In the United Kingdom, the legislation concerning the protection of personal data is the Data Protection Act 1998 (DPA). Specifically, section 2 gives a list of what is considered sensitive data. Although it is not an exhaustive list, it covers information on the racial or ethnic origin, religious beliefs and the physical or mental health condition of an individual. Information of this level of sensitivity is already starting to be incorporated into blockchain ledger technology to make for an even more secure database. However, standard businesses will simply rely on existing databases and encryption to protect the data they hold about their clients and customers.
Some of the key terms used to describe the individuals concerned with data protection are useful to note. Primarily, the definitions of a data subject, a data processor and, more importantly, the data controller are set out in Article 4 of the new General Data Protection Regulation (GDPR), which the DPA currently follows until Brexit results in updates being required to the DPA. Data subject refers to information relating to an identified or identifiable natural person. This is simply the person to whom the information on the database refers, or the subject matter to whom the information pertains. A data controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Some provisions in this new regulation stand out as significant enough to explain further. Firstly, it must be noted that everyone has a fundamental right to protection in relation to the processing of personal data, which includes the right to erasure, also known as the right to be forgotten. The GDPR sets out seven key principles, namely: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality (security); and accountability. It is important for any business to ensure that it understands and follows all of these. Further information on these principles can be found on the ICO website under the heading ‘For Organisations’.
Note that there is also a requirement to carry out a data protection impact assessment. This risk assessment must be undertaken by the data controller. If the impact assessment identifies the database as high risk, it will be referred to the Information Commissioner’s Office (ICO) for consideration. The ICO states on its website that it will give written advice within eight weeks, or 14 weeks in complex cases. In appropriate cases it may issue a formal warning not to process the data, or ban the processing altogether.
All of the above information covers just the basics. If you require further guidance to ensure that you are complying with the data protection rules, including after Brexit, do not hesitate to contact our office.