xmlns:atom="http://www.w3.org/2005/Atom" xmlns:atom="http://www.w3.org/2005/Atom"

SCHEDULES

Section 211

SCHEDULE 19E+W+S+N.I.Minor and consequential amendments

PART 1 E+W+S+N.I.Amendments of primary legislation

Prospective

Registration Service Act 1953 (c. 37)E+W+S+N.I.

1(1)Section 19AC of the Registration Service Act 1953 (codes of practice) is amended as follows.E+W+S+N.I.

(2)In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “ prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act ”.

(3)In subsection (11), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 ”.

Prospective

Veterinary Surgeons Act 1966 (c. 36)E+W+S+N.I.

2(1)Section 1A of the Veterinary Surgeons Act 1966 (functions of the Royal College of Veterinary Surgeons as competent authority) is amended as follows.E+W+S+N.I.

(2)In subsection (8)—

(a)omit “personal data protection legislation in the United Kingdom that implements”,

(b)for paragraph (a) substitute—

(a)the GDPR; and, and

(c)in paragraph (b), at the beginning insert “ legislation in the United Kingdom that implements ”.

(3)In subsection (9), after “section” insert

the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;.

Prospective

Parliamentary Commissioner Act 1967 (c. 13)E+W+S+N.I.

3In section 11AA(1) of the Parliamentary Commissioner Act 1967 (disclosure of information by Parliamentary Commissioner to Information Commissioner)—E+W+S+N.I.

(a)in paragraph (a), for sub-paragraph (i) substitute—

(i)sections 142 to 154, 160 to 164 or 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018 (certain provisions relating to enforcement),, and

(b)for paragraph (b) substitute—

(b)the commission of an offence under—

(i)a provision of the Data Protection Act 2018 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or

(ii)section 77 of the Freedom of Information Act 2000 (offence of altering etc records with intent to prevent disclosure).

Prospective

Local Government Act 1974 (c. 7)E+W+S+N.I.

4The Local Government Act 1974 is amended as follows.E+W+S+N.I.

5In section 33A(1) (disclosure of information by Local Commissioner to Information Commissioner)—E+W+S+N.I.

(a)in paragraph (a), for sub-paragraph (i) substitute—

(i)sections 142 to 154, 160 to 164 or 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018 (certain provisions relating to enforcement),, and

(b)for paragraph (b) substitute—

(b)the commission of an offence under—

(i)a provision of the Data Protection Act 2018 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or

(ii)section 77 of the Freedom of Information Act 2000 (offence of altering etc records with intent to prevent disclosure).

6In section 34O(1) (disclosure of information by Local Commissioner to Information Commissioner)—E+W+S+N.I.

(a)in paragraph (a), for sub-paragraph (i) substitute—

(i)sections 142 to 154, 160 to 164 or 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018 (certain provisions relating to enforcement),, and

(b)for paragraph (b) substitute—

(b)the commission of an offence under—

(i)a provision of the Data Protection Act 2018 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or

(ii)section 77 of the Freedom of Information Act 2000 (offence of altering etc records with intent to prevent disclosure).

Prospective

Consumer Credit Act 1974 (c. 39)E+W+S+N.I.

7The Consumer Credit Act 1974 is amended as follows.E+W+S+N.I.

8In section 157(2A) (duty to disclose name etc of agency)—E+W+S+N.I.

(a)in paragraph (a), for “the Data Protection Act 1998” substitute “ the GDPR ”, and

(b)in paragraph (b), after “any” insert “ other ”.

9In section 159(1)(a) (correction of wrong information) for “section 7 of the Data Protection Act 1998” substitute “ Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers) ”.E+W+S+N.I.

10In section 189(1) (definitions), at the appropriate place insert—E+W+S+N.I.

the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);.

Prospective

Pharmacy (Northern Ireland) Order 1976 (S.I. 1976/1213 (N.I. 22))E+W+S+N.I.

11The Pharmacy (Northern Ireland) Order 1976 is amended as follows.E+W+S+N.I.

12In article 2(2) (interpretation), omit the definition of “Directive 95/46/EC”.E+W+S+N.I.

13In article 8D (European professional card), after paragraph (3) insert—E+W+S+N.I.

(4)In Schedule 2C, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.

14In article 22A(6) (Directive 2005/36/EC: functions of competent authority etc.), before sub-paragraph (a) insert—E+W+S+N.I.

(za)the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;.

15(1)Schedule 2C (Directive 2005/36/EC: European professional card) is amended as follows.E+W+S+N.I.

(2)In paragraph 8(1) (access to data), for “Directive 95/46/EC” substitute “ the GDPR ”.

(3)In paragraph 9 (processing data), omit sub-paragraph (2) (deeming the Society to be the controller for the purposes of Directive 95/46/EC).

16(1)The table in Schedule 2D (functions of the Society under Directive 2005/36/EC) is amended as follows.E+W+S+N.I.

(2)In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.

(3)In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.

17(1)Paragraph 2 of Schedule 3 (fitness to practice: disclosure of information) is amended as follows.E+W+S+N.I.

(2)In sub-paragraph (2)(a), after “provision” insert “ or the GDPR ”.

(3)For sub-paragraph (3) substitute—

(3)In determining for the purposes of sub-paragraph (2)(a) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this paragraph.

(4)After sub-paragraph (4) insert—

(5)In this paragraph, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).

Prospective

Representation of the People Act 1983 (c. 2)E+W+S+N.I.

18(1)Schedule 2 to the Representation of the People Act 1983 (provisions which may be contained in regulations as to registration etc) is amended as follows.E+W+S+N.I.

(2)In paragraph 1A(5), for “the Data Protection Act 1998” substitute “ Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act) ”.

(3)In paragraph 8C(2), for “the Data Protection Act 1998” substitute “ Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act) ”.

(4)In paragraph 11A—

(a)in sub-paragraph (1) for “who are data users to supply data, or documents containing information extracted from data and” substitute “ to supply information ”, and

(b)omit sub-paragraph (2).

Prospective

Medical Act 1983 (c. 54)E+W+S+N.I.

19The Medical Act 1983 is amended as follows.E+W+S+N.I.

20(1)Section 29E (evidence) is amended as follows.E+W+S+N.I.

(2)In subsection (5), after “enactment” insert “ or the GDPR ”.

(3)For subsection (7) substitute—

(7)In determining for the purposes of subsection (5) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.

(4)In subsection (9), at the end insert—

“the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).

21(1)Section 35A (General Medical Council's power to require disclosure of information) is amended as follows.E+W+S+N.I.

(2)In subsection (4), after “enactment” insert “ or the GDPR ”.

(3)For subsection (5A) substitute—

(5A)In determining for the purposes of subsection (4) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.

(4)In subsection (7), at the end insert—

“the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).

22In section 49B(7) (Directive 2005/36: designation of competent authority etc.), after “Schedule 4A” insert E+W+S+N.I.

the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;.

23In section 55(1) (interpretation), omit the definition of “Directive 95/46/EC”.E+W+S+N.I.

24(1)Paragraph 9B of Schedule 1 (incidental powers of the General Medical Council) is amended as follows.E+W+S+N.I.

(2)In sub-paragraph (2)(a), after “enactment” insert “ or the GPDR ”.

(3)After sub-paragraph (3) insert—

(4)In this paragraph, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).

25(1)Paragraph 5A of Schedule 4 (professional performance assessments and health assessments) is amended as follows.E+W+S+N.I.

(2)In sub-paragraph (8), after “enactment” insert “ or the GDPR ”.

(3)For sub-paragraph (8A) substitute—

(8A)In determining for the purposes of sub-paragraph (8) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this paragraph.

(4)After sub-paragraph (13) insert—

(14)In this paragraph, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).

26(1)The table in Schedule 4A (functions of the General Medical Council as competent authority under Directive 2005/36) is amended as follows.E+W+S+N.I.

(2)In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.

(3)In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.

Prospective

Dentists Act 1984 (c. 24)E+W+S+N.I.

27The Dentists Act 1984 is amended as follows.E+W+S+N.I.

28(1)Section 33B (the General Dental Council's power to require disclosure of information: the dental profession) is amended as follows.E+W+S+N.I.

(2)In subsection (3), after “enactment” insert “ or relevant provision of the GDPR ”.

(3)For subsection (4) substitute—

(4)For the purposes of subsection (3)—

  • relevant enactment” means any enactment other than—

    (a)

    this Act, or

    (b)

    the listed provisions in paragraph 1 of Schedule 11 to the Data Protection Act 2018 (exemptions to Part 4 : disclosures required by law);

  • relevant provision of the GDPR” means any provision of the GDPR apart from the listed GDPR provisions in paragraph 1 of Schedule 2 to the Data Protection Act 2018 (GDPR provisions to be adapted or restricted: disclosures required by law).

(4)After subsection (10) insert—

(11)In this section, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).

29In section 36ZA(6) (Directive 2005/36: designation of competent authority etc), after “Schedule 4ZA—” insert—E+W+S+N.I.

the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;.

30(1)Section 36Y (the General Dental Council's power to require disclosure of information: professions complementary to dentistry) is amended as follows.E+W+S+N.I.

(2)In subsection (3), after “enactment” insert “ or relevant provision of the GDPR ”.

(3)For subsection (4) substitute—

(4)For the purposes of subsection (3)—

  • relevant enactment” means any enactment other than—

    (a)

    this Act, or

    (b)

    the listed provisions in paragraph 1 of Schedule 11 to the Data Protection Act 2018 (exemptions to Part 4 : disclosures required by law);

  • relevant provision of the GDPR” means any provision of the GDPR apart from the listed GDPR provisions in paragraph 1 of Schedule 2 to the Data Protection Act 2018 (GDPR provisions to be adapted or restricted: disclosures required by law).

(4)After subsection (10) insert—

(11)In this section, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).

31In section 53(1) (interpretation), omit the definition of “Directive 95/46/EC”.E+W+S+N.I.

32(1)The table in Schedule 4ZA (Directive 2005/36: functions of the General Dental Council under section 36ZA(3)) is amended as follows.E+W+S+N.I.

(2)In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.

(3)In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.

Prospective

Companies Act 1985 (c. 6)E+W+S+N.I.

33In section 449(11) of the Companies Act 1985 (provision for security of information obtained), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.E+W+S+N.I.

Prospective

Access to Medical Reports Act 1988 (c. 28)E+W+S+N.I.

34In section 2(1) of the Access to Medical Reports Act 1988 (interpretation), for the definition of “health professional” substitute—E+W+S+N.I.

health professional” has the same meaning as in the Data Protection Act 2018 (see section 204 of that Act);.

Prospective

Opticians Act 1989 (c. 44)E+W+S+N.I.

35(1)Section 13B of the Opticians Act 1989 (the Council's power to require disclosure of information) is amended as follows.E+W+S+N.I.

(2)In subsection (3), after “enactment” insert “ or the GDPR ”.

(3)For subsection (4) substitute—

(4)In determining for the purposes of subsection (3) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.

(4)After subsection (9) insert—

(10)In this section, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).

Prospective

Access to Health Records Act 1990 (c. 23)E+W+S+N.I.

36The Access to Health Records Act 1990 is amended as follows.E+W+S+N.I.

37For section 2 substitute—E+W+S+N.I.

2Health professionals

In this Act, “health professional” has the same meaning as in the Data Protection Act 2018 (see section 204 of that Act).

38(1)Section 3 (right of access to health records) is amended as follows.E+W+S+N.I.

(2)In subsection (2), omit “Subject to subsection (4) below,”.

(3)In subsection (4), omit from “other than the following” to the end.

Prospective

Human Fertilisation and Embryology Act 1990 (c. 37)E+W+S+N.I.

39(1)Section 33D of the Human Fertilisation and Embryology Act 1990 (disclosure for the purposes of medical or other research) is amended as follows.E+W+S+N.I.

(2)In subsection (6), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)In subsection (9), at the appropriate place insert—

the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Trade Union and Labour Relations (Consolidation) Act 1992 (c. 52)E+W+S+N.I.

40(1)Section 251B of the Trade Union and Labour Relations (Consolidation) Act 1992 (prohibition on disclosure of information) is amended as follows.E+W+S+N.I.

(2)In subsection (3), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)After subsection (6) insert—

(7)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Tribunals and Inquiries Act 1992 (c. 53)E+W+S+N.I.

41In the table in Part 1 of Schedule 1 to the Tribunals and Inquiries Act 1992 (tribunals to which the Act applies), in the second column, in paragraph 14(a), for “section 6 of the Data Protection Act 1998” substitute “ section 114 of the Data Protection Act 2018 ”.E+W+S+N.I.

Prospective

Industrial Relations (Northern Ireland) Order 1992 (S.I. 1992/807 (N.I. 5))E+W+S+N.I.

42(1)Article 90B of the Industrial Relations (Northern Ireland) Order 1992 (prohibition on disclosure of information held by the Labour Relations Agency) is amended as follows.E+W+S+N.I.

(2)In paragraph (3), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)After paragraph (6) insert—

(7)In this Article, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Health Service Commissioners Act 1993 (c. 46)E+W+S+N.I.

43In section 18A(1) of the Health Service Commissioners Act 1993 (power to disclose information)—E+W+S+N.I.

(a)in paragraph (a), for sub-paragraph (i) substitute—

(i)sections 142 to 154, 160 to 164 or 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018 (certain provisions relating to enforcement),, and

(b)for paragraph (b) substitute—

(b)the commission of an offence under—

(i)a provision of the Data Protection Act 2018 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or

(ii)section 77 of the Freedom of Information Act 2000 (offence of altering etc records with intent to prevent disclosure).

Prospective

Data Protection Act 1998 (c. 29)E+W+S+N.I.

44The Data Protection Act 1998 is repealed, with the exception of section 62 and paragraphs 13, 15, 16, 18 and 19 of Schedule 15 (which amend other enactments).E+W+S+N.I.

Prospective

Crime and Disorder Act 1998 (c. 37)E+W+S+N.I.

45In section 17A(4) of the Crime and Disorder Act 1998 (sharing of information), for “(within the meaning of the Data Protection Act 1998)” substitute “ (within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act)) ”.E+W+S+N.I.

Prospective

Food Standards Act 1999 (c. 28)E+W+S+N.I.

46(1)Section 19 of the Food Standards Act 1999 (publication etc by the Food Standards Agency of advice and information) is amended as follows.E+W+S+N.I.

(2)In subsection (2), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)In subsection (8), after “section” insert

the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);.

Prospective

Immigration and Asylum Act 1999 (c. 33)E+W+S+N.I.

47(1)Section 13 of the Immigration and Asylum Act 1999 (proof of identity of persons to be removed or deported) is amended as follows.E+W+S+N.I.

(2)For subsection (4) substitute—

(4)For the purposes of Article 49(1)(d) of the GDPR, the provision under this section of identification data is a transfer of personal data which is necessary for important reasons of public interest.

(3)After subsection (4) insert—

(4A)The GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).

Prospective

Financial Services and Markets Act 2000 (c. 8)E+W+S+N.I.

48The Financial Services and Markets Act 2000 is amended as follows.E+W+S+N.I.

49In section 86(9) (exempt offers to the public), for “the Data Protection Act 1998 or any directly applicable EU legislation relating to data protection” substitute E+W+S+N.I.

(a)the data protection legislation, or

(b)any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection.

50In section 391A(6)(b) (publication: special provisions relating to the capital requirements directive), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.E+W+S+N.I.

51In section 391C(7)(a) (publication: special provisions relating to the UCITS directive), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.E+W+S+N.I.

52In section 391D(9)(a) (publication: special provisions relating to the markets in financial instruments directive), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.E+W+S+N.I.

53In section 417 (definitions), at the appropriate place insert—E+W+S+N.I.

the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);.

Prospective

Terrorism Act 2000 (c. 11)E+W+S+N.I.

54In section 21F(2)(d) of the Terrorism Act 2000 (other permitted disclosures between institutions etc) for “(within the meaning of section 1 of the Data Protection Act 1998)” substitute “ (within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act)) ”.E+W+S+N.I.

Freedom of Information Act 2000 (c. 36)E+W+S+N.I.

Prospective

55The Freedom of Information Act 2000 is amended as follows.E+W+S+N.I.

Prospective

56In section 2(3) (absolute exemptions), for paragraph (f) substitute—E+W+S+N.I.

(f)section 40(1),

(fa)section 40(2) so far as relating to cases where the first condition referred to in that subsection is satisfied,.

Prospective

57In section 18 (the Information Commissioner), omit subsection (1).E+W+S+N.I.

Prospective

58(1)Section 40 (personal information) is amended as follows.E+W+S+N.I.

(2)In subsection (2)—

(a)in paragraph (a), for “do” substitute “ does ”, and

(b)in paragraph (b), for “either the first or the second” substitute “ the first, second or third ”.

(3)For subsection (3) substitute—

(3A)The first condition is that the disclosure of the information to a member of the public otherwise than under this Act—

(a)would contravene any of the data protection principles, or

(b)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(3B)The second condition is that the disclosure of the information to a member of the public otherwise than under this Act would contravene Article 21 of the GDPR (general processing: right to object to processing).

(4)For subsection (4) substitute—

(4A)The third condition is that—

(a)on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 15, 16 or 26 of, or Schedule 2, 3 or 4 to, the Data Protection Act 2018, or

(b)on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.

(5)For subsection (5) substitute—

(5A)The duty to confirm or deny does not arise in relation to information which is (or if it were held by the public authority would be) exempt information by virtue of subsection (1).

(5B)The duty to confirm or deny does not arise in relation to other information if or to the extent that any of the following applies—

(a)giving a member of the public the confirmation or denial that would have to be given to comply with section 1(1)(a)—

(i)would (apart from this Act) contravene any of the data protection principles, or

(ii)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded;

(b)giving a member of the public the confirmation or denial that would have to be given to comply with section 1(1)(a) would (apart from this Act) contravene Article 21 of the GDPR (general processing: right to object to processing);

(c)on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for confirmation of whether personal data is being processed, the information would be withheld in reliance on a provision listed in subsection (4A)(a);

(d)on a request under section 45(1)(a) of the Data Protection Act 2018 (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.

(6)Omit subsection (6).

(7)For subsection (7) substitute—

(7)In this section—

  • the data protection principles” means the principles set out in—

    (a)

    Article 5(1) of the GDPR, and

    (b)

    section 34(1) of the Data Protection Act 2018;

  • data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

  • “the GDPR”, “personal data”, “processing” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (4), (10), (11) and (14) of that Act).

(8)In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

Prospective

59Omit section 49 (reports to be laid before Parliament).E+W+S+N.I.

60For section 61 (appeal proceedings) substitute—E+W+S+N.I.

61Appeal proceedings

(1)Tribunal Procedure Rules may make provision for regulating the exercise of rights of appeal conferred by sections 57(1) and (2) and 60(1) and (4).

(2)In relation to appeals under those provisions, Tribunal Procedure Rules may make provision about—

(a)securing the production of material used for the processing of personal data, and

(b)the inspection, examination, operation and testing of equipment or material used in connection with the processing of personal data.

(3)Subsection (4) applies where—

(a)a person does something, or fails to do something, in relation to proceedings before the First-tier Tribunal on an appeal under those provisions, and

(b)if those proceedings were proceedings before a court having power to commit for contempt, the act or omission would constitute contempt of court.

(4)The First-tier Tribunal may certify the offence to the Upper Tribunal.

(5)Where an offence is certified under subsection (4), the Upper Tribunal may—

(a)inquire into the matter, and

(b)deal with the person charged with the offence in any manner in which it could deal with the person if the offence had been committed in relation to the Upper Tribunal.

(6)Before exercising the power under subsection (5)(b), the Upper Tribunal must—

(a)hear any witness who may be produced against or on behalf of the person charged with the offence, and

(b)hear any statement that may be offered in defence.

(7)In this section, “personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act).

