Search Legislation

Data Protection Act 2018

What Version

 Help about what version

Advanced Features

 Help about advanced features

Changes to legislation:

There are outstanding changes not yet made by the legislation.gov.uk editorial team to Data Protection Act 2018. Any changes that have already been made by the team appear in the content and are referenced with annotations. Help about Changes to Legislation

Close

Changes to Legislation

Revised legislation carried on this site may not be fully up to date. Changes and effects are recorded by our editorial team in lists which can be found in the ‘Changes to Legislation’ area. Where those effects have yet to be applied to the text of the legislation by the editorial team they are also listed alongside the legislation in the affected provisions. Use the ‘more’ link to open the changes and effects relevant to the provision you are viewing.

Changes and effects yet to be applied to :

 Help about changes and effects
Close

Changes and effects

This section lists the changes and effects yet to be applied to the specific provision you are viewing.

SCHEDULES

Prospective

Section 10

SCHEDULE 1E+W+S+N.I.Special categories of personal data and criminal convictions etc data

PART 1 E+W+S+N.I.Conditions relating to employment, health and research etc

Employment, social security and social protectionE+W+S+N.I.

1(1)This condition is met if—E+W+S+N.I.

(a)the processing is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment, social security or social protection, and

(b)when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule).

(2)See also the additional safeguards in Part 4 of this Schedule.

(3)In this paragraph—

  • social security” includes any of the branches of social security listed in Article 3(1) of Regulation (EC) No. 883/2004 of the European Parliament and of the Council on the co-ordination of social security systems (as amended from time to time);

  • social protection” includes an intervention described in Article 2(b) of Regulation (EC) 458/2007 of the European Parliament and of the Council of 25 April 2007 on the European system of integrated social protection statistics (ESSPROS) (as amended from time to time).

Health or social care purposesE+W+S+N.I.

2(1)This condition is met if the processing is necessary for health or social care purposes.E+W+S+N.I.

(2)In this paragraph “health or social care purposes” means the purposes of—

(a)preventive or occupational medicine,

(b)the assessment of the working capacity of an employee,

(c)medical diagnosis,

(d)the provision of health care or treatment,

(e)the provision of social care, or

(f)the management of health care systems or services or social care systems or services.

(3)See also the conditions and safeguards in Article 9(3) of the GDPR (obligations of secrecy) and section 11(1).

Public healthE+W+S+N.I.

3This condition is met if the processing—E+W+S+N.I.

(a)is necessary for reasons of public interest in the area of public health, and

(b)is carried out—

(i)by or under the responsibility of a health professional, or

(ii)by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

Research etcE+W+S+N.I.

4This condition is met if the processing—E+W+S+N.I.

(a)is necessary for archiving purposes, scientific or historical research purposes or statistical purposes,

(b)is carried out in accordance with Article 89(1) of the GDPR (as supplemented by section 19), and

(c)is in the public interest.

PART 2 E+W+S+N.I.Substantial public interest conditions

Requirement for an appropriate policy document when relying on conditions in this PartE+W+S+N.I.

5(1)Except as otherwise provided, a condition in this Part of this Schedule is met only if, when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule).E+W+S+N.I.

(2)See also the additional safeguards in Part 4 of this Schedule.

Statutory etc and government purposesE+W+S+N.I.

6(1)This condition is met if the processing—E+W+S+N.I.

(a)is necessary for a purpose listed in sub-paragraph (2), and

(b)is necessary for reasons of substantial public interest.

(2)Those purposes are—

(a)the exercise of a function conferred on a person by an enactment or rule of law;

(b)the exercise of a function of the Crown, a Minister of the Crown or a government department.

Administration of justice and parliamentary purposesE+W+S+N.I.

7This condition is met if the processing is necessary—E+W+S+N.I.

(a)for the administration of justice, or

(b)for the exercise of a function of either House of Parliament.

Equality of opportunity or treatmentE+W+S+N.I.

8(1)This condition is met if the processing—E+W+S+N.I.

(a)is of a specified category of personal data, and

(b)is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained,

subject to the exceptions in sub-paragraphs (3) to (5).

(2)In sub-paragraph (1), “specified” means specified in the following table—

Category of personal dataGroups of people (in relation to a category of personal data)
Personal data revealing racial or ethnic originPeople of different racial or ethnic origins
Personal data revealing religious or philosophical beliefsPeople holding different religious or philosophical beliefs
Data concerning healthPeople with different states of physical or mental health
Personal data concerning an individual's sexual orientationPeople of different sexual orientation

(3)Processing does not meet the condition in sub-paragraph (1) if it is carried out for the purposes of measures or decisions with respect to a particular data subject.

(4)Processing does not meet the condition in sub-paragraph (1) if it is likely to cause substantial damage or substantial distress to an individual.

(5)Processing does not meet the condition in sub-paragraph (1) if—

(a)an individual who is the data subject (or one of the data subjects) has given notice in writing to the controller requiring the controller not to process personal data in respect of which the individual is the data subject (and has not given notice in writing withdrawing that requirement),

(b)the notice gave the controller a reasonable period in which to stop processing such data, and

(c)that period has ended.

Racial and ethnic diversity at senior levels of organisationsE+W+S+N.I.

9(1)This condition is met if the processing—E+W+S+N.I.

(a)is of personal data revealing racial or ethnic origin,

(b)is carried out as part of a process of identifying suitable individuals to hold senior positions in a particular organisation, a type of organisation or organisations generally,

(c)is necessary for the purposes of promoting or maintaining diversity in the racial and ethnic origins of individuals who hold senior positions in the organisation or organisations, and

(d)can reasonably be carried out without the consent of the data subject,

subject to the exception in sub-paragraph (3).

(2)For the purposes of sub-paragraph (1)(d), processing can reasonably be carried out without the consent of the data subject only where—

(a)the controller cannot reasonably be expected to obtain the consent of the data subject, and

(b)the controller is not aware of the data subject withholding consent.

(3)Processing does not meet the condition in sub-paragraph (1) if it is likely to cause substantial damage or substantial distress to an individual.

(4)For the purposes of this paragraph, an individual holds a senior position in an organisation if the individual—

(a)holds a position listed in sub-paragraph (5), or

(b)does not hold such a position but is a senior manager of the organisation.

(5)Those positions are—

(a)a director, secretary or other similar officer of a body corporate;

(b)a member of a limited liability partnership;

(c)a partner in a partnership within the Partnership Act 1890, a limited partnership registered under the Limited Partnerships Act 1907 or an entity of a similar character formed under the law of a country or territory outside the United Kingdom.

(6)In this paragraph, “senior manager”, in relation to an organisation, means a person who plays a significant role in—

(a)the making of decisions about how the whole or a substantial part of the organisation's activities are to be managed or organised, or

(b)the actual managing or organising of the whole or a substantial part of those activities.

(7)The reference in sub-paragraph (2)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.

Preventing or detecting unlawful actsE+W+S+N.I.

10(1)This condition is met if the processing—E+W+S+N.I.

(a)is necessary for the purposes of the prevention or detection of an unlawful act,

(b)must be carried out without the consent of the data subject so as not to prejudice those purposes, and

(c)is necessary for reasons of substantial public interest.

(2)If the processing consists of the disclosure of personal data to a competent authority, or is carried out in preparation for such disclosure, the condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).

(3)In this paragraph—

  • act” includes a failure to act;

  • competent authority” has the same meaning as in Part 3 of this Act (see section 30).

Protecting the public against dishonesty etcE+W+S+N.I.

11(1)This condition is met if the processing—E+W+S+N.I.

(a)is necessary for the exercise of a protective function,

(b)must be carried out without the consent of the data subject so as not to prejudice the exercise of that function, and

(c)is necessary for reasons of substantial public interest.

(2)In this paragraph, “protective function” means a function which is intended to protect members of the public against—

(a)dishonesty, malpractice or other seriously improper conduct,

(b)unfitness or incompetence,

(c)mismanagement in the administration of a body or association, or

(d)failures in services provided by a body or association.

Regulatory requirements relating to unlawful acts and dishonesty etcE+W+S+N.I.

12(1)This condition is met if—E+W+S+N.I.

(a)the processing is necessary for the purposes of complying with, or assisting other persons to comply with, a regulatory requirement which involves a person taking steps to establish whether another person has—

(i)committed an unlawful act, or

(ii)been involved in dishonesty, malpractice or other seriously improper conduct,

(b)in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing, and

(c)the processing is necessary for reasons of substantial public interest.

(2)In this paragraph—

  • act” includes a failure to act;

  • regulatory requirement” means—

    (a)

    a requirement imposed by legislation or by a person in exercise of a function conferred by legislation, or

    (b)

    a requirement forming part of generally accepted principles of good practice relating to a type of body or an activity.

Journalism etc in connection with unlawful acts and dishonesty etcE+W+S+N.I.

13(1)This condition is met if—E+W+S+N.I.

(a)the processing consists of the disclosure of personal data for the special purposes,

(b)it is carried out in connection with a matter described in sub-paragraph (2),

(c)it is necessary for reasons of substantial public interest,

(d)it is carried out with a view to the publication of the personal data by any person, and

(e)the controller reasonably believes that publication of the personal data would be in the public interest.

(2)The matters mentioned in sub-paragraph (1)(b) are any of the following (whether alleged or established)—

(a)the commission of an unlawful act by a person;

(b)dishonesty, malpractice or other seriously improper conduct of a person;

(c)unfitness or incompetence of a person;

(d)mismanagement in the administration of a body or association;

(e)a failure in services provided by a body or association.

(3)The condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).

(4)In this paragraph—

  • act” includes a failure to act;

  • the special purposes” means—

    (a)

    the purposes of journalism;

    (b)

    academic purposes;

    (c)

    artistic purposes;

    (d)

    literary purposes.

Preventing fraudE+W+S+N.I.

14(1)This condition is met if the processing—E+W+S+N.I.

(a)is necessary for the purposes of preventing fraud or a particular kind of fraud, and

(b)consists of—

(i)the disclosure of personal data by a person as a member of an anti-fraud organisation,

(ii)the disclosure of personal data in accordance with arrangements made by an anti-fraud organisation, or

(iii)the processing of personal data disclosed as described in sub-paragraph (i) or (ii).

(2)In this paragraph, “anti-fraud organisation” has the same meaning as in section 68 of the Serious Crime Act 2007.

Suspicion of terrorist financing or money launderingE+W+S+N.I.

15This condition is met if the processing is necessary for the purposes of making a disclosure in good faith under either of the following—E+W+S+N.I.

(a)section 21CA of the Terrorism Act 2000 (disclosures between certain entities within regulated sector in relation to suspicion of commission of terrorist financing offence or for purposes of identifying terrorist property);

(b)section 339ZB of the Proceeds of Crime Act 2002 (disclosures within regulated sector in relation to suspicion of money laundering).

Support for individuals with a particular disability or medical conditionE+W+S+N.I.

16(1)This condition is met if the processing—E+W+S+N.I.

(a)is carried out by a not-for-profit body which provides support to individuals with a particular disability or medical condition,

(b)is of a type of personal data falling within sub-paragraph (2) which relates to an individual falling within sub-paragraph (3),

(c)is necessary for the purposes of—

(i)raising awareness of the disability or medical condition, or

(ii)providing support to individuals falling within sub-paragraph (3) or enabling such individuals to provide support to each other,

(d)can reasonably be carried out without the consent of the data subject, and

(e)is necessary for reasons of substantial public interest.

