Data Protection Act passes into law, implementing the GDPR - with significant extensions.
Parish councils have escaped being classed as 'public bodies' in a last minute amendment to the Data Protection Act, which entered into force along with the EU General Data Protection Regulation (GDPR) on Friday. This means that they will not be compelled to appoint full-time data protection officers, a suggestion which had alarmed many of England's smallest local authorities.
The new law, which replaces the now repealed 1998 Data Protection Act, 'Brexit-proofs' the GDPR by implementing its provisions in UK law so that they will continue to be in force after March 2019.
It also extends and clarifies the law in several areas, including preserving exemptions where individual EU member states have the power. For example, the act sets the age of consent for a child to sign up to 'information society services' at 13, rather than the 16 proposed by the GDPR.
It also preserves the budget of the Information Commissioner's Office by imposing a notification fee. The ICO is also granted new powers of entry and inspection.
Meanwhile, the exemption protecting 'public interest' journalism from subject access and data requests is also carried over to the new law. The act creates a new criminal offence of knowingly or recklessly to re-identifying individuals from de-identified personal data, for example by 'jigsaw' identification.
In the final debates on the bill - dominated by a fierce arguments over press regulation - Lord Ashton of Hyde (pictured), Lords minister for digital, culture, media and sport, said the Government had accepted House of Commons amendments covering parish and community councils. As 'public authorities' under the regulation, the bill would have required these authorities appoint a data protection officer.
Ashton noted, however: "We have concluded that as parish and community councils process very little personal data and often have few staff and small budgets, the burden that they will face may be disproportionate." As a result they were taken out of the public body category.
"Their status in respect of other legislation, including the Freedom of Information Act, is unaffected," he said.
Another Government amendment will allow political parties and elected representatives more latitude in processing personal information by adding “an activity that supports or promotes democratic engagement” to public interest provisions. However, Ashton stressed that "any processing of personal data in connection with these activities would have to be necessary for the purpose and have a legal basis".
Despite Parliament's last minute efforts, many concerns still hang over the way the new law will be interpreted, particularly if the UK's approach to data protection diverges significantly from that of remaining EU members. As Elizabeth Denham, the information commissioner, noted following the granting of Royal Assent: "The creation of the Data Protection Act 2018 is not an end point, it’s just the beginning."
Image from GOV.UK, Open Government Licence v3.0