Annotations:

Commencement Information

I1Sch. 19 para. 60 in force at Royal Assent for specified purposes, see s. 212(2)(f)

Prospective

61In section 76(1) (disclosure of information between Commissioner and ombudsmen), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.E+W+S+N.I.

Prospective

62After section 76A insert—E+W+S+N.I.

76BDisclosure of information to Tribunal

(1)No enactment or rule of law prohibiting or restricting the disclosure of information precludes a person from providing the First-tier Tribunal or the Upper Tribunal with information necessary for the discharge of their functions in connection with appeals under section 60 of this Act.

(2)But this section does not authorise the making of a disclosure which is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016.

(3)Until the repeal of Part 1 of the Regulation of Investigatory Powers Act 2000 by paragraphs 45 and 54 of Schedule 10 to the Investigatory Powers Act 2016 is fully in force, subsection (2) has effect as if it included a reference to that Part.

Prospective

63In section 77(1)(b) (offence of altering etc records with intent to prevent disclosure), omit “or section 7 of the Data Protection Act 1998,”.E+W+S+N.I.

Prospective

64In section 84 (interpretation), at the appropriate place insert—E+W+S+N.I.

the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);.

Prospective

Political Parties, Elections and Referendums Act 2000 (c. 41)E+W+S+N.I.

65(1)Paragraph 28 of Schedule 19C to the Political Parties, Elections and Referendums Act 2000 (civil sanctions: disclosure of information) is amended as follows.E+W+S+N.I.

(2)In sub-paragraph (4)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)After sub-paragraph (5) insert—

(6)In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Public Finance and Accountability (Scotland) Act 2000 (asp 1)E+W+S+N.I.

66The Public Finance and Accountability (Scotland) Act 2000 is amended as follows.E+W+S+N.I.

67In section 26B(3)(a) (voluntary disclosure of data to Audit Scotland), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.E+W+S+N.I.

68In section 26C(3)(a) (power to require disclosure of data), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.E+W+S+N.I.

69In section 29(1) (interpretation), at the appropriate place insert—E+W+S+N.I.

the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);.

Prospective

Criminal Justice and Police Act 2001 (c. 16)E+W+S+N.I.

70The Criminal Justice and Police Act 2001 is amended as follows.E+W+S+N.I.

71In section 57(1) (retention of seized items)—E+W+S+N.I.

(a)omit paragraph (m), and

(b)after paragraph (s) insert—

(t)paragraph 10 of Schedule 15 to the Data Protection Act 2018;.

72In section 65(7) (meaning of “legal privilege”)—E+W+S+N.I.

(a)for “paragraph 1 of Schedule 9 to the Data Protection Act 1998 (c. 29)” substitute “ paragraphs 1 and 2 of Schedule 15 to the Data Protection Act 2018 ”, and

(b)for “paragraph 9” substitute “ paragraph 11 (matters exempt from inspection and seizure: privileged communications) ”.

73In Schedule 1 (powers of seizure)—E+W+S+N.I.

(a)omit paragraph 65, and

(b)after paragraph 73R insert—

Data Protection Act 2018E+W+S+N.I.

73SThe power of seizure conferred by paragraphs 1 and 2 of Schedule 15 to the Data Protection Act 2018 (powers of entry and inspection).

Prospective

Anti-terrorism, Crime and Security Act 2001 (c.24)E+W+S+N.I.

74The Anti-terrorism, Crime and Security Act 2001 is amended as follows.E+W+S+N.I.

75(1)Section 19 (disclosure of information held by revenue departments) is amended as follows.E+W+S+N.I.

(2)In subsection (7), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.

(3)In subsection (9), after “section” insert

the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);.

76(1)Part 1 of Schedule 4 (extension of existing disclosure powers) is amended as follows.E+W+S+N.I.

(2)Omit paragraph 42.

(3)After paragraph 53F insert—

53GSection 132(3) of the Data Protection Act 2018.

Prospective

Health and Personal Social Services Act (Northern Ireland) 2001 (c. 3 (N.I.))E+W+S+N.I.

77(1)Section 7A of the Health and Personal Social Services Act (Northern Ireland) 2001 (power to obtain information etc) is amended as follows.E+W+S+N.I.

(2)In subsection (3), after “provision” insert “ or the GDPR ”.

(3)For subsection (5) substitute—

(5)In determining for the purposes of subsection (3) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this section.

(4)After subsection (7) insert—

(8)In this section, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).

Prospective

Justice (Northern Ireland) Act 2002 (c. 26)E+W+S+N.I.

78(1)Section 5A of the Justice (Northern Ireland) Act 2002 (disclosure of information to the Commission) is amended as follows.E+W+S+N.I.

(2)In subsection (3)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)After subsection (9) insert—

(10)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Proceeds of Crime Act 2002 (c. 29)E+W+S+N.I.

79The Proceeds of Crime Act 2002 is amended as follows.E+W+S+N.I.

80In section 333C(2)(d) (other permitted disclosures between institutions etc), for “(within the meaning of section 1 of the Data Protection Act 1998)” substitute “ (within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act)) ”.E+W+S+N.I.

81In section 436(3)(a) (disclosure of information to certain Directors), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.E+W+S+N.I.

82In section 438(8)(a) (disclosure of information by certain Directors), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.E+W+S+N.I.

83In section 439(3)(a) (disclosure of information to Lord Advocate and to Scottish Ministers), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.E+W+S+N.I.

84In section 441(7)(a) (disclosure of information by Lord Advocate and Scottish Ministers), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.E+W+S+N.I.

85After section 442 insert—E+W+S+N.I.

442AData protection legislation

In this Part, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Enterprise Act 2002 (c. 40)E+W+S+N.I.

86(1)Section 237 of the Enterprise Act 2002 (general restriction on disclosure) is amended as follows.E+W+S+N.I.

(2)In subsection (4), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.

(3)After subsection (6) insert—

(7)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Scottish Public Services Ombudsman Act 2002 (asp 11)E+W+S+N.I.

87(1)In Schedule 5 to the Scottish Public Services Ombudsman Act 2002 (disclosure of information by the Ombudsman), the entry for the Information Commissioner is amended as follows.E+W+S+N.I.

(2)In paragraph 1, for sub-paragraph (a) substitute—

(a)sections 142 to 154, 160 to 164 or 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018 (certain provisions relating to enforcement),.

(3)For paragraph 2 substitute—

2The commission of an offence under—

(a)a provision of the Data Protection Act 2018 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc), or

(b)section 77 of the Freedom of Information Act 2000 (offence of altering etc records with intent to prevent disclosure).

Prospective

Freedom of Information (Scotland) Act 2002 (asp 13)E+W+S+N.I.

88The Freedom of Information (Scotland) Act 2002 is amended as follows.E+W+S+N.I.

89In section 2(2)(e)(ii) (absolute exemptions), omit “by virtue of subsection (2)(a)(i) or (b) of that section”.E+W+S+N.I.

90(1)Section 38 (personal information) is amended as follows.E+W+S+N.I.

(2)In subsection (1), for paragraph (b) substitute—

(b)personal data and the first, second or third condition is satisfied (see subsections (2A) to (3A));.

(3)For subsection (2) substitute—

(2A)The first condition is that the disclosure of the information to a member of the public otherwise than under this Act—

(a)would contravene any of the data protection principles, or

(b)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(2B)The second condition is that the disclosure of the information to a member of the public otherwise than under this Act would contravene Article 21 of the GDPR (general processing: right to object to processing).

(4)For subsection (3) substitute—

(3A)The third condition is that—

(a)on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 15, 16 or 26 of, or Schedule 2, 3 or 4 to, the Data Protection Act 2018, or

(b)on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.

(5)Omit subsection (4).

(6)In subsection (5), for the definitions of “the data protection principles” and of “data subject” and “personal data” substitute—

the data protection principles” means the principles set out in—

(a)Article 5(1) of the GDPR, and

(b)section 34(1) of the Data Protection Act 2018;

data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

“the GDPR”, “personal data”, “processing” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (4), (10), (11) and (14) of that Act);.

(7)After that subsection insert—

(5A)In determining for the purposes of this section whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

Prospective

Courts Act 2003 (c. 39)E+W+S+N.I.

91Schedule 5 to the Courts Act 2003 (collection of fines) is amended as follows.E+W+S+N.I.

92(1)Paragraph 9C (disclosure of information in connection with making of attachment of earnings orders or applications for benefit deductions: supplementary) is amended as follows.E+W+S+N.I.

(2)In sub-paragraph (5), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)After sub-paragraph (5) insert—

(6)In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

93(1)Paragraph 10A (attachment of earnings orders (Justice Act (Northern Ireland) 2016): disclosure of information) is amended as follows.E+W+S+N.I.

(2)In sub-paragraph (7), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)In sub-paragraph (8), at the appropriate place insert—

the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);.

Prospective

Sexual Offences Act 2003 (c. 42)E+W+S+N.I.

94(1)Section 94 of the Sexual Offences Act 2003 (Part 2: supply of information to the Secretary of State etc for verification) is amended as follows.E+W+S+N.I.

(2)In subsection (6), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.

(3)In subsection (8), at the appropriate place insert—

the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);.

Prospective

Criminal Justice Act 2003 (c. 44)E+W+S+N.I.

95The Criminal Justice Act 2003 is amended as follows.E+W+S+N.I.

96In section 327A(9) (disclosure of information about convictions etc of child sex offenders to members of the public), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.E+W+S+N.I.

97In section 327B (disclosure of information about convictions etc of child sex offenders to members of the public: interpretation), after subsection (4) insert—E+W+S+N.I.

(4A)The data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Mental Health (Care and Treatment) (Scotland) Act 2003 (asp 13)E+W+S+N.I.

98(1)Section 279 of the Mental Health (Care and Treatment) (Scotland) Act 2003 (information for research) is amended as follows.E+W+S+N.I.

(2)In subsection (2), for “research purposes within the meaning given by section 33 of the Data Protection Act 1998 (c. 29) (research, history and statistics)” substitute “ purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics) ”.

(3)After subsection (9) insert—

(10)In this section, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

Prospective

Public Audit (Wales) Act 2004 (c. 23)E+W+S+N.I.

99(1)Section 64C of the Public Audit (Wales) Act 2004 (voluntary provision of data) is amended as follows.E+W+S+N.I.

(2)In subsection (3)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.

(3)In subsection (5), at the beginning insert In this section—

the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);.

Prospective

Companies (Audit, Investigations and Community Enterprise) Act 2004 (c. 27)E+W+S+N.I.

100The Companies (Audit, Investigations and Community Enterprise) Act 2004 is amended as follows.E+W+S+N.I.

101(1)Section 15A (disclosure of information by tax authorities) is amended as follows.E+W+S+N.I.

(2)In subsection (2)—

(a)omit “within the meaning of the Data Protection Act 1998”, and

(b)for “that Act” substitute “ the data protection legislation ”.

(3)After subsection (7) insert—

(8)In this section—

  • the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

  • personal data” has the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).

102(1)Section 15D (permitted disclosure of information obtained under compulsory powers) is amended as follows.E+W+S+N.I.

(2)In subsection (7), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)After subsection (7) insert—

(8)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Domestic Violence, Crime and Victims Act 2004 (c. 28)E+W+S+N.I.

103(1)Section 54 of the Domestic Violence, Crime and Victims Act 2004 (disclosure of information) is amended as follows.E+W+S+N.I.

(2)In subsection (7), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.

(3)After subsection (8) insert—

(9)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Children Act 2004 (c. 31)E+W+S+N.I.

104The Children Act 2004 is amended as follows.E+W+S+N.I.

105(1)Section 12 (information databases) is amended as follows.E+W+S+N.I.

(2)In subsection (13)(e) for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.

(3)After subsection (13) insert—

(14)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

106(1)Section 29 (information databases: Wales) is amended as follows.E+W+S+N.I.

(2)In subsection (14)(e) for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.

(3)After subsection (14) insert—

(15)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Constitutional Reform Act 2005 (c. 4)E+W+S+N.I.

107(1)Section 107 of the Constitutional Reform Act 2005 (disclosure of information to the Commission) is amended as follows.E+W+S+N.I.

(2)In subsection (3)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.

(3)After subsection (9) insert—

(10)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Mental Capacity Act 2005 (c. 9)E+W+S+N.I.

108In section 64 of the Mental Capacity Act 2005 (interpretation), for the definition of “health record” substitute—E+W+S+N.I.

health record” has the same meaning as in the Data Protection Act 2018 (see section 205 of that Act);.

Prospective

Public Services Ombudsman (Wales) Act 2005 (c. 10)E+W+S+N.I.

109(1)Section 34X of the Public Services Ombudsman (Wales) Act 2005 (disclosure of information) is amended as follows.E+W+S+N.I.

(2)In subsection (4), for paragraph (a) substitute—

(a)sections 142 to 154, 160 to 164 or 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018 (certain provisions relating to enforcement);.

(3)For subsection (5) substitute—

(5)The offences are those under—

(a)a provision of the Data Protection Act 2018 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc);

(b)section 77 of the Freedom of Information Act 2000 (offence of altering etc records with intent to prevent disclosure).

Prospective

Commissioners for Revenue and Customs Act 2005 (c. 11)E+W+S+N.I.

110(1)Section 22 of the Commissioners for Revenue and Customs Act 2005 (data protection, etc) is amended as follows.E+W+S+N.I.

(2)The existing text becomes subsection (1).

(3)In that subsection, in paragraph (a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.

(4)After that subsection insert—

(2)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Gambling Act 2005 (c. 19)E+W+S+N.I.

111(1)Section 352 of the Gambling Act 2005 (data protection) is amended as follows.E+W+S+N.I.

(2)The existing text becomes subsection (1).

(3)In that subsection, for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.

(4)After that subsection insert—

(2)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Commissioner for Older People (Wales) Act 2006 (c. 30)E+W+S+N.I.

112(1)Section 18 of the Commissioner for Older People (Wales) Act 2006 (power to disclose information) is amended as follows.E+W+S+N.I.

(2)In subsection (7), for paragraph (a) substitute—

(a)sections 142 to 154, 160 to 164 or 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018 (certain provisions relating to enforcement);.

(3)For subsection (8) substitute—

(8)The offences are those under—

(a)a provision of the Data Protection Act 2018 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc); or

(b)section 77 of the Freedom of Information Act 2000 (offence of altering etc records with intent to prevent disclosure).

Prospective

National Health Service Act 2006 (c. 41)E+W+S+N.I.

113The National Health Service Act 2006 is amended as follows.E+W+S+N.I.

114(1)Section 251 (control of patient information) is amended as follows.E+W+S+N.I.

(2)In subsection (7), for “made by or under the Data Protection Act 1998 (c 29)” substitute “ of the data protection legislation ”.

(3)In subsection (13), at the appropriate place insert—

the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);.

115(1)Section 264C (provision and disclosure of information about health service products: supplementary) is amended as follows.E+W+S+N.I.

(2)In subsection (2), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)After subsection (3) insert—

(4)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

116In paragraph 7B(3) of Schedule 1 (further provision about the Secretary of State and services under the Act), for “has the same meaning as in the Data Protection Act 1998” substitute “ has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act) ”.E+W+S+N.I.

Prospective

National Health Service (Wales) Act 2006 (c. 42)E+W+S+N.I.

117The National Health Service (Wales) Act 2006 is amended as follows.E+W+S+N.I.

118(1)Section 201C (provision of information about medical supplies: supplementary) is amended as follows.E+W+S+N.I.

(2)In subsection (2), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)After subsection (3) insert—

(4)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

119In paragraph 7B(3) of Schedule 1 (further provision about the Welsh Ministers and services under the Act), for “has the same meaning as in the Data Protection Act 1998” substitute “ has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act) ”.E+W+S+N.I.

Prospective

Companies Act 2006 (c. 46)E+W+S+N.I.

120The Companies Act 2006 is amended as follows.E+W+S+N.I.

121In section 458(2) (disclosure of information by tax authorities)—E+W+S+N.I.

(a)for “within the meaning of the Data Protection Act 1998 (c. 29)” substitute “ within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act) ”, and

(b)for “that Act” substitute “ the data protection legislation ”.

122In section 461(7) (permitted disclosure of information obtained under compulsory powers), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.E+W+S+N.I.

123In section 948(9) (restrictions on disclosure) for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.E+W+S+N.I.

124In section 1173(1) (minor definitions: general), at the appropriate place insert—E+W+S+N.I.

the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);.

125In section 1224A(7) (restrictions on disclosure), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.E+W+S+N.I.

126In section 1253D(3) (restriction on transfer of audit working papers to third countries), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.E+W+S+N.I.

127In section 1261(1) (minor definitions: Part 42), at the appropriate place insert—E+W+S+N.I.

the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);.

128In section 1262 (index of defined expressions: Part 42), at the appropriate place insert—E+W+S+N.I.

the data protection legislationsection 1261(1).

129In Schedule 8 (index of defined expressions: general), at the appropriate place insert—E+W+S+N.I.

the data protection legislationsection 1173(1).

Prospective

Tribunals, Courts and Enforcement Act 2007 (c. 15)E+W+S+N.I.

130The Tribunals, Courts and Enforcement Act 2007 is amended as follows.E+W+S+N.I.

131In section 11(5)(b) (right to appeal to Upper Tribunal), for “section 28(4) or (6) of the Data Protection Act 1998 (c. 29)” substitute “ section 27(3) or (5), 79(5) or (7) or 111(3) or (5) of the Data Protection Act 2018 ”.E+W+S+N.I.

132In section 13(8)(a) (right to appeal to the Court of Appeal), for “section 28(4) or (6) of the Data Protection Act 1998 (c. 29)” substitute “ section 27(3) or (5), 79(5) or (7) or 111(3) or (5) of the Data Protection Act 2018 ”.E+W+S+N.I.

Prospective

Statistics and Registration Service Act 2007 (c. 18)E+W+S+N.I.

133The Statistics and Registration Service Act 2007 is amended as follows.E+W+S+N.I.

134(1)Section 45 (information held by HMRC) is amended as follows.E+W+S+N.I.

(2)In subsection (4A), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 ”.

(3)In subsection (4B), for “the Data Protection Act 1998” substitute “ the Data Protection Act 2018 ”.

135(1)Section 45A (information held by other public authorities) is amended as follows.E+W+S+N.I.

(2)In subsection (8), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 ”.

(3)In subsection (9), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(4)In subsection (12)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(5)In subsection 12(c), after the first “legislation” insert “ (which is not part of the data protection legislation) ”.

136(1)Section 45B(3) (access to information held by Crown bodies etc) is amended as follows.E+W+S+N.I.

(2)In paragraph (a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)In paragraph (c), after the first “legislation” insert “ (which is not part of the data protection legislation) ”.

137(1)Section 45C(13) (power to require disclosures by other public authorities) is amended as follows.E+W+S+N.I.

(2)In paragraph (b), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)In paragraph (d), after the first “legislation” insert “ (which is not part of the data protection legislation) ”.

138In section 45D(9)(b) (power to require disclosure by undertakings), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.E+W+S+N.I.

139(1)Section 45E (further provision about powers in sections 45B, 45C and 45D) is amended as follows.E+W+S+N.I.

(2)In subsection (6), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “ prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act ”.

(3)In subsection (16), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 ”.

(4)In subsection (17), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

140(1)Section 53A (disclosure by the Statistics Board to devolved administrations) is amended as follows.E+W+S+N.I.

(2)In subsection (9), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 ”.

(3)In subsection (10), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(4)In subsection (12)(b), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

141(1)Section 54 (Data Protection Act 1998 and Human Rights Act 1998) is amended as follows.E+W+S+N.I.

(2)In the heading, omit “Data Protection Act 1998 and”.

(3)Omit paragraph (a) (together with the final “or”).

