Public bodies may not be able to escape fines of up to 4% of turnover set to be introduced under new European data protection rules.
The fines have been agreed as part of a draft General Data Protection Regulation which is aimed at regulating the processing of citizens’ data across the continent.
Businesses breaching the rules face the massive fines, but the text of the new directive allows the UK government to restrict the scope of the rules under a number of circumstances which are likely to cover government.
The text says that union state law “may restrict…the scope of the obligations and rights…when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure” to safeguard a number of public interest areas.
These areas include national security, defence, public security, preventing crime, preventing breaches of professional ethics plus “other important objectives of general public interests of the union or of a member state, in particular an important economic or financial interest of the union or of a member state, including monetary, budgetary and taxation a matters, public health and social security”.
The exemptions can also cover inspection or regulatory functions related to the defined areas of public interest.
However, David Cook, solicitor at PricewaterhouseCoopers Legal, told PublicTechnology: “It is unclear how likely it is that all government bodies will be exempted from the regulation. However, it does appear unlikely that absolutely every government body will be given such a blanket shield and, in many respects, such an outcome would be contrary to the spirit of the GDPR and the intention of the EU in seeking to strengthen the position of a data subject as champion of the data.”
“For the same reasons, it is unlikely that the government will seek to exempt private partners holding citizens’ personal data, although some may be exempted for very specific reasons.”
Des Ward, information governance director at public services industry association Innopsis said that there is little need for public bodies to worry, even if the UK government does not exempt them.
He told PublicTechnology.net: “Simply put, there is a lot being made of the GDPR, but the fact is that the 4% fine is not a reason to lock everything down.
“Indeed, the amount of IT budget being wasted in unnecessary storage and protection just because some sensitive data may be in there could be vastly reduced due to the requirement to ensure that data can be moved between providers easily.”
This, he said, could mean that GDPR helps customers understand their information better, resulting in better identification and management of requirements throughout the supply chain.
He pointed out: “The personal data held within corporations at present is already governed by other laws, such as Companies Act, Civil Contingencies Act and basic common law; the GPDR should be taken in context of these laws so ensure that we protect what we must and manage the risks of delivering digital services.”
Cook added: “Public bodies do need to engage in the process and, whether they or not they end up being an exempted category, the rights of data privacy promoted by the regulation will still be an important factor in the post-reform world, whether or not enforced by the harsh regulatory regime underpinning the GDPR.”
The deal will now be put to a vote by Parliament as whole in spring 2016 (probably in March or April), after which member states will have two years to transpose the provisions of the new directive into their national laws.
Last year, a survey found that half of public sector organisations were unaware of the proposed European regulation.