(2)The following types of personal data fall within this sub-paragraph—

(a)personal data revealing racial or ethnic origin;

(b)genetic data or biometric data;

(c)data concerning health;

(d)personal data concerning an individual's sex life or sexual orientation.

(3)An individual falls within this sub-paragraph if the individual is or has been a member of the body mentioned in sub-paragraph (1)(a) and—

(a)has the disability or condition mentioned there, has had that disability or condition or has a significant risk of developing that disability or condition, or

(b)is a relative or carer of an individual who satisfies paragraph (a) of this sub-paragraph.

(4)For the purposes of sub-paragraph (1)(d), processing can reasonably be carried out without the consent of the data subject only where—

(a)the controller cannot reasonably be expected to obtain the consent of the data subject, and

(b)the controller is not aware of the data subject withholding consent.

(5)In this paragraph—

  • carer” means an individual who provides or intends to provide care for another individual other than—

    (a)

    under or by virtue of a contract, or

    (b)

    as voluntary work;

  • disability” has the same meaning as in the Equality Act 2010 (see section 6 of, and Schedule 1 to, that Act).

(6)The reference in sub-paragraph (4)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.

Counselling etcE+W+S+N.I.

17(1)This condition is met if the processing—E+W+S+N.I.

(a)is necessary for the provision of confidential counselling, advice or support or of another similar service provided confidentially,

(b)is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and

(c)is necessary for reasons of substantial public interest.

(2)The reasons mentioned in sub-paragraph (1)(b) are—

(a)in the circumstances, consent to the processing cannot be given by the data subject;

(b)in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;

(c)the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the service mentioned in sub-paragraph (1)(a).

Safeguarding of children and of individuals at riskE+W+S+N.I.

18(1)This condition is met if—E+W+S+N.I.

(a)the processing is necessary for the purposes of—

(i)protecting an individual from neglect or physical, mental or emotional harm, or

(ii)protecting the physical, mental or emotional well-being of an individual,

(b)the individual is—

(i)aged under 18, or

(ii)aged 18 or over and at risk,

(c)the processing is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and

(d)the processing is necessary for reasons of substantial public interest.

(2)The reasons mentioned in sub-paragraph (1)(c) are—

(a)in the circumstances, consent to the processing cannot be given by the data subject;

(b)in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;

(c)the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection mentioned in sub-paragraph (1)(a).

(3)For the purposes of this paragraph, an individual aged 18 or over is “at risk” if the controller has reasonable cause to suspect that the individual—

(a)has needs for care and support,

(b)is experiencing, or at risk of, neglect or physical, mental or emotional harm, and

(c)as a result of those needs is unable to protect himself or herself against the neglect or harm or the risk of it.

(4)In sub-paragraph (1)(a), the reference to the protection of an individual or of the well-being of an individual includes both protection relating to a particular individual and protection relating to a type of individual.

Safeguarding of economic well-being of certain individualsE+W+S+N.I.

19(1)This condition is met if the processing—E+W+S+N.I.

(a)is necessary for the purposes of protecting the economic well-being of an individual at economic risk who is aged 18 or over,

(b)is of data concerning health,

(c)is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and

(d)is necessary for reasons of substantial public interest.

(2)The reasons mentioned in sub-paragraph (1)(c) are—

(a)in the circumstances, consent to the processing cannot be given by the data subject;

(b)in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;

(c)the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection mentioned in sub-paragraph (1)(a).

(3)In this paragraph, “individual at economic risk” means an individual who is less able to protect his or her economic well-being by reason of physical or mental injury, illness or disability.

InsuranceE+W+S+N.I.

20(1)This condition is met if the processing—E+W+S+N.I.

(a)is necessary for an insurance purpose,

(b)is of personal data revealing racial or ethnic origin, religious or philosophical beliefs or trade union membership, genetic data or data concerning health, and

(c)is necessary for reasons of substantial public interest,

subject to sub-paragraphs (2) and (3).

(2)Sub-paragraph (3) applies where—

(a)the processing is not carried out for the purposes of measures or decisions with respect to the data subject, and

(b)the data subject does not have and is not expected to acquire—

(i)rights against, or obligations in relation to, a person who is an insured person under an insurance contract to which the insurance purpose mentioned in sub-paragraph (1)(a) relates, or

(ii)other rights or obligations in connection with such a contract.

(3)Where this sub-paragraph applies, the processing does not meet the condition in sub-paragraph (1) unless, in addition to meeting the requirements in that sub-paragraph, it can reasonably be carried out without the consent of the data subject.

(4)For the purposes of sub-paragraph (3), processing can reasonably be carried out without the consent of the data subject only where—

(a)the controller cannot reasonably be expected to obtain the consent of the data subject, and

(b)the controller is not aware of the data subject withholding consent.

(5)In this paragraph—

  • insurance contract” means a contract of general insurance or long-term insurance;

  • insurance purpose” means—

    (a)

    advising on, arranging, underwriting or administering an insurance contract,

    (b)

    administering a claim under an insurance contract, or

    (c)

    exercising a right, or complying with an obligation, arising in connection with an insurance contract, including a right or obligation arising under an enactment or rule of law.

(6)The reference in sub-paragraph (4)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.

(7)Terms used in the definition of “insurance contract” in sub-paragraph (5) and also in an order made under section 22 of the Financial Services and Markets Act 2000 (regulated activities) have the same meaning in that definition as they have in that order.

Occupational pensionsE+W+S+N.I.

21(1)This condition is met if the processing—E+W+S+N.I.

(a)is necessary for the purpose of making a determination in connection with eligibility for, or benefits payable under, an occupational pension scheme,

(b)is of data concerning health which relates to a data subject who is the parent, grandparent, great-grandparent or sibling of a member of the scheme,

(c)is not carried out for the purposes of measures or decisions with respect to the data subject, and

(d)can reasonably be carried out without the consent of the data subject.

(2)For the purposes of sub-paragraph (1)(d), processing can reasonably be carried out without the consent of the data subject only where—

(a)the controller cannot reasonably be expected to obtain the consent of the data subject, and

(b)the controller is not aware of the data subject withholding consent.

(3)In this paragraph—

  • occupational pension scheme” has the meaning given in section 1 of the Pension Schemes Act 1993;

  • member”, in relation to a scheme, includes an individual who is seeking to become a member of the scheme.

(4)The reference in sub-paragraph (2)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.

Political partiesE+W+S+N.I.

22(1)This condition is met if the processing—E+W+S+N.I.

(a)is of personal data revealing political opinions,

(b)is carried out by a person or organisation included in the register maintained under section 23 of the Political Parties, Elections and Referendums Act 2000, and

(c)is necessary for the purposes of the person's or organisation's political activities,

subject to the exceptions in sub-paragraphs (2) and (3).

(2)Processing does not meet the condition in sub-paragraph (1) if it is likely to cause substantial damage or substantial distress to a person.

(3)Processing does not meet the condition in sub-paragraph (1) if—

(a)an individual who is the data subject (or one of the data subjects) has given notice in writing to the controller requiring the controller not to process personal data in respect of which the individual is the data subject (and has not given notice in writing withdrawing that requirement),

(b)the notice gave the controller a reasonable period in which to stop processing such data, and

(c)that period has ended.

(4)In this paragraph, “political activities” include campaigning, fund-raising, political surveys and case-work.

Elected representatives responding to requestsE+W+S+N.I.

23(1)This condition is met if—E+W+S+N.I.

(a)the processing is carried out—

(i)by an elected representative or a person acting with the authority of such a representative,

(ii)in connection with the discharge of the elected representative's functions, and

(iii)in response to a request by an individual that the elected representative take action on behalf of the individual, and

(b)the processing is necessary for the purposes of, or in connection with, the action reasonably taken by the elected representative in response to that request,

subject to sub-paragraph (2).

(2)Where the request is made by an individual other than the data subject, the condition in sub-paragraph (1) is met only if the processing must be carried out without the consent of the data subject for one of the following reasons—

(a)in the circumstances, consent to the processing cannot be given by the data subject;

(b)in the circumstances, the elected representative cannot reasonably be expected to obtain the consent of the data subject to the processing;

(c)obtaining the consent of the data subject would prejudice the action taken by the elected representative;

(d)the processing is necessary in the interests of another individual and the data subject has withheld consent unreasonably.

(3)In this paragraph, “elected representative” means—

(a)a member of the House of Commons;

(b)a member of the National Assembly for Wales;

(c)a member of the Scottish Parliament;

(d)a member of the Northern Ireland Assembly;

(e)a member of the European Parliament elected in the United Kingdom;

(f)an elected member of a local authority within the meaning of section 270(1) of the Local Government Act 1972, namely—

(i)in England, a county council, a district council, a London borough council or a parish council;

(ii)in Wales, a county council, a county borough council or a community council;

(g)an elected mayor of a local authority within the meaning of Part 1A or 2 of the Local Government Act 2000;

(h)a mayor for the area of a combined authority established under section 103 of the Local Democracy, Economic Development and Construction Act 2009;

(i)the Mayor of London or an elected member of the London Assembly;

(j)an elected member of—

(i)the Common Council of the City of London, or

(ii)the Council of the Isles of Scilly;

(k)an elected member of a council constituted under section 2 of the Local Government etc (Scotland) Act 1994;

(l)an elected member of a district council within the meaning of the Local Government Act (Northern Ireland) 1972 (c. 9 (N.I.));

(m)a police and crime commissioner.

(4)For the purposes of sub-paragraph (3), a person who is—

(a)a member of the House of Commons immediately before Parliament is dissolved,

(b)a member of the National Assembly for Wales immediately before that Assembly is dissolved,

(c)a member of the Scottish Parliament immediately before that Parliament is dissolved, or

(d)a member of the Northern Ireland Assembly immediately before that Assembly is dissolved,

is to be treated as if the person were such a member until the end of the fourth day after the day on which the subsequent general election in relation to that Parliament or Assembly is held.

(5)For the purposes of sub-paragraph (3), a person who is an elected member of the Common Council of the City of London and whose term of office comes to an end at the end of the day preceding the annual Wardmotes is to be treated as if he or she were such a member until the end of the fourth day after the day on which those Wardmotes are held.

Disclosure to elected representativesE+W+S+N.I.

24(1)This condition is met if—E+W+S+N.I.

(a)the processing consists of the disclosure of personal data—

(i)to an elected representative or a person acting with the authority of such a representative, and

(ii)in response to a communication to the controller from that representative or person which was made in response to a request from an individual,

(b)the personal data is relevant to the subject matter of that communication, and

(c)the disclosure is necessary for the purpose of responding to that communication,

subject to sub-paragraph (2).

(2)Where the request to the elected representative came from an individual other than the data subject, the condition in sub-paragraph (1) is met only if the disclosure must be made without the consent of the data subject for one of the following reasons—

(a)in the circumstances, consent to the processing cannot be given by the data subject;

(b)in the circumstances, the elected representative cannot reasonably be expected to obtain the consent of the data subject to the processing;

(c)obtaining the consent of the data subject would prejudice the action taken by the elected representative;

(d)the processing is necessary in the interests of another individual and the data subject has withheld consent unreasonably.

(3)In this paragraph, “elected representative” has the same meaning as in paragraph 23.

Informing elected representatives about prisonersE+W+S+N.I.

25(1)This condition is met if—E+W+S+N.I.

(a)the processing consists of the processing of personal data about a prisoner for the purpose of informing a member of the House of Commons, a member of the National Assembly for Wales or a member of the Scottish Parliament about the prisoner, and

(b)the member is under an obligation not to further disclose the personal data.

