Data Protection Bill (DPB) to replace The Data Protection Act 1998

The​ ​Data​ ​Protection​ ​Bill​ (DPB) ​was​ ​announced​ ​in​ ​the​ ​Queen’s​ ​Speech​ ​on​ ​21 June​ ​2017 and will replace the ​Data​ ​Protection​ ​Act​ ​1998​.  The aim of the DPB is to modernise ​the​ ​data​ ​protection​ ​laws​ ​in​ ​the​ ​UK​ ​to​ ​make​ ​them​ ​fit​ ​for purpose​ ​for​ ​our​ ​increasingly​ ​digital​ ​economy​ ​and​ ​society.

The Department for Digital, Culture, Media and Sport state that the main​ ​elements​ ​of​ ​the​ ​Bill​ ​are:

General data processing

  • Implement​ ​the​ ​General Data Protection Regulation​ (GDPR) ​standards​ ​across​ ​all​ ​general​ ​data​ ​processing.
  • Provide​ ​clarity​ ​on​ ​the​ ​definitions​ ​used​ ​in​ ​the​ ​GDPR​ ​in​ ​the​ ​UK context.
  • Ensure​ ​that​ ​sensitive​ ​health, ​ ​social​ ​care​ ​and​ ​education​ ​data​ ​can continue​ ​to​ ​be​ ​processed​ ​to​ ​ensure​ ​continued​ ​confidentiality​ ​in health​ ​and​ ​safeguarding​ ​situations​ ​can​ ​be​ ​maintained.
  • Provide​ ​appropriate​ ​restrictions​ ​to​ ​rights​ ​to​ ​access​ ​and​ ​delete​ ​data to​ ​allow​ ​certain​ ​processing​ ​currently​ ​undertaken​ ​to​ ​continue​ ​where there​ ​is​ ​a​ ​strong​ ​public​ ​policy​ ​justification, ​ ​including​ ​for​ ​national security​ ​purposes.
  • Set​ ​the​ ​age​ ​from​ ​which​ ​parental​ ​consent​ ​is​ ​not​ ​needed​ ​to​ ​process data​ ​online​ ​at​ ​age​ ​13.

Law enforcement processing

  • Provide​ ​a​ ​bespoke​ ​regime​ ​for​ ​the​ ​processing​ ​of​ ​personal​ ​data​ ​by the​ ​police, ​ ​prosecutors​ ​and​ ​other​ ​criminal​ ​justice​ ​agencies​ ​for​ ​law enforcement​ ​purposes.
  • Allow​ ​the​ ​unhindered​ ​flow​ ​of​ ​data​ ​internationally​ ​whilst​ ​providing safeguards​ ​to​ ​protect​ ​personal​ ​data.

National security processing

  • Ensure​ ​that​ ​the​ ​laws​ ​governing​ ​the​ ​processing​ ​of​ ​personal​ ​data​ ​by the​ ​intelligence​ ​services​ ​remain​ ​up-to-date​ ​and​ ​in-line​ ​with modernised​ ​international​ ​standards, ​​including​ ​appropriate safeguards​ ​with​ ​which​ ​the​ ​intelligence​ ​community​ ​can​ ​continue​ ​to tackle​ ​existing, ​ ​new​ ​and​ ​emerging​ ​national​ ​security​ ​threats.

Regulation and enforcement

  • Enact​ ​additional​ ​powers​ ​for​ ​the​ ​Information​ ​Commissioner​ ​who​ ​will continue​ ​to​ ​regulate​ ​and​ ​enforce​ ​data​ ​protection​ ​laws.
  • Allow​ ​the​ ​Commissioner​ ​to​ ​levy​ ​higher​ ​administrative​ ​fines​ ​on​ ​data controllers​ ​and​ ​processors​ ​for​ ​the​ ​most​ ​serious​ ​data​ ​breaches, ​ ​up​ ​to £17m​ ​(€20m) ​ ​or​ ​4%​ ​of​ ​global​ ​turnover​ ​for​ ​the​ ​most​ ​serious breaches. Empower​ ​the​ ​Commissioner​ ​to​ ​bring​ ​criminal​ ​proceedings​ ​against offences​ ​where​ ​a​ ​data​ ​controller​ ​or​ ​processor​ ​alters​ ​records​ ​with intent​ ​to​ ​prevent​ ​disclosure​ ​following​ ​a​ ​subject​ ​access​ ​request.

The Data Protection Bill is likely to include specific provisions about health records.  Therefore, once the Bill is published we will ask Diana Kloss to undertake a comprehensive review of the Bill and advise what if any changes may be required within our software to enable all of our customers, whether in the Public, Private or Third Sector, to be compliant with the GDPR from 25th May 2018 and the Data Protection Bill.

The Government will also publish fact sheets​ ​covering​ ​​the​ ​Bill these can be found at: