Plain English Data Protection Act 2018 – Part 2

Anonymous Henry Kissinger

Part 2 – General Processing

I’d go get yourself a pot of coffee. Part 2 is going to be a long one. I get the feeling that the UK was attempting to outdo the European Union in unnecessary verboseness. Current thinking is that they won. I’ll attempt to keep a scoreboard.

Now I see problems or issues on the horizon throughout this Part, but don’t think me against this legislation. I definitely have issues with its writing, but we are attempting to protect people’s privacy here in the UK and I am strongly for this. I’m sure we’ll give this a go again in 10 years or so, but till then we need to see what ideas are here and how we can work with them to create a more secure digital world for ourselves.

Chapter 1 – Scope and Definitions

Section 4 – Processing to which this Part applies

Start as you mean to go on I suppose. We’ve got a section that pre-defines two upcoming chapters just to give you a heads up. Essentially Chapter 2 is all about processing of personal data to which the GDPR applies and Chapter 3 is all about the processing of personal data to which the GDPR does not apply. Why that can’t be defined in those chapters is anybody’s guess.

Section 5 – Definitions

Holy cow, 8 subsections essentially stating that all terms in the GDPR mean the exact same thing unless they don’t because they are re-defined in this legislation. I really need to get a job writing legislation. The current guy writes like the time Joey used a thesaurus for every word in his resume on Friends.

Chapter 2 – The GDPR

Section 6 – Meaning of “controller”

Can’t see why this was re-defined. Perhaps because it is a central theme of the document, but this is as far as I can see the same meaning as in the GDPR.

Section 7 – Meaning of “public authority” and “public body”

Ooh, here’s the first little gem. So this relates these terms to UK based public authorities as defined in their relevant legislation. For example, Scottish Public Authorities as defined by the Freedom of Information (Scotland) Act 2002 (asp 13). But there is a caveat. It only counts when that body is performing a task carried out in the public interest or in the exercise of an official authority it has been vested with. Seems like a nice touch, if any public authority goes above and beyond its remit then we’ll give them a little rap on the knuckles.

And I’m not sure on this, but community councils have been disavowed the title of public authority. It seems like this will rear its head sometime in the future.

Section 8 – Lawfulness of processing: public interest etc

This seems fairly coherent: referencing Article 6(1) of GDPR, it expands upon the earlier definition. Which is mostly just saying that the government can process data in relation to running a government, but one neat little idea sneaks its way in. Public interest includes an activity that supports or promotes democratic engagement. Could you not argue that Russian use of social media to influence elections is actually an activity that supports democratic engagement, especially since it riles up a section of the citizenry to get up and vote?

Section 9 – Child’s consent in relation to information society services

We’ve reduced the key age from 16 years down to 13 years. I can see the sentiment, but with the likes of Snapchat, I’d expect this is going to bring a world of hurt the more prevalent kids sending pictures of their butts or whatnot is recognized as child pornography rather than kids being dumb.

Not sure where I stand on this.

Section 10 – Special categories of personal data and criminal convictions etc data

We’re tying the GDPR back to UK law here, but it does bring up GDPR Article 9(1)(g) where “substantial public interest” is mentioned. I had to look back and this was written in GDPR first. However, I do not seem to have a definition for the difference between public interest and substantial public interest.

We’ve got a mention of something here saying that regulations are subject to the “affirmative resolution procedure”. Never heard of it. Perhaps we’ll get a definition later?

Section 11 – Special categories of personal data etc: supplementary

I see a neat provision in Section 2(b) where GDPR Article 10 is nuanced with UK law. But it makes provision that personal data can lawfully be processed for “an offense committed or alleged to have been committed”. Now that makes sense. If I’m accused of a crime then I can’t run to the police and say they need to delete all of my personal details. However, we know that processing also includes storing data. So there lies the possibility that the government can retain data about all allegations against a citizen for an undetermined amount of time. Allegations don’t stop being allegations just because they were proven false.

Section 12 – Limits on fees that may be charged by controllers

Not as interesting as the title would suggest, we’re just saying that the Secretary of State specifies limits on fees in relation to the instances in the GDPR that reference “reasonable fees”. The odd thing here is that they reference “The” Secretary of State. There are currently 18 Secretaries of State which generally refer to heads of departments. It is not clear if this refers to a specific Secretary of State or if all of them have this ability.

The plot thickens in relation to procedures as these regulations are subject to the “negative resolution procedure”?

Section 13 – Obligations of credit reference agencies

These are a bit vague. They needed to be included as we didn’t want everyone to just ask the credit agencies to forget all of their data. However, they say that these agencies can process data related to financial standing. That seems like a statement that could be abused. Can they manage all purchase data I make as it relates to my financial standing? What about family members in relation to my financial standing? Friends? I’m worried at the lack of a strong definition here.

Section 14 – Automated decision-making authorised by law: safeguards

I like this section. I’m going to be a bit harsh, but I like reading that we have spent time thinking about this.