(2)The references in sub-paragraph (1) to personal data about, and to informing someone about, a prisoner include personal data about, and informing someone about, arrangements for the prisoner's release.

(3)In this paragraph—

  • prison” includes a young offender institution, a remand centre, a secure training centre or a secure college;

  • prisoner” means a person detained in a prison.

Publication of legal judgmentsE+W+S+N.I.

26This condition is met if the processing—E+W+S+N.I.

(a)consists of the publication of a judgment or other decision of a court or tribunal, or

(b)is necessary for the purposes of publishing such a judgment or decision.

Anti-doping in sportE+W+S+N.I.

27(1)This condition is met if the processing is necessary—E+W+S+N.I.

(a)for the purposes of measures designed to eliminate doping which are undertaken by or under the responsibility of a body or association that is responsible for eliminating doping in a sport, at a sporting event or in sport generally, or

(b)for the purposes of providing information about doping, or suspected doping, to such a body or association.

(2)The reference in sub-paragraph (1)(a) to measures designed to eliminate doping includes measures designed to identify or prevent doping.

(3)If the processing consists of the disclosure of personal data to a body or association described in sub-paragraph (1)(a), or is carried out in preparation for such disclosure, the condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).

Standards of behaviour in sportE+W+S+N.I.

28(1)This condition is met if the processing—E+W+S+N.I.

(a)is necessary for the purposes of measures designed to protect the integrity of a sport or a sporting event,

(b)must be carried out without the consent of the data subject so as not to prejudice those purposes, and

(c)is necessary for reasons of substantial public interest.

(2)In sub-paragraph (1)(a), the reference to measures designed to protect the integrity of a sport or a sporting event is a reference to measures designed to protect a sport or a sporting event against—

(a)dishonesty, malpractice or other seriously improper conduct, or

(b)failure by a person participating in the sport or event in any capacity to comply with standards of behaviour set by a body or association with responsibility for the sport or event.

PART 3 E+W+S+N.I.Additional conditions relating to criminal convictions etc

ConsentE+W+S+N.I.

29This condition is met if the data subject has given consent to the processing.E+W+S+N.I.

Protecting individual's vital interestsE+W+S+N.I.

30This condition is met if—E+W+S+N.I.

(a)the processing is necessary to protect the vital interests of an individual, and

(b)the data subject is physically or legally incapable of giving consent.

Processing by not-for-profit bodiesE+W+S+N.I.

31This condition is met if the processing is carried out—E+W+S+N.I.

(a)in the course of its legitimate activities with appropriate safeguards by a foundation, association or other not-for-profit body with a political, philosophical, religious or trade union aim, and

(b)on condition that—

(i)the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes, and

(ii)the personal data is not disclosed outside that body without the consent of the data subjects.

Personal data in the public domainE+W+S+N.I.

32This condition is met if the processing relates to personal data which is manifestly made public by the data subject.E+W+S+N.I.

Legal claimsE+W+S+N.I.

33This condition is met if the processing—E+W+S+N.I.

(a)is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),

(b)is necessary for the purpose of obtaining legal advice, or

(c)is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

Judicial actsE+W+S+N.I.

34This condition is met if the processing is necessary when a court or tribunal is acting in its judicial capacity.E+W+S+N.I.

Administration of accounts used in commission of indecency offences involving childrenE+W+S+N.I.

35(1)This condition is met if—E+W+S+N.I.

(a)the processing is of personal data about a conviction or caution for an offence listed in sub-paragraph (2),

(b)the processing is necessary for the purpose of administering an account relating to the payment card used in the commission of the offence or cancelling that payment card, and

(c)when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule).

(2)Those offences are an offence under—

(a)section 1 of the Protection of Children Act 1978 (indecent photographs of children),

(b)Article 3 of the Protection of Children (Northern Ireland) Order 1978 (S.I. 1978/1047 (N.I. 17)) (indecent photographs of children),

(c)section 52 of the Civic Government (Scotland) Act 1982 (indecent photographs etc of children),

(d)section 160 of the Criminal Justice Act 1988 (possession of indecent photograph of child),

(e)Article 15 of the Criminal Justice (Evidence etc) (Northern Ireland) Order 1988 (S.I. 1988/1847 (N.I. 17)) (possession of indecent photograph of child), or

(f)section 62 of the Coroners and Justice Act 2009 (possession of prohibited images of children),

or incitement to commit an offence under any of those provisions.

(3)See also the additional safeguards in Part 4 of this Schedule.

(4)In this paragraph—

  • caution” means a caution given to a person in England and Wales or Northern Ireland in respect of an offence which, at the time when the caution is given, is admitted;

  • conviction” has the same meaning as in the Rehabilitation of Offenders Act 1974 or the Rehabilitation of Offenders (Northern Ireland) Order 1978 (S.I. 1978/1908 (N.I. 27));

  • payment card” includes a credit card, a charge card and a debit card.

Extension of conditions in Part 2 of this Schedule referring to substantial public interestE+W+S+N.I.

36This condition is met if the processing would meet a condition in Part 2 of this Schedule but for an express requirement for the processing to be necessary for reasons of substantial public interest.E+W+S+N.I.

Extension of insurance conditionsE+W+S+N.I.

37This condition is met if the processing—E+W+S+N.I.

(a)would meet the condition in paragraph 20 in Part 2 of this Schedule (the “insurance condition”), or

(b)would meet the condition in paragraph 36 by virtue of the insurance condition,

but for the requirement for the processing to be processing of a category of personal data specified in paragraph 20(1)(b).

PART 4 E+W+S+N.I.Appropriate policy document and additional safeguards

Application of this Part of this ScheduleE+W+S+N.I.

38This Part of this Schedule makes provision about the processing of personal data carried out in reliance on a condition in Part 1, 2 or 3 of this Schedule which requires the controller to have an appropriate policy document in place when the processing is carried out.E+W+S+N.I.

Requirement to have an appropriate policy document in placeE+W+S+N.I.

39The controller has an appropriate policy document in place in relation to the processing of personal data in reliance on a condition described in paragraph 38 if the controller has produced a document which—E+W+S+N.I.

(a)explains the controller's procedures for securing compliance with the principles in Article 5 of the GDPR (principles relating to processing of personal data) in connection with the processing of personal data in reliance on the condition in question, and

(b)explains the controller's policies as regards the retention and erasure of personal data processed in reliance on the condition, giving an indication of how long such personal data is likely to be retained.

Additional safeguard: retention of appropriate policy documentE+W+S+N.I.

40(1)Where personal data is processed in reliance on a condition described in paragraph 38, the controller must during the relevant period—E+W+S+N.I.

(a)retain the appropriate policy document,

(b)review and (if appropriate) update it from time to time, and

(c)make it available to the Commissioner, on request, without charge.

(2)Relevant period”, in relation to the processing of personal data in reliance on a condition described in paragraph 38, means a period which—

(a)begins when the controller starts to carry out processing of personal data in reliance on that condition, and

(b)ends at the end of the period of 6 months beginning when the controller ceases to carry out such processing.

Additional safeguard: record of processingE+W+S+N.I.

41A record maintained by the controller, or the controller's representative, under Article 30 of the GDPR in respect of the processing of personal data in reliance on a condition described in paragraph 38 must include the following information—E+W+S+N.I.

(a)which condition is relied on,

(b)how the processing satisfies Article 6 of the GDPR (lawfulness of processing), and

(c)whether the personal data is retained and erased in accordance with the policies described in paragraph 39(b) and, if it is not, the reasons for not following those policies.

Section 15

SCHEDULE 2E+W+S+N.I.Exemptions etc from the GDPR

Prospective

PART 1 E+W+S+N.I.Adaptations and restrictions based on Articles 6(3) and 23(1)

GDPR provisions to be adapted or restricted: “the listed GDPR provisions”E+W+S+N.I.

1In this Part of this Schedule, “the listed GDPR provisions” means—E+W+S+N.I.

(a)the following provisions of the GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the GDPR)—

(i)Article 13(1) to (3) (personal data collected from data subject: information to be provided);

(ii)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);

(iii)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(iv)Article 16 (right to rectification);

(v)Article 17(1) and (2) (right to erasure);

(vi)Article 18(1) (restriction of processing);

(vii)Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);

(viii)Article 20(1) and (2) (right to data portability);

(ix)Article 21(1) (objections to processing);

(x)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (i) to (ix); and

(b)the following provisions of the GDPR (the application of which may be adapted by virtue of Article 6(3) of the GDPR)—

(i)Article 5(1)(a) (lawful, fair and transparent processing), other than the lawfulness requirements set out in Article 6;

(ii)Article 5(1)(b) (purpose limitation).

Crime and taxation: generalE+W+S+N.I.

2(1)The listed GDPR provisions and Article 34(1) and (4) of the GDPR (communication of personal data breach to the data subject) do not apply to personal data processed for any of the following purposes—E+W+S+N.I.

(a)the prevention or detection of crime,

(b)the apprehension or prosecution of offenders, or

(c)the assessment or collection of a tax or duty or an imposition of a similar nature,

to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) to (c).

(2)Sub-paragraph (3) applies where—

(a)personal data is processed by a person (“Controller 1”) for any of the purposes mentioned in sub-paragraph (1)(a) to (c), and

(b)another person (“Controller 2”) obtains the data from Controller 1 for the purpose of discharging statutory functions and processes it for the purpose of discharging statutory functions.

(3)Controller 2 is exempt from the obligations in the following provisions of the GDPR—

(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided),

(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided),

(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers), and

(d)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in paragraphs (a) to (c),

to the same extent that Controller 1 is exempt from those obligations by virtue of sub-paragraph (1).

Crime and taxation: risk assessment systemsE+W+S+N.I.

3(1)The GDPR provisions listed in sub-paragraph (3) do not apply to personal data which consists of a classification applied to the data subject as part of a risk assessment system falling within sub-paragraph (2) to the extent that the application of those provisions would prevent the system from operating effectively.E+W+S+N.I.

(2)A risk assessment system falls within this sub-paragraph if—

(a)it is operated by a government department, a local authority or another authority administering housing benefit, and

(b)it is operated for the purposes of—

(i)the assessment or collection of a tax or duty or an imposition of a similar nature, or

(ii)the prevention or detection of crime or apprehension or prosecution of offenders, where the offence concerned involves the unlawful use of public money or an unlawful claim for payment out of public money.

(3)The GDPR provisions referred to in sub-paragraph (1) are the following provisions of the GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the GDPR)—

(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided);

(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);

(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(d)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in paragraphs (a) to (c).

ImmigrationE+W+S+N.I.

4(1)The GDPR provisions listed in sub-paragraph (2) do not apply to personal data processed for any of the following purposes—E+W+S+N.I.

(a)the maintenance of effective immigration control, or

(b)the investigation or detection of activities that would undermine the maintenance of effective immigration control,

to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) and (b).

(2)The GDPR provisions referred to in sub-paragraph (1) are the following provisions of the GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the GDPR)—

(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided);

(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);

(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(d)Article 17(1) and (2) (right to erasure);

(e)Article 18(1) (restriction of processing);

(f)Article 21(1) (objections to processing);

(g)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (f).

(That is, the listed GDPR provisions other than Article 16 (right to rectification), Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing) and Article 20(1) and (2) (right to data portability) and, subject to sub-paragraph (2)(g) of this paragraph, the provisions of Article 5 listed in paragraph 1(b).)

