UK DPA 2018
“A regulator’s job is never easy. There’s a balance to be struck between being a champion of innovation, of supporting new technology, and being a protector of people’s rights. While I believe the two can coexist, and aren’t in direct opposition, it sometimes requires careful consideration to balance the scales”, said John Edwards, the UK’s Information Commissioner in February 2024.
Off the back of a review of the Data Protection Act, the ICO are increasingly focusing on this regulation as digital technologies evolve. While there might be a gap between the law and current technology, it’s up to companies to prove their compliance and meet the demands of this evolving regulation going forward.
What is the UK DPA 2018?
The UK’s Data Protection Act (DPA) was introduced in 2018 to bring new standards of information protection. It replaces the 1984 version, which had become heavily outdated, having been written at a time of low internet usage and before today’s technology existed.
The 2018 DPA aims to limit the way that organizations can use identifiable personal data, ensuring that businesses act within the interests of customers when it comes to data sharing. Thanks to a heavy focus on individual rights, the 2018 DPA has been responsible for empowering individuals to take back control over their personal information.
The DPA encompasses the General Data Protection Regulation (GDPR), a piece of EU legislation launched while the UK was still part of the European Union. In order to carry the same regulations across to UK law post-Brexit, the UK had to form its own law, known as the Data Protection Act.
Scope of the Data Protection Act
The full, published legislation of the DPA has 215 chapters over 7 parts, but here are some of the most relevant:
- Rights of the data subject
- Subject Access Requests (SARs)
- Controller vs Processor
- Exemptions
Rights of the data subject
The ‘Rights of the Data Subject’ provides an overview of the obligations of controllers and processors to meet the basic entitlements of individual data subjects.
- The right to be informed: data subjects are entitled to know when their data is being collected or processed and for what purpose
- The right to access: individuals are entitled to request a copy of the data that any organization holds on them
- The right to portability: subjects can ask for their data to be transferred securely to other organizations in specified cases
- The right to edit, delete or opt-out of data collection and usage: apart from some key exceptions, data subjects are the ultimate owners of their data and can choose to stop sharing, or ask for the deletion of records at any time
Subject Access Requests (SARs)
Subject Access Requests must be recognized by data controllers. They don’t need to be formal requests, but simply involve any indication that an individual is looking for their own personal data.
SARs can be challenging as there is a legal responsibility to handle and respond to these requests correctly. Specific staff training is therefore required to identify and comply with these requests.
Under a valid SAR, controllers must be able to find and present the personally identifiable information that the individual requests about themselves. The controller might also have to:
- Explain the purpose for data collection and storage
- Provide a timeline for data storage
- Rectify personal data if it is wrong
- Delete personal data at the request of the subject
Data controller vs data processor
The legislation highlights the different responsibilities of data controllers and data processors, which are both governed under the DPA.
Data controllers are individuals or organizations who determine the purpose and means of processing personal data. In plain terms, the controller is the entity that requires the data and therefore devises the collection, storage and usage methods.
Data processors, by contrast, are the individuals or organizations who process the personal data – they carry out the collection, storage and usage plans on behalf of the controller.
The DPA makes it very clear that controllers have more of a responsibility to comply with the UK’s GDPR, whereas processors are more limited in their compliance requirements.
Exemptions
There are several exemptions to the UK DPA which are worth noting. The simplest of these includes collecting and processing data for personal reasons, such as keeping an address book to send letters to family or friends. Law enforcement and intelligence agencies are also outside the scope of the UK’s GDPR.
The regulator considers exemptions on a case-by-case basis, but does provide some examples of available exemptions:
- Certain financial information audit functions
- Parliamentary privileges
- ‘Special’ journalistic purposes
- Research or statistics
Applications of the UK’s DPA
The Data Protection Act can be applied to many professional situations to ensure that corporations control and process data according to the regulations.
Landlord-tenant data sharing
In the first ICO case study, a housing association was receiving requests from third parties such as utilities companies, debt collectors and councils. The housing association needed to decide which cases permitted data-sharing, and how to perform it in compliance with the DPA.
Importantly, the UK’s GDPR makes it clear that data subject consent is key. The housing association was able to gain consent from each tenant when they signed the initial tenancy agreement contract.
The housing association developed the following criteria for external data-sharing:
- Verify the identity of the requester
- Get the requests in writing (either in paper or electronic form)
- Train the decision-makers with real-life scenarios
- Record any data disclosures
This case study is a good example of compliance as it reveals where the housing association should and shouldn’t share tenant data. For example, they chose not to share a tenant’s new forwarding address with a debt collection agency because there was no lawful basis for the disclosure.
Social worker risk assessments
The ICO also highlights the need for social workers to be able to access as much information as possible about the disadvantaged families that they are investigating in order to make the most accurate assessments.
One key problem was that social workers were wasting a significant portion of their time simply identifying the people involved in the families’ lives. There was no precedent for data sharing to and from schools and emergency services, for example.
The two councils in this case study devised a data-sharing platform which could effectively share the details of lead practitioners from third parties with the social workers. By taking part in ethical workshops, they ensured this program was built to comply with the UK’s DPA.
This led to:
- A decrease in time spent gathering information on each case
- An increase in inter-agency collaboration
- Significantly greater access to information
- Better and faster decision-making for assessments
UK Data Protection compliance
Compliance with the UK’s Data Protection Act requires firms to securely control and process personal information, react to data requests and document their data sharing.
Setting up the right policies is key to compliance with the 2018 DPA regulation. But in order to cover all bases, an automated solution is recommended.
Global Relay captures personal data communications across any channel, enabling regulated parties to store it in a centralized and searchable database. Meet regulatory requirements with confidence, whether your firm is a data controller or processor.