The Data Protection Act 2018 was given Royal Assent on 23 May 2018, but what exactly does this mean for charities, and what is its purpose when we already have the General Data Protection Regulation (GDPR)?
The GDPR is, as readers will be aware, EU law, and therefore applies across all member States. It contains a number of areas where an individual country had some discretion over how something would apply. To facilitate this, and to ensure that the provisions of the GDPR remain valid at the point of Brexit, the Data Protection Act 2018 has been passed. It largely deals with how information relating to criminal activity and security services is dealt with, but there are a few useful sections that will be particularly relevant to charities.
- 1. The existing exemptions to the right of access still exist
This includes the exemption where release would also mean disclosure of another person’s personal data, and includes more detail on what to think about if you are relying on the fact that you do not have consent from the third party.
Some of the exemptions apply to other rights too – such as the right to erasure and the right to data portability. The detail of this is outside of the scope of this note, but it’s worth knowing that the exemptions exist.
- 2. Protection of economic wellbeing is a substantial public interest
Sensitive personal data can only be used by an organisation where it meets one of the specific criteria in the GDPR which makes that use lawful. One lawful use is where that use is in the “substantial public interest”. The Act sets out various circumstances that fit this, and the protection of economic wellbeing of those at risk is one. This means that charities who work with vulnerable individuals will be able to transfer personal data about those individuals to other organisations who can assist them, without their consent, if the transfer will assist with that individual’s economic wellbeing.
- 3. Safeguarding information is protected – allowing necessary disclosure and preventing access where appropriate
There are specific provisions in the Act which mean that it’s easier to refuse to release safeguarding information where to do so would not be in the interests of the child or vulnerable adult involved. The Act also allows for disclosures where such a disclosure would be in the interests of the child or vulnerable adult, by recognizing that such disclosures are in the “substantial public interest”.
- 4. DBS information can still be used
Information about criminal convictions was expressly excluded from the GDPR, and so the Act deals with how and when this can be used. Charities are given a special exemption, allowing them to hold and use this information where appropriate. Not that we would have expected anything else, but it is useful to have this spelt out.
- 5. You will need some additional policies
As previously reported, you will need additional policies if you do hold sensitive data for employment purposes. You will also need a policy if you are relying on any of the substantial public interest grounds to process sensitive data – so safeguarding and economic wellbeing information will need a mention.
The Act has a variety of jobs to do – it has to amend the GDPR so that references to EU law become national law, it has to deal with the areas where the UK has discretion over particular provisions, it has to provide more detail for the processing of criminal records and security service information, and has to ensure that the UK remains a “safe place” for the remaining EU member States to transfer personal data to post Brexit. So whilst all 339 pages are not strictly relevant to the day to day interpretation, there are a number of helpful areas in there, and we now have a complete picture as to how the UK expects data protection to look for the immediate future.