- 21 May 2018
Important changes to data protection legislation
1. This SPPN highlights changes to UK data protection legislation expected to take effect in May 2018 and summarises the information currently available about how these changes affect public procurement.
- new data protection legislation (the General Data Protection Regulation, commonly known as GDPR) comes into force on 25 May 2018
- organisations will have to consider the impact on their procurement processes and on new and existing contracts, to ensure these are compliant with the new legislation as it comes into force
- this SPPN provides general information only about the change and highlights the specific GDPR guidance on contracts issued by the Information Commissioner's Office (ICO)
2. The established principles of data privacy remain relevant under GDPR which builds on the existing Data Protection Act 1998. GDPR is expected to continue to apply regardless of the nature of the UK's relationship with the European Union. Every organisation handling and using personal information will need to consider what action they should take to continue to protect that data under GDPR.
3. Specifically, GDPR enhances protection of personal data and imposes stricter obligations on those who process it. Generally, this means that public bodies should consider in light of GDPR how they:
- document personal data held, where it came from and who it is shared with
- identify the lawful basis for processing activity, how it is documented and update privacy notices to explain it
- check procedures to ensure these cover all the rights individuals have
Specific actions required by purchasing bodies
4. GDPR will have some impact on commercial arrangements, because contracts currently subject to the Data Protection Act 1998 will in most cases also be subject to GDPR. Public bodies must therefore ensure that current and future procurement exercises and contracts (including contracts entered into before the legislation comes into force) are compliant with GDPR, and that all relevant procurement documents make reference to the new legislation.
5. Organisations should also note the requirement to set out, in each contract with a supplier that involves the processing of personal data, the nature, scope and duration of any processing carried out by third-party data processors.
6. The Scottish Government has updated its standard Terms and Conditions that apply to our own contracts to ensure that these properly reflect GDPR. Public bodies may want to consider using similar terms and conditions but should take their own legal advice where doing so.
7. More specific guidance about GDPR, and about how contracts should be handled in light of it, is available on the Information Commissioner's Office website.
The Law Enforcement Directive (LED)
8. The EU Law Enforcement Directive is implemented by Part 3 of the Data Protection Bill, which is currently subject to UK Parliamentary approval. In its current form, Part 3 of the Bill applies to domestic and cross-border processing of personal data for law enforcement purposes. The obligations are similar to those under GDPR, but there are some significant differences, in particular in relation to the storage and classification of data. The ICO has produced guidance on Part 3 of the Data Protection Bill. Organisations that process personal data for law enforcement purposes as Controllers may require more specific drafting in their contracts, and should seek legal advice in these cases.
9. Please bring this SPPN to the attention of all relevant staff, including those in agencies, non-departmental public bodies and other sponsored public bodies within your area of responsibility.
10. If you have any questions about this SPPN, please contact the Scottish Procurement Mailbox. You can also write to Scottish Procurement, Scottish Government, 5 Atlantic Quay, 150 Broomielaw, Glasgow, G2 8LU.
Any enquiries relating to this SPPN should be addressed to Scottish Procurement:
The Scottish Government
5 Atlantic Quay