142In section 67 (general interpretation: Part 1), at the appropriate place insert—E+W+S+N.I.

the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);.

Prospective

Serious Crime Act 2007 (c. 27)E+W+S+N.I.

143The Serious Crime Act 2007 is amended as follows.E+W+S+N.I.

144(1)Section 5A (verification and disclosure of information) is amended as follows.E+W+S+N.I.

(2)In subsection (6)—

(a)for “the Data Protection Act 1998” substitute “ the data protection legislation ”, and

(b)for “are” substitute “ is ”.

(3)After subsection (6) insert—

(7)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

145(1)Section 68 (disclosure of information to prevent fraud) is amended as follows.E+W+S+N.I.

(2)In subsection (4)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.

(3)In subsection (8), at the appropriate place insert—

the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

146(1)Section 85 (disclosure of information by Revenue and Customs) is amended as follows.E+W+S+N.I.

(2)In subsection (8)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.

(3)In subsection (9), at the appropriate place insert—

the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Legal Services Act 2007 (c. 29)E+W+S+N.I.

147(1)Section 169 of the Legal Services Act 2007 (disclosure of information to the Legal Services Board) is amended as follows.E+W+S+N.I.

(2)In subsection (3)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.

(3)After subsection (8) insert—

(9)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Adoption and Children (Scotland) Act 2007 (asp 4)E+W+S+N.I.

148In section 74 of the Adoption and Children (Scotland) Act 2007 (disclosure of medical information about parents), for subsection (5) substitute—E+W+S+N.I.

(5)In subsection (4)(e), “processing” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act).

Prospective

Criminal Justice and Immigration Act 2008 (c. 4)E+W+S+N.I.

149The Criminal Justice and Immigration Act 2008 is amended as follows.E+W+S+N.I.

150Omit—E+W+S+N.I.

(a)section 77 (power to alter penalty for unlawfully obtaining etc personal data), and

(b)section 78 (new defence for obtaining etc for journalism and other special purposes).

151(1)Section 114 (supply of information to Secretary of State etc) is amended as follows.E+W+S+N.I.

(2)In subsection (5), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.

(3)After subsection (6) insert—

(6A)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Regulatory Enforcement and Sanctions Act 2008 (c. 13)E+W+S+N.I.

152(1)Section 70 of the Regulatory Enforcement and Sanctions Act 2008 (disclosure of information) is amended as follows.E+W+S+N.I.

(2)In subsection (4)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.

(3)After subsection (5) insert—

(6)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Health and Social Care Act 2008 (c. 14)E+W+S+N.I.

153In section 20A(5) of the Health and Social Care Act 2008 (functions relating to processing of information by registered persons), in the definition of “processing”, for “the Data Protection Act 1998” substitute “ Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act); ”.E+W+S+N.I.

Prospective

Counter-Terrorism Act 2008 (c. 28)E+W+S+N.I.

154(1)Section 20 of the Counter-Terrorism Act 2008 (disclosure and the intelligence services: supplementary provisions) is amended as follows.E+W+S+N.I.

(2)In subsection (2)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.

(3)After subsection (4) insert—

(5)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Public Health etc. (Scotland) Act 2008 (asp 5)E+W+S+N.I.

155(1)Section 117 of the Public Health etc. (Scotland) Act 2008 (disclosure of information) is amended as follows.E+W+S+N.I.

(2)In subsection (6), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.

(3)After subsection (7) insert—

(7A)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Banking Act 2009 (c. 1)E+W+S+N.I.

156(1)Section 83ZY of the Banking Act 2009 (special resolution regime: publication of notices etc) is amended as follows.E+W+S+N.I.

(2)In subsection (10), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)In subsection (11), after “section” insert

the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);.

Prospective

Borders, Citizenship and Immigration Act 2009 (c. 11)E+W+S+N.I.

157(1)Section 19 of the Borders, Citizenship and Immigration Act 2009 (use and disclosure of customs information: application of statutory provisions) is amended as follows.E+W+S+N.I.

(2)In subsection (1)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.

(3)After subsection (4) insert—

(5)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Marine and Coastal Access Act 2009 (c. 23)E+W+S+N.I.

158The Marine and Coastal Access Act 2009 is amended as follows.E+W+S+N.I.

159(1)Paragraph 13 of Schedule 7 (further provision about civil sanctions under Part 4: disclosure of information) is amended as follows.E+W+S+N.I.

(2)In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.

(3)After sub-paragraph (6) insert—

(7)In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

160(1)Paragraph 9 of Schedule 10 (further provision about fixed monetary penalties: disclosure of information) is amended as follows.E+W+S+N.I.

(2)In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.

(3)After sub-paragraph (6) insert—

(7)In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Coroners and Justice Act 2009 (c. 25)E+W+S+N.I.

161In Schedule 21 to the Coroners and Justice Act 2009 (minor and consequential amendments), omit paragraph 29(3).E+W+S+N.I.

Prospective

Broads Authority Act 2009 (c. i)E+W+S+N.I.

162(1)Section 38 of the Broads Authority Act 2009 (provision of information) is amended as follows.E+W+S+N.I.

(2)In subsection (3), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.

(3)In subsection (6), after “section” insert

the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);.

Prospective

Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.))E+W+S+N.I.

163(1)Section 13 of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (functions of the Regional Agency) is amended as follows.E+W+S+N.I.

(2)In subsection (8), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.

(3)After subsection (8) insert—

(9)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Terrorist Asset-Freezing etc. Act 2010 (c. 38)E+W+S+N.I.

164(1)Section 25 of the Terrorist Asset-Freezing etc. Act 2010 (application of provisions) is amended as follows.E+W+S+N.I.

(2)In subsection (2)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)In subsection (6), at the appropriate place insert—

the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);.

Prospective

Marine (Scotland) Act 2010 (asp 5)E+W+S+N.I.

165(1)Paragraph 12 of Schedule 2 to the Marine (Scotland) Act 2010 (further provision about civil sanctions under Part 4: disclosure of information) is amended as follows.E+W+S+N.I.

(2)In sub-paragraph (5)(a), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.

(3)After sub-paragraph (6) insert—

(7)In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Charities Act 2011 (c. 25)E+W+S+N.I.

166(1)Section 59 of the Charities Act 2011 (disclosure: supplementary) is amended as follows.E+W+S+N.I.

(2)The existing text becomes subsection (1).

(3)In that subsection, in paragraph (a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(4)After that subsection insert—

(2)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Welsh Language (Wales) Measure 2011 (nawm 1)E+W+S+N.I.

167The Welsh Language (Wales) Measure 2011 is amended as follows.E+W+S+N.I.

168(1)Section 22 (power to disclose information) is amended as follows.E+W+S+N.I.

(2)In subsection (4)—

(a)in the English language text, for paragraph (a) substitute—

(a)sections 142 to 154, 160 to 164 or 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018 (certain provisions relating to enforcement);, and

(b)in the Welsh language text, for paragraph (a) substitute—

(a)adrannau 142 i 154, 160 i 164, neu 174 i 176 o Ddeddf Diogelu Data 2018 neu Atodlen 15 i'r Ddeddf honno (darpariaethau penodol yn ymwneud â gorfodi);.

(3)For subsection (5)—

(a)in the English language text substitute—

(5)The offences referred to under subsection (3)(b) are those under—

(a)a provision of the Data Protection Act 2018 other than paragraph 15 of Schedule 15 (obstruction of exercise of warrant etc); or

(b)section 77 of the Freedom of Information Act 2000 (offence of altering etc records with intent to prevent disclosure)., and

(b)in the Welsh language text substitute—

(5)Y tramgwyddau y cyfeirir atynt yn is-adran (3)(b) yw'r rhai—

(a)o dan ddarpariaeth yn Neddf Diogelu Data 2018 ac eithrio paragraff 15 o Atodlen 15 (rhwystro gweithredu gwarant etc); neu

(b)o dan adran 77 o Ddeddf Rhyddid Gwybodaeth 2000 (trosedd o altro etc cofnodion gyda'r bwriad o atal datgelu).

(4)In subsection (8)—

(a)in the English language text, for “the Data Protection Act 1998” substitute “ the data protection legislation ”, and

(b)in the Welsh language text, for “gymhwyso Deddf Diogelu Data 1998” substitute “gymhwyso'r ddeddfwriaeth diogelu data”.

(5)In subsection (9)—

(a)at the appropriate place in the English language text insert—

the data protection legislation” (“y ddeddfwriaeth diogelu data”) has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);, and

(b)at the appropriate place in the Welsh language text insert—

“mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation” yn Neddf Diogelu Data 2018 (gweler adran 3 o'r Ddeddf honno);.

169(1)Paragraph 8 of Schedule 2 (inquiries by the Commissioner: reports) is amended as follows.E+W+S+N.I.

(2)In sub-paragraph (7)—

(a)in the English language text, for “the Data Protection Act 1998” substitute “ the data protection legislation ”, and

(b)in the Welsh language text, for “gymhwyso Deddf Diogelu Data 1998” substitute “gymhwyso'r ddeddfwriaeth diogelu data”.

(3)In sub-paragraph (8)—

(a)in the English language text, after “this paragraph” insert

the data protection legislation” (“y ddeddfwriaeth diogelu data”) has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);, and

(b)in the Welsh language text, after “hwn” insert—

“mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation” yn Neddf Diogelu Data 2018 (gweler adran 3 o'r Ddeddf honno);.

Prospective

Safeguarding Board Act (Northern Ireland) 2011 (c. 7 (N.I))E+W+S+N.I.

170(1)Section 10 of the Safeguarding Board Act (Northern Ireland) 2011 (duty to co-operate) is amended as follows.E+W+S+N.I.

(2)In subsection (3), for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”.

(3)After subsection (3) insert—

(4)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Health and Social Care Act 2012 (c. 7)E+W+S+N.I.

171The Health and Social Care Act 2012 is amended as follows.E+W+S+N.I.

172In section 250(7) (power to publish information standards), for the definition of “processing” substitute—E+W+S+N.I.

processing” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act);.

173(1)Section 251A (consistent identifiers) is amended as follows.E+W+S+N.I.

(2)In subsection (7)(a), for “made by or under the Data Protection Act 1998” substitute “ of the data protection legislation ”.

(3)After subsection (8) insert—

(9)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

174(1)Section 251B (duty to share information) is amended as follows.E+W+S+N.I.

(2)In subsection (5)(a), for “made by or under the Data Protection Act 1998” substitute “ of the data protection legislation ”.

(3)After subsection (6) insert—

(7)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Protection of Freedoms Act 2012 (c. 9)E+W+S+N.I.

175The Protection of Freedoms Act 2012 is amended as follows.E+W+S+N.I.

176(1)Section 27 (exceptions and further provision about consent and notification) is amended as follows.E+W+S+N.I.

(2)In subsection (5), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)After subsection (5) insert—

(6)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

177In section 28(1) (interpretation: Chapter 2), for the definition of “processing” substitute—E+W+S+N.I.

processing” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act);.

178In section 29(7) (code of practice for surveillance camera systems), for the definition of “processing” substitute—E+W+S+N.I.

processing” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(4) and (14) of that Act);.

Prospective

HGV Road User Levy Act 2013 (c. 7)E+W+S+N.I.

179(1)Section 14A of the HGV Road User Levy Act 2013 (disclosure of information by Revenue and Customs) is amended as follows.E+W+S+N.I.

(2)In subsection (5), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)After subsection (5) insert—

(6)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Crime and Courts Act 2013 (c. 22)E+W+S+N.I.

180The Crime and Courts Act 2013 is amended as follows.E+W+S+N.I.

181(1)Section 42 (other interpretive provisions) is amended as follows.E+W+S+N.I.

(2)In subsection (5)(a), for “section 13 of the Data Protection Act 1998 (damage or distress suffered as a result of a contravention of a requirement of that Act)” substitute “ Article 82 of the GDPR or section 168 or 169 of the Data Protection Act 2018 (compensation for contravention of the data protection legislation) ”.

(3)After subsection (5) insert—

(5A)In subsection (5)(a), “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).

182(1)Paragraph 1 of Schedule 7 (statutory restrictions on disclosure) is amended as follows.E+W+S+N.I.

(2)The existing text becomes sub-paragraph (1).

(3)In that sub-paragraph, in paragraph (a)—

(a)for “the Data Protection Act 1998” substitute “ the data protection legislation ”, and

(b)for “are” substitute “ is ”.

(4)After that sub-paragraph, insert—

(2)In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Marine Act (Northern Ireland) 2013 (c. 10 (N.I.))E+W+S+N.I.

183(1)Paragraph 8 of Schedule 2 to the Marine Act (Northern Ireland) 2013 (further provision about fixed monetary penalties under section 35: disclosure of information) is amended as follows.E+W+S+N.I.

(2)In sub-paragraph (5)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)After sub-paragraph (6) insert—

(7)In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Local Audit and Accountability Act 2014 (c. 2)E+W+S+N.I.

184(1)Paragraph 3 of Schedule 9 to the Local Audit and Accountability Act 2014 (data matching: voluntary provision of data) is amended as follows.E+W+S+N.I.

(2)In sub-paragraph (3)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)After sub-paragraph (3) insert—

(3A)The data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

(4)In sub-paragraph (4), for “comprise or include” substitute “ comprises or includes ”.

Prospective

Anti-social Behaviour, Crime and Policing Act 2014 (c. 12)E+W+S+N.I.

185(1)Paragraph 7 of Schedule 4 to the Anti-social Behaviour, Crime and Policing Act 2014 (anti-social behaviour case reviews: information) is amended as follows.E+W+S+N.I.

(2)In sub-paragraph (4)—

(a)for “the Data Protection Act 1998” substitute “ the data protection legislation ”, and

(b)for “are” substitute “ is ”.

(3)After sub-paragraph (5) insert—

(6)In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Immigration Act 2014 (c. 22)E+W+S+N.I.

186(1)Paragraph 6 of Schedule 6 to the Immigration Act 2014 (information: limitation on powers) is amended as follows.E+W+S+N.I.

(2)The existing text becomes sub-paragraph (1).

(3)In that sub-paragraph, in paragraph (a)—

(a)for “the Data Protection Act 1998” substitute “ the data protection legislation ”, and

(b)for “are” substitute “ is ”.

(4)After that sub-paragraph insert—

(2)In this paragraph, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Care Act 2014 (c. 23)E+W+S+N.I.

187In section 67(9) of the Care Act 2014 (involvement in assessment, plans etc), for paragraph (a) substitute—E+W+S+N.I.

(a)a health record (within the meaning given in section 205 of the Data Protection Act 2018),.

Prospective

Social Services and Well-being (Wales) Act 2014 (anaw 4)E+W+S+N.I.

188In section 18(10)(b) of the Social Services and Well-being (Wales) Act 2014 (registers of sight-impaired, hearing-impaired and other disabled people)—E+W+S+N.I.

(a)in the English language text, for “(within the meaning of the Data Protection Act 1998)” substitute “ (within the meaning of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act)) ”, and

(b)in the Welsh language text, for “(o fewn ystyr “personal data” yn Neddf Diogelu Data 1998)” substitute “(o fewn ystyr “ personal data ” yn Rhan 5 i 7 o Ddeddf Diogelu Data 2018 (gweler adran 3(2) a (14) o'r Ddeddf honno))”.

Prospective

Counter-Terrorism and Security Act 2015 (c. 6)E+W+S+N.I.

189(1)Section 38 of the Counter-Terrorism and Security Act 2015 (support etc for people vulnerable to being drawn into terrorism: co-operation) is amended as follows.E+W+S+N.I.

(2)In subsection (4)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)After subsection (4) insert—

(4A)The data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Small Business, Enterprise and Employment Act 2015 (c. 26)E+W+S+N.I.

190(1)Section 6 of the Small Business, Enterprise and Employment Act 2015 (application of listed provisions to designated credit reference agencies) is amended as follows.E+W+S+N.I.

(2)In subsection (7)—

(a)for paragraph (b) substitute—

(b)Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers);, and

(b)omit paragraph (c).

(3)After subsection (7) insert—

(7A)In subsection (7) “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).

Prospective

Modern Slavery Act 2015 (c. 30)E+W+S+N.I.

191(1)Section 54A of the Modern Slavery Act 2015 (Gangmasters and Labour Abuse Authority: information gateways) is amended as follows.E+W+S+N.I.

(2)In subsection (5)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)In subsection (9), after “section” insert

the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);.

Prospective

Human Trafficking and Exploitation (Criminal Justice and Support for Victims) Act (Northern Ireland) 2015 (c. 2 (N.I.))E+W+S+N.I.

192The Human Trafficking and Exploitation (Criminal Justice and Support for Victims) Act (Northern Ireland) 2015 is amended as follows.E+W+S+N.I.

193In section 13(5) (duty to notify National Crime Agency about suspected victims of certain offences) for “the Data Protection Act 1998” substitute “ the data protection legislation ”.E+W+S+N.I.

194In section 25(1) (interpretation of this Act), at the appropriate place insert—E+W+S+N.I.

the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);.

195In paragraph 18(5) of Schedule 3 (supply of information to relevant Northern Ireland departments, Secretary of State, etc) for “the Data Protection Act 1998” substitute “ the data protection legislation ”.E+W+S+N.I.

Prospective

Justice Act (Northern Ireland) 2015 (c. 9 (N.I.))E+W+S+N.I.

196(1)Section 72 of the Justice Act (Northern Ireland) 2015 (supply of information to relevant Northern Ireland departments or Secretary of State) is amended as follows.E+W+S+N.I.

(2)In subsection (5), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)In subsection (7), at the appropriate place insert—

the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);.

Prospective

Immigration Act 2016 (c. 19)E+W+S+N.I.

197(1)Section 7 of the Immigration Act 2016 (information gateways: supplementary) is amended as follows.E+W+S+N.I.

(2)In subsection (2)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)In subsection (11), at the appropriate place insert—

the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);.

Prospective

Investigatory Powers Act 2016 (c. 25)E+W+S+N.I.

198The Investigatory Powers Act 2016 is amended as follows.E+W+S+N.I.

199In section 1(5)(b), for sub-paragraph (ii) substitute—E+W+S+N.I.

(ii)in section 170 of the Data Protection Act 2018 (unlawful obtaining etc of personal data),.

200In section 199 (bulk personal datasets: interpretation), for subsection (2) substitute—E+W+S+N.I.

(2)In this Part, “personal data” means—

(a)personal data within the meaning of section 3(2) of the Data Protection Act 2018 which is subject to processing described in section 82(1) of that Act, and

(b)data relating to a deceased individual where the data would fall within paragraph (a) if it related to a living individual.

201In section 202(4) (restriction on use of class BPD warrants), in the definition of “sensitive personal data”, for “which is of a kind mentioned in section 2(a) to (f) of the Data Protection Act 1998” substitute “ the processing of which would be sensitive processing for the purposes of section 86(7) of the Data Protection Act 2018 ”.E+W+S+N.I.

202In section 206 (additional safeguards for health records), for subsection (7) substitute—E+W+S+N.I.

(7)In subsection (6)—

  • health professional” has the same meaning as in the Data Protection Act 2018 (see section 204(1) of that Act);

  • “health service body” has meaning given by section 204(4) of that Act.

203(1)Section 237 (information gateway) is amended as follows.E+W+S+N.I.

(2)In subsection (2), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)After subsection (2) insert—

(3)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Public Services Ombudsman Act (Northern Ireland) 2016 (c. 4 (N.I.))E+W+S+N.I.

204(1)Section 49 of the Police Services Ombudsman Act (Northern Ireland) 2016 (disclosure of information) is amended as follows.E+W+S+N.I.

(2)In subsection (4), for paragraph (a) substitute—

(a)sections 142 to 154, 160 to 164 and 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018 (certain provisions relating to enforcement),.