So this only applies if the automated decision makes a significant decision regarding a data subject (so either it has legal ramifications or it makes a significant effect on the data subject). Now me being flippant went to Google and typed in “Roughly how many laws exist in the UK?” There are so many that most people laugh at the answer and say that it can’t be answered. There is Statute Law, Common Law, Case Law and European Law that all intermingle to create our laws here in the UK. It is almost impossible to understand how many laws exist let alone know which ones affect my life.

So if so many laws exist what are the chances that any decision on my life has some legal impact? I get the feeling that this will be one of those statutes that is broken continuously because nobody will know that they are breaking it.

Again we reference the Secretary of State; we probably need a definition for this position. Looking through the document it appears to confirm that they are describing an individual. Which of the 18 Secretaries of State they mean does not appear to be defined. Looking through the list I’m going to guess they mean the Home Secretary. However, the Information Commissioner’s Office is under the Secretary of State for Digital, Culture, Media and Sport. Who knows?

Section 15 – Exemptions etc

Just a simple list of exemptions in the DPA 2018 to the GDPR.

Section 16 – Power to make further exemptions etc by regulations

We can make more exemptions. Kind of like wishing for more wishes in my opinion. And we are back to being subject to “affirmative resolution procedure.”

Section 17 – Accreditation of certification providers

Looks like we are going to get a national accreditation body. My guess is that reasonable fees will not exactly apply here, but I’m cynical.

Section 18 – Transfers of personal data to third countries etc

Don’t do this unless you are following the rules as laid out in the GDPR, but beware that the UK government can now either transfer or block transfers if it deems it appropriate.

Section 19 – Processing for archiving, research and statistical purposes: safeguards

We keep records, and unless I’m gathering and publishing a list of all people sexually into My Little Pony this is deemed ok. If the gathering of data will affect my life causing me damage or distress then it is not ok. I’m just mentioning My Little Pony for a friend.

Section 20 – Meaning of “court”

“Court” is not included in the list of terms to have the same meaning as GDPR. Seems odd to have this here. Last-minute addition perhaps?

Chapter 3 – Other General Processing

Section 21 – Processing to which this Chapter applies

Seems to state that this chapter applies to that processing which wasn’t defined in the previous chapter or in GDPR. Kind of like the earlier definition.

Section 22 – Application of the GDPR to processing to which this Chapter applies

This is absolutely confusing. The section spends all of its words referencing Chapter 2, but not with coherence, I quote:

A question as to the meaning or effect of a provision of the applied GDPR, or the applied Chapter 2, is to be determined consistently with the interpretation of the equivalent provision of the GDPR, or Chapter 2 of this Part, as it applies otherwise than by virtue of this Chapter, except so far as Schedule 6 requires a different interpretation.

Whoever wrote that should feel ashamed of themselves. Did they really make it through University?

Section 23 – Power to make provision in consequence of regulations related to GDPR

The unknown individual referred to as the Secretary of State can make provisions, and this is subject to “affirmative resolution procedure.” I was tired of seeing this and skipped ahead in the document. We’ll come back to what these procedures are in Part 7 Section 182. Hopefully, it’s worth the wait.

Section 24 – Manual unstructured data held by FOI public authorities

Like most sections, you have to read through a few times, but I get the distinct impression that they are saying that GDPR does not apply in relation to appointments, removals, pay, discipline, superannuation or other personal matters relating to any office or employment under the Crown or under any public authority.

I’m fairly sure a request to get every single local authority employee’s salary details will fail. But it looks like I should be able to get it from the CEO on down to maintenance persons.

Section 25 – Manual unstructured data used in longstanding historical research

Exemptions exist for historical research using personal data.

Section 26 – National security and defense exemption

An exemption exists if the personal data is required to maintain national security. Obviously, there is no definition here of what is national security. So the base assumption is that GCHQ has every email, text and phone call with metadata as well. Video of you sitting at your laptop is not a movie fantasy, they have it. Do they really need hours and hours of footage of teenagers watching Rick and Morty? Who knows? We’ll never be told anyhow.

Section 27 – National security: certificate

Even more invasive is if a minister calls out an individual then GCHQ can go and gather whatever they want on that individual. Apparently, the individual can appeal this certificate, but there does not appear to be any provision to tell the individual that a certificate has been granted for them. Seems convenient.

Section 28 – National security and defense: modifications to Articles 9 and 32 of the applied GDPR

Just a few mods to the GDPR rules. Essentially giving GDPR the whole UK flavour.


I’m noticing a lot of titles that use “etc,” that is without a full stop denoting an abbreviation. That will continue to be seen and just grates on me a bit. You’d think we could afford the ink for full stops. Austerity hits us in mysterious ways.

Born into the wilds of mid-western America, Matthew has lived his life creating. The kind of kid that bought a tarp, some PVC pipe and a skate board; fashioned himself a windsurfing set-up and then saw an opportunity in a local tornado. "Sorry Mom." Undergraduate in Art and Design, Doctorate in Scottish History, Matthew came late to the realisation that if he's going to use his diverse skill set he'd have to employ himself.