PART 1Preliminary
1Overview
(1)This Act makes provision about the processing of personal data.
(2)Most processing of personal data is subject to the GDPR.
(3)Part 2 supplements the GDPR (see Chapter 2) and applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply (see Chapter 3).
(4)Part 3 makes provision about the processing of personal data by competent authorities for law enforcement purposes and implements the Law Enforcement Directive.
(5)Part 4 makes provision about the processing of personal data by the intelligence services.
(6)Part 5 makes provision about the Information Commissioner.
(7)Part 6 makes provision about the enforcement of the data protection legislation.
(8)Part 7 makes supplementary provision, including provision about the application of this Act to the Crown and to Parliament.
2Protection of personal data
(1)The GDPR, the applied GDPR and this Act protect individuals with regard to the processing of personal data, in particular by—
(a)requiring personal data to be processed lawfully and fairly, on the basis of the data subject’s consent or another specified basis,
(b)conferring rights on the data subject to obtain information about the processing of personal data and to require inaccurate personal data to be rectified, and
(c)conferring functions on the Commissioner, giving the holder of that office responsibility for monitoring and enforcing their provisions.
(2)When carrying out functions under the GDPR, the applied GDPR and this Act, the Commissioner must have regard to the importance of securing an appropriate level of protection for personal data, taking account of the interests of data subjects, controllers and others and matters of general public interest.
3Terms relating to the processing of personal data
(1)This section defines some terms used in this Act.
(2)“Personal data” means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).
(3)“Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to—
(a)an identifier such as a name, an identification number, location data or an online identifier, or
(b)one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
(4)“Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as—
(a)collection, recording, organisation, structuring or storage,
(b)adaptation or alteration,
(c)retrieval, consultation or use,
(d)disclosure by transmission, dissemination or otherwise making available,
(e)alignment or combination, or
(f)restriction, erasure or destruction,
(subject to subsection (14)(c) and sections 5(7), 29(2) and 82(3), which make provision about references to processing in the different Parts of this Act).
(5)“Data subject” means the identified or identifiable living individual to whom personal data relates.
(6)“Controller” and “processor”, in relation to the processing of personal data to which Chapter 2 or 3 of Part 2, Part 3 or Part 4 applies, have the same meaning as in that Chapter or Part (see sections 5, 6, 32 and 83 and see also subsection (14)(d)).
(7)“Filing system” means any structured set of personal data which is accessible according to specific criteria, whether held by automated means or manually and whether centralised, decentralised or dispersed on a functional or geographical basis.
(8)“The Commissioner” means the Information Commissioner (see section 114).
(9)“The data protection legislation” means—
(a)the GDPR,
(b)the applied GDPR,
(c)this Act,
(d)regulations made under this Act, and
(e)regulations made under section 2(2) of the European Communities Act 1972 which relate to the GDPR or the Law Enforcement Directive.
(10)“The GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
(11)“The applied GDPR” means the GDPR as applied by Chapter 3 of Part 2.
(12)“The Law Enforcement Directive” means Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
(13)“The Data Protection Convention” means the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data which was opened for signature on 28 January 1981, as amended up to the day on which this Act is passed.
(14)In Parts 5 to 7, except where otherwise provided—
(a)references to the GDPR are to the GDPR read with Chapter 2 of Part 2 and include the applied GDPR read with Chapter 3 of Part 2 ;
(b)references to Chapter 2 of Part 2, or to a provision of that Chapter, include that Chapter or that provision as applied by Chapter 3 of Part 2;
(c)references to personal data, and the processing of personal data, are to personal data and processing to which Chapter 2 or 3 of Part 2, Part 3 or Part 4 applies;
(d)references to a controller or processor are to a controller or processor in relation to the processing of personal data to which Chapter 2 or 3 of Part 2, Part 3 or Part 4 applies.
(15)There is an index of defined expressions in section 206.