(3)For subsection (5) substitute—

(5)The offences are those under—

(a)any provision of the Data Protection Act 2018 other than paragraph 15 of Schedule 15 (powers of entry and inspection: offences),

(b)section 77 of the Freedom of Information Act 2000 (offence of altering etc records with intent to prevent disclosure).

(4)After subsection (6) insert—

(7)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 (c. 12 (N.I.))E+W+S+N.I.

205(1)Section 1 of the Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 (control of information of a relevant person) is amended as follows.E+W+S+N.I.

(2)In subsection (8), for “made by or under the Data Protection Act 1998” substitute “ of the data protection legislation ”.

(3)After subsection (12) insert—

(12A)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Mental Capacity Act (Northern Ireland) 2016 (c. 18 (N.I.))E+W+S+N.I.

206In section 306(1) of the Mental Capacity Act (Northern Ireland) 2016 (definitions for purposes of Act), for the definition of “health record” substitute—E+W+S+N.I.

health record” has the meaning given by section 205 of the Data Protection Act 2018;.

Prospective

Justice Act (Northern Ireland) 2016 (c. 21 (N.I.))E+W+S+N.I.

207The Justice Act (Northern Ireland) 2016 is amended as follows.E+W+S+N.I.

208(1)Section 17 (disclosure of information) is amended as follows.E+W+S+N.I.

(2)In subsection (7), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)In subsection (8), after “section” insert

the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);.

209In section 44(3) (disclosure of information)—E+W+S+N.I.

(a)in paragraph (a), for “Part 5 of the Data Protection Act 1998” substitute “ sections 142 to 154, 160 to 164 or 174 to 176 of, or Schedule 15 to, the Data Protection Act 2018 ”, and

(b)for paragraph (b) substitute—

(b)the commission of an offence under—

(i)a provision of the Data Protection Act 2018 other than paragraph 15 of Schedule 15 (obstruction of execution of warrant etc); or

(ii)section 77 of the Freedom of Information Act 2000 (offence of altering etc records with intent to prevent disclosure).

Prospective

Policing and Crime Act 2017 (c. 3)E+W+S+N.I.

210(1)Section 50 of the Policing and Crime Act 2017 (Freedom of Information Act etc: Police Federation for England and Wales) is amended as follows.E+W+S+N.I.

(2)The existing text becomes subsection (1).

(3)In that subsection, in paragraph (b), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(4)After that subsection, insert—

(2)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Children and Social Work Act 2017 (c. 12)E+W+S+N.I.

211In Schedule 5 to the Children and Social Work Act 2017—E+W+S+N.I.

(a)in Part 1 (general amendments to do with social workers etc in England), omit paragraph 6, and

(b)in Part 2 (renaming of Health and Social Work Professions Order 2001), omit paragraph 47(g).

Prospective

Higher Education and Research Act 2017 (c. 29)E+W+S+N.I.

212The Higher Education and Research Act 2017 is amended as follows.E+W+S+N.I.

213(1)Section 63 (cooperation and information sharing by the Office for Students) is amended as follows.E+W+S+N.I.

(2)In subsection (6), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)In subsection (7), at the appropriate place insert—

the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);.

214(1)Section 112 (cooperation and information sharing between the Office for Students and UKRI) is amended as follows.E+W+S+N.I.

(2)In subsection (6), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)After subsection (6) insert —

(7)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Prospective

Digital Economy Act 2017 (c. 30)E+W+S+N.I.

215The Digital Economy Act 2017 is amended as follows.E+W+S+N.I.

216(1)Section 40 (further provisions about disclosures under sections 35 to 39) is amended as follows.E+W+S+N.I.

(2)In subsection (8)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)After subsection (10) insert—

(11)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

217(1)Section 43 (codes of practice) is amended as follows.E+W+S+N.I.

(2)In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “ prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act ”.

(3)In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 ”.

218(1)Section 49 (further provision about disclosures under section 48) is amended as follows.E+W+S+N.I.

(2)In subsection (8)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)After subsection (10) insert—

(11)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

219(1)Section 52 (code of practice) is amended as follows.E+W+S+N.I.

(2)In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “ prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act ”.

(3)In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 (other codes of practice) ”.

220(1)Section 57 (further provision about disclosures under section 56) is amended as follows.E+W+S+N.I.

(2)In subsection (8)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)After subsection (10) insert—

(11)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

221(1)Section 60 (code of practice) is amended as follows.E+W+S+N.I.

(2)In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “ prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act ”.

(3)In subsection (13), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 (other codes of practice) ”.

222(1)Section 65 (supplementary provision about disclosures under section 64) is amended as follows.E+W+S+N.I.

(2)In subsection (2)(a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)After subsection (8) insert—

(9)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

223(1)Section 70 (code of practice) is amended as follows.E+W+S+N.I.

(2)In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “ prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act ”.

(3)In subsection (15), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 (other codes of practice) ”.

224Omit sections 108 to 110 (charges payable to the Information Commissioner).E+W+S+N.I.

Prospective

Landfill Disposals Tax (Wales) Act 2017 (anaw 3)E+W+S+N.I.

225(1)Section 60 of the Landfill Disposals Tax (Wales) Act 2017 (disclosure of information to the Welsh Revenue Authority) is amended as follows.E+W+S+N.I.

(2)In subsection (4)(a)—

(a)in the English language text, for “the Data Protection Act 1998 (c. 29)” substitute “ the data protection legislation ”, and

(b)in the Welsh language text, for “torri Deddf Diogelu Data 1998 (p. 29)” substitute “torri'r ddeddfwriaeth diogelu data”.

(3)After subsection (7)—

(a)in the English language text insert—

(8)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act)., and

(b)in the Welsh language text insert—

(8)Yn yr adran hon, mae i “y ddeddfwriaeth diogelu data” yr un ystyr ag a roddir i “the data protection legislation” yn Neddf Diogelu Data 2018 (gweler adran 3 o'r Ddeddf honno).

Prospective

Additional Learning Needs and Educational Tribunal (Wales) Act 2018 (anaw 2)E+W+S+N.I.

226(1)Section 4 of the Additional Learning Needs and Educational Tribunal (Wales) Act 2018 (additional learning needs code) is amended as follows.E+W+S+N.I.

(2)In the English language text—

(a)in subsection (9), omit from “and in this subsection” to the end, and

(b)after subsection (9) insert—

(9A)In subsection (9)—

  • data subject” (“testun y data”) has the meaning given by section 3(5) of the Data Protection Act 2018;

  • personal data” (“data personol”) has the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).

(3)In the Welsh language text—

(a)in subsection (9), omit from “ac yn yr is-adran hon” to the end, and

(b)after subsection (9) insert—

(9A)Yn is-adran (9)—

  • mae i “data personol” yr un ystyr ag a roddir i “personal data” yn Rhannau 5 i 7 o Ddeddf Diogelu Data 2018 (gweler adran 3(2) a (14) o'r Ddeddf honno);

  • mae i “testun y data” yr ystyr a roddir i “data subject” gan adran 3(5) o'r Ddeddf honno.

Prospective

This ActE+W+S+N.I.

227(1)Section 204 of this Act (meaning of “health professional” and “social work professional”) is amended as follows (to reflect the arrangements for the registration of social workers in England under Part 2 of the Children and Social Work Act 2017).E+W+S+N.I.

(2)In subsection (1)(g)—

(a)omit “and Social Work”, and

(b)omit “, other than the social work profession in England”.

(3)In subsection (2), for paragraph (a) substitute—

(a)a person registered as a social worker in the register maintained by Social Work England under section 39(1) of the Children and Social Work Act 2017;.

Prospective

PART 2 E+W+S+N.I.Amendments of other legislation

Estate Agents (Specified Offences) (No. 2) Order 1991 (S.I. 1991/1091)E+W+S+N.I.

228In the table in the Schedule to the Estate Agents (Specified Offences) (No. 2) Order 1991 (specified offences), at the end insert—E+W+S+N.I.

Data Protection Act 2018Section 144False statements made in response to an information notice
Section 148Destroying or falsifying information and documents etc

Channel Tunnel (International Arrangements) Order 1993 (S.I. 1993/1813)E+W+S+N.I.

229(1)Article 4 of the Channel Tunnel (International Arrangements) Order 1993 (application of enactments) is amended as follows.E+W+S+N.I.

(2)In paragraph (2)—

(a)for “section 5 of the Data Protection Act 1998 (“the 1998 Act”), data which are” substitute “ section 207 of the Data Protection Act 2018 (“the 2018 Act”), data which is ”,

(b)for “data controller” substitute “ controller ”,

(c)after “in the context of” insert “ the activities of ”, and

(d)for “and the 1998 Act” substitute “ and the 2018 Act ”.

(3)In paragraph (3)—

(a)for “section 5 of the 1998 Act, data which are” substitute “ section 207 of the 2018 Act, data which is ”,

(b)for “data controller” substitute “ controller ”,

(c)after “in the context of” insert “ the activities of ”, and

(d)for “and the 1998 Act” substitute “ and the 2018 Act ”.

Access to Health Records (Northern Ireland) Order 1993 (S.I. 1993/1250 (N.I. 4))E+W+S+N.I.

230The Access to Health Records (Northern Ireland) Order 1993 is amended as follows.E+W+S+N.I.

231In Article 4 (health professionals), for paragraph (1) substitute—E+W+S+N.I.

(1)In this Order, “health professional” has the same meaning as in the Data Protection Act 2018 (see section 204 of that Act).

232In Article 5(4)(a) (fees for access to health records), for “under section 7 of the Data Protection Act 1998” substitute “ made by the Department ”.E+W+S+N.I.

Channel Tunnel (Miscellaneous Provisions) Order 1994 (S.I. 1994/1405)E+W+S+N.I.

233In article 4 of the Channel Tunnel (Miscellaneous Provisions) Order 1994 (application of enactments), for paragraphs (2) and (3) substitute—E+W+S+N.I.

(2)For the purposes of section 207 of the Data Protection Act 2018 (“the 2018 Act”), data which is processed in a control zone in Belgium, in connection with the carrying out of frontier controls, by an officer belonging to the United Kingdom is to be treated as processed by a controller established in the United Kingdom in the context of the activities of that establishment (and accordingly the 2018 Act applies in respect of such data).

(3)For the purposes of section 207 of the 2018 Act, data which is processed in a control zone in Belgium, in connection with the carrying out of frontier controls, by an officer belonging to the Kingdom of Belgium is to be treated as processed by a controller established in the Kingdom of Belgium in the context of the activities of that establishment (and accordingly the 2018 Act does not apply in respect of such data).

European Primary and Specialist Dental Qualifications Regulations 1998 (S.I. 1998/811)E+W+S+N.I.

234The European Primary and Specialist Dental Qualifications Regulations 1998 are amended as follows.E+W+S+N.I.

235(1)Regulation 2(1) (interpretation) is amended as follows.E+W+S+N.I.

(2)Omit the definition of “Directive 95/46/EC”.

(3)At the appropriate place insert—

the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;.

236(1)The table in Schedule A1 (functions of the GDC under Directive 2005/36) is amended as follows.E+W+S+N.I.

(2)In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.

(3)In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.

Scottish Parliamentary Corporate Body (Crown Status) Order 1999 (S.I. 1999/677)E+W+S+N.I.

237For article 7 of the Scottish Parliamentary Corporate Body (Crown Status) Order 1999 substitute—E+W+S+N.I.

Data Protection Act 2018E+W+S+N.I.

7(1)The Parliamentary corporation is to be treated as a Crown body for the purposes of the Data Protection Act 2018 to the extent specified in this article.

(2)The Parliamentary corporation is to be treated as a government department for the purposes of the following provisions—

(a)section 8(d) (lawfulness of processing under the GDPR: public interest etc),

(b)section 209 (application to the Crown),

(c)paragraph 6 of Schedule 1 (statutory etc and government purposes),

(d)paragraph 7 of Schedule 2 (exemptions from the GDPR: functions designed to protect the public etc), and

(e)paragraph 8(1)(o) of Schedule 3 (exemptions from the GDPR: health data).

(3)In the provisions mentioned in paragraph (4)—

(a)references to employment by or under the Crown are to be treated as including employment as a member of staff of the Parliamentary corporation, and

(b)references to a person in the service of the Crown are to be treated as including a person so employed.

(4)The provisions are—

(a)section 24(3) (exemption for certain data relating to employment under the Crown), and

(b)section 209(6) (application of certain provisions to a person in the service of the Crown).

(5)In this article, references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).

Northern Ireland Assembly Commission (Crown Status) Order 1999 (S.I. 1999/3145)E+W+S+N.I.

238For article 9 of the Northern Ireland Assembly Commission (Crown Status) Order 1999 substitute—E+W+S+N.I.

Data Protection Act 2018E+W+S+N.I.

9(1)The Commission is to be treated as a Crown body for the purposes of the Data Protection Act 2018 to the extent specified in this article.

(2)The Commission is to be treated as a government department for the purposes of the following provisions—

(a)section 8(d) (lawfulness of processing under the GDPR: public interest etc),

(b)section 209 (application to the Crown),

(c)paragraph 6 of Schedule 1 (statutory etc and government purposes),

(d)paragraph 7 of Schedule 2 (exemptions from the GDPR: functions designed to protect the public etc), and

(e)paragraph 8(1)(o) of Schedule 3 (exemptions from the GDPR: health data).

(3)In the provisions mentioned in paragraph (4)—

(a)references to employment by or under the Crown are to be treated as including employment as a member of staff of the Commission, and

(b)references to a person in the service of the Crown are to be treated as including a person so employed.

(4)The provisions are—

(a)section 24(3) (exemption for certain data relating to employment under the Crown), and

(b)section 209(6) (application of certain provisions to a person in the service of the Crown).

(5)In this article, references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).

Data Protection (Corporate Finance Exemption) Order 2000 (S.I. 2000/184)E+W+S+N.I.

239The Data Protection (Corporate Finance Exemption) Order 2000 is revoked.E+W+S+N.I.

Data Protection (Conditions under Paragraph 3 of Part II of Schedule 1) Order 2000 (S.I. 2000/185)E+W+S+N.I.

240The Data Protection (Conditions under Paragraph 3 of Part II of Schedule 1) Order 2000 is revoked.E+W+S+N.I.

Data Protection (Functions of Designated Authority) Order 2000 (S.I. 2000/186)E+W+S+N.I.

241The Data Protection (Functions of Designated Authority) Order 2000 is revoked.E+W+S+N.I.

Data Protection (International Co-operation) Order 2000 (S.I. 2000/190)E+W+S+N.I.

242The Data Protection (International Co-operation) Order 2000 is revoked.E+W+S+N.I.

Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 (S.I. 2000/191)E+W+S+N.I.

243The Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 are revoked.E+W+S+N.I.

Consumer Credit (Credit Reference Agency) Regulations 2000 (S.I. 2000/290)E+W+S+N.I.

244In the Consumer Credit (Credit Reference Agency) Regulations 2000, regulation 4(1) and Schedule 1 (statement of rights under section 9(3) of the Data Protection Act 1998) are revoked.E+W+S+N.I.

Data Protection (Subject Access Modification) (Health) Order 2000 (S.I. 2000/413)E+W+S+N.I.

245The Data Protection (Subject Access Modification) (Health) Order 2000 is revoked.E+W+S+N.I.

Data Protection (Subject Access Modification) (Education) Order 2000 (S.I. 2000/414)E+W+S+N.I.

246The Data Protection (Subject Access Modification) (Education) Order 2000 is revoked.E+W+S+N.I.

Data Protection (Subject Access Modification) (Social Work) Order 2000 (S.I. 2000/415)E+W+S+N.I.

247The Data Protection (Subject Access Modification) (Social Work) Order 2000 is revoked.E+W+S+N.I.

Data Protection (Crown Appointments) Order 2000 (S.I. 2000/416)E+W+S+N.I.

248The Data Protection (Crown Appointments) Order 2000 is revoked.E+W+S+N.I.

Data Protection (Processing of Sensitive Personal Data) Order 2000 (S.I. 2000/417)E+W+S+N.I.

249The Data Protection (Processing of Sensitive Personal Data) Order 2000 is revoked.E+W+S+N.I.

Data Protection (Miscellaneous Subject Access Exemptions) Order 2000 (S.I. 2000/419)E+W+S+N.I.

250The Data Protection (Miscellaneous Subject Access Exemptions) Order 2000 is revoked.E+W+S+N.I.

Data Protection (Designated Codes of Practice) (No. 2) Order 2000 (S.I. 2000/1864)E+W+S+N.I.

251The Data Protection (Designated Codes of Practice) (No. 2) Order 2000 is revoked.E+W+S+N.I.

Representation of the People (England and Wales) Regulations 2001 (S.I. 2001/341)E+W+S+N.I.

252The Representation of the People (England and Wales) Regulations 2001 are amended as follows.E+W+S+N.I.

253In regulation 3(1) (interpretation), at the appropriate places insert—E+W+S+N.I.

Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);;

the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);;

the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);.

254In regulation 26(3)(a) (applications for registration), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.E+W+S+N.I.

255In regulation 26A(2)(a) (application for alteration of register in respect of name under section 10ZD), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.E+W+S+N.I.

256In regulation 32ZA(3)(f) (annual canvass), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.E+W+S+N.I.

257In regulation 61A (conditions on the use, supply and inspection of absent voter records or lists), for paragraph (a) (but not the final “or”) substitute—E+W+S+N.I.

(a)Article 89 GDPR purposes;.

258(1)Regulation 92(2) (interpretation and application of Part VI etc) is amended as follows.E+W+S+N.I.

(2)After sub-paragraph (b) insert—

(ba)relevant requirement” means the requirement under Article 89 of the GDPR, read with section 19 of the Data Protection Act 2018, that personal data processed for Article 89 GDPR purposes must be subject to appropriate safeguards.

(3)Omit sub-paragraphs (c) and (d).

259In regulation 96(2A)(b)(i) (restriction on use of the full register), for “section 11(3) of the Data Protection Act 1998” substitute “ section 122(5) of the Data Protection Act 2018 ”.E+W+S+N.I.

260In regulation 97(5) and (6) (supply of free copy of full register to the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.E+W+S+N.I.

261In regulation 97A(7) and (8) (supply of free copy of full register to the National Library of Wales and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.E+W+S+N.I.

262In regulation 99(6) and (7) (supply of free copy of full register etc to Statistics Board and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.E+W+S+N.I.

263In regulation 109A(9) and (10) (supply of free copy of full register to public libraries and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.E+W+S+N.I.

264In regulation 119(2) (conditions on the use, supply and disclosure of documents open to public inspection), for sub-paragraph (i) (but not the final “or”) substitute—E+W+S+N.I.

(i)Article 89 GDPR purposes;.

Representation of the People (Scotland) Regulations 2001 (S.I. 2001/497)E+W+S+N.I.

265The Representation of the People (Scotland) Regulations 2001 are amended as follows.E+W+S+N.I.

266In regulation 3(1) (interpretation), at the appropriate places, insert—E+W+S+N.I.

Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);;

the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);;

the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);.

267In regulation 26(3)(a) (applications for registration), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.E+W+S+N.I.

268In regulation 26A(2)(a) (application for alteration of register in respect of name under section 10ZD), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.E+W+S+N.I.

269In regulation 32ZA(3)(f) (annual canvass), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.E+W+S+N.I.

270In regulation 61(3) (records and lists kept under Schedule 4), for paragraph (a) (but not the final “or”) substitute—E+W+S+N.I.

(a)Article 89 GDPR purposes;.

271In regulation 61A (conditions on the use, supply and inspection of absent voter records or lists), for paragraph (a) (but not the final “or”) substitute—E+W+S+N.I.

(a)Article 89 GDPR purposes;.

272(1)Regulation 92(2) (interpretation of Part VI etc) is amended as follows.E+W+S+N.I.

