Search

How can we help?

Icon

The Data Protection and Digital Information Bill  

In September 2021, the government launched a consultation – ‘Data: a new direction’ – as part of its proposals to reform the UK’s data protection laws following Brexit, the responses to which were published in June this year (see our previous article here).   

These responses fed into the new Data Protection and Digital Information Bill which was introduced into Parliament on 18 July 2022.    

The Bill is intended to update and simplify the UK’s data protection framework with a view to reducing burdens on organisations while maintaining high data protection standards. 

As the Bill is still working its way through Parliament it may be amended before it is given Royal Assent and becomes an Act but we have highlighted some of the key provisions for employers, as they currently stand, below. 

Amended Definition of ‘Personal Data’ 

The Bill limits the definition of personal data by focussing on the knowledge of the controller or processor and not, arguably, the whole world.   

Currently, an identifiable living individual is defined as ‘a living individual who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual’. 

This is very wide.  However, the Bill seeks to limit this down by adding that the individual will only be identifiable if they are identifiable by the controller or processor through reasonable means at the time of the processing or where the controller or processor knows, or ought to know, that another person will (or is likely to) obtain the information as a result of the processing (for example if it is shared with them) and will be able to identify the individual using reasonable means at the time of the processing.   

In theory this may make it easier for businesses to anonymise data. In reality, it is unlikely to have much of an impact on employers with regard to the personal data they process on their employees which usually clearly identifies the employees by name, job title or employee number (all of which are known to the employer at the time of processing).   

Data Access Requests  

Vexatious and excessive requests 

The Bill changes the threshold for charging a reasonable fee (or refusing to comply with a request) from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’.  

The revised threshold is intended to capture a wider set of unreasonable and/or disproportionate requests.  The onus will be on the controller to show that the request is vexatious or excessive if challenged.  

The Bill provides some factors for organisations to consider when looking at whether a request is vexatious or excessive, although these are similar to factors already highlighted in ICO guidance.  They include: 

  • The nature of the request 
  • The relationship between the data subject and controller 
  • The resources available to the data controller  
  • The extent to which the request repeats an earlier request and how long ago any such request was made 
  • Whether the request overlaps with other requests made by the data subject 

The Bill highlights that requests intended to cause distress, not made in good faith and/or that are an abuse of process will be vexatious.  Some of these are already referred to, albeit to a limited extent, in ICO guidance (for example a request may be viewed as manifestly unfounded if the individual making it expressly states that they intend to cause disruption). 

The list is clearly helpful for organisations and may help employers who are faced with data access requests from ex-employees as part of Employment Tribunal proceedings (or the build up to these).  However, more guidance will be needed from the ICO on these factors to understand clearly what circumstances they cover.  

Requests for further information  

The Bill also adds wording to suggest that where an organisation needs more information to identify the personal data or processing activities it can request this.  This has the effect of pausing the time limit for compliance until the information is provided.  An example of when such information may be required is where the controller processes a large amount of information about the data subject.   

More guidance will be needed from the ICO on this point and when it can be used but it does suggest that employers who process a large amount of information on their employees could request further information and need not comply until such information is provided.  

The Bill is intended to update and simplify the UK’s data protection framework with a view to reducing burdens on organisations while maintaining high data protection standards. 

New Legal Basis – Recognised Legitimate Interests 

The Bill introduces a new legal basis for processing where processing is ‘necessary for the purpose of a recognised legitimate interest’.  

A list of recognised legitimate interests is provided within the Bill.  These are relatively limited and focus on matters of public interest but include, for example, where processing is necessary for the purposes of detecting, investigating or preventing crime which may be helpful to employers who need to complete checks such as those for anti-money laundering. 

Data Protection Officer (‘DPO’) 

The Bill removes the need for certain organisations to appoint a DPO and instead requires them to designate a ‘senior responsible individual’ who must be part of the organisations’ senior management.    As such this seems to be a departure from the original requirement under the UK GDPR for the DPO to be independent and many organisations who have already appointed external consultants may be concerned about this change.  Again, it would be useful to have further clarification on this point from the ICO.   

Accountability – Record Keeping 

The Bill states that controllers must retain ‘appropriate records’ of processing.  Much of the information that should be included in these records remains unchanged but the emphasis seems to be on controllers now to assess the nature, scope and processing of their activities, the risks to individuals rights and freedoms and their resources in deciding what is appropriate here. 

The Bill confirms that the exemption for organisations with less than 250 employees remains in place but says that those with less than 250 employees will need to comply if processing is likely to result in a high risk to individuals’ rights and freedoms.  This is slightly narrower than the current position which says those with less than 250 employees also need to comply if the processing is not occasional or involves the processing of special category of criminal convictions data. 

For those smaller organisations that have already retained records based on the broader current wording, it’s likely to be helpful to maintain this in any event to enable them to identify data flows which assists with compliance with wider data protection obligations.   

  

About this article

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.

About this article

Read, listen and watch our latest insights

Pub
  • 21 March 2024
  • Employment

TUPE Podcast Series: Who Transfers?

In this fifth podcast in our TUPE Podcast Series, Amanda Glover will be focusing on ‘who transfers’ under TUPE. Looking at the definition of ‘employee’ under TUPE legislation and the tests that apply in deciding if those employees transfer.

art
  • 20 March 2024
  • Employment

Changes to Employment Laws from April 2024 – are you ready?

There’s a large number of employment law changes coming in April which are set to shake up the workplace. It’s crucial for employers to stay informed and prepared.

art
  • 19 March 2024
  • Employment

Instant Messaging in the Workplace: Factors to be aware of

Workplaces have changed beyond recognition in the four years since the first COVID-19 lockdowns. This anniversary represents an opportunity to look back at how workplaces have changed in that period, from the increased use of flexible and hybrid working, to the continuing and significant integration of more technology in office-based work.

art
  • 14 March 2024
  • Employment

The impact of technology-dependent Gen Z on the workplace – Amanda Glover writes for Business Voice magazine

In Business Voice magazine, Amanda Glover, Associate at Clarkslegal writes about the impact of Gen Z sharing details of their work woes on social media and how organisations should respond.

art
  • 08 March 2024
  • Employment

The Labour Party proposes extensions to discrimination law

With a general election to come in 2024, it is vital that employers keep up to speed with the proposals of both major parties that are likely to affect the day-to-day operation of their business. 

art
  • 27 February 2024
  • Employment

Changing Attitudes to Menopause

We have set out some answers to the frequently asked questions that employers ask when considering how to support a menopausal employee.