We review the proposed changes to the Data Protection and Digital Information (No.2) Bill ("the Bill") and consider their impact on academy trusts.
After a false start last year, the Data Protection and Digital Information (No.2) Bill ("the Bill") has passed through its first major parliamentary hurdle as it looks to update data protection laws in the first major change since Brexit. The Bill was given its second reading on Monday 17 April and is now undergoing line-by-line scrutiny by the House of Commons at committee stage.
In this article, we review the proposed changes and consider their impact on academy trusts.
Key changes proposed in the Bill relevant to academy trusts
The Bill is very much 'evolution' rather than 'revolution' of the existing data protection regime; nevertheless, it will change the way in which academy trusts must ensure data protection compliance. The Bill, as drafted, makes several changes to data protection law including:
- Examples of legitimate interests – academy trusts currently have to justify each legitimate interest they identify as a lawful basis for processing personal data, balancing each against the rights and freedoms of a data subject. Many tasks relying on legitimate interests are clearly necessary for the functioning of the trust. The Bill introduces examples of legitimate interests which, whilst still requiring balancing against the data subject's rights and freedoms, are identified explicitly as being an acceptable legitimate interest to pursue (e.g. where personal data is shared between members of a group of institutions affiliated to a central body).
- Recognised legitimate interests not requiring a balancing of data subject rights – the Bill also introduces a limited number of recognised legitimate interests, for example safeguarding children and vulnerable people, and preventing or detecting crime, which will not require balancing against data subject rights and freedoms before they can be relied upon.
- The end of the DPO? Data Protection Officers will no longer need to be appointed; instead, organisations that would previously have needed to appoint a DPO (which includes academy trusts) will need to appoint a "senior responsible individual". The senior responsible individual must be a member of the academy trust's senior management. The Bill sets out the responsibilities of the senior responsible individual, which are similar to those of the DPO and can be delegated to others.
- Records of processing activities – currently, organisations with more than 250 employees, or which process personal data in a way that risks the rights and freedoms of data subjects, are required to keep a record of their processing activities. Anecdotally, many organisations have found that these records duplicate other documents they already keep (such as retention policies and privacy notices). This obligation is removed in the Bill and replaced with a duty on organisations whose processing activities are likely to result in a high risk to the rights and freedoms of individuals to keep "appropriate records". Academy trusts are likely to hold a range of special category data in relation to staff and students. It is to be hoped that guidance will follow once the Bill has passed to clarify the kind of processing which might count as high risk; it is anticipated that this will follow existing guidance on what might be considered high-risk processing, which would not capture academy trust processing activities.
- Vexatious or excessive requests by data subjects – the Bill introduces a new definition of vexatious or excessive requests, so that data subject access and similar requests can be refused or charged for more easily than under the "manifestly unfounded or excessive" test currently in place, and sets out factors organisations should take into account when deciding whether a request is vexatious or excessive. This definition builds on and develops existing guidance on when an organisation may consider a request "manifestly unfounded or excessive". Such clarity is to be welcomed for academy trusts dealing with an increasing number of data subject access requests.
Other proposed changes in the Bill
- Direct marketing changes – a welcome update for charities – charities (and political parties) will be able to send electronic marketing communications to individuals who have previously expressed support for the cause being promoted to them without requiring explicit consent (unless they have opted out of receiving such communications). This brings charitable donations into line with commercial promotions relying on the so-called 'soft opt-in', though charities will still need to ensure compliance with the particular requirements of the direct marketing and data protection legislation and should also consider the fundraising code when sending such communications.
- Direct marketing – a bigger stick – the maximum direct marketing fines have been increased to align with the maximum fines under the UK GDPR, such that an organisation can now be fined up to £17.5 million or, if higher, 4% of its global turnover for a breach of the electronic direct marketing regime.
- Making further scientific research easier to undertake – the Bill modifies the standard of consent required for scientific research purposes, allowing those undertaking such research greater flexibility where the exact use of the information cannot be determined at the point of consent.
- A new Information Commission – reforms are made to the Information Commissioner's Office, which will become the Information Commission. Many of the changes amend the internal running of the body responsible for ensuring compliance with the UK's data protection regime.
The Bill is currently undergoing line-by-line scrutiny in the House of Commons. Once it has passed this hurdle, the legislation will also need to go through the House of Lords before it becomes law.
As the Bill makes its way through Parliament, it will be interesting to see how this first, tentative step to reform data protection law following Brexit is received. Our academy trust clients are seeing an increasing number of requests and complaints in relation to personal data and information sharing as individuals become ever-more aware of their information rights. It remains to be seen whether these proposed legislative changes will bring clarity or present additional burdens for academy trusts in managing data protection compliance.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.