(2)After sub-paragraph (b) insert—

(ba)relevant requirement” means the requirement under Article 89 of the GDPR, read with section 19 of the Data Protection Act 2018, that personal data processed for Article 89 GDPR purposes must be subject to appropriate safeguards.

(3)Omit sub-paragraphs (c) and (d).

273In regulation 95(3)(b)(i) (restriction on use of the full register), for “section 11(3) of the Data Protection Act 1998” substitute “ section 122(5) of the Data Protection Act 2018 ”.E+W+S+N.I.

274In regulation 96(5) and (6) (supply of free copy of full register to the National Library of Scotland and the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.E+W+S+N.I.

275In regulation 98(6) and (7) (supply of free copy of full register etc to Statistics Board and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.E+W+S+N.I.

276In regulation 108A(9) and (10) (supply of full register to statutory library authorities and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.E+W+S+N.I.

277In regulation 119(2) (conditions on the use, supply and disclosure of documents open to public inspection), for sub-paragraph (i) (but not the final “or”) substitute—E+W+S+N.I.

(i)Article 89 GDPR purposes;.

Financial Services and Markets Act 2000 (Disclosure of Confidential Information) Regulations 2001 (S.I. 2001/2188)E+W+S+N.I.

278(1)Article 9 of the Financial Services and Markets 2000 (Disclosure of Confidential Information) Regulations 2001 (disclosure by regulators or regulator workers to certain other persons) is amended as follows.E+W+S+N.I.

(2)In paragraph (2B), for sub-paragraph (a) substitute—

(a)the disclosure is made in accordance with Chapter V of the GDPR;.

(3)After paragraph (5) insert—

(6)In this article, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).

Nursing and Midwifery Order 2001 (S.I. 2002/253)E+W+S+N.I.

279The Nursing and Midwifery Order 2001 is amended as follows.E+W+S+N.I.

280(1)Article 3 (the Nursing and Midwifery Council and its Committees) is amended as follows.E+W+S+N.I.

(2)In paragraph (18), after “enactment” insert “ or the GDPR ”.

(3)After paragraph (18) insert—

(19)In this paragraph, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).

281(1)Article 25 (the Council's power to require disclosure of information) is amended as follows.E+W+S+N.I.

(2)In paragraph (3), after “enactment” insert “ or the GDPR ”.

(3)In paragraph (6)—

(a)for “paragraph (5),” substitute “ paragraph (3)— ”, and

(b)at the appropriate place insert—

the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).

282In article 39B (European professional card), after paragraph (2) insert—E+W+S+N.I.

(3)For the purposes of Schedule 2B, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.

283In article 40(6) (Directive 2005/36/EC: designation of competent authority etc), at the appropriate place insert—E+W+S+N.I.

the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;.

284(1)Schedule 2B (Directive 2005/36/EC: European professional card) is amended as follows.E+W+S+N.I.

(2)In paragraph 8(1) (access to data) for “Directive 95/46/EC” substitute “ the GDPR ”.

(3)In paragraph 9 (processing data), omit sub-paragraph (2) (deeming the Society to be the controller for the purposes of Directive 95/46/EC).

285(1)The table in Schedule 3 (functions of the Council under Directive 2005/36) is amended as follows.E+W+S+N.I.

(2)In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.

(3)In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.

286In Schedule 4 (interpretation), omit the definition of “Directive 95/46/EC”.E+W+S+N.I.

Electronic Commerce (EC Directive) Regulations 2002 (S.I. 2002/2013)E+W+S+N.I.

287Regulation 3 of the Electronic Commerce (EC Directive) Regulations 2002 (exclusions) is amended as follows.E+W+S+N.I.

288In paragraph (1)(b) for “the Data Protection Directive and the Telecommunications Data Protection Directive” substitute “ the GDPR ”.E+W+S+N.I.

289In paragraph (3)—E+W+S+N.I.

(a)omit the definitions of “Data Protection Directive” and “Telecommunications Data Protection Directive”, and

(b)at the appropriate place insert—

the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);.

Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002 (S.I. 2002/2905)E+W+S+N.I.

290The Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002 is revoked.E+W+S+N.I.

Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426)E+W+S+N.I.

291The Privacy and Electronic Communications (EC Directive) Regulations 2003 are amended as follows.E+W+S+N.I.

292In regulation 2(1) (interpretation), in the definition of “the Information Commissioner” and “the Commissioner”, for “section 6 of the Data Protection Act 1998” substitute “ the Data Protection Act 2018 ”.E+W+S+N.I.

293(1)Regulation 4 (relationship between these Regulations and the Data Protection Act 1998) is amended as follows.E+W+S+N.I.

(2)The existing text becomes sub-paragraph (1).

(3)In that sub-paragraph, for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(4)After that sub-paragraph insert—

(2)In this regulation—

  • the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

  • personal data” and “processing” have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (4) and (14) of that Act).

(3)Regulation 2(2) and (3) (meaning of certain expressions) do not apply for the purposes of this regulation.

(5)In the heading of that regulation, for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

Nationality, Immigration and Asylum Act 2002 (Juxtaposed Controls) Order 2003 (S.I. 2003/2818)E+W+S+N.I.

294The Nationality, Immigration and Asylum Act 2002 (Juxtaposed Controls) Order 2003 is amended as follows.E+W+S+N.I.

295In article 8(2) (exercise of powers by French officers in a control zone in the United Kingdom: disapplication of law of England and Wales)—E+W+S+N.I.

(a)for “The Data Protection Act 1998” substitute “ The Data Protection Act 2018 ”, and

(b)for “are” substitute “ is ”.

296In article 11(4) (exercise of powers by UK immigration officers and constables in a control zone in France: enactments having effect)—E+W+S+N.I.

(a)for “The Data Protection Act 1998” substitute “ The Data Protection Act 2018 ”,

(b)for “are” substitute “ is ”,

(c)for “section 5” substitute “ section 207 ”,

(d)for “data controller” substitute “ controller ”, and

(e)after “in the context of” insert “ the activities of ”.

Pupils' Educational Records (Scotland) Regulations 2003 (S.S.I. 2003/581)E+W+S+N.I.

297The Pupils' Educational Records (Scotland) Regulations 2003 are amended as follows.E+W+S+N.I.

298(1)Regulation 2 (interpretation) is amended as follows.E+W+S+N.I.

(2)Omit the definition of “the 1998 Act”.

(3)At the appropriate place insert—

the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;.

299(1)Regulation 6 (circumstances where information should not be disclosed) is amended as follows.E+W+S+N.I.

(2)After “any information” insert “ to the extent that any of the following conditions are satisfied ”.

(3)For paragraphs (a) to (c) substitute—

(aa)the pupil to whom the information relates would have no right of access to the information under the GDPR;

(ab)the information is personal data described in Article 9(1) or 10 of the GDPR (special categories of personal data and personal data relating to criminal convictions and offences);.

(4)In paragraph (d), for “to the extent that its disclosure” substitute “ the disclosure of the information ”.

(5)In paragraph (e), for “that” substitute “ the information ”.

300In regulation 9 (fees), for paragraph (1) substitute—E+W+S+N.I.

(1A)In complying with a request made under regulation 5(2), the responsible body may only charge a fee where Article 12(5) or Article 15(3) of the GDPR would permit the charging of a fee if the request had been made by the pupil to whom the information relates under Article 15 of the GDPR.

(1B)Where paragraph (1A) permits the charging of a fee, the responsible body may not charge a fee that—

(a)exceeds the cost of supply, or

(b)exceeds any limit in regulations made under section 12 of the Data Protection Act 2018 that would apply if the request had been made by the pupil to whom the information relates under Article 15 of the GDPR.

European Parliamentary Elections (Northern Ireland) Regulations 2004 (S.I. 2004/1267)E+W+S+N.I.

301Schedule 1 to the European Parliamentary Elections (Northern Ireland) Regulations 2004 (European Parliamentary elections rules) is amended as follows.E+W+S+N.I.

302(1)Paragraph 74(1) (interpretation) is amended as follows.E+W+S+N.I.

(2)Omit the definitions of “relevant conditions” and “research purposes”.

(3)At the appropriate places insert—

Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);;

the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);.

303In paragraph 77(2)(b) (conditions on the use, supply and disclosure of documents open to public inspection), for “research purposes” substitute “ Article 89 GDPR purposes ”.E+W+S+N.I.

Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004 (S.I. 2004/3244)E+W+S+N.I.

304In regulation 3(1) of the Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004, omit “the appropriate limit referred to in section 9A(3) and (4) of the 1998 Act and”.E+W+S+N.I.

Environmental Information Regulations 2004 (S.I. 2004/3391)E+W+S+N.I.

305The Environmental Information Regulations 2004 are amended as follows.E+W+S+N.I.

306(1)Regulation 2 (interpretation) is amended as follows.E+W+S+N.I.

(2)In paragraph (1), at the appropriate places, insert—

the data protection principles” means the principles set out in—

(a)Article 5(1) of the GDPR,

(b)section 34(1) of the Data Protection Act 2018, and

(c)section 85(1) of that Act;;

data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);;

“the GDPR” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);;

personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act);.

(3)For paragraph (4) substitute—

(4A)In these Regulations, references to the Data Protection Act 2018 have effect as if in Chapter 3 of Part 2 of that Act (other general processing)—

(a)the references to an FOI public authority were references to a public authority as defined in these Regulations, and

(b)the references to personal data held by such an authority were to be interpreted in accordance with regulation 3(2).

307(1)Regulation 13 (personal data) is amended as follows.E+W+S+N.I.

(2)For paragraph (1) substitute—

(1)To the extent that the information requested includes personal data of which the applicant is not the data subject, a public authority must not disclose the personal data if—

(a)the first condition is satisfied, or

(b)the second or third condition is satisfied and, in all the circumstances of the case, the public interest in not disclosing the information outweighs the public interest in disclosing it.

(3)For paragraph (2) substitute—

(2A)The first condition is that the disclosure of the information to a member of the public otherwise than under these Regulations—

(a)would contravene any of the data protection principles, or

(b)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(2B)The second condition is that the disclosure of the information to a member of the public otherwise than under these Regulations would contravene—

(a)Article 21 of the GDPR (general processing: right to object to processing), or

(b)section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).

(4)For paragraph (3) substitute—

(3A)The third condition is that—

(a)on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 15, 16 or 26 of, or Schedule 2, 3 or 4 to, the Data Protection Act 2018,

(b)on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section, or

(c)on a request under section 94(1)(b) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.

(5)Omit paragraph (4).

(6)For paragraph (5) substitute—

(5A)For the purposes of this regulation a public authority may respond to a request by neither confirming nor denying whether such information exists and is held by the public authority, whether or not it holds such information, to the extent that—

(a)the condition in paragraph (5B)(a) is satisfied, or

(b)a condition in paragraph (5B)(b) to (e) is satisfied and in all the circumstances of the case, the public interest in not confirming or denying whether the information exists outweighs the public interest in doing so.

(5B)The conditions mentioned in paragraph (5A) are—

(a)giving a member of the public the confirmation or denial—

(i)would (apart from these Regulations) contravene any of the data protection principles, or

(ii)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded;

(b)giving a member of the public the confirmation or denial would (apart from these Regulations) contravene Article 21 of the GDPR or section 99 of the Data Protection Act 2018 (right to object to processing);

(c)on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for confirmation of whether personal data is being processed, the information would be withheld in reliance on a provision listed in paragraph (3A)(a);

(d)on a request under section 45(1)(a) of the Data Protection Act 2018 (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section;

(e)on a request under section 94(1)(a) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.

(7)After that paragraph insert—

(6)In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

308In regulation 14 (refusal to disclose information), in paragraph (3)(b), for “regulations 13(2)(a)(ii) or 13(3)” substitute “ regulation 13(1)(b) or (5A) ”.E+W+S+N.I.

309In regulation 18 (enforcement and appeal provisions), in paragraph (5), for “regulation 13(5)” substitute “ regulation 13(5A) ”.E+W+S+N.I.

Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520)E+W+S+N.I.

310The Environmental Information (Scotland) Regulations 2004 are amended as follows.E+W+S+N.I.

311(1)Regulation 2 (interpretation) is amended as follows.E+W+S+N.I.

(2)In paragraph (1), at the appropriate places, insert—

the data protection principles” means the principles set out in—

(a)Article 5(1) of the GDPR, and

(b)section 34(1) of the Data Protection Act 2018;”;;

data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);;

“the GDPR” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);;

personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act);.

(3)For paragraph (3) substitute—

(3A)In these Regulations, references to the Data Protection Act 2018 have effect as if in Chapter 3 of Part 2 of that Act (other general processing)—

(a)the references to an FOI public authority were references to a Scottish public authority as defined in these Regulations, and

(b)the references to personal data held by such an authority were to be interpreted in accordance with paragraph (2) of this regulation.

312(1)Regulation 11 (personal data) is amended as follows.E+W+S+N.I.

(2)For paragraph (2) substitute—

(2)To the extent that environmental information requested includes personal data of which the applicant is not the data subject, a Scottish public authority must not make the personal data available if—

(a)the first condition set out in paragraph (3A) is satisfied, or

(b)the second or third condition set out in paragraph (3B) or (4A) is satisfied and, in all the circumstances of the case, the public interest in making the information available is outweighed by that in not doing so.

(3)For paragraph (3) substitute—

(3A)The first condition is that the disclosure of the information to a member of the public otherwise than under these Regulations—

(a)would contravene any of the data protection principles, or

(b)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(3B)The second condition is that the disclosure of the information to a member of the public otherwise than under these Regulations would contravene Article 21 of the GDPR (general processing: right to object to processing).

(4)For paragraph (4) substitute—

(4A)The third condition is that any of the following applies to the information—

(a)it is exempt from the obligation under Article 15(1) of the GDPR (general processing: right of access by the data subject) to provide access to, and information about, personal data by virtue of provision made by or under section 15, 16 or 26 of, or Schedule 2, 3 or 4 to, the Data Protection Act 2018, or

(b)on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section.

(5)Omit paragraph (5).

(6)After paragraph (6) insert—

(7)In determining, for the purposes of this regulation, whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

Licensing Act 2003 (Personal Licences) Regulations 2005 (S.I. 2005/41)E+W+S+N.I.

313(1)Regulation 7 of the Licensing Act 2003 (Personal Licences) Regulations 2005 (application for grant of a personal licence) is amended as follows.E+W+S+N.I.

(2)In paragraph (1)(b)—

(a)for paragraph (iii) (but not the final “, and”) substitute—

(iii)the results of a request made under Article 15 of the GDPR or section 45 of the Data Protection Act 2018 (rights of access by the data subject) to the National Identification Service for information contained in the Police National Computer, and

(b)in the words following paragraph (iii), omit “search”.

(3)After paragraph (2) insert—

(3)In this regulation, “the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act).

Education (Pupil Information) (England) Regulations 2005 (S.I. 2005/1437)E+W+S+N.I.

314The Education (Pupil Information) (England) Regulations 2005 are amended as follows.E+W+S+N.I.

315In regulation 3(5) (meaning of educational record) for “section 1(1) of the Data Protection Act 1998” substitute “ section 3(4) of the Data Protection Act 2018 ”.E+W+S+N.I.

316(1)Regulation 5 (disclosure of curricular and educational records) is amended as follows.E+W+S+N.I.

(2)In paragraph (4)—

(a)in sub-paragraph (a), for “the Data Protection Act 1998” substitute “ the GDPR ”, and

(b)in sub-paragraph (b), for “that Act or by virtue of any order made under section 30(2) or section 38(1) of the Act” substitute “ the GDPR ”.

(3)After paragraph (6) insert—

(7)In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.

Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (S.I. 2005/2042)E+W+S+N.I.

317(1)Regulation 45 of the Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (sensitive information) is amended as follows.E+W+S+N.I.

(2)In paragraph (1)(d)—

(a)omit “, within the meaning of section 1(1) of the Data Protection Act 1998”, and

(b)for “(2) or (3)” substitute “ (1A), (1B) or (1C) ”.

(3)After paragraph (1) insert—

(1A)The condition in this paragraph is that the disclosure of the information to a member of the public—

(a)would contravene any of the data protection principles, or

(b)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(1B)The condition in this paragraph is that the disclosure of the information to a member of the public would contravene—

(a)Article 21 of the GDPR (general processing: right to object to processing), or

(b)section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).

(1C)The condition in this paragraph is that—

(a)on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 15, 16 or 26 of, or Schedule 2, 3 or 4 to, the Data Protection Act 2018,

(b)on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section, or

(c)on a request under section 94(1)(b) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.

(1D)In this regulation—

  • the data protection principles” means the principles set out in—

    (a)

    Article 5(1) of the GDPR,

    (b)

    section 34(1) of the Data Protection Act 2018, and

    (c)

    section 85(1) of that Act;

  • “the GDPR” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);

  • personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).

(1E)In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

(4)Omit paragraphs (2) to (4).

Register of Judgments, Orders and Fines Regulations 2005 (S.I. 2005/3595)E+W+S+N.I.

318In regulation 3 of the Register of Judgments, Orders and Fines Regulations 2005 (interpretation)—E+W+S+N.I.

(a)for the definition of “data protection principles” substitute—

data protection principles” means the principles set out in Article 5(1) of the GDPR;, and

(b)at the appropriate place insert—

the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);.

Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 (S.S.I. 2005/494)E+W+S+N.I.

319The Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 are amended as follows.E+W+S+N.I.

320(1)Regulation 39 (sensitive information) is amended as follows.E+W+S+N.I.

(2)In paragraph (1)(d)—

(a)omit “, within the meaning of section 1(1) of the Data Protection Act 1998”, and

(b)for “(2) or (3)” substitute “ (1A), (1B) or (1C) ”.

(3)After paragraph (1) insert—

(1A)The condition in this paragraph is that the disclosure of the information to a member of the public—

(a)would contravene any of the data protection principles, or

(b)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(1B)The condition in this paragraph is that the disclosure of the information to a member of the public would contravene—

(a)Article 21 of the GDPR (general processing: right to object to processing), or

(b)section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).

(1C)The condition in this paragraph is that—

(a)on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 15, 16 or 26 of, or Schedule 2, 3 or 4 to, the Data Protection Act 2018,

(b)on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section, or

(c)on a request under section 94(1)(b) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.

(1D)In this regulation—

  • the data protection principles” means the principles set out in—

    (a)

    Article 5(1) of the GDPR,

    (b)

    section 34(1) of the Data Protection Act 2018, and

    (c)

    section 85(1) of that Act;

  • data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

  • “the GDPR” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);

  • personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).

(1E)In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

(4)Omit paragraphs (2) to (4).

Data Protection (Processing of Sensitive Personal Data) Order 2006 (S.I. 2006/2068)E+W+S+N.I.

321The Data Protection (Processing of Sensitive Personal Data) Order 2006 is revoked.E+W+S+N.I.

National Assembly for Wales (Representation of the People) Order 2007 (S.I. 2007/236)E+W+S+N.I.

322(1)Paragraph 14 of Schedule 1 to the National Assembly for Wales (Representation of the People) Order 2007 (absent voting at Assembly elections: conditions on the use, supply and inspection of absent vote records or lists) is amended as follows.E+W+S+N.I.

(2)The existing text becomes sub-paragraph (1).

(3)For paragraph (a) of that sub-paragraph (but not the final “or”) substitute—

(a)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);.

(4)After that sub-paragraph insert—

(2)In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

Mental Capacity Act 2005 (Loss of Capacity during Research Project) (England) Regulations 2007 (S.I. 2007/679)E+W+S+N.I.

323In regulation 3 of the Mental Capacity Act 2005 (Loss of Capacity during Research Project) (England) Regulations 2007 (research which may be carried out despite a participant's loss of capacity), for paragraph (b) substitute—E+W+S+N.I.

(b)any material used consists of or includes human cells or human DNA,.

National Assembly for Wales Commission (Crown Status) Order 2007 (S.I. 2007/1118)E+W+S+N.I.

