Recently, having worked and trained a number of people on the Data Protection Act 2018 (DPA18), I’ve noticed a few people struggle to get their head around it and how it’s structured. And to be fair, I can’t really blame them. It’s not exactly, what you might say, a tidy piece of legislation. In my experience England & Wales (and/or the United Kingdom) very rarely writes ‘tidy’ legislation. And with the drafting of the DPA18, given the election and 25 May deadline, the Government certainly didn’t disappoint.
Outside of establishing the rules for using Personal Data for ‘Law Enforcement’ & National Security purposes (and tidying up the ICO’s ‘powers’ from other bits of legislation) the DPA has 2 main purposes. One is to provide further clarification on certain grounds for processing (Article 6 and Article 9) that are not defined in the GDPR and the other is to provide detail on the ‘derogations’, or as we call them, the ‘Exemptions’ to the GDPR.
For clarity, a ‘derogation’ or ‘exemption’ is a way of not doing something that you would normally be required to do under the GDPR if that obligation is likely to cause harm or prejudice to something. There are a number of scenarios where you could legitimately need to avoid complying with the GDPR/DPA, especially if harm would come to you, them or others. Therefore the DPA outlines a number of scenarios whereby, if complying with certain parts of the GDPR/DPA would infringe your ability to do something, you can look to exempt yourself from complying with that particular aspect.
There are 30 or so different exemptions in the DPA2018 spread out across Schedules 2, 3 & 4. Rather than a long list of them, as in the old Data Protection Act 1998, we now have them grouped together and spread out a little more. Each ‘grouping’ scopes different parts of the GDPR for potential exemption, and all of them require, to some degree, evidence that not applying the exemption would affect the purpose of what you are trying to achieve (or would result in serious harm to the individual). The exemptions can be grouped together into logical groups, for example:
Data used for legalistic purposes
Data used for regulatory purposes
Data relating to third parties
Data subject to confidentiality
Data used for journalistic & academic purposes
Medical, Educational, Social Care & Child Abuse Data
Each group has different rights in scope for exemption, a summary of which can be found below. NOTE: this only shows the rights that are in scope for exemption based on what you are doing. It does not mean you automatically qualify for exemption, as you must demonstrate applicability and 'prejudice' when looking to apply one.
If you have not started to look at the DPA2018 yet (and yes, there are a few that haven’t, as they thought it was all in the GDPR) I highly recommend doing so. What worked well for me (while I was still ‘in-house’ as the GDPR lead back at Essex County Council) was sitting down with my counterpart manager (another suitable colleague would suffice) in an out-of-the-way room and reading through it. We had everything from the old Data Protection Act 1998 (DPA98) with us and we went through the DPA18 and DPA98 bits side by side. If the old exemption wording was the same in the new law as in the old law, then we had minimal issues other than to change templates, processes and training of relevant staff. However, where there were substantial changes in wording, we went through them to see what this meant and if it could pose any issues for us.
This little exercise was invaluable to us and helped us scope out what the nature of the change was, the scope of work needed, and what sort of benefits or headaches we might face.
As a side note, if you can do it with access to gin, I highly recommend that as well - it makes the whole experience go much faster and a little more enjoyable.
Keep an eye out for future blog posts as we work our way through the various exemptions, what is meant by 'prejudice', look at any guidance from the ICO and other sources, and possibly even start to see some cases and decision notices around the application of the exemptions.