The Data Protection Bill replaces the Data Protection Act 1998 and incorporates the requirements of GDPR with certain conditions and exceptions.
The Bill contains exceptions: when responding to subject access requests, you should not provide personal data of third parties unless it is reasonable to do so, nor should you provide records to patients where this is likely to cause serious harm to that person's physical or mental health. These replicate existing provisions of the DPA.
The Bill is also designed to create new criminal offences of:
- intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data
- altering records with an intent to prevent disclosures to a data subject following a subject access request (but see exemptions above)
- unlawfully obtaining or disclosing personal data without the data controller's consent.
This guidance was correct at publication 20/06/2018. It is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.