324For article 5 of the National Assembly for Wales Commission (Crown Status) Order 2007 substitute—E+W+S+N.I.

Data Protection Act 2018E+W+S+N.I.

5(1)The Assembly Commission is to be treated as a Crown body for the purposes of the Data Protection Act 2018 to the extent specified in this article.

(2)The Assembly Commission is to be treated as a government department for the purposes of the following provisions—

(a)section 8(d) (lawfulness of processing under the GDPR: public interest etc),

(b)section 209 (application to the Crown),

(c)paragraph 6 of Schedule 1 (statutory etc and government purposes),

(d)paragraph 7 of Schedule 2 (exemptions from the GDPR: functions designed to protect the public etc), and

(e)paragraph 8(1)(o) of Schedule 3 (exemptions from the GDPR: health data).

(3)In the provisions mentioned in paragraph (4)—

(a)references to employment by or under the Crown are to be treated as including employment as a member of staff of the Assembly Commission, and

(b)references to a person in the service of the Crown are to be treated as including a person so employed.

(4)The provisions are—

(a)section 24(3) (exemption for certain data relating to employment under the Crown), and

(b)section 209(6) (application of certain provisions to a person in the service of the Crown).

(5)In this article, references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).

Mental Capacity Act 2005 (Loss of Capacity during Research Project) (Wales) Regulations 2007 (S.I. 2007/837 (W.72))E+W+S+N.I.

325In regulation 3 of the Mental Capacity Act 2005 (Loss of Capacity during Research Project) (Wales) Regulations 2007 (research which may be carried out despite a participant's loss of capacity) —E+W+S+N.I.

(a)in the English language text, for paragraph (c) substitute—

(c)any material used consists of or includes human cells or human DNA; and, and

(b)in the Welsh language text, for paragraph (c) substitute—

(c)os yw unrhyw ddeunydd a ddefnyddir yn gelloedd dynol neu'n DNA dynol neu yn eu cynnwys; ac.

Representation of the People (Absent Voting at Local Elections) (Scotland) Regulations 2007 (S.S.I. 2007/170)E+W+S+N.I.

326(1)Regulation 18 of the Representation of the People (Absent Voting at Local Elections) (Scotland) Regulations 2007 (conditions on the supply and inspection of absent voter records or lists) is amended as follows.E+W+S+N.I.

(2)In paragraph (1), for sub-paragraph (a) (but not the final “or”) substitute—

(a)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);.

(3)After paragraph (1) insert—

(2)In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

Representation of the People (Post-Local Government Elections Supply and Inspection of Documents) (Scotland) Regulations 2007 (S.S.I. 2007/264)E+W+S+N.I.

327In regulation 5 of the Representation of the People (Post-Local Government Elections Supply and Inspection of Documents) (Scotland) Regulations 2007 (conditions on the use, supply and disclosure of documents open to public inspection)—E+W+S+N.I.

(a)in paragraph (2), for sub-paragraph (i) (but not the final “or”) substitute—

(i)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);, and

(b)after paragraph (3) insert—

(4)In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

Education (Pupil Records and Reporting) (Transitional) Regulations (Northern Ireland) 2007 (S.R. (N.I.) 2007 No. 43)E+W+S+N.I.

328The Education (Pupil Records and Reporting) (Transitional) Regulations (Northern Ireland) 2007 are amended as follows.E+W+S+N.I.

329In regulation 2 (interpretation), at the appropriate place insert—E+W+S+N.I.

the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;.

330In regulation 10(2) (duties of Boards of Governors), for “documents which are the subject of an order under section 30(2) of the Data Protection Act 1998” substitute “ information to which the pupil to whom the information relates would have no right of access under the GDPR ”.E+W+S+N.I.

Representation of the People (Northern Ireland) Regulations 2008 (S.I. 2008/1741)E+W+S+N.I.

331In regulation 118 of the Representation of the People (Northern Ireland) Regulations 2008 (conditions on the use, supply and disclosure of documents open to public inspection)—E+W+S+N.I.

(a)in paragraph (2), for “research purposes within the meaning of that term in section 33 of the Data Protection Act 1998” substitute “ purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics) ”, and

(b)after paragraph (3) insert—

(4)In this regulation, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

Companies Act 2006 (Extension of Takeover Panel Provisions) (Isle of Man) Order 2008 (S.I. 2008/3122)E+W+S+N.I.

332In paragraph 1(c) of the Schedule to the Companies Act 2006 (Extension of Takeover Panel Provisions) (Isle of Man) Order 2008 (modifications with which Chapter 1 of Part 28 of the Companies Act 2006 extends to the Isle of Man), for “the Data Protection Act 1998 (c 29)” substitute “ the data protection legislation ”.E+W+S+N.I.

Controlled Drugs (Supervision of Management and Use) (Wales) Regulations 2008 (S.I. 2008/3239 (W.286))E+W+S+N.I.

333The Controlled Drugs (Supervision of Management and Use) (Wales) Regulations 2008 are amended as follows.E+W+S+N.I.

334In regulation 2(1) (interpretation)—E+W+S+N.I.

(a)at the appropriate place in the English language text insert—

the GDPR” (“y GDPR”) and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);, and

(b)at the appropriate place in the Welsh language text insert—

“mae i “y GDPR” a chyfeiriadau at Atodlen 2 i Ddeddf Diogelu Data 2018 yr un ystyr ag a roddir i “the GDPR” a chyfeiriadau at yr Atodlen honno yn Rhannau 5 i 7 o'r Ddeddf honno (gweler adran 3(10), (11) a (14) o'r Ddeddf honno);”.

335(1)Regulation 25 (duty to co-operate by disclosing information as regards relevant persons) is amended as follows.E+W+S+N.I.

(2)In paragraph (7)—

(a)in the English language text, at the end insert “ or the GDPR ”, and

(b)in the Welsh language text, at the end insert “neu'r GDPR”.

(3)For paragraph (8)—

(a)in the English language text substitute—

(8)In determining for the purposes of paragraph (7) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation., and

(b)in the Welsh language text substitute—

(8)Wrth benderfynu at ddibenion paragraff (7) a yw datgeliad wedi'i wahardd, mae i'w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i'r Ddeddf honno (esemptiadau rhag darpariaethau penodol o'r ddeddfwriaeth diogelu data: datgeliadau sy'n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.

336(1)Regulation 26 (responsible bodies requesting additional information be disclosed about relevant persons) is amended as follows.E+W+S+N.I.

(2)In paragraph (6)—

(a)in the English language text, at the end insert “ or the GDPR ”, and

(b)in the Welsh language text, at the end insert “neu'r GDPR”.

(3)For paragraph (7)—

(a)in the English language text substitute—

(7)In determining for the purposes of paragraph (6) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation., and

(b)in the Welsh language text substitute—

(7)Wrth benderfynu at ddibenion paragraff (6) a yw datgeliad wedi'i wahardd, mae i'w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i'r Ddeddf honno (esemptiadau rhag darpariaethau penodol o'r ddeddfwriaeth diogelu data: datgeliadau sy'n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.

337(1)Regulation 29 (occurrence reports) is amended as follows.E+W+S+N.I.

(2)In paragraph (3)—

(a)in the English language text, at the end insert “ or the GDPR ”, and

(b)in the Welsh language text, at the end insert “neu'r GDPR”.

(3)For paragraph (4)—

(a)in the English language text substitute—

(4)In determining for the purposes of paragraph (3) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation., and

(b)in the Welsh language text substitute—

(4)Wrth benderfynu at ddibenion paragraff (3) a yw datgeliad wedi'i wahardd, mae i'w dybied at ddibenion paragraff 5(2) o Atodlen 2 i Ddeddf Diogelu Data 2018 a pharagraff 3(2) o Atodlen 11 i'r Ddeddf honno (esemptiadau rhag darpariaethau penodol o'r ddeddfwriaeth diogelu data: datgeliadau sy'n ofynnol gan y gyfraith) bod y datgeliad yn ofynnol gan y rheoliad hwn.

Energy Order 2003 (Supply of Information) Regulations (Northern Ireland) 2008 (S.R. (N.I.) 2008 No. 3)E+W+S+N.I.

338(1)Regulation 5 of the Energy Order 2003 (Supply of Information) Regulations (Northern Ireland) 2008 (information whose disclosure would be affected by the application of other legislation) is amended as follows.E+W+S+N.I.

(2)In paragraph (3)—

(a)omit “within the meaning of section 1(1) of the Data Protection Act 1998”, and

(b)for the words from “where” to the end substitute “ if the condition in paragraph (3A) or (3B) is satisfied ”.

(3)After paragraph (3) insert—

(3A)The condition in this paragraph is that the disclosure of the information to a member of the public—

(a)would contravene any of the data protection principles, or

(b)would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(3B)The condition in this paragraph is that the disclosure of the information to a member of the public would contravene—

(a)Article 21 of the GDPR (general processing: right to object to processing), or

(b)section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).

(4)After paragraph (4) insert—

(5)In this regulation—

  • the data protection principles” means the principles set out in—

    (a)

    Article 5(1) of the GDPR,

    (b)

    section 34(1) of the Data Protection Act 2018, and

    (c)

    section 85(1) of that Act;

  • the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);

  • personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).

Companies (Disclosure of Address) Regulations 2009 (S.I. 2009/214)E+W+S+N.I.

339(1)Paragraph 6 of Schedule 2 to the Companies (Disclosure of Address) Regulations 2009 (conditions for permitted disclosure to a credit reference agency) is amended as follows.E+W+S+N.I.

(2)The existing text becomes sub-paragraph (1).

(3)In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—

(ii)for the purposes of ensuring that it complies with its data protection obligations;.

(4)In paragraph (c) of that sub-paragraph—

(a)omit “or” at the end of sub-paragraph (i), and

(b)at the end insert ; or

(iii)section 144 of the Data Protection Act 2018 (false statements made in response to an information notice) or section 148 of that Act (destroying or falsifying information and documents etc);.

(5)After paragraph (c) of that sub-paragraph insert—

(d)has not been given a penalty notice under section 155 of the Data Protection Act 2018 in circumstances described in paragraph (c)(ii), other than a penalty notice that has been cancelled.

(6)After sub-paragraph (1) insert—

(2)In this paragraph, “data protection obligations”, in relation to a credit reference agency, means—

(a)where the agency carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);

(b)where the agency carries on business in a EEA State other than the United Kingdom, obligations under—

(i)the GDPR (as defined in section 3(10) of the Data Protection Act 2018),

(ii)legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and

(iii)legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).

Overseas Companies Regulations 2009 (S.I. 2009/1801)E+W+S+N.I.

340(1)Paragraph 6 of Schedule 2 to the Overseas Companies Regulations 2009 (conditions for permitted disclosure to a credit reference agency) is amended as follows.E+W+S+N.I.

(2)The existing text becomes sub-paragraph (1).

(3)In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—

(ii)for the purposes of ensuring that it complies with its data protection obligations;.

(4)In paragraph (c) of that sub-paragraph—

(a)omit “or” at the end of sub-paragraph (i), and

(b)at the end insert ; or

(iii)section 144 of the Data Protection Act 2018 (false statements made in response to an information notice) or section 148 of that Act (destroying or falsifying information and documents etc);.

(5)After paragraph (c) of that sub-paragraph insert—

(d)has not been given a penalty notice under section 155 of the Data Protection Act 2018 in circumstances described in paragraph (c)(ii), other than a penalty notice that has been cancelled.

(6)After sub-paragraph (1) insert—

(2)In this paragraph, “data protection obligations”, in relation to a credit reference agency, means—

(a)where the agency carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);

(b)where the agency carries on business in a EEA State other than the United Kingdom, obligations under—

(i)the GDPR (as defined in section 3(10) of the Data Protection Act 2018),

(ii)legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and

(iii)legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).

Data Protection (Processing of Sensitive Personal Data) Order 2009 (S.I. 2009/1811)E+W+S+N.I.

341The Data Protection (Processing of Sensitive Personal Data) Order 2009 is revoked.E+W+S+N.I.

Provision of Services Regulations 2009 (S.I. 2009/2999)E+W+S+N.I.

342In regulation 25 of the Provision of Services Regulations 2009 (derogations from the freedom to provide services), for paragraph (d) substitute—E+W+S+N.I.

(d)matters covered by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);.

INSPIRE Regulations 2009 (S.I. 2009/3157)E+W+S+N.I.

343(1)Regulation 9 of the INSPIRE Regulations 2009 (public access to spatial data sets and spatial data services) is amended as follows.E+W+S+N.I.

(2)In paragraph (2)—

(a)omit “or” at the end of sub-paragraph (a),

(b)for sub-paragraph (b) substitute—

(b)Article 21 of the GDPR (general processing: right to object to processing), or

(c)section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing)., and

(c)omit the words following sub-paragraph (b).

(3)After paragraph (7) insert—

(8)In this regulation—

  • the data protection principles” means the principles set out in—

    (a)

    Article 5(1) of the GDPR,

    (b)

    section 34(1) of the Data Protection Act 2018, and

    (c)

    section 85(1) of that Act;

  • the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);

  • personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).

(9)In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

INSPIRE (Scotland) Regulations 2009 (S.S.I. 2009/440)E+W+S+N.I.

344(1)Regulation 10 of the INSPIRE (Scotland) Regulations 2009 (public access to spatial data sets and spatial data services) is amended as follows.E+W+S+N.I.

(2)In paragraph (2)—

(a)omit “or” at the end of sub-paragraph (a),

(b)for sub-paragraph (b) substitute—

(b)Article 21 of the GDPR (general processing: right to object to processing), or

(c)section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing)., and

(c)omit the words following sub-paragraph (b).

(3)After paragraph (6) insert—

(7)In this regulation—

  • the data protection principles” means the principles set out in—

    (a)

    Article 5(1) of the GDPR,

    (b)

    section 34(1) of the Data Protection Act 2018, and

    (c)

    section 85(1) of that Act;

  • the GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10), (11) and (14) of that Act);

  • personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).

(8)In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.

Controlled Drugs (Supervision of Management and Use) Regulations (Northern Ireland) 2009 (S.R (N.I.) 2009 No. 225)E+W+S+N.I.

345The Controlled Drugs (Supervision of Management and Use) Regulations (Northern Ireland) 2009 are amended as follows.E+W+S+N.I.

346In regulation 2(2) (interpretation), at the appropriate place insert—E+W+S+N.I.

“the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);.”

347(1)Regulation 25 (duty to co-operate by disclosing information as regards relevant persons) is amended as follows.E+W+S+N.I.

(2)In paragraph (7), at the end insert “ or the GDPR ”.

(3)For paragraph (8) substitute—

(8)In determining for the purposes of paragraph (7) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.

348(1)Regulation 26 (responsible bodies requesting additional information be disclosed about relevant persons) is amended as follows.E+W+S+N.I.

(2)In paragraph (6), at the end insert “ or the GDPR ”.

(3)For paragraph (7) substitute—

(7)In determining for the purposes of paragraph (6) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.

349(1)Regulation 29 (occurrence reports) is amended as follows.E+W+S+N.I.

(2)In paragraph (3), at the end insert “ or the GDPR ”.

(3)For paragraph (4) substitute—

(4)In determining for the purposes of paragraph (3) whether disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.

Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 (S.I. 2010/31)E+W+S+N.I.

350The Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 are revoked.E+W+S+N.I.

Pharmacy Order 2010 (S.I. 2010/231)E+W+S+N.I.

351The Pharmacy Order 2010 is amended as follows.E+W+S+N.I.

352In article 3(1) (interpretation), omit the definition of “Directive 95/46/EC”.E+W+S+N.I.

353(1)Article 9 (inspection and enforcement) is amended as follows.E+W+S+N.I.

(2)For paragraph (4) substitute—

(4)If a report that the Council proposes to publish pursuant to paragraph (3) includes personal data, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure of the personal data is required by paragraph (3) of this article.

(3)After paragraph (4) insert—

(5)In this article, “personal data” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).

354In article 33A (European professional card), after paragraph (2) insert—E+W+S+N.I.

(3)In Schedule 2A, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018.

355(1)Article 49 (disclosure of information: general) is amended as follows.E+W+S+N.I.

(2)In paragraph (2)(a), after “enactment” insert “ or the GDPR ”.

(3)For paragraph (3) substitute—

(3)In determining for the purposes of paragraph (2)(a) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by paragraph (1) of this article.

(4)After paragraph (5) insert—

(6)In this article, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).

356(1)Article 55 (professional performance assessments) is amended as follows.E+W+S+N.I.

(2)In paragraph (5)(a), after “enactment” insert “ or the GDPR ”.

(3)For paragraph (6) substitute—

(6)In determining for the purposes of paragraph (5)(a) whether a disclosure is prohibited, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by paragraph (4) of this article.

(4)After paragraph (8) insert—

(9)In this article, “the GDPR” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act).

357In article 67(6) (Directive 2005/36/EC: designation of competent authority etc.), after sub-paragraph (a) insert—E+W+S+N.I.

(aa)the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;.

358(1)Schedule 2A (Directive 2005/36/EC: European professional card) is amended as follows.E+W+S+N.I.

(2)In paragraph 8(1) (access to data), for “Directive 95/46/EC)” substitute “ the GDPR ”.

(3)In paragraph 9 (processing data)—

(a)omit sub-paragraph (2) (deeming the Council to be the controller for the purposes of Directive 95/46/EC), and

(b)after sub-paragraph (2) insert—

(3)In this paragraph, “personal data” has the same meaning as in the Data Protection Act 2018 (see section 3(2) of that Act).

359(1)The table in Schedule 3 (Directive 2005/36/EC: designation of competent authority etc.) is amended as follows.E+W+S+N.I.

(2)In the entry for Article 56(2), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.

(3)In the entry for Article 56a(4), in the second column, for “Directive 95/46/EC” substitute “ the GDPR ”.

Data Protection (Monetary Penalties) Order 2010 (S.I. 2010/910)E+W+S+N.I.

360The Data Protection (Monetary Penalties) Order 2010 is revoked.E+W+S+N.I.

National Employment Savings Trust Order 2010 (S.I. 2010/917)E+W+S+N.I.

361The National Employment Savings Trust Order 2010 is amended as follows.E+W+S+N.I.

362In article 2 (interpretation)—E+W+S+N.I.

(a)omit the definition of “data” and “personal data”, and

(b)at the appropriate place insert—

personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).

363(1)Article 10 (disclosure of requested data to the Secretary of State) is amended as follows.E+W+S+N.I.

(2)In paragraph (1)—

(a)for “disclosure of data” substitute “ disclosure of information ”, and

(b)for “requested data” substitute “ requested information ”.

(3)In paragraph (2)—

(a)for “requested data” substitute “ requested information ”,

(b)for “those data are” substitute “ the information is ”, and

(c)for “receive those data” substitute “ receive that information ”.

(4)In paragraph (3), for “requested data” substitute “ requested information ”.

(5)In paragraph (4), for “requested data” substitute “ requested information ”.

Local Elections (Northern Ireland) Order 2010 (S.I. 2010/2977)E+W+S+N.I.

364(1)Schedule 3 to the Local Elections (Northern Ireland) Order 2010 (access to marked registers and other documents open to public inspection after an election) is amended as follows.E+W+S+N.I.

(2)In paragraph 1(1) (interpretation and general)—

(a)omit the definition of “research purposes”, and

(b)at the appropriate places insert—

Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);;

the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);.

(3)In paragraph 5(3) (restrictions on the use, supply and disclosure of documents open to public inspection), for “research purposes” substitute “ Article 89 GDPR purposes ”.

Pupil Information (Wales) Regulations 2011 (S.I. 2011/1942 (W.209))E+W+S+N.I.

365(1)Regulation 5 of the Pupil Information (Wales) Regulations 2011 (duties of head teacher - educational records) is amended as follows.E+W+S+N.I.