(3)Sub-paragraph (4) applies where—

(a)personal data is processed by a person (“Controller 1”), and

(b)another person (“Controller 2”) obtains the data from Controller 1 for any of the purposes mentioned in sub-paragraph (1)(a) and (b) and processes it for any of those purposes.

(4)Controller 1 is exempt from the obligations in the following provisions of the GDPR—

(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided),

(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided),

(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers), and

(d)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in paragraphs (a) to (c),

to the same extent that Controller 2 is exempt from those obligations by virtue of sub-paragraph (1).

Information required to be disclosed by law etc or in connection with legal proceedingsE+W+S+N.I.

5(1)The listed GDPR provisions do not apply to personal data consisting of information that the controller is obliged by an enactment to make available to the public, to the extent that the application of those provisions would prevent the controller from complying with that obligation.E+W+S+N.I.

(2)The listed GDPR provisions do not apply to personal data where disclosure of the data is required by an enactment, a rule of law or an order of a court or tribunal, to the extent that the application of those provisions would prevent the controller from making the disclosure.

(3)The listed GDPR provisions do not apply to personal data where disclosure of the data—

(a)is necessary for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings),

(b)is necessary for the purpose of obtaining legal advice, or

(c)is otherwise necessary for the purposes of establishing, exercising or defending legal rights,

to the extent that the application of those provisions would prevent the controller from making the disclosure.

PART 2 E+W+S+N.I.Restrictions based on Article 23(1): restrictions of rules in Articles 13 to 21 and 34

Prospective

GDPR provisions to be restricted: “the listed GDPR provisions”E+W+S+N.I.

6In this Part of this Schedule, “the listed GDPR provisions” means the following provisions of the GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the GDPR)—E+W+S+N.I.

(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided);

(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);

(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(d)Article 16 (right to rectification);

(e)Article 17(1) and (2) (right to erasure);

(f)Article 18(1) (restriction of processing);

(g)Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);

(h)Article 20(1) and (2) (right to data portability);

(i)Article 21(1) (objections to processing);

(j)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (i).

Prospective

Functions designed to protect the public etcE+W+S+N.I.

7The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function that—E+W+S+N.I.

(a)is designed as described in column 1 of the Table, and

(b)meets the condition relating to the function specified in column 2 of the Table,

to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.

TABLE
Description of function designCondition

1. The function is designed to protect members of the public against—

(a)

financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate, or

(b)

financial loss due to the conduct of discharged or undischarged bankrupts.

The function is—

(a)

conferred on a person by an enactment,

(b)

a function of the Crown, a Minister of the Crown or a government department, or

(c)

of a public nature, and is exercised in the public interest.

2. The function is designed to protect members of the public against—

(a)

dishonesty, malpractice or other seriously improper conduct, or

(b)

unfitness or incompetence.

The function is—

(a)

conferred on a person by an enactment,

(b)

a function of the Crown, a Minister of the Crown or a government department, or

(c)

of a public nature, and is exercised in the public interest.

3. The function is designed—

(a)

to protect charities or community interest companies against misconduct or mismanagement (whether by trustees, directors or other persons) in their administration,

(b)

to protect the property of charities or community interest companies from loss or misapplication, or

(c)

to recover the property of charities or community interest companies.

The function is—

(a)

conferred on a person by an enactment,

(b)

a function of the Crown, a Minister of the Crown or a government department, or

(c)

of a public nature, and is exercised in the public interest.

4. The function is designed—

(a)

to secure the health, safety and welfare of persons at work, or

(b)

to protect persons other than those at work against risk to health or safety arising out of or in connection with the action of persons at work.

The function is—

(a)

conferred on a person by an enactment,

(b)

a function of the Crown, a Minister of the Crown or a government department, or

(c)

of a public nature, and is exercised in the public interest.

5. The function is designed to protect members of the public against—

(a)

maladministration by public bodies,

(b)

failures in services provided by public bodies, or

(c)

a failure of a public body to provide a service which it is a function of the body to provide.

The function is conferred by any enactment on—

(a)

the Parliamentary Commissioner for Administration,

(b)

the Commissioner for Local Administration in England,

(c)

the Health Service Commissioner for England,

(d)

the Public Services Ombudsman for Wales,

(e)

the Northern Ireland Public Services Ombudsman,

(f)

the Prison Ombudsman for Northern Ireland, or

(g)

the Scottish Public Services Ombudsman.

6. The function is designed—

(a)

to protect members of the public against conduct which may adversely affect their interests by persons carrying on a business,

(b)

to regulate agreements or conduct which have as their object or effect the prevention, restriction or distortion of competition in connection with any commercial activity, or

(c)

to regulate conduct on the part of one or more undertakings which amounts to the abuse of a dominant position in a market.

The function is conferred on the Competition and Markets Authority by an enactment.

Prospective

Audit functionsE+W+S+N.I.

8(1)The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function listed in sub-paragraph (2) to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.E+W+S+N.I.

(2)The functions are any function that is conferred by an enactment on—

(a)the Comptroller and Auditor General;

(b)the Auditor General for Scotland;

(c)the Auditor General for Wales;

(d)the Comptroller and Auditor General for Northern Ireland.

Prospective

Functions of the Bank of EnglandE+W+S+N.I.

9(1)The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a relevant function of the Bank of England to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.E+W+S+N.I.

(2)Relevant function of the Bank of England” means—

(a)a function discharged by the Bank acting in its capacity as a monetary authority (as defined in section 244(2)(c) and (2A) of the Banking Act 2009);

(b)a public function of the Bank within the meaning of section 349 of the Financial Services and Markets Act 2000;

(c)a function conferred on the Prudential Regulation Authority by or under the Financial Services and Markets Act 2000 or by another enactment.

Prospective

Regulatory functions relating to legal services, the health service and children's servicesE+W+S+N.I.

10(1)The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function listed in sub-paragraph (2) to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.E+W+S+N.I.

(2)The functions are—

(a)a function of the Legal Services Board;

(b)the function of considering a complaint under the scheme established under Part 6 of the Legal Services Act 2007 (legal complaints);

(c)the function of considering a complaint under—

(i)section 14 of the NHS Redress Act 2006,

(ii)section 113(1) or (2) or section 114(1) or (3) of the Health and Social Care (Community Health and Standards) Act 2003,

(iii)section 24D or 26 of the Children Act 1989, or

(iv)Part 2A of the Public Services Ombudsman (Wales) Act 2005;

(d)the function of considering a complaint or representations under Chapter 1 of Part 10 of the Social Services and Well-being (Wales) Act 2014 (anaw 4).

Prospective

Regulatory functions of certain other personsE+W+S+N.I.

11The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function that—E+W+S+N.I.

(a)is a function of a person described in column 1 of the Table, and

(b)is conferred on that person as described in column 2 of the Table,

to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.

TABLE
Person on whom function is conferredHow function is conferred
1. The Commissioner.

By or under—

(a)

the data protection legislation;

(b)

the Freedom of Information Act 2000;

(c)

section 244 of the Investigatory Powers Act 2016;

(d)

the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426);

(e)

the Environmental Information Regulations 2004 (S.I. 2004/3391);

(f)

the INSPIRE Regulations 2009 (S.I. 2009/3157);

(g)

Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC;

(h)

the Re-use of Public Sector Information Regulations 2015 (S.I. 2015/1415);

(i)

the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696).

2. The Scottish Information Commissioner.

By or under—

(a)

the Freedom of Information (Scotland) Act 2002 (asp 13);

(b)

the Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520);

(c)

the INSPIRE (Scotland) Regulations 2009 (S.S.I. 2009/440).

3. The Pensions Ombudsman.By or under Part 10 of the Pension Schemes Act 1993 or any corresponding legislation having equivalent effect in Northern Ireland.
4. The Board of the Pension Protection Fund.By or under sections 206 to 208 of the Pensions Act 2004 or any corresponding legislation having equivalent effect in Northern Ireland.
5. The Ombudsman for the Board of the Pension Protection Fund.By or under any of sections 209 to 218 or 286(1) of the Pensions Act 2004 or any corresponding legislation having equivalent effect in Northern Ireland.
6. The Pensions Regulator.By an enactment.
7. The Financial Conduct Authority.By or under the Financial Services and Markets Act 2000 or by another enactment.
8. The Financial Ombudsman.By or under Part 16 of the Financial Services and Markets Act 2000.
9. The investigator of complaints against the financial regulators.By or under Part 6 of the Financial Services Act 2012.
10. A consumer protection enforcer, other than the Competition and Markets Authority.By or under the CPC Regulation.
11. The monitoring officer of a relevant authority.By or under the Local Government and Housing Act 1989.
12. The monitoring officer of a relevant Welsh authority.By or under the Local Government Act 2000.
13. The Public Services Ombudsman for Wales.By or under the Local Government Act 2000.
14. The Charity Commission.

By or under—

(a)

the Charities Act 1992;

(b)

the Charities Act 2006;

(c)

the Charities Act 2011.

12In the Table in paragraph 11—E+W+S+N.I.

  • consumer protection enforcer” has the same meaning as “CPC enforcer” in section 213(5A) of the Enterprise Act 2002;

  • the “CPC Regulation” has the meaning given in section 235A of the Enterprise Act 2002;

  • the “Financial Ombudsman” means the scheme operator within the meaning of Part 16 of the Financial Services and Markets Act 2000 (see section 225 of that Act);

  • the “investigator of complaints against the financial regulators” means the person appointed under section 84(1)(b) of the Financial Services Act 2012;

  • relevant authority” has the same meaning as in section 5 of the Local Government and Housing Act 1989, and “monitoring officer”, in relation to such an authority, means a person designated as such under that section;

  • relevant Welsh authority” has the same meaning as “relevant authority” in section 49(6) of the Local Government Act 2000, and “monitoring officer”, in relation to such an authority, has the same meaning as in Part 3 of that Act.

Prospective

Parliamentary privilegeE+W+S+N.I.

13The listed GDPR provisions and Article 34(1) and (4) of the GDPR (communication of personal data breach to the data subject) do not apply to personal data where this is required for the purpose of avoiding an infringement of the privileges of either House of Parliament.E+W+S+N.I.

Prospective

Judicial appointments, judicial independence and judicial proceedingsE+W+S+N.I.

14(1)The listed GDPR provisions do not apply to personal data processed for the purposes of assessing a person's suitability for judicial office or the office of Queen's Counsel.E+W+S+N.I.

(2)The listed GDPR provisions do not apply to personal data processed by—

(a)an individual acting in a judicial capacity, or

(b)a court or tribunal acting in its judicial capacity.

(3)As regards personal data not falling within sub-paragraph (1) or (2), the listed GDPR provisions do not apply to the extent that the application of those provisions would be likely to prejudice judicial independence or judicial proceedings.

Crown honours, dignities and appointmentsE+W+S+N.I.

15(1)The listed GDPR provisions do not apply to personal data processed for the purposes of the conferring by the Crown of any honour or dignity.E+W+S+N.I.

(2)The listed GDPR provisions do not apply to personal data processed for the purposes of assessing a person's suitability for any of the following offices—

(a)archbishops and diocesan and suffragan bishops in the Church of England;

(b)deans of cathedrals of the Church of England;

(c)deans and canons of the two Royal Peculiars;

(d)the First and Second Church Estates Commissioners;

(e)lord-lieutenants;

(f)Masters of Trinity College and Churchill College, Cambridge;

(g)the Provost of Eton;

(h)the Poet Laureate;

(i)the Astronomer Royal.

