The processing of personal data in the UK has been regulated by the Data Protection Act 1998 since 2 March 2000. This UK Act implemented EU Directive 95/46/EC. This will be replaced by the General Data Protection Regulation 2016/679, which came into force in May 2016 but will be enforced from 25 May 2018. It is an EU regulation, which applies directly across all 28 EU member states. As the UK will still be in the EU at that date, the UK Government expects all business to comply. In relation to the UK’s plans to leave the EU, the intention is that the GDPR will become part of UK law through the EU Withdrawal Act.
There will also be a new UK Data Protection Act 2018 (which, at the time of writing, is still in draft form). This will contain additional requirements from the UK Government in relation to the processing of personal data.
The UK Data Protection Act 2018 also contains the UK provisions implementing the EU Law Enforcement Directive, which regulates how investigatory bodies, including the police, handle personal data.
|Data Protection Act 1998||GDPR|
||Data There is no specific definition under the GDPR but the regulation applies to the processing of personal data wholly or partly by automated means and to processing other than by automated means of data which forms part of a filing system or which is intended to form part of a filing system. Filing System (Art 1(6)) Any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis. Personal Data (Art 4(1)) Any information relating to an identified or identifiable natural person.|
|Data Controller (s1) A person who (either alone or jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data are, or are to be, processed.||Data Controller (Art 4(7)) The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes, conditions and means of the processing of personal data.|
|Data Processor (s1) In relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.||Data Processor (Art 4(8)) A natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.|
|Data Subject (s1) A living individual who is the subject of personal data.||Data Subject (Art 4(1)) An identified natural person or a natural person who can be identified, directly or indirectly, by means reasonably likely to be used by the controller or by any other natural or legal person, in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.|
|Special Categories of Data /Sensitive Personal Data (s2)
Personal data consisting of information as to:
||Special Categories of Data (Arts 9 &10) Personal data which is revealing race or ethnic origin, political opinions, religion or beliefs, trade union membership, and the processing of genetic data or data concerning health or sex life or criminal convictions or related security measures. Genetic Data (Art4(13)) All data, of whatever type, concerning the characteristics of an individual which are inherited or acquired during early prenatal development. Biometric Data (Art 4(14)) Any data relating to the physical, physiological or behavioural characteristics of an individual which allow their unique identification, such as facial images or dactyloscopic (fingerprint) data. Data Concerning Health (Art4(15)) Any information which relates to the physical or mental health of an individual, or to the provision of health services to the individual.|
In relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:
||Processing (Art 4(2)) Any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, erasure or destruction.|
|Data Subject's Consent Any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.||Data Subject's Consent (Art 4(11)) Any freely given specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed. Article 7 sets out further conditions for consent and how it must be demonstrated.|
|Data Breach A contravention of the data protection principles [but this is not really a defined term under the Data Protection Act 1998].||Personal Data Breach (Art 4(12)) A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.|
|Child (s66) A person of 12 years of age or more shall be presumed to be of sufficient age and maturity to have legal capacity in Scotland but only if they have a general understanding of what it means to exercise that right.||Child (Art 8) Any person below the age of 18 years. If the processing relates to the offering of information to social services (social media), then the relevant age is 16. A lower age can be set by member states by not less than 13.|
|Article 29 Working Party Advisory body comprising representatives from the member states’ data protection authorities and the European Data Protection Supervisor.||European Data Protection Board (Art 68) An EU-level body that will oversee implementation and enforcement of the regulation. It will issue guidance and oversee the compliance mechanism designed to ensure consistency throughout the member states.|
|Recipient (s70) Any person to whom the data are disclosed, including any person (such as an employee or agent of the data controller, a data processor or an employee or agent of a data processor) to whom they are disclosed in the course of processing the data for the data controller, but does not include any person to whom disclosure is or may be made as a result of, or with a view to, a particular inquiry by or on behalf of that person made in the exercise of any power conferred by law.||Recipient (Art 4 and 13-15) A natural person or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party of not. Some public authorities who receive personal data in the framework of an inquiry in compliance with EU or UK law and other rules are not regarded as recipients, ie police or other investigatory body.|