Category: News

The Data Protection Bill (“DPBill”) based on the General Data Protection Regulation (“GDPR”) will, hopefully, call time on what always has been a problem. Controllers who believe that the delivery of health, education and social work public sector services have to rely on “data subject consent” for the processing of personal data related to those services. When the DPBill is enacted, any reliance on consent creates a problem because when a data subject withdraws consent, there is an expectation that

Under the current Data Protection Act (“DPA”), controllers need a Schedule 2 legal basis/ground to process personal data. Schedule 2 lists six main groupings and a controller has to select at least one from the list. If a controller does not have a legal basis/ground for the processing, then the controller cannot process the personal data – end of argument. So, it is surprising to discover that Clause 8 of the Data Protection Bill (“DPBill”), through the use of the word “includes”, can

The Government has added a completely new immigration control exemption to the Data Protection Bill (“DPBill”). This exemption does not appear in the Data Protection Act 1984 nor in the Data Protection Act 1998 so the question immediately arises as to “why an immigration exemption is now suddenly needed?”. The exemption is very broad; it is from all data subject’s rights (e.g. of access, information about the processing) if satisfying these rights would prejudice “the maintenance of effective immigration control” or “the

Unless the European Union (Withdrawal) Bill is modified, the new Data Protection Bill that implements the UK’s version of the GDPR (expected tomorrow) can be modified or even repealed using Ministerial powers that are not subject to detailed scrutiny.  Indeed, I will go so far to say that the European Commission would be advised not to grant the UK the status of offering an adequate level of protection until further legislative guarantees are enacted by the UK. So bad is

The ICO’s enforcement (or lack of enforcement depending on your view) in the Royal Free/DeepMind case has divided the data protection community. The ICO found that the Royal Free had breached four data protection principles, had breached the medical confidentiality of 1.6 million patients but concluded that such a breach warranted an Undertaking. Reaction from many data protection specialists has often been on the following lines: “If a breach on this scale involving millions of patients’ Health Sensitive Personal Data

A few comments on the Data Protection Bill as announced in the Queen's Speech. Note that it is a Bill (i.e. primary legislation) covering all aspects of data protection including law enforcement as does the current Data Protection Act. As is well known, Member State law can allow modifications to Articles 4(7), 4(9),  6(2), 6(3)(b), 6(4),  8(1), 8(3), 9(2)(a), 9(2)(b), 9(2)(g), 9(2)(h), 9(2)(i), 9(2)(j), 9(3), 9(4),  10,  14(5)(b), 14(5)(c), 14(5)(d),  17(1)(e), 17(3)(b), 17(3)(d), 22(2)(b),  23(1)(e),  26(1),  28(3), 28(3)(a), 28(3)(g), 28(3)(h),