Who is exempt from Data Protection Act?
The Data Protection Act (DPA) incorporates a regulation which permits some data controllers and their respective organisations to be exempted from complying with the DPA. These exemptions are classified as complete exemption and partial exemption. However, a complete or partial exemption from the DPA can only lawfully apply if it upholds the individual's fundamental rights and freedoms. It is therefore essential for an organisation to understand whether it needs to comply with the DPA, or whether it holds a complete or partial exemption.
Complete exemption allows particular organisations to hold data from data subjects lawfully and tends to be related to specific sectors, such as national security, scientific research organisations and the financial services sector. The complete exemption provision allows sensitive and personal data to be processed without the data subject's consent.
The Home Office has been granted complete exemption from the DPA, meaning that data subjects are not entitled to question the Home Office about their immigration status. The Windrush generation have warned that the Home Office's ability to hold data is threatening for them, as it withdraws immigration matters from the scope of data protection. The changes to the DPA in 2018 mean that data subjects will be denied access to their files held by the Home Office, so subject access requests will be nullified.
Some UK citizens who are uncertain about the complete exemption of the Home Office, notably the Windrush generation, have expressed fears that the Home Office will not handle personal data lawfully or fairly because of this exemption. The Windrush generation, who were affected by changes to immigration law in 2012, have stated that the Home Office could potentially destroy vital immigration records relating to the Windrush generation, and that this would not be accounted for because of the complete exemption.
Despite the reservations of some UK citizens regarding the complete exemption of the Home Office, the Home Office and the UK government have declared that the complete exemption status has been used to aid the transfer of personal data between the Home Office and the NHS, and that this data will still be processed lawfully and fairly.
The DPA states that businesses are generally expected to comply with the DPA, but there are conditions under which some businesses are subject to certain partial exemptions. One such partial exemption is that employment references from a previous employer can be considered exempt. Furthermore, businesses are not legally bound to disclose planning information that references staff members.
Partial exemption also applies to the tax authorities and the police, who do not have to disclose certain personal data obtained from data subjects. Furthermore, a data subject does not have a legal right to subject access regarding their health.
Within the healthcare service, there are two main exemptions under which a data subject's subject access request for their health records can be rejected. If the health records contain information about a third party, the data controller can reject the subject access request, as the third party may not have consented to the health record being seen. Moreover, if the health record contains information which may harm the mental or physical health of the data subject, the health service can again reject the data subject's access request.
With a sound knowledge and understanding of the DPA's data protection principles, and by remaining up to date with ICO guidance, an organisation should be able to comply with the DPA comfortably. It is sensible to involve staff members in this training and learning, so that the organisation is collectively compliant with the DPA and aware of when it is exempt from it.