(3)The Secretary of State may by regulations amend the list in sub-paragraph (2) to—

(a)remove an office, or

(b)add an office to which appointments are made by Her Majesty.

(4)Regulations under sub-paragraph (3) are subject to the affirmative resolution procedure.

Annotations: Help about Annotation
Close

Annotations are used to give authority for changes and other effects on the legislation you are viewing and to convey editorial information. They appear at the foot of the relevant provision or under the associated heading. Annotations are categorised by annotation type, such as F-notes for textual amendments and I-notes for commencement information (a full list can be found in the Editorial Practice Guide). Each annotation is identified by a sequential reference number. For F-notes, M-notes and X-notes, the number also appears in bold superscript at the relevant location in the text. All annotations contain links to the affecting legislation.

Commencement Information

I1Sch. 2 para. 15 in force at Royal Assent for specified purposes, see s. 212(2)(f)

Prospective

PART 3 E+W+S+N.I.Restriction based on Article 23(1): protection of rights of others

Protection of the rights of others: generalE+W+S+N.I.

16(1)Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers), and Article 5 of the GDPR so far as its provisions correspond to the rights and obligations provided for in Article 15(1) to (3), do not oblige a controller to disclose information to the data subject to the extent that doing so would involve disclosing information relating to another individual who can be identified from the information.E+W+S+N.I.

(2)Sub-paragraph (1) does not remove the controller's obligation where—

(a)the other individual has consented to the disclosure of the information to the data subject, or

(b)it is reasonable to disclose the information to the data subject without the consent of the other individual.

(3)In determining whether it is reasonable to disclose the information without consent, the controller must have regard to all the relevant circumstances, including—

(a)the type of information that would be disclosed,

(b)any duty of confidentiality owed to the other individual,

(c)any steps taken by the controller with a view to seeking the consent of the other individual,

(d)whether the other individual is capable of giving consent, and

(e)any express refusal of consent by the other individual.

(4)For the purposes of this paragraph—

(a)information relating to another individual” includes information identifying the other individual as the source of information;

(b)an individual can be identified from information to be provided to a data subject by a controller if the individual can be identified from—

(i)that information, or

(ii)that information and any other information that the controller reasonably believes the data subject is likely to possess or obtain.

Assumption of reasonableness for health workers, social workers and education workersE+W+S+N.I.

17(1)For the purposes of paragraph 16(2)(b), it is to be considered reasonable for a controller to disclose information to a data subject without the consent of the other individual where—E+W+S+N.I.

(a)the health data test is met,

(b)the social work data test is met, or

(c)the education data test is met.

(2)The health data test is met if—

(a)the information in question is contained in a health record, and

(b)the other individual is a health professional who has compiled or contributed to the health record or who, in his or her capacity as a health professional, has been involved in the diagnosis, care or treatment of the data subject.

(3)The social work data test is met if—

(a)the other individual is—

(i)a children's court officer,

(ii)a person who is or has been employed by a person or body referred to in paragraph 8 of Schedule 3 in connection with functions exercised in relation to the information, or

(iii)a person who has provided for reward a service that is similar to a service provided in the exercise of any relevant social services functions, and

(b)the information relates to the other individual in an official capacity or the other individual supplied the information—

(i)in an official capacity, or

(ii)in a case within paragraph (a)(iii), in connection with providing the service mentioned in paragraph (a)(iii).

(4)The education data test is met if—

(a)the other individual is an education-related worker, or

(b)the other individual is employed by an education authority (within the meaning of the Education (Scotland) Act 1980) in pursuance of its functions relating to education and—

(i)the information relates to the other individual in his or her capacity as such an employee, or

(ii)the other individual supplied the information in his or her capacity as such an employee.

(5)In this paragraph—

  • children's court officer” means a person referred to in paragraph 8(1)(q), (r), (s), (t) or (u) of Schedule 3;

  • education-related worker” means a person referred to in paragraph 14(4)(a) or (b) or 16(4)(a), (b) or (c) of Schedule 3 (educational records);

  • relevant social services functions” means functions specified in paragraph 8(1)(a), (b), (c) or (d) of Schedule 3.

Prospective

PART 4 E+W+S+N.I.Restrictions based on Article 23(1): restrictions of rules in Articles 13 to 15

GDPR provisions to be restricted: “the listed GDPR provisions”E+W+S+N.I.

18In this Part of this Schedule, “the listed GDPR provisions” means the following provisions of the GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the GDPR)—E+W+S+N.I.

(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided);

(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);

(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(d)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (c).

Legal professional privilegeE+W+S+N.I.

19The listed GDPR provisions do not apply to personal data that consists of—E+W+S+N.I.

(a)information in respect of which a claim to legal professional privilege or, in Scotland, confidentiality of communications, could be maintained in legal proceedings, or

(b)information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser.

Self incriminationE+W+S+N.I.

20(1)A person need not comply with the listed GDPR provisions to the extent that compliance would, by revealing evidence of the commission of an offence, expose the person to proceedings for that offence.E+W+S+N.I.

(2)The reference to an offence in sub-paragraph (1) does not include an offence under—

(a)this Act,

(b)section 5 of the Perjury Act 1911 (false statements made otherwise than on oath),

(c)section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995 (false statements made otherwise than on oath), or

(d)Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714 (N.I. 19)) (false statutory declarations and other false unsworn statements).

(3)Information disclosed by any person in compliance with Article 15 of the GDPR is not admissible against the person in proceedings for an offence under this Act.

Corporate financeE+W+S+N.I.

21(1)The listed GDPR provisions do not apply to personal data processed for the purposes of or in connection with a corporate finance service provided by a relevant person to the extent that either Condition A or Condition B is met.E+W+S+N.I.

(2)Condition A is that the application of the listed GDPR provisions would be likely to affect the price of an instrument.

(3)Condition B is that—

(a)the relevant person reasonably believes that the application of the listed GDPR provisions to the personal data in question could affect a decision of a person—

(i)whether to deal in, subscribe for or issue an instrument, or

(ii)whether to act in a way likely to have an effect on a business activity (such as an effect on the industrial strategy of a person, the capital structure of an undertaking or the legal or beneficial ownership of a business or asset), and

(b)the application of the listed GDPR provisions to that personal data would have a prejudicial effect on the orderly functioning of financial markets or the efficient allocation of capital within the economy.

(4)In this paragraph—

  • corporate finance service” means a service consisting in—

    (a)

    underwriting in respect of issues of, or the placing of issues of, any instrument,

    (b)

    services relating to such underwriting, or

    (c)

    advice to undertakings on capital structure, industrial strategy and related matters and advice and service relating to mergers and the purchase of undertakings;

  • instrument” means an instrument listed in section C of Annex 1 to Directive 2004/39/EC of the European Parliament and of the Council of 21 April 2004 on markets in financial instruments, and references to an instrument include an instrument not yet in existence but which is to be or may be created;

  • price” includes value;

  • relevant person” means—

    (a)

    a person who, by reason of a permission under Part 4A of the Financial Services and Markets Act 2000, is able to carry on a corporate finance service without contravening the general prohibition;

    (b)

    an EEA firm of the kind mentioned in paragraph 5(a) or (b) of Schedule 3 to that Act which has qualified for authorisation under paragraph 12 of that Schedule, and may lawfully carry on a corporate finance service;

    (c)

    a person who is exempt from the general prohibition in respect of any corporate finance service—

    (i)

    as a result of an exemption order made under section 38(1) of that Act, or

    (ii)

    by reason of section 39(1) of that Act (appointed representatives);

    (d)

    a person, not falling within paragraph (a), (b) or (c), who may lawfully carry on a corporate finance service without contravening the general prohibition;

    (e)

    a person who, in the course of employment, provides to their employer a service falling within paragraph (b) or (c) of the definition of “corporate finance service”;

    (f)

    a partner who provides to other partners in the partnership a service falling within either of those paragraphs.

(5)In the definition of “relevant person” in sub-paragraph (4), references to “the general prohibition” are to the general prohibition within the meaning of section 19 of the Financial Services and Markets Act 2000.

Management forecastsE+W+S+N.I.

22The listed GDPR provisions do not apply to personal data processed for the purposes of management forecasting or management planning in relation to a business or other activity to the extent that the application of those provisions would be likely to prejudice the conduct of the business or activity concerned.E+W+S+N.I.

NegotiationsE+W+S+N.I.

23The listed GDPR provisions do not apply to personal data that consists of records of the intentions of the controller in relation to any negotiations with the data subject to the extent that the application of those provisions would be likely to prejudice those negotiations.E+W+S+N.I.

Confidential referencesE+W+S+N.I.

24The listed GDPR provisions do not apply to personal data consisting of a reference given (or to be given) in confidence for the purposes of—E+W+S+N.I.

(a)the education, training or employment (or prospective education, training or employment) of the data subject,

(b)the placement (or prospective placement) of the data subject as a volunteer,

(c)the appointment (or prospective appointment) of the data subject to any office, or

(d)the provision (or prospective provision) by the data subject of any service.

Exam scripts and exam marksE+W+S+N.I.

25(1)The listed GDPR provisions do not apply to personal data consisting of information recorded by candidates during an exam.E+W+S+N.I.

(2)Where personal data consists of marks or other information processed by a controller—

(a)for the purposes of determining the results of an exam, or

(b)in consequence of the determination of the results of an exam,

the duty in Article 12(3) or (4) of the GDPR for the controller to provide information requested by the data subject within a certain time period, as it applies to Article 15 of the GDPR (confirmation of processing, access to data and safeguards for third country transfers), is modified as set out in sub-paragraph (3).

(3)Where a question arises as to whether the controller is obliged by Article 15 of the GDPR to disclose personal data, and the question arises before the day on which the exam results are announced, the controller must provide the information mentioned in Article 12(3) or (4)—

(a)before the end of the period of 5 months beginning when the question arises, or

(b)if earlier, before the end of the period of 40 days beginning with the announcement of the results.

(4)In this paragraph, “exam” means an academic, professional or other examination used for determining the knowledge, intelligence, skill or ability of a candidate and may include an exam consisting of an assessment of the candidate's performance while undertaking work or any other activity.

(5)For the purposes of this paragraph, the results of an exam are treated as announced when they are first published or, if not published, first communicated to the candidate.

PART 5 E+W+S+N.I.Exemptions etc based on Article 85(2) for reasons of freedom of expression and information

Journalistic, academic, artistic and literary purposesE+W+S+N.I.

26(1)In this paragraph, “the special purposes” means one or more of the following—E+W+S+N.I.

(a)the purposes of journalism;

(b)academic purposes;

(c)artistic purposes;

(d)literary purposes.

(2)Sub-paragraph (3) applies to the processing of personal data carried out for the special purposes if—

(a)the processing is being carried out with a view to the publication by a person of journalistic, academic, artistic or literary material, and

(b)the controller reasonably believes that the publication of the material would be in the public interest.

(3)The listed GDPR provisions do not apply to the extent that the controller reasonably believes that the application of those provisions would be incompatible with the special purposes.

(4)In determining whether publication would be in the public interest the controller must take into account the special importance of the public interest in the freedom of expression and information.

(5)In determining whether it is reasonable to believe that publication would be in the public interest, the controller must have regard to any of the codes of practice or guidelines listed in sub-paragraph (6) that is relevant to the publication in question.

(6)The codes of practice and guidelines are—

(a)BBC Editorial Guidelines;

(b)Ofcom Broadcasting Code;

(c)Editors' Code of Practice.

