address or national insurance number, are replaced with a tag so that the record can no longer be attributed to a specific person without additional information (for example a lookup table or a secret key), which must be kept separately and protected.
Pseudonymisation is widely used where personal data is exchanged between organisations. An example might be a hospital patient receiving novel treatment. Their patient record containing their genuine name and address is used by their doctors, but a pseudonymised record with a random name might be shared with medical researchers.
Unfortunately, pseudonymisation is not perfect. It can be defeated relatively easily if the original records (or the mapping between pseudonyms and real identities) are stored without the proper level of security, or if the algorithm that converts genuine personal data into pseudonyms is unsecured, for instance an unkeyed hash that anyone can recompute from a list of candidate names. As part of its implementation of GDPR, the DPA 2018 places new responsibilities on organisations using pseudonymisation to ensure that attackers cannot easily re-identify the individuals concerned. Note that pseudonymised data still counts as personal data under GDPR, because it can be re-attributed to a person using the additional information; only data that has been genuinely anonymised falls outside the regulation.
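To make the weakness concrete, the following Python is an added example (not code from the original text or from any real hospital system) that pseudonymises a set of constructed, fictional patient records in two ways: with a plain unkeyed SHA-256 hash, and with an HMAC under a secret key kept separately from the shared data. It then runs the dictionary attack a researcher or intruder could mount with only a list of guessable names. All record contents, names and the function names are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for fictional patients (not real people).
RECORDS = [
    {"name": "Alice Example", "postcode": "AB1 2CD", "treatment": "trial drug X"},
    {"name": "Bob Sample", "postcode": "EF3 4GH", "treatment": "trial drug X"},
    {"name": "Carol Placeholder", "postcode": "IJ5 6KL", "treatment": "standard care"},
]

# A list of names an attacker could plausibly obtain (staff directory,
# electoral roll, social media). Constructed for the example.
CANDIDATE_NAMES = [
    "Alice Example", "Bob Sample", "Dave Decoy", "Erin Unrelated",
]


def normalise(value: str) -> str:
    """Canonicalise an identifier so 'Alice  Example ' and 'alice example' match."""
    return " ".join(value.strip().lower().split())


def pseudonym_unkeyed(identifier: str) -> str:
    """Weak pseudonym: a plain hash that anyone who can guess the input can recompute."""
    return hashlib.sha256(normalise(identifier).encode()).hexdigest()


def make_keyed_tagger(key: bytes):
    """Return a pseudonym function bound to a secret key (HMAC-SHA256).

    The key is the 'additional information' GDPR expects to be stored separately;
    without it, the tag cannot be recomputed from a guessed name.
    """
    def pseudonym_keyed(identifier: str) -> str:
        return hmac.new(key, normalise(identifier).encode(), hashlib.sha256).hexdigest()
    return pseudonym_keyed


def share_for_research(records, tag_fn):
    """Produce the records a hospital would hand to researchers.

    Direct identifiers (name, postcode) are dropped and replaced by a tag,
    so researchers can still link multiple records for the same patient.
    """
    return [{"patient_tag": tag_fn(r["name"]), "treatment": r["treatment"]}
            for r in records]


def reidentify(shared_records, candidate_names, tag_fn):
    """Dictionary attack: recompute the tag for every guessable name and match.

    Returns a mapping of tag -> real name for every record that was re-identified.
    """
    lookup = {tag_fn(name): name for name in candidate_names}
    return {r["patient_tag"]: lookup[r["patient_tag"]]
            for r in shared_records if r["patient_tag"] in lookup}


def demo():
    """Run both schemes and report how many patients the attacker recovers."""
    weak_shared = share_for_research(RECORDS, pseudonym_unkeyed)
    weak_hits = reidentify(weak_shared, CANDIDATE_NAMES, pseudonym_unkeyed)

    key = secrets.token_bytes(32)          # kept by the hospital, never shared
    strong_shared = share_for_research(RECORDS, make_keyed_tagger(key))
    # The attacker does not have the key, so the best they can do is try the
    # unkeyed hash (or HMAC under a guessed key); neither matches.
    strong_hits = reidentify(strong_shared, CANDIDATE_NAMES, pseudonym_unkeyed)

    return {"unkeyed_reidentified": sorted(weak_hits.values()),
            "keyed_reidentified": sorted(strong_hits.values())}


if __name__ == "__main__":
    print(demo())
```

Two practical points follow from the code. First, the keyed scheme is only as good as the separation of the key from the shared data: if the key (or a name-to-tag table) is stored alongside the research extract, the attacker simply runs `make_keyed_tagger` themselves. Second, the example removes the postcode as well as the name; quasi-identifiers such as postcode, date of birth or rare treatments can re-identify people by linkage even when the name tag itself is unbreakable, so the fields left in the shared record need the same scrutiny as the pseudonymisation algorithm.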
The right to erasure
Many people have previously done or said something that now causes them great embarrassment, or which harms their prospects of a settled family life or employment. In previous generations, many of these indiscretions would have been forgotten in a few years, but digital technologies, especially social media, allow people’s past failings to come back to haunt them. An example might be a petty crime, such as vandalism, committed by a child who was punished by a court whose hearing was reported by a local newspaper. A few years later, the same individual stands for public office, and is the subject of attacks over their ‘criminal history’ by political opponents and a hostile media.
A concept of 'the right to be forgotten' was included in the European Commission's 2012 draft of the regulation, which would have allowed people to request that personal data be removed from search engines and websites because it was untrue or no longer relevant. The final GDPR adopted a more limited 'right to erasure', which allows people to have their personal data erased where, for example, the data has been processed unlawfully, is no longer needed for the purpose it was collected for, or the person withdraws consent or objects and the organisation has no overriding legitimate grounds for keeping it. The right is not absolute: it can be refused where the processing is necessary for purposes such as freedom of expression, legal obligations or public health.
Data protection by design and by default
The Data Protection Act 2018, giving effect to GDPR, requires the organisations that design new data processing systems to consider the privacy implications of the system at the outset rather than once it is complete. As part of this, data controllers must process only as much personal data as is necessary to complete a task (data minimisation), must delete data when it is no longer needed for its original purpose, and must ensure that by default personal data is not made accessible to other people or organisations without the individual's consent or intervention.
With the principles of GDPR written into the UK's Data Protection Act 2018, they continue to be important requirements for systems that collect and process the personal data of people in the UK irrespective of the UK's membership of the European Union (after the UK left the EU, the regulation's text was retained in domestic law as the 'UK GDPR', applied alongside the DPA 2018). It is also important to note that the Act is not limited to enacting the provisions of the GDPR: it includes aspects of data collection and processing that fall under UK national jurisdiction, such as those relating to immigration and law enforcement.
Next, you’ll learn about The Investigatory Powers Act.