(2)In paragraph (5)—

(a)in the English language text, for “documents which are subject to any order under section 30(2) of the Data Protection Act 1998” substitute information—

(a)which the head teacher could not lawfully disclose to the pupil under the GDPR, or

(b)to which the pupil would have no right of access under the GDPR., and

(b)in the Welsh language text, for “ddogfennau sy'n ddarostyngedig i unrhyw orchymyn o dan adran 30(2) o Ddeddf Diogelu Data 1998” substitute wybodaeth—

(a)na allai'r pennaeth ei datgelu'n gyfreithlon i'r disgybl o dan y GDPR, neu

(b)na fyddai gan y disgybl hawl mynediad ati o dan y GDPR.

(3)After paragraph (5)—

(a)in the English language text insert—

(6)In this regulation, “the GDPR” (“y GDPR”) means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018., and

(b)in the Welsh language text insert—

(6)Yn y rheoliad hwn, ystyr “y GDPR” (“the GDPR”) yw Rheoliad (EU) 2016/679 Senedd Ewrop a'r Cyngor dyddiedig 27 Ebrill 2016 ar ddiogelu personau naturiol o ran prosesu data personol a rhyddid symud data o'r fath (y Rheoliad Diogelu Data Cyffredinol), fel y'i darllenir ynghyd â Phennod 2 o Ran 2 o Ddeddf Diogelu Data 2018.

Debt Arrangement Scheme (Scotland) Regulations 2011 (S.S.I. 2011/141)E+W+S+N.I.

366In Schedule 4 to the Debt Arrangement Scheme (Scotland) Regulations 2011 (payments distributors), omit paragraph 2.E+W+S+N.I.

Police and Crime Commissioner Elections Order 2012 (S.I. 2012/1917)E+W+S+N.I.

367The Police and Crime Commissioner Elections Order 2012 is amended as follows.E+W+S+N.I.

368(1)Schedule 2 (absent voting in Police and Crime Commissioner elections) is amended as follows.E+W+S+N.I.

(2)In paragraph 20 (absent voter lists: supply of copies etc)—

(a)in sub-paragraph (8), for paragraph (a) (but not the final “or”) substitute—

(a)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);, and

(b)after sub-paragraph (10) insert—

(11)In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

(3)In paragraph 24 (restriction on use of absent voter records or lists or the information contained in them)—

(a)in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—

(a)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics),, and

(b)after that sub-paragraph insert—

(4)In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

369(1)Schedule 10 (access to marked registers and other documents open to public inspection after an election) is amended as follows.E+W+S+N.I.

(2)In paragraph 1(2) (interpretation), omit paragraphs (c) and (d) (but not the final “and”).

(3)In paragraph 5 (restriction on use of documents or of information contained in them)—

(a)in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—

(a)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics),, and

(b)after sub-paragraph (4) insert—

(5)In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

Data Protection (Processing of Sensitive Personal Data) Order 2012 (S.I. 2012/1978)E+W+S+N.I.

370The Data Protection (Processing of Sensitive Personal Data) Order 2012 is revoked.E+W+S+N.I.

Neighbourhood Planning (Referendums) Regulations 2012 (S.I. 2012/2031)E+W+S+N.I.

371Schedule 6 to the Neighbourhood Planning (Referendums) Regulations 2012 (registering to vote in a business referendum) is amended as follows.E+W+S+N.I.

372(1)Paragraph 29(1) (interpretation of Part 8) is amended as follows.E+W+S+N.I.

(2)At the appropriate places insert—

Article 89 GDPR purposes” means the purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);;

the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation);.

(3)For the definition of “relevant conditions” substitute—

relevant requirement” means the requirement under Article 89 of the GDPR, read with section 19 of the Data Protection Act 2018, that personal data processed for Article 89 GDPR purposes must be subject to appropriate safeguards;.

(4)Omit the definition of “research purposes”.

373In paragraph 32(3)(b)(i), for “section 11(3) of the Data Protection Act 1998” substitute “ section 122(5) of the Data Protection Act 2018 ”.E+W+S+N.I.

374In paragraph 33(6) and (7) (supply of copy of business voting register to the British Library and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.E+W+S+N.I.

375In paragraph 34(6) and (7) (supply of copy of business voting register to the Office of National Statistics and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.E+W+S+N.I.

376In paragraph 39(8) and (97) (supply of copy of business voting register to public libraries and local authority archives services and restrictions on use), for “research purposes in compliance with the relevant conditions” substitute “ Article 89 GDPR purposes in accordance with the relevant requirement ”.E+W+S+N.I.

377In paragraph 45(2) (conditions on the use, supply and disclosure of documents open to public inspection), for paragraph (a) (but not the final “or”) substitute—E+W+S+N.I.

(a)Article 89 GDPR purposes (as defined in paragraph 29),.

Controlled Drugs (Supervision of Management and Use) Regulations 2013 (S.I. 2013/373)E+W+S+N.I.

378(1)Regulation 20 of the Controlled Drugs (Supervision of Management and Use) Regulations 2013 (information management) is amended as follows.E+W+S+N.I.

(2)For paragraph (4) substitute—

(4)Where a CDAO, a responsible body or someone acting on their behalf is permitted to share information which includes personal data by virtue of a function under these Regulations, it is to be assumed for the purposes of paragraph 5(2) of Schedule 2 to the Data Protection Act 2018 and paragraph 3(2) of Schedule 11 to that Act (exemptions from certain provisions of the data protection legislation: disclosures required by law) that the disclosure is required by this regulation.

(3)In paragraph (5), after “enactment” insert “ or the GDPR ”.

(4)After paragraph (6) insert—

(7)In this regulation, “the GDPR”, “personal data” and references to Schedule 2 to the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (10), (11) and (14) of that Act).

Communications Act 2003 (Disclosure of Information) Order 2014 (S.I. 2014/1825)E+W+S+N.I.

379(1)Article 3 of the Communications Act 2003 (Disclosure of Information) Order 2014 (specification of relevant functions) is amended as follows.E+W+S+N.I.

(2)The existing text becomes paragraph (1).

(3)In that paragraph, in sub-paragraph (a), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(4)After that paragraph insert—

(2)In this article, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014 (S.I. 2014/3141)E+W+S+N.I.

380In the Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014, omit Part 4 (data protection in relation to police and judicial co-operation in criminal matters).E+W+S+N.I.

Data Protection (Assessment Notices) (Designation of National Health Service Bodies) Order 2014 (S.I. 2014/3282)E+W+S+N.I.

381The Data Protection (Assessment Notices) (Designation of National Health Service Bodies) Order 2014 is revoked.E+W+S+N.I.

The Control of Explosives Precursors etc Regulations (Northern Ireland) 2014 (S.R. (N.I.) 2014 No. 224)E+W+S+N.I.

382In regulation 6 of the Control of Explosives Precursors etc Regulations (Northern Ireland) 2014 (applications)—E+W+S+N.I.

(a)in paragraph (9), omit sub-paragraph (b) and the word “and” before it, and

(b)in paragraph (11), omit the definition of “processing” and “sensitive personal data” and the word “and” before it.

Control of Poisons and Explosives Precursors Regulations 2015 (S.I. 2015/966)E+W+S+N.I.

383In regulation 3 of the Control of Poisons and Explosives Precursors Regulations 2015 (applications in relation to licences under section 4A of the Poisons Act 1972)—E+W+S+N.I.

(a)in paragraph (7), omit sub-paragraph (b) and the word “and” before it, and

(b)omit paragraph (8).

Companies (Disclosure of Date of Birth Information) Regulations 2015 (S.I. 2015/1694)E+W+S+N.I.

384(1)Paragraph 6 of Schedule 2 to the Companies (Disclosure of Date of Birth Information) Regulations 2015 (conditions for permitted disclosure to a credit reference agency) is amended as follows.E+W+S+N.I.

(2)The existing text becomes sub-paragraph (1).

(3)In paragraph (b) of that sub-paragraph, for sub-paragraph (ii) substitute—

(ii)for the purposes of ensuring that it complies with its data protection obligations;.

(4)In paragraph (c) of that sub-paragraph—

(a)omit “or” at the end of sub-paragraph (i), and

(b)at the end insert ; or

(iii)section 144 of the Data Protection Act 2018 (false statements made in response to an information notice) or section 148 of that Act (destroying or falsifying information and documents etc);.

(5)After paragraph (c) of that sub-paragraph insert—

(d)has not been given a penalty notice under section 155 of the Data Protection Act 2018 in circumstances described in paragraph (c)(ii), other than a penalty notice that has been cancelled.

(6)After sub-paragraph (1) insert—

(2)In this paragraph, “data protection obligations”, in relation to a credit reference agency, means—

(a)where the agency carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);

(b)where the agency carries on business in a EEA State other than the United Kingdom, obligations under—

(i)the GDPR (as defined in section 3(10) of the Data Protection Act 2018),

(ii)legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and

(iii)legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).

Small and Medium Sized Business (Credit Information) Regulations 2015 (S.I. 2015/1945)E+W+S+N.I.

385The Small and Medium Sized Business (Credit Information) Regulations 2015 are amended as follows.E+W+S+N.I.

386(1)Regulation 12 (criteria for the designation of a credit reference agency) is amended as follows.E+W+S+N.I.

(2)In paragraph (1)(b), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)After paragraph (2) insert—

(3)In this regulation, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).

387(1)Regulation 15 (access to and correction of information for individuals and small firms) is amended as follows.E+W+S+N.I.

(2)For paragraph (1) substitute—

(1)Section 13 of the Data Protection Act 2018 (rights of the data subject under the GDPR: obligations of credit reference agencies) applies in respect of a designated credit reference agency which is not a credit reference agency within the meaning of section 145(8) of the Consumer Credit Act 1974 as if it were such an agency.

(3)After paragraph (3) insert—

(4)In this regulation, the reference to section 13 of the Data Protection Act 2018 has the same meaning as in Parts 5 to 7 of that Act (see section 3(14) of that Act).

European Union (Recognition of Professional Qualifications) Regulations 2015 (S.I. 2015/2059)E+W+S+N.I.

388The European Union (Recognition of Professional Qualifications) Regulations 2015 are amended as follows.E+W+S+N.I.

389(1)Regulation 2(1) (interpretation) is amended as follows.E+W+S+N.I.

(2)Omit the definition of “Directive 95/46/EC”.

(3)At the appropriate place insert—

the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;.

390In regulation 5(5) (functions of competent authorities in the United Kingdom) for “Directives 95/46/EC” substitute “ the GDPR and Directive ”.E+W+S+N.I.

391In regulation 45(3) (processing and access to data regarding the European Professional Card), for “Directive 95/46/EC” substitute “ the GDPR ”.E+W+S+N.I.

392In regulation 46(1) (processing and access to data regarding the European Professional Card), for “Directive 95/46/EC” substitute “ the GDPR ”.E+W+S+N.I.

393In regulation 48(2) (processing and access to data regarding the European Professional Card), omit paragraph (2) (deeming the relevant designated competent authorities to be controllers for the purposes of Directive 95/46/EC).E+W+S+N.I.

394In regulation 66(3) (exchange of information), for “Directives 95/46/EC” substitute “ the GDPR and Directive ”.E+W+S+N.I.

Scottish Parliament (Elections etc) Order 2015 (S.S.I. 2015/425)E+W+S+N.I.

395The Scottish Parliament (Elections etc) Order 2015 is amended as follows.E+W+S+N.I.

396(1)Schedule 3 (absent voting) is amended as follows.E+W+S+N.I.

(2)In paragraph 16 (absent voting lists: supply of copies etc)—

(a)in sub-paragraph (4), for paragraph (a) (but not the final “or”) substitute—

(a)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);, and

(b)after sub-paragraph (10) insert—

(11)In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

(3)In paragraph 20 (restriction on use of absent voting lists)—

(a)in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—

(a)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);, and

(b)after that sub-paragraph insert—

(4)In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

397(1)Schedule 8 (access to marked registers and other documents open to public inspection after an election) is amended as follows.E+W+S+N.I.

(2)In paragraph 1(2) (interpretation), omit paragraphs (c) and (d) (but not the final “and”).

(3)In paragraph 5 (restriction on use of documents or of information contained in them)—

(a)in sub-paragraph (3), for paragraph (a) (but not the final “or”) substitute—

(a)purposes mentioned in Article 89(1) of the GDPR (archiving in the public interest, scientific or historical research and statistics);, and

(b)after sub-paragraph (4) insert—

(5)In this paragraph, “the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

Recall of MPs Act 2015 (Recall Petition) Regulations 2016 (S.I. 2016/295)E+W+S+N.I.

398In paragraph 1(3) of Schedule 3 to the Recall of MPs Act 2015 (Recall Petition) Regulations 2016 (access to marked registers after a petition), omit the definition of “relevant conditions”.E+W+S+N.I.

Register of People with Significant Control Regulations 2016 (S.I. 2016/339)E+W+S+N.I.

399Schedule 4 to the Register of People with Significant Control Regulations 2016 (conditions for permitted disclosure) is amended as follows.E+W+S+N.I.

400(1)Paragraph 6 (disclosure to a credit reference agency) is amended as follows.E+W+S+N.I.

(2)In sub-paragraph (b), for paragraph (ii) (together with the final “; and”) substitute—

(ii)for the purposes of ensuring that it complies with its data protection obligations;.

(3)In sub-paragraph (c)—

(a)omit “or” at the end of paragraph (ii), and

(b)at the end insert—

(iv)section 144 of the Data Protection Act 2018 (false statements made in response to an information notice); or

(v)section 148 of that Act (destroying or falsifying information and documents etc);

(4)After sub-paragraph (c) insert—

(d)has not been given a penalty notice under section 155 of the Data Protection Act 2018 in circumstances described in sub-paragraph (c)(iii), other than a penalty notice that has been cancelled.

401In paragraph 12A (disclosure to a credit institution or a financial institution), for sub-paragraph (b) substitute—E+W+S+N.I.

(b)for the purposes of ensuring that it complies with its data protection obligations.

402In Part 3 (interpretation), after paragraph 13 insert—E+W+S+N.I.

14In this Schedule, “data protection obligations”, in relation to a credit reference agency, a credit institution or a financial institution, means—

(a)where the agency or institution carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);

(b)where the agency or institution carries on business in a EEA State other than the United Kingdom, obligations under—

(i)the GDPR (as defined in section 3(10) of the Data Protection Act 2018),

(ii)legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and

(iii)legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).

Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696)E+W+S+N.I.

403The Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 are amended as follows.E+W+S+N.I.

404In regulation 2(1) (interpretation), omit the definition of “the 1998 Act”.E+W+S+N.I.

405In regulation 3(3) (supervision), omit “under the 1998 Act”.E+W+S+N.I.

406For Schedule 2 substitute—E+W+S+N.I.

SCHEDULE 2E+W+S+N.I.Information Commissioner's enforcement powers
Provisions applied for enforcement purposesE+W+S+N.I.

1For the purposes of enforcing these Regulations and the eIDAS Regulation, the following provisions of Parts 5 to 7 of the Data Protection Act 2018 apply with the modifications set out in paragraphs 2 to 26—

(a)section 140 (publication by the Commissioner);

(b)section 141 (notices from the Commissioner);

(c)section 142 (information notices);

(d)section 143 (information notices: restrictions);

(e)section 144 (false statements made in response to an information notice);

(f)section 145 (information orders);

(g)section 146 (assessment notices);

(h)section 147 (assessment notices: restrictions);

(i)section 148 (destroying or falsifying information and documents etc);

(j)section 149 (enforcement notices);

(k)section 150 (enforcement notices: supplementary);

(l)section 152 (enforcement notices: restrictions);

(m)section 153 (enforcement notices: cancellation and variation);

(n)section 154 and Schedule 15 (powers of entry and inspection);

(o)section 155 and Schedule 16 (penalty notices);

(p)section 156(4)(a) (penalty notices: restrictions);

(q)section 157 (maximum amount of penalty);

(r)section 159 (amount of penalties: supplementary);

(s)section 160 (guidance about regulatory action);

(t)section 161 (approval of first guidance about regulatory action);

(u)section 162 (rights of appeal);

(v)section 163 (determination of appeals);

(w)section 164 (applications in respect of urgent notices);

(x)section 180 (jurisdiction);

(y)section 182(1), (2), (5), (7) and (13) (regulations and consultation);

(z)section 196 (penalties for offences);

(z1)section 197 (prosecution);

(z2)section 202 (proceedings in the First-tier Tribunal: contempt);

(z3)section 203 (Tribunal Procedure Rules).

General modification of references to the Data Protection Act 2018E+W+S+N.I.

2The provisions listed in paragraph 1 have effect as if—

(a)references to the Data Protection Act 2018 were references to the provisions of that Act as applied by these Regulations;

(b)references to a particular provision of that Act were references to that provision as applied by these Regulations.

Modification of section 142 (information notices)E+W+S+N.I.

3(1)Section 142 has effect as if subsections (9) and (10) were omitted.

(2)In that section, subsection (1) has effect as if—

(a)in paragraph (a)—

(i)for “controller or processor” there were substituted “ trust service provider ”;

(ii)for “the data protection legislation” there were substituted “ the eIDAS Regulation and the EITSET Regulations ”;

(b)paragraph (b) were omitted.

(3)In that section, subsection (2) has effect as if paragraph (a) were omitted.

Modification of section 143 (information notices: restrictions)E+W+S+N.I.

4(1)Section 143 has effect as if subsections (1) and (9) were omitted.

(2)In that section—

(a)subsections (3)(b) and (4)(b) have effect as if for “the data protection legislation” there were substituted “ the eIDAS Regulation or the EITSET Regulations ”;

(b)subsection (7)(a) has effect as if for “this Act” there were substituted “ section 144 or 148 or paragraph 15 of Schedule 15 ”;

(c)subsection (8) has effect as if for “this Act (other than an offence under section 144)” there were substituted “ section 148 or paragraph 15 of Schedule 15 ”.

Modification of section 145 (information orders)E+W+S+N.I.

5Section 145(2)(b) has effect as if for “section 142(2)(b)” there were substituted “ section 142(2) ”.

Modification of section 146 (assessment notices)E+W+S+N.I.

6(1)Section 146 has effect as if subsection (11) were omitted.

(2)In that section—

(a)subsection (1) has effect as if—

(i)for “controller or processor” (in both places) there were substituted “ trust service provider ”;

(ii)for “the data protection legislation” there were substituted “ the eIDAS requirements ”;

(b)subsection (2) has effect as if paragraphs (h) and (i) were omitted;

(c)subsections (7), (8), (9) and (10) have effect as if for “controller or processor” (in each place) there were substituted “trust service provider.

(d)subsection (9)(a) has effect as if for “as described in section 149(2) or that an offence under this Act” there were substituted “ to comply with the eIDAS requirements or that an offence under section 144 or 148 or paragraph 15 of Schedule 15 ”.

Modification of section 147 (assessment notices: restrictions)E+W+S+N.I.

7(1)Section 147 has effect as if subsections (5) and (6) were omitted.

(2)In that section, subsections (2)(b) and (3)(b) have effect as if for “the data protection legislation” there were substituted “ the eIDAS Regulation or the EITSET Regulations ”.

Modification of section 149 (enforcement notices)E+W+S+N.I.

8(1)Section 149 has effect as if subsections (2) to (5) and (7) to (9) were omitted.

(2)In that section—

(a)subsection (1) has effect as if—

(i)for “as described in subsection (2), (3), (4) or (5)” there were substituted “ to comply with the eIDAS requirements ”;

(ii)for “sections 150 and 151” there were substituted “ section 150 ”;

(b)subsection (6) has effect as if the words “given in reliance on subsection (2), (3) or (5)” were omitted.

Modification of section 150 (enforcement notices: supplementary)E+W+S+N.I.

