Data Protection Act Exemptions

An Overview of DPA 2018 Exemptions

With its introduction into British law in 2018, many companies and organisations across the country were prompted to examine their operations, workflows and processes for handling data, with many asking, are there any exemptions to the Data Protection Act?

Though it may seem with the advancement of data protection law, both the GDPR and the UK's Data Protection Act 2018, that regulations have tightened up and now impose a great deal of new responsibilities and obligations upon organisations; the truth is not a huge amount has changed from the DPA 1998.

What's more, the flexibility written into the General Data Protection Regulation allows European states to absorb the legislations into their own legal systems whilst being able to, within certain boundaries, adapt the law to suit specific needs (derogations); including specific exemptions to the Data Protection Act.

The Short Overview

-  Both the GDPR and the Data Protection Act outline exemptions from some of the rights and obligations

-  These exemptions invariably depend on the reasons for processing data

-  If you are relying on an exemption, justification for doing so must be present and documented

-  Exemptions are not to be relied on and should be considered on a case-by-case basis

-  If there isn't a justifiable exemption, then you need to be complying with GDPR/DPA as normal

The short answer to your question (are there any exemptions to the Data Protection Act?), is yes. There are indeed exemptions. Quite a few. And they may or may not apply to your business; it depends.

What the GDPR Does and Doesn't Cover

When discussing the exemptions related to the DPA, it's worth noting that there are several instances in which personal data may be being processed, but to which exemptions do not relate as they do not fall under the purview of GDPR in the first place. For example;

-  Personal or Household Activities

The processing of personal data in the course of personal or 'household' activity, unrelated to either any professional or commercial use, falls outside of the scope of GDPR. Unsurprisingly, you don't have to worry too much about GDPR compliance when you're sharing a friend's number or taking any family photographs.

-  Law Enforcement

Though governed by a tight set of rules, and certainly obliged to do a great deal to ensure the security of information, data processing for the purposes of law enforcement again stands largely outside the scope of GDPR. Addressed in Part 3 of the DPA 2018, this legislation is an example of a derogation allowing a nation state to govern its own law enforcement in a way it deems necessary.

-  National Security

As with the law enforcement exemption, national security is a matter which is outside of the scope of the GDPR, but is detailed within Part 2 of the DPA. It is less restrictive as to allow matters of national security to be carried out in a manner less constrained than commercial enterprise.

How do Exemptions Work?

There are several exemptions presented by the DPA 2018, many of which 'add to and complement' several details within certain GDPR provisions. Some of these exemptions may apply to only a single element of the wider DPA, such as a specific right of a data subject, whereas others may relieve you of obligations in multiple ways.

Whether an exemption can be relied upon largely depends on the purposes for processing personal data, whereas others may only apply to the extent that compliance would a) prejudice your purpose, or b) prevent or seriously impair your processing of data in a way that is required or necessary for your purpose.

As the ICO official advice proclaims, exemptions should not be routinely relied upon, nor should they be applied in a blanket fashion and instead be applied on a case-by-case basis. Likewise, in evaluating whether an exemption should or should not apply, to fulfil the accountability principle, justification should be both exercised and documented.

Exemptions to the Data Protection Act

The exemptions to the DPA 2018 span across a wide variety of different areas and sectors, including but not limited to: law and public protection, parliamentary and judicial matters and journalism.

With the DPA 2018 coming in at over three hundred pages, there are far too many exemptions or possible exemptions to outline here. The following are the areas in which there exists exemptions to data protection. A full look at the many possible exemptions are provided by the ICO.

-  Regulation, Parliament and the Judiciary

-  Journalism, Research and Archiving

-  Health, Social work, Education etc.

-  Finance, Management and Negotiations

-  References and Exams

-  Subject Access Requests - Information About Other People

-  Crime and Taxation

It should also be noted that with many of these areas in which exemptions can apply, many can only be applied so far as compliance would likely jeopardise or prejudice the purpose of processing.

To better understand the nature and reasons for exemptions, let's take a more detailed look at some of the provisions within the category of 'crime and taxation'.

As expounded by the UK's independent data protection authority; if the processing of data is being conducted for the prevention and detection of crime, the capture or prosecution of offenders or the assessment or collection of tax, then there may be an exemption of many of the GDPR's provisions, including;

-  All the individual (data subject) rights

-  Notification of data breaches

-  The principle of transparency

-  The purpose limitation principle

Right to Inform Example

Should a financial organisation suspect a customer or client of money laundering, the organisation could share information, including personal data relating to the individual, with the National Crime Agency (NCA) for the purpose of further investigation. In doing so, the financial organisation would not be obliged to inform the individual as it would likely lead to an attempt to obscure or destroy data, or even abscond. Thusly, the financial organisation need not comply with the right to inform.

Key Terms in Data Protection Legislation

-  Personal Data/Data Subject

As defined in the GDPR legislation, personal data is any information relating to an identified or identifiable person (the data subject), that could be used, or potentially used to identify an individual.

Encompassing a wide variety of information, which could include un-anonymised online browsing data (i.e. cookies), there is also 'special category' data; a category of particularly sensitive data (religious or political beliefs, medical data etc.) which requires extra protections beyond that of just 'personal data'.

-  Controller/Processor

In the data lifecycle, the controller is the party that determines the purpose and means of processing personal data, whereas the data processor is the party who performs operations upon that data (either manually or through an automated system), including the collection, use, transmission, viewing, alteration, or deletion of the given data or data set.

Though the processor and controller perform discretely different roles, a single organisation or entity can be both the controller and processor of a given set of data.

Right to Erasure Example

The registrar of companies, Companies House, is required by law to keep a public record of information about companies, including the names of the company directors. Should a director request, under the right to erasure, to have their name removed from the register, Companies House would not be obliged to comply with the request as it would conflict with their existing obligation to keep a public record.

Failure to Comply and Hefty Fines

When asking questions such as are there any exemptions to the Data Protection Act, it's also important for compliance and general information security to understand the consequences of failing to comply with the regulations, or even facilitating a data breach.

In the UK, the Information Commissioner is responsible for issuing fines to organisations that infringe on data protection law. With the power to hand out fines of up to the equivalent of 20 million Euros or 4% of the total annual worldwide turnover (from the preceding financial year), whichever is higher, the ICO is just one of the many bodies which helps to enforce high data protections standards.

Divided into two 'tiers', there exists the 'standard maximum' and the 'higher maximum' amounts for fines, the standard maximum being 50% lower than the higher. Both of which can be levied against an organisation for failure to comply with "any of the data protection principles, any rights an individual may have or in relation to any transfers of data to third countries."