(7)The Secretary of State may by regulations amend the list in sub-paragraph (6).

(8)Regulations under sub-paragraph (7) are subject to the affirmative resolution procedure.

(9)For the purposes of this paragraph, the listed GDPR provisions are the following provisions of the GDPR (which may be exempted or derogated from by virtue of Article 85(2) of the GDPR)—

(a)in Chapter II of the GDPR (principles)—

(i)Article 5(1)(a) to (e) (principles relating to processing);

(ii)Article 6 (lawfulness);

(iii)Article 7 (conditions for consent);

(iv)Article 8(1) and (2) (child's consent);

(v)Article 9 (processing of special categories of data);

(vi)Article 10 (data relating to criminal convictions etc);

(vii)Article 11(2) (processing not requiring identification);

(b)in Chapter III of the GDPR (rights of the data subject)—

(i)Article 13(1) to (3) (personal data collected from data subject: information to be provided);

(ii)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);

(iii)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(iv)Article 16 (right to rectification);

(v)Article 17(1) and (2) (right to erasure);

(vi)Article 18(1)(a), (b) and (d) (restriction of processing);

(vii)Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);

(viii)Article 20(1) and (2) (right to data portability);

(ix)Article 21(1) (objections to processing);

(c)in Chapter IV of the GDPR (controller and processor)—

(i)Article 34(1) and (4) (communication of personal data breach to the data subject);

(ii)Article 36 (requirement for controller to consult Commissioner prior to high risk processing);

(d)in Chapter V of the GDPR (transfers of data to third countries etc), Article 44 (general principles for transfers);

(e)in Chapter VII of the GDPR (co-operation and consistency)—

(i)Articles 60 to 62 (co-operation);

(ii)Articles 63 to 67 (consistency).

Annotations: Help about Annotation
Close

Annotations are used to give authority for changes and other effects on the legislation you are viewing and to convey editorial information. They appear at the foot of the relevant provision or under the associated heading. Annotations are categorised by annotation type, such as F-notes for textual amendments and I-notes for commencement information (a full list can be found in the Editorial Practice Guide). Each annotation is identified by a sequential reference number. For F-notes, M-notes and X-notes, the number also appears in bold superscript at the relevant location in the text. All annotations contain links to the affecting legislation.

Commencement Information

I2Sch. 2 para. 26 in force at Royal Assent for specified purposes, see s. 212(2)(f)

Prospective

PART 6 E+W+S+N.I.Derogations etc based on Article 89 for research, statistics and archiving

Research and statisticsE+W+S+N.I.

27(1)The listed GDPR provisions do not apply to personal data processed for—E+W+S+N.I.

(a)scientific or historical research purposes, or

(b)statistical purposes,

to the extent that the application of those provisions would prevent or seriously impair the achievement of the purposes in question.

(2)For the purposes of this paragraph, the listed GDPR provisions are the following provisions of the GDPR (the rights in which may be derogated from by virtue of Article 89(2) of the GDPR)—

(a)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(b)Article 16 (right to rectification);

(c)Article 18(1) (restriction of processing);

(d)Article 21(1) (objections to processing).

(3)The exemption in sub-paragraph (1) is available only where—

(a)the personal data is processed in accordance with Article 89(1) of the GDPR (as supplemented by section 19), and

(b)as regards the disapplication of Article 15(1) to (3), the results of the research or any resulting statistics are not made available in a form which identifies a data subject.

Archiving in the public interestE+W+S+N.I.

28(1)The listed GDPR provisions do not apply to personal data processed for archiving purposes in the public interest to the extent that the application of those provisions would prevent or seriously impair the achievement of those purposes.E+W+S+N.I.

(2)For the purposes of this paragraph, the listed GDPR provisions are the following provisions of the GDPR (the rights in which may be derogated from by virtue of Article 89(3) of the GDPR)—

(a)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(b)Article 16 (right to rectification);

(c)Article 18(1) (restriction of processing);

(d)Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);

(e)Article 20(1) (right to data portability);

(f)Article 21(1) (objections to processing).

(3)The exemption in sub-paragraph (1) is available only where the personal data is processed in accordance with Article 89(1) of the GDPR (as supplemented by section 19).

Prospective

Section 15

SCHEDULE 3E+W+S+N.I.Exemptions etc from the GDPR: health, social work, education and child abuse data

PART 1 E+W+S+N.I.GDPR provisions to be restricted

1In this Schedule “the listed GDPR provisions” means the following provisions of the GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the GDPR)—E+W+S+N.I.

(a)Article 13(1) to (3) (personal data collected from data subject: information to be provided);

(b)Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);

(c)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(d)Article 16 (right to rectification);

(e)Article 17(1) and (2) (right to erasure);

(f)Article 18(1) (restriction of processing);

(g)Article 20(1) and (2) (right to data portability);

(h)Article 21(1) (objections to processing);

(i)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (h).

PART 2 E+W+S+N.I.Health data

DefinitionsE+W+S+N.I.

2(1)In this Part of this Schedule—E+W+S+N.I.

  • the appropriate health professional”, in relation to a question as to whether the serious harm test is met with respect to data concerning health, means—

    (a)

    the health professional who is currently or was most recently responsible for the diagnosis, care or treatment of the data subject in connection with the matters to which the data relates,

    (b)

    where there is more than one such health professional, the health professional who is the most suitable to provide an opinion on the question, or

    (c)

    a health professional who has the necessary experience and qualifications to provide an opinion on the question, where—

    (i)

    there is no health professional available falling within paragraph (a) or (b), or

    (ii)

    the controller is the Secretary of State and data is processed in connection with the exercise of the functions conferred on the Secretary of State by or under the Child Support Act 1991 and the Child Support Act 1995, or the Secretary of State's functions in relation to social security or war pensions, or

    (iii)

    the controller is the Department for Communities in Northern Ireland and data is processed in connection with the exercise of the functions conferred on the Department by or under the Child Support (Northern Ireland) Order 1991 (S.I. 1991/2628 (N.I. 23)) and the Child Support (Northern Ireland) Order 1995 (S.I. 1995/2702 (N.I. 13));

  • war pension” has the same meaning as in section 25 of the Social Security Act 1989 (establishment and functions of war pensions committees).

(2)For the purposes of this Part of this Schedule, the “serious harm test” is met with respect to data concerning health if the application of Article 15 of the GDPR to the data would be likely to cause serious harm to the physical or mental health of the data subject or another individual.

Exemption from the listed GDPR provisions: data processed by a courtE+W+S+N.I.

3(1)The listed GDPR provisions do not apply to data concerning health if—E+W+S+N.I.

(a)it is processed by a court,

(b)it consists of information supplied in a report or other evidence given to the court in the course of proceedings to which rules listed in subparagraph (2) apply, and

(c)in accordance with those rules, the data may be withheld by the court in whole or in part from the data subject.

(2)Those rules are—

(a)the Magistrates' Courts (Children and Young Persons) Rules (Northern Ireland) 1969 (S.R. (N.I.) 1969 No. 221);

(b)the Magistrates' Courts (Children and Young Persons) Rules 1992 (S.I. 1992/2071 (L. 17));

(c)the Family Proceedings Rules (Northern Ireland) 1996 (S.R. (N.I.) 1996 No. 322);

(d)the Magistrates' Courts (Children (Northern Ireland) Order 1995) Rules (Northern Ireland) 1996 (S.R. (N. I.) 1996 No. 323);

(e)the Act of Sederunt (Child Care and Maintenance Rules) 1997 (S.I. 1997/291 (S. 19));

(f)the Sheriff Court Adoption Rules 2009;

(g)the Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17));

(h)the Children's Hearings (Scotland) Act 2011 (Rules of Procedure in Children's Hearings) Rules 2013 (S.S.I. 2013/194).

Exemption from the listed GDPR provisions: data subject's expectations and wishesE+W+S+N.I.

4(1)This paragraph applies where a request for data concerning health is made in exercise of a power conferred by an enactment or rule of law and—E+W+S+N.I.

(a)in relation to England and Wales or Northern Ireland, the data subject is an individual aged under 18 and the person making the request has parental responsibility for the data subject,

(b)in relation to Scotland, the data subject is an individual aged under 16 and the person making the request has parental responsibilities for the data subject, or

(c)the data subject is incapable of managing his or her own affairs and the person making the request has been appointed by a court to manage those affairs.

(2)The listed GDPR provisions do not apply to data concerning health to the extent that complying with the request would disclose information—

(a)which was provided by the data subject in the expectation that it would not be disclosed to the person making the request,

(b)which was obtained as a result of any examination or investigation to which the data subject consented in the expectation that the information would not be so disclosed, or

(c)which the data subject has expressly indicated should not be so disclosed.

(3)The exemptions under sub-paragraph (2)(a) and (b) do not apply if the data subject has expressly indicated that he or she no longer has the expectation mentioned there.

Exemption from Article 15 of the GDPR: serious harmE+W+S+N.I.

5(1)Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers) do not apply to data concerning health to the extent that the serious harm test is met with respect to the data.E+W+S+N.I.

(2)A controller who is not a health professional may not rely on sub-paragraph (1) to withhold data concerning health unless the controller has obtained an opinion from the person who appears to the controller to be the appropriate health professional to the effect that the serious harm test is met with respect to the data.

(3)An opinion does not count for the purposes of sub-paragraph (2) if—

(a)it was obtained before the beginning of the relevant period, or

(b)it was obtained during that period but it is reasonable in all the circumstances to re-consult the appropriate health professional.

(4)In this paragraph, “the relevant period” means the period of 6 months ending with the day on which the opinion would be relied on.

Restriction of Article 15 of the GDPR: prior opinion of appropriate health professionalE+W+S+N.I.

6(1)Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers) do not permit the disclosure of data concerning health by a controller who is not a health professional unless the controller has obtained an opinion from the person who appears to the controller to be the appropriate health professional to the effect that the serious harm test is not met with respect to the data.E+W+S+N.I.

(2)Sub-paragraph (1) does not apply to the extent that the controller is satisfied that the data concerning health has already been seen by, or is within the knowledge of, the data subject.

(3)An opinion does not count for the purposes of sub-paragraph (1) if—

(a)it was obtained before the beginning of the relevant period, or

(b)it was obtained during that period but it is reasonable in all the circumstances to re-consult the appropriate health professional.

(4)In this paragraph, “the relevant period” means the period of 6 months ending with the day on which the opinion would be relied on.

PART 3 E+W+S+N.I.Social work data

DefinitionsE+W+S+N.I.

7(1)In this Part of this Schedule—E+W+S+N.I.

  • education data” has the meaning given by paragraph 17 of this Schedule;

  • Health and Social Care trust” means a Health and Social Care trust established under the Health and Personal Social Services (Northern Ireland) Order 1991 (S.I. 1991/194 (N.I. 1));

  • Principal Reporter” means the Principal Reporter appointed under the Children's Hearings (Scotland) Act 2011 (asp 1), or an officer of the Scottish Children's Reporter Administration to whom there is delegated under paragraph 10(1) of Schedule 3 to that Act any function of the Principal Reporter;

  • social work data” means personal data which—

    (a)

    is data to which paragraph 8 applies, but

    (b)

    is not education data or data concerning health.

(2)For the purposes of this Part of this Schedule, the “serious harm test” is met with respect to social work data if the application of Article 15 of the GDPR to the data would be likely to prejudice carrying out social work, because it would be likely to cause serious harm to the physical or mental health of the data subject or another individual.

