Data Protection (NI)

See also Data Protection (RoI)

The UK GDPR

GDPR refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). The EU GDPR is an EU Regulation and as such no longer applies domestically in the UK. The provisions of the EU GDPR have been incorporated directly into UK domestic law (including Northern Ireland) as the UK GDPR, although the UK has the independence to keep the framework under review. In practice, the core data protection principles, rights and obligations remain the same.

The UK GDPR is defined in Regulations made under the European Union (Withdrawal) Act 2018, section 211(2) of the Data Protection Act 2018 (DPA 2018) and section 2(2) of the European Communities Act 1972 as meaning "Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018."

On 28 June 2021 the EU Commission adopted decisions on the UK’s adequacy under the EU’s General Data Protection Regulation (EU GDPR) and Law Enforcement Directive (LED). In both cases, the European Commission has found the UK to be adequate. Both decisions are expected to last until 27 June 2025. The EU adequacy decisions apply to the whole of the UK, including Northern Ireland. 

EEA to UK data

If a UK organisation receives personal data from the EU or EEA, it can continue to flow as before and the organisation does not need to take further action, because of the EU adequacy decisions. Whilst these remain in place (until 27 June 2025), the UK GDPR applies. The EU Commission must monitor developments in the UK on an ongoing basis to ensure that the UK continues to provide an equivalent level of data protection. The Commission can amend, suspend, or repeal the decisions if issues cannot be resolved. Also, EU data subjects or an EU data protection authority can initiate a legal challenge to the decisions. The Court of Justice of the European Union would then have to decide whether the UK did provide essentially equivalent protection.

UK to EEA data

Transfers of data from the UK (England, Scotland, Wales, and Northern Ireland only) to the EEA are also permitted. The UK government will keep this under review. The UK GDPR also applies to controllers and processors based outside the UK if their processing activities relate to:

If a UK organisation has an office, branch or other established presence in the EEA, or if it has customers in the EEA, it needs to comply with both UK and EU data protection regulations, as the EU GDPR still applies to this processing. It may also need to designate a representative in the EEA. The UK Information Commissioner's Office (ICO) guidance covers the key issues to consider regarding cross-border processing.

Lawfulness, Fairness & Transparency

Article 5(1) of the UK GDPR says: 

1. Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness, transparency’)

There are more detailed provisions on lawfulness and having a ‘lawful basis for processing’ set out in Articles 6 to 10.

There are more detailed transparency obligations set out in Articles 13 and 14, as part of the ‘right to be informed’.

Summary obligations

A Data Controller or Processor must -

Data Protection Officer (see Appendix III, Article 256)

Under the GDPR, certain organisations are required to appoint a designated Data Protection Officer (DPO). Organisations are also required to publish the details of their DPO and provide these details to their national supervisory authority. An organisation is required to appoint a designated data protection officer (Article 37) where ... inter alia ... the core activities of the controller or the processor consist of processing on a large scale of special categories of data, or personal data relating to criminal convictions and offences.

The NBSCCCI Guidance in Appendix B (see Article 256) recommends that a Church Authority appoint a DPO.

The Article 29 Data Protection Working Party (WP29) – an advisory group made up of a representative from the Data Protection authority of each EU Member State, the European Data Protection Supervisor and the EU Commission – has published guidance on the interpretation of the words "core activities" and "large scale". Thus, a bank or insurance company processing customer data in the regular course of its business should be considered large scale, but the processing of patient data by a single GP should not.

The processing of personal data is not in any sense a "core activity" of the NWE Region of the Prelature, in the UK or elsewhere. Unlike, for example, a diocese, the instances in which Article 9 categories of data have to be processed are few and far between. Accordingly, the Prelature in Ireland does not require the formal appointment of a DPO. The Safeguarding Coordinator will supervise the compliance of the Prelature with the requirements of GDPR in its activities.