9(1)Section 150 has effect as if subsection (3) were omitted.

(2)In that section, subsection (2) has effect as if the words “in reliance on section 149(2)” and “or distress” were omitted.

Modification of section 152 (enforcement notices: restrictions)E+W+S+N.I.

10Section 152 has effect as if subsections (1), (2) and (4) were omitted.

Withdrawal noticesE+W+S+N.I.

11The provisions listed in paragraph 1 have effect as if after section 153 there were inserted—

Withdrawal noticesE+W+S+N.I.
153AWithdrawal notices

(1)The Commissioner may, by written notice (a “withdrawal notice”), withdraw the qualified status from a trust service provider, or the qualified status of a service provided by a trust service provider, if—

(a)the Commissioner is satisfied that the trust service provider has failed to comply with an information notice or an enforcement notice, and

(b)the condition in subsection (2) or (3) is met.

(2)The condition in this subsection is met if the period for the trust service provider to appeal against the information notice or enforcement notice has ended without an appeal having been brought.

(3)The condition in this subsection is met if an appeal against the information notice or enforcement notice has been brought and—

(a)the appeal and any further appeal in relation to the notice has been decided or has otherwise ended, and

(b)the time for appealing against the result of the appeal or further appeal has ended without another appeal having been brought.

(4)A withdrawal notice must—

(a)state when the withdrawal takes effect, and

(b)provide information about the rights of appeal under section 162.

Modification of Schedule 15 (powers of entry and inspection)E+W+S+N.I.

12(1)Schedule 15 has effect as if paragraph 3 were omitted.

(2)Paragraph 1(1) of that Schedule (issue of warrants in connection with non-compliance and offences) has effect as if for paragraph (a) (but not the final “and”) there were substituted—

(a)there are reasonable grounds for suspecting that—

(i)a trust service provider has failed or is failing to comply with the eIDAS requirements, or

(ii)an offence under section 144 or 148 or paragraph 15 of Schedule 15 has been or is being committed,.

(3)Paragraph 2 of that Schedule (issue of warrants in connection with assessment notices) has effect as if—

(a)in sub-paragraphs (1) and (2), for “controller or processor” there were substituted “ trust service provider ”;

(b)in sub-paragraph (2), for “the data protection legislation” there were substituted “ the eIDAS requirements ”.

(4)Paragraph 5 of that Schedule (content of warrants) has effect as if—

(a)in sub-paragraph (1)(c), for “the processing of personal data” there were substituted “ the provision of trust services ”;

(b)in sub-paragraph (2)(d)—

(i)for “controller or processor” there were substituted “ trust service provider ”;

(ii)for “as described in section 149(2)” there were substituted “ to comply with the eIDAS requirements ”;

(c)in sub-paragraph (3)(a) and (d)—

(i)for “controller or processor” there were substituted “ trust service provider ”;

(ii)for “the data protection legislation” there were substituted “ the eIDAS requirements ”.

(5)Paragraph 11 of that Schedule (privileged communications) has effect as if, in sub-paragraphs (1)(b) and (2)(b), for “the data protection legislation” there were substituted “ the eIDAS Regulation or the EITSET Regulations ”.

Modification of section 155 (penalty notices)E+W+S+N.I.

13(1)Section 155 has effect as if subsections (1)(a), (2)(a), (3)(g), (4) and (6) to (8) were omitted.

(2)Subsection (2) of that section has effect as if—

(a)the words “Subject to subsection (4),” were omitted;

(b)in paragraph (b), the words “to the extent that the notice concerns another matter,” were omitted.

(3)Subsection (3) of that section has effect as if—

(a)for “controller or processor”, in each place, there were substituted “ trust services provider ”;

(b)in paragraph (c), the words “or distress” were omitted;

(c)in paragraph (c), for “data subjects” there were substituted “ relying parties ”;

(d)in paragraph (d), for “section 57, 66, 103 or 107” there were substituted “ Article 19(1) of the eIDAS Regulation ”.

Modification of Schedule 16 (penalties)E+W+S+N.I.

14Schedule 16 has effect as if paragraphs 3(2)(b) and 5(2)(b) were omitted.

Modification of section 157 (maximum amount of penalty)E+W+S+N.I.

15Section 157 has effect as if subsections (1) to (3) and (6) were omitted.

Modification of section 159 (amount of penalties: supplementary)E+W+S+N.I.

16Section 159 has effect as if—

(a)in subsection (1), the words “Article 83 of the GDPR and” were omitted;

(b)in subsection (2), the words “Article 83 of the GDPR” and “and section 158” were omitted.

Modification of section 160 (guidance about regulatory action)E+W+S+N.I.

17(1)Section 160 has effect as if subsections (5) and (12) were omitted.

(2)In that section, subsection (4)(f) has effect as if for “controllers and processors” there were substituted “ trust service providers ”.

Modification of section 162 (rights of appeal)E+W+S+N.I.

18(1)Section 162 has effect as if subsection (4) were omitted.

(2)In that section, subsection (1) has effect as if, after paragraph (c), there were inserted—

(ca)a withdrawal notice;.

Modification of section 163 (determination of appeals)E+W+S+N.I.

19Section 163 has effect as if subsection (6) were omitted.

Modification of section 180 (jurisdiction)E+W+S+N.I.

20(1)Section 180 has effect as if subsections (2)(d) and (e) and (3) were omitted.

(2)Subsection (1) of that section has effect as if for “subsections (3) and (4)” there were substituted “ subsection (4) ”.

Modification of section 182 (regulations and consultation)E+W+S+N.I.

21Section 182 has effect as if subsections (3), (4), (6), (8) to (11) and (14) were omitted.

Modification of section 196 (penalties for offences)E+W+S+N.I.

22(1)Section 196 has effect as if subsections (3) to (5) were omitted.

(2)In that section—

(a)subsection (1) has effect as if the words “section 119 or 173 or” were omitted;

(b)subsection (2) has effect as if for “section 132, 144, 148, 170, 171 or 184” there were substituted “ section 144 or 148 ”.

Modification of section 197 (prosecution)E+W+S+N.I.

23Section 197 has effect as if subsections (3) to (6) were omitted.

Modification of section 202 (proceedings in the First-tier Tribunal: contempt)E+W+S+N.I.

24Section 202 has effect as if in subsection (1)(a), for sub-paragraphs (i) and (ii) there were substituted “ on an appeal under section 162 ”.

Modification of section 203 (Tribunal Procedure Rules)E+W+S+N.I.

25Section 203 has effect as if—

(a)in subsection (1), for paragraphs (a) and (b) there were substituted “ the exercise of the rights of appeal conferred by section 162 ”;

(b)in subsection (2)(a) and (b), for “the processing of personal data” there were substituted “ the provision of trust services ”.

Approval of first guidance about regulatory actionE+W+S+N.I.

26(1)This paragraph applies if the first guidance produced under section 160(1) of the Data Protection Act 2018 and the first guidance produced under that provision as applied by this Schedule are laid before Parliament as a single document (“the combined guidance”).

(2)Section 161 of that Act (including that section as applied by this Schedule) has effect as if the references to “the guidance” were references to the combined guidance, except in subsections (2)(b) and (4).

(3)Nothing in subsection (2)(a) of that section (including as applied by this Schedule) prevents another version of the combined guidance being laid before Parliament.

(4)Any duty under subsection (2)(b) of that section (including as applied by this Schedule) may be satisfied by producing another version of the combined guidance.

InterpretationE+W+S+N.I.

27In this Schedule—

  • the eIDAS requirements” means the requirements of Chapter III of the eIDAS Regulation;

  • the EITSET Regulations” means these Regulations;

  • withdrawal notice” has the meaning given in section 153A of the Data Protection Act 2018 (as inserted in that Act by this Schedule).

Court Files Privileged Access Rules (Northern Ireland) 2016 (S.R. (N.I.) 2016 No. 123)E+W+S+N.I.

407The Court Files Privileged Access Rules (Northern Ireland) 2016 are amended as follows.E+W+S+N.I.

408In rule 5 (information that may released) for “Schedule 1 of the Data Protection Act 1998” substitute E+W+S+N.I.

(a)Article 5(1) of the GDPR, and

(b)section 34(1) of the Data Protection Act 2018.

409In rule 7(2) (provision of information) for “Schedule 1 of the Data Protection Act 1998” substitute E+W+S+N.I.

(a)Article 5(1) of the GDPR, and

(b)section 34(1) of the Data Protection Act 2018.

Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (S.I. 2017/692)E+W+S+N.I.

410The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 are amended as follows.E+W+S+N.I.

411In regulation 3(1) (interpretation), at the appropriate places insert—E+W+S+N.I.

the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);;

“the GDPR” and references to provisions of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);.

412In regulation 16(8) (risk assessment by the Treasury and Home Office), for “the Data Protection Act 1998 or any other enactment” substitute E+W+S+N.I.

(a)the Data Protection Act 2018 or any other enactment, or

(b)the GDPR.

413In regulation 17(9) (risk assessment by supervisory authorities), for “the Data Protection Act 1998 or any other enactment” substitute E+W+S+N.I.

(a)the Data Protection Act 2018 or any other enactment, or

(b)the GDPR.

414For regulation 40(9)(c) (record keeping) substitute—E+W+S+N.I.

(c)data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

(d)personal data” has the same meaning as in Parts 5 to 7 of that Act (see section 3(2) and (14) of that Act).

415(1)Regulation 41 (data protection) is amended as follows.E+W+S+N.I.

(2)Omit paragraph (2).

(3)In paragraph (3)(a), after “Regulations” insert “ or the GDPR ”.

(4)Omit paragraphs (4) and (5).

(5)After those paragraphs insert—

(6)Before establishing a business relationship or entering into an occasional transaction with a new customer, as well as providing the customer with the information required under Article 13 of the GDPR (information to be provided where personal data are collected from the data subject), relevant persons must provide the customer with a statement that any personal data received from the customer will be processed only—

(a)for the purposes of preventing money laundering or terrorist financing, or

(b)as permitted under paragraph (3).

(7)In Article 6(1) of the GDPR (lawfulness of processing), the reference in point (e) to processing of personal data that is necessary for the performance of a task carried out in the public interest includes processing of personal data in accordance with these Regulations that is necessary for the prevention of money laundering or terrorist financing.

(8)In the case of sensitive processing of personal data for the purposes of the prevention of money laundering or terrorist financing, section 10 of, and Schedule 1 to, the Data Protection Act 2018 make provision about when the processing meets a requirement in Article 9(2) or 10 of the GDPR for authorisation under the law of the United Kingdom (see, for example, paragraphs 10, 11 and 12 of that Schedule).

(9)In this regulation—

  • data subject” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);

  • personal data” and “processing” have the same meaning as in Parts 5 to 7 of that Act (see section 3(2), (4) and (14) of that Act);

  • sensitive processing” means the processing of personal data described in Article 9(1) or 10 of the GDPR (special categories of personal data and personal data relating to criminal convictions and offences etc).

416(1)Regulation 84 (publication: the Financial Conduct Authority) is amended as follows.E+W+S+N.I.

(2)In paragraph (10), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)For paragraph (11) substitute—

(11)For the purposes of this regulation, “personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).

417(1)Regulation 85 (publication: the Commissioners) is amended as follows.E+W+S+N.I.

(2)In paragraph (9), for “the Data Protection Act 1998” substitute “ the data protection legislation ”.

(3)For paragraph (10) substitute—

(10)For the purposes of this regulation, “personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).

418For regulation 106(a) (general restrictions) substitute—E+W+S+N.I.

(a)a disclosure in contravention of the data protection legislation; or.

419After paragraph 27 of Schedule 3 (relevant offences) insert—E+W+S+N.I.

27AAn offence under the Data Protection Act 2018, apart from an offence under section 173 of that Act.

Scottish Partnerships (Register of People with Significant Control) Regulations 2017 (S.I. 2017/694)E+W+S+N.I.

420(1)Paragraph 6 of Schedule 5 to the Scottish Partnerships (Register of People with Significant Control) Regulations 2017 (conditions for permitted disclosure to a credit institution or a financial institution) is amended as follows.E+W+S+N.I.

(2)The existing text becomes sub-paragraph (1).

(3)For paragraph (b) of that sub-paragraph substitute—

(b)for the purposes of ensuring that it complies with its data protection obligations.

(4)After sub-paragraph (1) insert—

(2)In this paragraph, “data protection obligations”, in relation to a relevant institution, means—

(a)where the institution carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);

(b)where the institution carries on business in a EEA State other than the United Kingdom, obligations under—

(i)the GDPR (as defined in section 3(10) of the Data Protection Act 2018),

(ii)legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and

(iii)legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).

Data Protection (Charges and Information) Regulations 2018 (S.I. 2018/480)E+W+S+N.I.

421In regulation 1(2) of the Data Protection (Charges and Information) Regulations 2018 (interpretation), at the appropriate places insert—E+W+S+N.I.

data controller” means a person who is a controller for the purposes of Parts 5 to 7 of the Data Protection Act 2018 (see section 3(6) and (14) of that Act);;

personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act);.

National Health Service (General Medical Services Contracts) (Scotland) Regulations 2018 (S.S.I. 2018/66)E+W+S+N.I.

422The National Health Service (General Medical Services Contracts) (Scotland) Regulations 2018 are amended as follows.E+W+S+N.I.

423(1)Regulation 1 (citation and commencement) is amended as follows.E+W+S+N.I.

(2)In paragraph (2), omit “Subject to paragraph (3),”.

(3)Omit paragraph (3).

424In regulation 3(1) (interpretation)—E+W+S+N.I.

(a)omit the definition of “the 1998 Act”,

(b)at the appropriate place insert—

the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);, and

(c)omit the definition of “GDPR”.

425(1)Schedule 6 (other contractual terms) is amended as follows.E+W+S+N.I.

(2)In paragraph 63(2) (interpretation: general), for “the 1998 Act or any directly applicable EU instrument relating to data protection” substitute

(a)the data protection legislation, or

(b)any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection.

(3)For paragraph 64 (meaning of data controller etc.) substitute—

Meaning of controller etc.E+W+S+N.I.

64AFor the purposes of this Part—

  • controller” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(6) and (14) of that Act);

  • data protection officer” means a person designated as a data protection officer under the data protection legislation;

  • personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act).

(4)In paragraph 65(2)(b) (roles, responsibilities and obligations: general), for “data controllers” substitute “ controllers ”.

(5)In paragraph 69(2)(a) (processing and access of data), for “the 1998 Act, and any directly applicable EU instrument relating to data protection;” substitute

(i)the data protection legislation, and

(ii)any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;.

(6)In paragraph 94(4) (variation of a contract: general)—

(a)omit paragraph (b), and

(b)after paragraph (d) (but before the final “and”) insert—

(da)the data protection legislation;

(db)any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;.

National Health Service (Primary Medical Services Section 17C Agreements) (Scotland) Regulations 2018 (S.S.I. 2018/67)E+W+S+N.I.

426The National Health Service (Primary Medical Services Section 17C Agreements) (Scotland) Regulations 2018 are amended as follows.E+W+S+N.I.

427(1)Regulation 1 (citation and commencement) is amended as follows.E+W+S+N.I.

(2)In paragraph (2), omit “Subject to paragraph (3),”.

(3)Omit paragraph (3).

428In regulation 3(1) (interpretation)—E+W+S+N.I.

(a)omit the definition of “the 1998 Act”, and

(b)at the appropriate place insert—

the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act);, and

(c)omit the definition of “GDPR”.

429(1)Schedule 1 (content of agreements) is amended as follows.E+W+S+N.I.

(2)In paragraph 34 (interpretation)—

(a)in sub-paragraph (1)—

(i)omit “Subject to sub-paragraph (3),”,

(ii)before paragraph (a) insert—

(za)controller” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(6) and (14) of that Act);

(zb)data protection officer” means a person designated as a data protection officer under the data protection legislation;, and

(iii)for paragraph (d) substitute—

(e)personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act).,

(b)omit sub-paragraphs (2) and (3),

(c)in sub-paragraph (4), for “the 1998 Act and any directly applicable EU instrument relating to data protection” substitute

(a)the data protection legislation, or

(b)any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection., and

(d)in sub-paragraph (6)(b), for “data controllers” substitute “ controllers ”.

(3)In paragraph 37(2)(a) (processing and access of data), for “the 1998 Act, and any directly applicable EU instrument relating to data protection;” substitute

(i)the data protection legislation, and

(ii)any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;.

(4)In paragraph 61(3) (variation of agreement: general)—

(a)omit paragraph (b), and

(b)after paragraph (d) (but before the final “and”) insert—

(da)the data protection legislation;

(db)any directly applicable EU legislation which is not part of the data protection legislation but which relates to data protection;.

Prospective

PART 3 E+W+S+N.I.Modifications

IntroductionE+W+S+N.I.

430(1)Unless the context otherwise requires, legislation described in sub-paragraph (2) has effect on and after the day on which this Part of this Schedule comes into force as if it were modified in accordance with this Part of this Schedule.E+W+S+N.I.

(2)That legislation is—

(a)subordinate legislation made before the day on which this Part of this Schedule comes into force;

(b)primary legislation that is passed or made before the end of the Session in which this Act is passed.

(3)In this Part of this Schedule—

  • primary legislation” has the meaning given in section 211(7);

  • references” includes any references, however expressed.

General modificationsE+W+S+N.I.

431(1)References to a particular provision of, or made under, the Data Protection Act 1998 have effect as references to the equivalent provision or provisions of, or made under, the data protection legislation.E+W+S+N.I.

(2)Other references to the Data Protection Act 1998 have effect as references to the data protection legislation.

(3)References to disclosure, use or other processing of information that is prohibited or restricted by an enactment which include disclosure, use or other processing of information that is prohibited or restricted by the Data Protection Act 1998 have effect as if they included disclosure, use or other processing of information that is prohibited or restricted by the GDPR or the applied GDPR.

Specific modification of references to terms used in the Data Protection Act 1998E+W+S+N.I.

432(1)References to personal data, and to the processing of such data, as defined in the Data Protection Act 1998, have effect as references to personal data, and to the processing of such data, as defined for the purposes of Parts 5 to 7 of this Act (see section 3(2), (4) and (14)).E+W+S+N.I.

(2)References to processing as defined in the Data Protection Act 1998, in relation to information, have effect as references to processing as defined in section 3(4).

(3)References to a data subject as defined in the Data Protection Act 1998 have effect as references to a data subject as defined in section 3(5).

(4)References to a data controller as defined in the Data Protection Act 1998 have effect as references to a controller as defined for the purposes of Parts 5 to 7 of this Act (see section 3(6) and (14)).

(5)References to the data protection principles set out in the Data Protection Act 1998 have effect as references to the principles set out in—

(a)Article 5(1) of the GDPR and the applied GDPR, and

(b)sections 34(1) and 85(1) of this Act.

(6)References to direct marketing as defined in section 11 of the Data Protection Act 1998 have effect as references to direct marketing as defined in section 122 of this Act.

(7)References to a health professional within the meaning of section 69(1) of the Data Protection Act 1998 have effect as references to a health professional within the meaning of section 204 of this Act.

(8)References to a health record within the meaning of section 68(2) of the Data Protection Act 1998 have effect as references to a health record within the meaning of section 205 of this Act.

PART 4 E+W+S+N.I.Supplementary

Prospective

DefinitionsE+W+S+N.I.

433Section 3(14) does not apply to this Schedule.E+W+S+N.I.

Provision inserted in subordinate legislation by this ScheduleE+W+S+N.I.

434Provision inserted into subordinate legislation by this Schedule may be amended or revoked as if it had been inserted using the power under which the subordinate legislation was originally made.E+W+S+N.I.

Annotations:

Commencement Information

I2Sch. 19 para. 434 in force at Royal Assent for specified purposes, see s. 212(2)(f)