Data Protection in the United Kingdom
Latest revision as of 15:42, 25 November 2020
| Data Protection in the United Kingdom | |
|---|---|
| Data Protection Authority: | ICO (UK) |
| National Implementation Law (Original): | Data Protection Act 2018 |
| English Translation of National Implementation Law: | n/a |
| Official Language(s): | English |
| National Legislation Database(s): | Link |
| English Legislation Database(s): | n/a |
| National Decision Database(s): | BAILII (https://www.bailii.org/) |
Legislation
History
The first Act of Parliament concerning data protection was the Data Protection Act 1984 (https://www.legislation.gov.uk/ukpga/1984/35/pdfs/ukpga_19840035_en.pdf). This was repealed when Directive 95/46/EC came into force. The national act which implemented the EU Directive was the Data Protection Act 1998 (https://www.legislation.gov.uk/ukpga/1998/29/contents/enacted).
Subsequently, when the General Data Protection Regulation 2016/679 was enacted, it was transposed into national law through the Data Protection Act 2018 (https://www.legislation.gov.uk/ukpga/2018/12/contents).
National constitutional protections
As the constitution of the United Kingdom is unwritten and uncodified, the constitutional protection of rights is not derived from the constitution per se. Rather, there are certain "civil liberties" that have gained a higher level of protection domestically. Unfortunately, the right to data protection or privacy is not currently one of them.
The UK has enshrined the European Convention on Human Rights (ECHR) into national law through the Human Rights Act 1998 (HRA) (https://www.legislation.gov.uk/ukpga/1998/42/contents). The ECHR rights are therefore directly applicable in the UK. This includes Article 8 (right to privacy), which encompasses the right to data protection. According to case law, this Act of Parliament (HRA) has been granted constitutional status: it cannot be repealed "implicitly", as is the case with ordinary Acts of Parliament, but only "explicitly". This was first outlined in Thorburn v Sunderland City Council in 2002 (https://www.bailii.org/ew/cases/EWHC/Admin/2002/195.html) and reiterated in HS2 Action Alliance Ltd, R (ex parte) v The Secretary of State for Transport in 2014 (https://www.bailii.org/uk/cases/UKSC/2014/3.html). Nonetheless, it is important to note that whilst the HRA's constitutional status grants it further protection, it cannot be equated to the protection afforded when a right is enshrined in the written Constitution of a country, as the UK Parliament still has the right to create an Act of Parliament that goes against it, so long as it expressly repeals the HRA (principle of parliamentary sovereignty).
National GDPR implementation law
In the United Kingdom, the GDPR has been transposed into national law through the Data Protection Act 2018 (https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted). The application of the GDPR is, however, limited during the UK's transition period out of the EU (in the context of Brexit). This is clear from Title VII (Articles 70-74) of the Agreement on the Withdrawal of the UK from the EU (https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A12019W%2FTXT%2802%29). At this point in time, it is uncertain what will happen beyond the end of the transition period (31 December 2020). Although there is speculation that the UK will continue to apply the GDPR post-Brexit, this has not been confirmed. Another question that has garnered a lot of attention is whether the UK will be granted an "adequacy" decision, such that it will be seen as offering a level of protection for personal data essentially equivalent to that offered in the EU.
Age of consent
In the United Kingdom, it is legally presumed that anyone is entitled to enter into a contract, unless an exception applies. One of these exceptions relates to minors. Article 1 of the Family Law Reform Act 1969 (https://www.legislation.gov.uk/ukpga/1969/46) sets the age of majority at 18 years. Consequently, the age of consent in English contract law is 18. However, minors can make valid contracts for purposes of 'necessity' (such as food or clothing) at any age (Ryder v Wombell [1868] LR 4 Ex Ch 32 D 165). Furthermore, minors will be deemed bound by a contract if it is for their benefit (De Francesco v Barnum [1819] 43 Ch D165). However, the Minors' Contracts Act 1987 (https://www.legislation.gov.uk/ukpga/1987/13?timeline=false) states that an 18-year-old can ratify an unenforceable contract entered into when they were under 18 years old.
Freedom of Speech
Article 26 of Part 5 of Schedule 2 of the Data Protection Act 2018 (https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted) provides an exemption for processing for reasons of freedom of expression where it is for journalistic, academic, artistic and literary purposes. This exemption is based on Article 85(2) GDPR.
According to Article 26(3) of the 2018 Act, certain GDPR provisions (listed in Article 26(9)) will not apply where the controller "reasonably believes" that these provisions would be incompatible with the aforementioned purposes. This is only the case where processing is carried out for the publication of journalistic, academic, artistic and literary material and where the controller "reasonably believes" that publication would be in the "public interest" (Article 26(2)). There are various factors to consider when determining whether publication would be in the public interest (Articles 26(4) to 26(6)). Article 26(4) states that a controller must take into account the "special importance of the public interest in the freedom of expression and information", whereas Article 26(5) states that a controller must also have regard for the relevant codes and practices listed, namely the BBC Editorial Guidelines (https://www.bbc.co.uk/editorialguidelines/), the Ofcom Broadcasting Code (https://www.ofcom.org.uk/tv-radio-and-on-demand/broadcast-codes/broadcast-code), or the Editors' Code of Practice (https://www.ipso.co.uk/editors-code-of-practice/).
Employment context
When processing of personal data is necessary for the purposes of "performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection", Part 1 of Schedule 1 of the Data Protection Act 2018 (https://www.legislation.gov.uk/ukpga/2018/12/schedule/1/paragraph/1/enacted) requires the controller to have an "appropriate policy document". This policy document is defined in paragraph 39 of Part 4 of Schedule 1. In particular, the policy document must (1) explain the controller's procedures for ensuring compliance with the principles in Article 5 and (2) explain the controller's policies regarding the retention and erasure of personal data, and indicate how long such personal data is likely to be retained.