(3)In sub-paragraph (2), “carrying out social work” is to be taken to include doing any of the following—

(a)the exercise of any functions mentioned in paragraph 8(1)(a), (d), (f) to (j), (m), (p), (s), (t), (u), (v) or (w);

(b)the provision of any service mentioned in paragraph 8(1)(b), (c) or (k);

(c)the exercise of the functions of a body mentioned in paragraph 8(1)(e) or a person mentioned in paragraph 8(1)(q) or (r).

(4)In this Part of this Schedule, a reference to a local authority, in relation to data processed or formerly processed by it, includes a reference to the Council of the Isles of Scilly, in relation to data processed or formerly processed by the Council in connection with any functions mentioned in paragraph 8(1)(a)(ii) which are or have been conferred on the Council by an enactment.

8(1)This paragraph applies to personal data falling within any of the following descriptions—E+W+S+N.I.

(a)data processed by a local authority—

(i)in connection with its social services functions (within the meaning of the Local Authority Social Services Act 1970 or the Social Services and Well-being (Wales) Act 2014 (anaw 4)) or any functions exercised by local authorities under the Social Work (Scotland) Act 1968 or referred to in section 5(1B) of that Act, or

(ii)in the exercise of other functions but obtained or consisting of information obtained in connection with any of the functions mentioned in sub-paragraph (i);

(b)data processed by the Regional Health and Social Care Board—

(i)in connection with the provision of social care within the meaning of section 2(5) of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.)), or

(ii)in the exercise of other functions but obtained or consisting of information obtained in connection with the provision of that care;

(c)data processed by a Health and Social Care trust—

(i)in connection with the provision of social care within the meaning of section 2(5) of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.)) on behalf of the Regional Health and Social Care Board by virtue of an authorisation made under Article 3(1) of the Health and Personal Social Services (Northern Ireland) Order 1994 (S.I. 1994/429 (N.I. 2)), or

(ii)in the exercise of other functions but obtained or consisting of information obtained in connection with the provision of that care;

(d)data processed by a council in the exercise of its functions under Part 2 of Schedule 9 to the Health and Social Services and Social Security Adjudications Act 1983;

(e)data processed by—

(i)a probation trust established under section 5 of the Offender Management Act 2007, or

(ii)the Probation Board for Northern Ireland established by the Probation Board (Northern Ireland) Order 1982 (S.I. 1982/713 (N.I. 10));

(f)data processed by a local authority in the exercise of its functions under section 36 of the Children Act 1989 or Chapter 2 of Part 6 of the Education Act 1996, so far as those functions relate to ensuring that children of compulsory school age (within the meaning of section 8 of the Education Act 1996) receive suitable education whether by attendance at school or otherwise;

(g)data processed by the Education Authority in the exercise of its functions under Article 55 of the Children (Northern Ireland) Order 1995 (S.I. 1995/755 (N.I. 2)) or Article 45 of, and Schedule 13 to, the Education and Libraries (Northern Ireland) Order 1986 (S.I. 1986/594 (N.I. 3)), so far as those functions relate to ensuring that children of compulsory school age (within the meaning of Article 46 of the Education and Libraries (Northern Ireland) Order 1986) receive efficient full-time education suitable to their age, ability and aptitude and to any special educational needs they may have, either by regular attendance at school or otherwise;

(h)data processed by an education authority in the exercise of its functions under sections 35 to 42 of the Education (Scotland) Act 1980 so far as those functions relate to ensuring that children of school age (within the meaning of section 31 of the Education (Scotland) Act 1980) receive efficient education suitable to their age, ability and aptitude, whether by attendance at school or otherwise;

(i)data relating to persons detained in a hospital at which high security psychiatric services are provided under section 4 of the National Health Service Act 2006 and processed by a Special Health Authority established under section 28 of that Act in the exercise of any functions similar to any social services functions of a local authority;

(j)data relating to persons detained in special accommodation provided under Article 110 of the Mental Health (Northern Ireland) Order 1986 (S.I. 1986/595 (N.I. 4)) and processed by a Health and Social Care trust in the exercise of any functions similar to any social services functions of a local authority;

(k)data which—

(i)is processed by the National Society for the Prevention of Cruelty to Children, or by any other voluntary organisation or other body designated under this paragraph by the Secretary of State or the Department of Health in Northern Ireland, and

(ii)appears to the Secretary of State or the Department, as the case may be, to be processed for the purposes of the provision of any service similar to a service provided in the exercise of any functions specified in paragraph (a), (b), (c) or (d);

(l)data processed by a body mentioned in sub-paragraph (2)—

(i)which was obtained, or consists of information which was obtained, from an authority or body mentioned in any of paragraphs (a) to (k) or from a government department, and

(ii)in the case of data obtained, or consisting of information obtained, from an authority or body mentioned in any of paragraphs (a) to (k), fell within any of those paragraphs while processed by the authority or body;

(m)data processed by a National Health Service trust first established under section 25 of the National Health Service Act 2006, section 18 of the National Health Service (Wales) Act 2006 or section 5 of the National Health Service and Community Care Act 1990 in the exercise of any functions similar to any social services functions of a local authority;

(n)data processed by an NHS foundation trust in the exercise of any functions similar to any social services functions of a local authority;

(o)data processed by a government department—

(i)which was obtained, or consists of information which was obtained, from an authority or body mentioned in any of paragraphs (a) to (n), and

(ii)which fell within any of those paragraphs while processed by that authority or body;

(p)data processed for the purposes of the functions of the Secretary of State pursuant to section 82(5) of the Children Act 1989;

(q)data processed by—

(i)a children's guardian appointed under Part 16 of the Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17)),

(ii)a guardian ad litem appointed under Article 60 of the Children (Northern Ireland) Order 1995 (S.I. 1995/755 (N.I. 2)) or Article 66 of the Adoption (Northern Ireland) Order 1987 (S.I. 1987/2203 (N.I. 22)), or

(iii)a safeguarder appointed under section 30(2) or 31(3) of the Children's Hearings (Scotland) Act 2011 (asp 1);

(r)data processed by the Principal Reporter;

(s)data processed by an officer of the Children and Family Court Advisory and Support Service for the purpose of the officer's functions under section 7 of the Children Act 1989 or Part 16 of the Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17));

(t)data processed by the Welsh family proceedings officer for the purposes of the functions under section 7 of the Children Act 1989 or Part 16 of the Family Procedure Rules 2010;

(u)data processed by an officer of the service appointed as guardian ad litem under Part 16 of the Family Procedure Rules 2010;

(v)data processed by the Children and Family Court Advisory and Support Service for the purpose of its functions under section 12(1) and (2) and section 13(1), (2) and (4) of the Criminal Justice and Court Services Act 2000;

(w)data processed by the Welsh Ministers for the purposes of their functions under section 35(1) and (2) and section 36(1), (2), (4), (5) and (6) of the Children Act 2004;

(x)data processed for the purposes of the functions of the appropriate Minister pursuant to section 12 of the Adoption and Children Act 2002 (independent review of determinations).

(2)The bodies referred to in sub-paragraph (1)(l) are—

(a)a National Health Service trust first established under section 25 of the National Health Service Act 2006 or section 18 of the National Health Service (Wales) Act 2006;

(b)a National Health Service trust first established under section 5 of the National Health Service and Community Care Act 1990;

(c)an NHS foundation trust;

(d)a clinical commissioning group established under section 14D of the National Health Service Act 2006;

(e)the National Health Service Commissioning Board;

(f)a Local Health Board established under section 11 of the National Health Service (Wales) Act 2006;

(g)a Health Board established under section 2 of the National Health Service (Scotland) Act 1978.

Exemption from the listed GDPR provisions: data processed by a courtE+W+S+N.I.

9(1)The listed GDPR provisions do not apply to data that is not education data or data concerning health if—E+W+S+N.I.

(a)it is processed by a court,

(b)it consists of information supplied in a report or other evidence given to the court in the course of proceedings to which rules listed in subparagraph (2) apply, and

(c)in accordance with any of those rules, the data may be withheld by the court in whole or in part from the data subject.

(2)Those rules are—

(a)the Magistrates' Courts (Children and Young Persons) Rules (Northern Ireland) 1969 (S.R. (N.I.) 1969 No. 221);

(b)the Magistrates' Courts (Children and Young Persons) Rules 1992 (S.I. 1992/2071 (L. 17));

(c)the Family Proceedings Rules (Northern Ireland) 1996 (S.R. (N.I.) 1996 No. 322);

(d)the Magistrates' Courts (Children (Northern Ireland) Order 1995) Rules (Northern Ireland) 1996 (S.R. (N. I.) 1996 No. 323);

(e)the Act of Sederunt (Child Care and Maintenance Rules) 1997 (S.I. 1997/291 (S. 19));

(f)the Sheriff Court Adoption Rules 2009;

(g)the Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17));

(h)the Children's Hearings (Scotland) Act 2011 (Rules of Procedure in Children's Hearings) Rules 2013 (S.S.I. 2013/194).

Exemption from the listed GDPR provisions: data subject's expectations and wishesE+W+S+N.I.

10(1)This paragraph applies where a request for social work data is made in exercise of a power conferred by an enactment or rule of law and—E+W+S+N.I.

(a)in relation to England and Wales or Northern Ireland, the data subject is an individual aged under 18 and the person making the request has parental responsibility for the data subject,

(b)in relation to Scotland, the data subject is an individual aged under 16 and the person making the request has parental responsibilities for the data subject, or

(c)the data subject is incapable of managing his or her own affairs and the person making the request has been appointed by a court to manage those affairs.

(2)The listed GDPR provisions do not apply to social work data to the extent that complying with the request would disclose information—

(a)which was provided by the data subject in the expectation that it would not be disclosed to the person making the request,

(b)which was obtained as a result of any examination or investigation to which the data subject consented in the expectation that the information would not be so disclosed, or

(c)which the data subject has expressly indicated should not be so disclosed.

(3)The exemptions under sub-paragraph (2)(a) and (b) do not apply if the data subject has expressly indicated that he or she no longer has the expectation mentioned there.

Exemption from Article 15 of the GDPR: serious harmE+W+S+N.I.

11Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers) do not apply to social work data to the extent that the serious harm test is met with respect to the data.E+W+S+N.I.

Restriction of Article 15 of the GDPR: prior opinion of Principal ReporterE+W+S+N.I.

12(1)This paragraph applies where—E+W+S+N.I.

(a)a question arises as to whether a controller who is a social work authority is obliged by Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers) to disclose social work data, and

(b)the data—

(i)originated from or was supplied by the Principal Reporter acting in pursuance of the Principal Reporter's statutory duties, and

(ii)is not data which the data subject is entitled to receive from the Principal Reporter.

(2)The controller must inform the Principal Reporter of the fact that the question has arisen before the end of the period of 14 days beginning when the question arises.

(3)Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers) do not permit the controller to disclose the data to the data subject unless the Principal Reporter has informed the controller that, in the opinion of the Principal Reporter, the serious harm test is not met with respect to the data.

(4)In this paragraph “social work authority” means a local authority for the purposes of the Social Work (Scotland) Act 1968.

PART 4 E+W+S+N.I.Education data

Educational recordsE+W+S+N.I.

13In this Part of this Schedule “educational record” means a record to which paragraph 14, 15 or 16 applies.E+W+S+N.I.

14(1)This paragraph applies to a record of information which—E+W+S+N.I.

