The Data Protection And Digital Information Bill (DPADI)

This article is now obsolete - the Data Protection and Digital Information Bill was not passed in the last parliamentary session.

It might seem like only yesterday that GDPR, as part of the Data Protection Act 2018, became law, but already we have another change in the law coming our way.

This has been slow getting here - a consultation 'Data: a New Direction' was launched by the government on 10 September 2021 and since then, a Bill was introduced, withdrawn and then the No 2 Bill introduced, with various delays and bumps along the way. Not least of these was the final reading, which introduced 125 pages of amendments from the Committee stage and, four days later, gave Parliament one afternoon to scrutinise them.

It should be emphasised that this is not law yet, and it is expected that there will be various amendments emerging from its passage in the House of Lords. However, the Data Protection And Digital Information (No 2) Bill (DPADI) has now moved through the House of Commons and is likely to become law in Spring or Summer of 2024. Unlike GDPR, which effectively had a two-year implementation phase prior to the 2018 Act becoming law, any changes in the new Act will come into immediate effect once it receives royal assent.

What we know now is this...there are various changes in the Bill and DPE will be adding information on the Knowledge Bank about many of these in the coming few months. These include changes to the definition of personal data, changes to lawful bases for processing, structure and independence of the ICO, international data transfers, website cookies and more.

Whilst the Bill's aim is to reduce the burden on business of complying with data protection law - which is an admirable aim - the flip side is that it comes with a reduction in the rights of data subjects.

The most pertinent changes for schools are:

1. A DPO will no longer be a mandatory requirement for public authorities. There will instead be a requirement for a named Senior Responsible Individual (SRI) who must be on the SLT. This is intended to increase accountability, but currently a data controller (the organisation) is responsible, and whilst a named individual may have some benefits, the SRI role doesn't have the independence that the DPO role has.

This also comes with a number of responsibilities, not limited to:

a) monitoring compliance with data protection legislation;
b) ensuring that the controller develops, implements, reviews and updates measures to ensure compliance;
c) advising the controller, any processor engaged by the controller and employees of their obligations;
d) organising training for employees;
e) dealing with complaints and personal data breaches; and
f) co-operating with the ICO.


However, these responsibilities can be delegated and DPE will be continuing to provide our DPO service with delegated SRI support. We will be examining these responsibilities and how delegated models (there is more than one option) will work over the coming months in readiness for the new Bill becoming law.

2. Changes to Data Protection Impact Assessments and Records of Processing Activity.

DPIAs and ROPAs will only be required where the processing is likely to be "high risk". It is expected that the ICO will provide examples of what constitutes high risk, but it's going to mean that there has to be an assessment to decide whether to conduct an assessment.

3. Subject Access Requests. In what will please many, some SARs may be able to be limited, or even refused. There is a change to the phrase "manifestly unfounded" (which is a current exemption) to "vexatious" - which is sure to please some.

In the amendments introduced on 29th November, changes to the right of access included that data controllers only need to conduct reasonable and proportionate searches in response to a data subject access request. In Parliament, the minister noted controllers should make the "best possible efforts" but said it is important to allow controllers to limit efforts in ways that reflect U.K. case law.

This could reduce many of the SARs which involve large and complex email searches - however, it is also potentially a get-out-of-jail-free card for data controllers who exercise poor data and records management. It may also make it significantly harder for data subjects to rightfully access their data.

We will be holding some awareness and Q&A sessions, online and in person, and we encourage everyone to attend. We would also encourage you to share the sign-up below with any of your colleagues in your wider school network. Find out more and register to attend here:


  Register now for a DPADI Webinar  


