'Tailored exemptions' to allow the processing of data in areas such as money laundering investigations and investigative journalism will be preserved under a new law to replace the Data Protection Act 1998, the government promised today.
The Data Protection Bill, introduced in the Lords, will bring domestic law in line with the EU General Data Protection Regulation (GDPR) which comes into effect in May next year. Such a measure is urgently needed to enable data about individuals to be exchanged between the UK and the EU after March 2019.
In a statement accompanying the bill, Matt Hancock, minister of state for digital, said the new regime would give people more control over their own data. This will include a ‘right to be forgotten’. However he said that to cover circumstances where the processing of data is ‘vital for our economy, our democracy and to protect us against illegality’, the law would contain exemptions negotiated from the GDPR. These would be carried over from the Data Protection Act 1998 where they have ‘worked well’ he said.
According to the statement, the bill includes exemptions for data processing in the following areas:
- Processing of personal data by journalists for freedom of expression and to expose wrongdoing is to be safeguarded.
- Scientific and historical research organisations such as museums and universities will be exempt from certain obligations which would impair their core functions.
- National bodies responsible for the fight against doping in sport will continue to be able to process data to catch drug cheats.
- In the financial services sector, the pricing of risk or data processing done on suspicion of terrorist financing or money laundering will be protected.
- Where it is justified, the bill will allow the processing of sensitive and criminal conviction data without consent, including to allow employers to fulfil employment law obligations.
However, solicitors warned of potential clashes in the domestic and EU legislation. Alex Aisthorpe, solicitor in the commercial team at City firm Ashfords said. 'An immediate area for concern is the interplay between the Data Protection Bill, once passed, and the directly applicable GDPR, during the period of overlap between May 2018 and the eventual passing of the repeal bill.
'This represents a period during which both domestic data protection legislation and European legislation will be effective in the UK.'
The bill’s second reading in the House of Lords is scheduled for 10 October.