Where personal data is processed in reliance on this policy document, paragraph 40 of Part 4 of Schedule 1 states that the controller must, during the relevant period, retain the policy document, review it from time to time, and make it available to the Commissioner on request and without charge. Here the "relevant period" is defined as the period beginning when the controller begins the processing of personal data and ending six months after the controller has ceased to carry out the processing (para. 40(2) of Part 4 of Schedule 1).
Furthermore, according to paragraph 41 of Part 4 of Schedule 1, the controller is required to maintain a record of processing (in line with Article 30 GDPR), which must detail which condition is relied upon for the processing, how the processing satisfies Article 6 GDPR, and whether the personal data is retained and erased in accordance with the controller's policy document.
The Data Protection Act 2018 also restricts certain data subject rights, including subject access, with regard to employment references. Paragraph 24 of Schedule 2 states that the GDPR provisions Article 13(1) to (3), Article 14(1) to (4) and Article 15(1) to (3) do not apply to personal data consisting of a reference given (or to be given) in confidence for the purposes of:
- the education, training or employment (or prospective education, training or employment) of the data subject,
- the placement (or prospective placement) of the data subject as a volunteer,
- the appointment (or prospective appointment) of the data subject to any office, or
- the provision (or prospective provision) by the data subject of any service.
Research, Statistics and Archiving
Article 27 of Part 6 of Schedule 2 of the Data Protection Act 2018 provides derogations from certain GDPR rights where personal data is processed for scientific or historical research or statistical purposes, in line with Article 89 GDPR. Concretely, the GDPR rights which can be derogated from are:
- Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
- Article 16 (right to rectification);
- Article 18(1) (restriction of processing);
- Article 21(1) (objections to processing).
Article 27 states that these GDPR provisions do not apply to personal data processed for scientific or historical research purposes or statistical purposes to the extent that the application of the provisions "would prevent or seriously impair the achievement of the purposes in question". However, this is subject to the conditions in Article 27(3), which states that these derogations can only be applied where (1) the personal data has been processed in accordance with Article 89(1) GDPR, and (2) the results of the research and statistics do not disclose the identity of the data subject.
Similarly, Article 28 of Part 6 of Schedule 2 provides an exemption for archiving in the public interest, which states that the listed GDPR provisions do not apply to "personal data processed for archiving purposes in the public interest to the extent that the application of those provisions would prevent or seriously impair the achievement of those purposes". The GDPR rights that can be derogated from for archiving purposes are:
- Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);
- Article 16 (right to rectification);
- Article 18(1) (restriction of processing);
- Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);
- Article 20(1) (right to data portability);
- Article 21(1) (objections to processing).
Like Article 27, this provision is subject to the condition in Article 28(3), which requires that the personal data be processed in accordance with Article 89(1) GDPR.
National ePrivacy Law
The Privacy and Electronic Communications (EC Directive) Regulations 2003 (https://www.legislation.gov.uk/uksi/2003/2426/made) is the Statutory Instrument that implemented the ePrivacy Directive 2002/58/EC. The Privacy and Electronic Communications Regulations (PECR for short) operate alongside the Data Protection Act 2018 and the GDPR, and give people specific privacy rights in relation to electronic communications. In particular, PECR regulates marketing calls, emails and texts, cookies, and customer privacy as regards traffic and location data, and helps to keep communications services secure. The UK's Data Protection Authority, the ICO, is also competent to enforce PECR. The powers granted to the ICO to enforce PECR include monetary penalties, criminal prosecution, non-criminal enforcement and audit.
Data Protection Authority
The Information Commissioner's Office (ICO) is the national data protection authority for the United Kingdom. The requirement for the appointment of an Information Commissioner can be found in Paragraph 114 of Part 5 of the Data Protection Act 2018. Paragraph 115 of Part 5 details the general functions conferred upon the Commissioner. The current Information Commissioner is Elizabeth Denham, who was appointed in 2016.
The ICO is primarily funded by organizations paying the data protection fee, which accounts for around 85% to 90% of the ICO’s annual budget. Under the Data Protection Act 2018, organizations processing personal data must pay a data protection fee, unless they are exempt.
→ For details, see ICO (UK)
Judicial protection
Tribunals
Paragraph 166 of Part 6 of the Data Protection Act 2018 gives a data subject the right to bring a complaint before a Tribunal if the ICO fails to take appropriate steps to respond to the complaint, fails to provide information within three months, or fails to inform the data subject of the progress of its consideration of the complaint within three months. The Tribunal may order the ICO to take appropriate steps to respond to the complainant, or to inform the complainant of the progress or outcome of the complaint.
Paragraph 162 of Part 6 of the Data Protection Act 2018 grants a data subject who has been given a notice the right to appeal to a Tribunal. The data subject should lodge the appeal with the First-tier Tribunal (Information Rights) within 28 calendar days of receiving the notice. If an appeal raises particularly complex or important issues, it may be transferred to the Upper Tribunal (Administrative Appeals Chamber). The Upper Tribunal also hears appeals against decisions of the First-tier Tribunal (Information Rights). Appeals against decisions of the Upper Tribunal are heard in the Court of Appeal.
Civil and Administrative Courts
There is no distinction between Civil and Administrative courts in the UK other than different "Divisions" of the same court.
Paragraph 167 of Part 6 of the Data Protection Act 2018 gives the data subject the right to claim a remedy in court. Although the GDPR gives the data subject a right to claim compensation from an organization if they have suffered damage as a result of it breaking data protection law, the ICO cannot award compensation. Therefore, data subjects have to go before a court to claim compensation. Typically, such a claim will first be brought in the Small Claims Court.