Data protection proposals unveiled by ministers
More details of planned reforms to the UK's data protection laws have been published by the Government today, following responses to a consultation it held.
They include the adoption in UK law of the EU's General Data Protection Regulation, so that information can continue to be transferred to and from EU countries after Brexit.
Individuals will have more control over their personal information, and will be able to ask for personal data, or information posted when they were children, to be deleted.
The legislation will:
- make it easier, and free, for individuals to require an organisation to reveal the personal data it holds on them;
- make it easier for people to withdraw consent for their data to be used;
- enable them to ask for their data to be erased;
- enable them to move personal data, including photographs, if changing internet service providers;
- require parents and guardians to give consent to data processing for a child under 13, and make it simple to withdraw consent;
- expand the definition of personal data to include IP addresses, internet cookies and DNA;
- require firms to obtain “unambiguous” consent before they collect and process personal information, and “explicit” consent to processing sensitive personal data, ending the reliance on pre-selected tick boxes;
- create new criminal offences of intentionally or recklessly re-identifying individuals from anonymised data, and altering records with intent to prevent disclosure following a subject access request; and widen the existing offence of unlawfully obtaining data to include retaining it against the wishes of the controller (even where it was initially obtained lawfully).
There will be exemptions for journalists and whistleblowers to protect their role of holding organisations to account, underpinning the free press.
Enforcement
Data controllers will need to have a data protection officer to advise them on data issues, handle complaints and ensure compliance with the Data Protection Law Enforcement Directive.
The UK Information Commissioner will have additional powers to police and enforce the new regime. Under the GDPR, the maximum civil fine it can impose for failing to protect information or breaching data protection laws will rise from the present £500,000 to £17m or 4% of an organisation's global turnover.
Launching the proposals, Digital Minister Matt Hancock commented: “The new Data Protection Bill will give us one of the most robust, yet dynamic, set of data laws in the world.
“It will give people more control over their data, require more consent for its use, and prepare Britain for Brexit.”
Figures in the Government's paper show the internet economy contributing an estimated one-eighth of the UK's GDP in 2016, well ahead of other leading economies: the average for the EU 27 member states and the G20 economies comes in at between 5% and 6% for each grouping.
Elizabeth Denham, the Information Commissioner, responded: “We are pleased the Government recognises the importance of data protection, its central role in increasing trust and confidence in the digital economy and the benefits the enhanced protections will bring to the public.”