(a)is processed by or on behalf of the proprietor of, or a teacher at, a school in England and Wales specified in sub-paragraph (3),

(b)relates to an individual who is or has been a pupil at the school, and

(c)originated from, or was supplied by or on behalf of, any of the persons specified in sub-paragraph (4).

(2)But this paragraph does not apply to information which is processed by a teacher solely for the teacher's own use.

(3)The schools referred to in sub-paragraph (1)(a) are—

(a)a school maintained by a local authority;

(b)an Academy school;

(c)an alternative provision Academy;

(d)an independent school that is not an Academy school or an alternative provision Academy;

(e)a non-maintained special school.

(4)The persons referred to in sub-paragraph (1)(c) are—

(a)an employee of the local authority which maintains the school;

(b)in the case of—

(i)a voluntary aided, foundation or foundation special school (within the meaning of the School Standards and Framework Act 1998),

(ii)an Academy school,

(iii)an alternative provision Academy,

(iv)an independent school that is not an Academy school or an alternative provision Academy, or

(v)a non-maintained special school,

a teacher or other employee at the school (including an educational psychologist engaged by the proprietor under a contract for services);

(c)the pupil to whom the record relates;

(d)a parent, as defined by section 576(1) of the Education Act 1996, of that pupil.

(5)In this paragraph—

  • independent school” has the meaning given by section 463 of the Education Act 1996;

  • local authority” has the same meaning as in that Act (see sections 579(1) and 581 of that Act);

  • non-maintained special school” has the meaning given by section 337A of that Act;

  • proprietor” has the meaning given by section 579(1) of that Act.

15(1)This paragraph applies to a record of information which is processed—E+W+S+N.I.

(a)by an education authority in Scotland, and

(b)for the purpose of the relevant function of the authority.

(2)But this paragraph does not apply to information which is processed by a teacher solely for the teacher's own use.

(3)For the purposes of this paragraph, information processed by an education authority is processed for the purpose of the relevant function of the authority if the processing relates to the discharge of that function in respect of a person—

(a)who is or has been a pupil in a school provided by the authority, or

(b)who receives, or has received, further education provided by the authority.

(4)In this paragraph “the relevant function” means, in relation to each education authority, its function under section 1 of the Education (Scotland) Act 1980 and section 7(1) of the Self-Governing Schools etc. (Scotland) Act 1989.

16(1)This paragraph applies to a record of information which—E+W+S+N.I.

(a)is processed by or on behalf of the Board of Governors, proprietor or trustees of, or a teacher at, a school in Northern Ireland specified in sub-paragraph (3),

(b)relates to an individual who is or has been a pupil at the school, and

(c)originated from, or was supplied by or on behalf of, any of the persons specified in sub-paragraph (4).

(2)But this paragraph does not apply to information which is processed by a teacher solely for the teacher's own use.

(3)The schools referred to in sub-paragraph (1)(a) are—

(a)a grant-aided school;

(b)an independent school.

(4)The persons referred to in sub-paragraph (1)(c) are—

(a)a teacher at the school;

(b)an employee of the Education Authority, other than a teacher at the school;

(c)an employee of the Council for Catholic Maintained Schools, other than a teacher at the school;

(d)the pupil to whom the record relates;

(e)a parent, as defined by Article 2(2) of the Education and Libraries (Northern Ireland) Order 1986 (S.I. 1986/594 (N.I. 3)).

(5)In this paragraph, “grant-aided school”, “independent school”, “proprietor” and “trustees” have the same meaning as in the Education and Libraries (Northern Ireland) Order 1986 (S.I. 1986/594 (N.I. 3)).

Other definitionsE+W+S+N.I.

17(1)In this Part of this Schedule—E+W+S+N.I.

  • education authority” and “further education” have the same meaning as in the Education (Scotland) Act 1980;

  • education data” means personal data consisting of information which—

    (a)

    constitutes an educational record, but

    (b)

    is not data concerning health;

  • Principal Reporter” means the Principal Reporter appointed under the Children's Hearings (Scotland) Act 2011 (asp 1), or an officer of the Scottish Children's Reporter Administration to whom there is delegated under paragraph 10(1) of Schedule 3 to that Act any function of the Principal Reporter;

  • pupil” means—

    (a)

    in relation to a school in England and Wales, a registered pupil within the meaning of the Education Act 1996,

    (b)

    in relation to a school in Scotland, a pupil within the meaning of the Education (Scotland) Act 1980, and

    (c)

    in relation to a school in Northern Ireland, a registered pupil within the meaning of the Education and Libraries (Northern Ireland) Order 1986 (S.I. 1986/594 (N.I. 3));

  • “school”—

    (a)

    in relation to England and Wales, has the same meaning as in the Education Act 1996,

    (b)

    in relation to Scotland, has the same meaning as in the Education (Scotland) Act 1980, and

    (c)

    in relation to Northern Ireland, has the same meaning as in the Education and Libraries (Northern Ireland) Order 1986;

  • teacher” includes—

    (a)

    in Great Britain, head teacher, and

    (b)

    in Northern Ireland, the principal of a school.

(2)For the purposes of this Part of this Schedule, the “serious harm test” is met with respect to education data if the application of Article 15 of the GDPR to the data would be likely to cause serious harm to the physical or mental health of the data subject or another individual.

Exemption from the listed GDPR provisions: data processed by a courtE+W+S+N.I.

18(1)The listed GDPR provisions do not apply to education data if—E+W+S+N.I.

(a)it is processed by a court,

(b)it consists of information supplied in a report or other evidence given to the court in the course of proceedings to which rules listed in subparagraph (2) apply, and

(c)in accordance with those rules, the data may be withheld by the court in whole or in part from the data subject.

(2)Those rules are—

(a)the Magistrates' Courts (Children and Young Persons) Rules (Northern Ireland) 1969 (S.R. (N.I.) 1969 No. 221);

(b)the Magistrates' Courts (Children and Young Persons) Rules 1992 (S.I. 1992/2071 (L. 17));

(c)the Family Proceedings Rules (Northern Ireland) 1996 (S.R. (N.I.) 1996 No. 322);

(d)the Magistrates' Courts (Children (Northern Ireland) Order 1995) Rules (Northern Ireland) 1996 (S.R. (N. I.) 1996 No. 323);

(e)the Act of Sederunt (Child Care and Maintenance Rules) 1997 (S.I. 1997/291 (S. 19));

(f)the Sheriff Court Adoption Rules 2009;

(g)the Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17));

(h)the Children's Hearings (Scotland) Act 2011 (Rules of Procedure in Children's Hearings) Rules 2013 (S.S.I. 2013/194).

Exemption from Article 15 of the GDPR: serious harmE+W+S+N.I.

19Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers) do not apply to education data to the extent that the serious harm test is met with respect to the data.E+W+S+N.I.

Restriction of Article 15 of the GDPR: prior opinion of Principal ReporterE+W+S+N.I.

20(1)This paragraph applies where—E+W+S+N.I.

(a)a question arises as to whether a controller who is an education authority is obliged by Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers) to disclose education data, and

(b)the controller believes that the data—

(i)originated from or was supplied by or on behalf of the Principal Reporter acting in pursuance of the Principal Reporter's statutory duties, and

(ii)is not data which the data subject is entitled to receive from the Principal Reporter.

(2)The controller must inform the Principal Reporter of the fact that the question has arisen before the end of the period of 14 days beginning when the question arises.

(3)Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers) do not permit the controller to disclose the data to the data subject unless the Principal Reporter has informed the controller that, in the opinion of the Principal Reporter, the serious harm test is not met with respect to the data.

PART 5 E+W+S+N.I.Child abuse data

Exemption from Article 15 of the GDPR: child abuse dataE+W+S+N.I.

21(1)This paragraph applies where a request for child abuse data is made in exercise of a power conferred by an enactment or rule of law and—E+W+S+N.I.

(a)the data subject is an individual aged under 18 and the person making the request has parental responsibility for the data subject, or

(b)the data subject is incapable of managing his or her own affairs and the person making the request has been appointed by a court to manage those affairs.

(2)Article 15(1) to (3) of the GDPR (confirmation of processing, access to data and safeguards for third country transfers) do not apply to child abuse data to the extent that the application of that provision would not be in the best interests of the data subject.

(3)“Child abuse data” is personal data consisting of information as to whether the data subject is or has been the subject of, or may be at risk of, child abuse.

(4)For this purpose, “child abuse” includes physical injury (other than accidental injury) to, and physical and emotional neglect, ill-treatment and sexual abuse of, an individual aged under 18.

(5)This paragraph does not apply in relation to Scotland.

Prospective

Section 15

SCHEDULE 4E+W+S+N.I.Exemptions etc from the GDPR: disclosure prohibited or restricted by an enactment

GDPR provisions to be restricted: “the listed GDPR provisions”E+W+S+N.I.

1In this Schedule “the listed GDPR provisions” means the following provisions of the GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the GDPR)—E+W+S+N.I.

(a)Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(b)Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in Article 15(1) to (3).

Human fertilisation and embryology informationE+W+S+N.I.

2The listed GDPR provisions do not apply to personal data consisting of information the disclosure of which is prohibited or restricted by any of sections 31, 31ZA to 31ZE and 33A to 33D of the Human Fertilisation and Embryology Act 1990.E+W+S+N.I.

Adoption records and reportsE+W+S+N.I.

3(1)The listed GDPR provisions do not apply to personal data consisting of information the disclosure of which is prohibited or restricted by an enactment listed in sub-paragraph (2), (3) or (4).E+W+S+N.I.

(2)The enactments extending to England and Wales are—

(a)regulation 14 of the Adoption Agencies Regulations 1983 (S.I. 1983/1964);

(b)regulation 41 of the Adoption Agencies Regulations 2005 (S.I. 2005/389);

(c)regulation 42 of the Adoption Agencies (Wales) Regulations 2005 (S.I. 2005/1313 (W. 95));

(d)rules 5, 6, 9, 17, 18, 21, 22 and 53 of the Adoption Rules 1984 (S.I. 1984/265);

(e)rules 24, 29, 30, 65, 72, 73, 77, 78 and 83 of the Family Procedure (Adoption) Rules 2005 (S.I. 2005/2795 (L. 22));

(f)in the Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17)), rules 14.6, 14.11, 14.12, 14.13, 14.14, 14.24, 16.20 (so far as it applies to a children's guardian appointed in proceedings to which Part 14 of those Rules applies), 16.32 and 16.33 (so far as it applies to a children and family reporter in proceedings to which Part 14 of those Rules applies).

(3)The enactments extending to Scotland are—

(a)regulation 23 of the Adoption Agencies (Scotland) Regulations 1996 (S.I. 1996/3266 (S. 254));

(b)rule 67.3 of the Act of Sederunt (Rules of the Court of Session 1994) 1994 (S.I. 1994/1443 (S. 69));

(c)rules 10.3, 17.2, 21, 25, 39, 43.3, 46.2 and 47 of the Act of Sederunt (Sheriff Court Rules Amendment) (Adoption and Children (Scotland) Act 2007) 2009 (S.S.I. 2009/284);

(d)sections 53 and 55 of the Adoption and Children (Scotland) Act 2007 (asp 4);

(e)regulation 28 of the Adoption Agencies (Scotland) Regulations 2009 (S.S.I. 2009/154);

(f)regulation 3 of the Adoption (Disclosure of Information and Medical Information about Natural Parents) (Scotland) Regulations 2009 (S.S.I. 2009/268).

(4)The enactments extending to Northern Ireland are—

(a)Articles 50 and 54 of the Adoption (Northern Ireland) Order 1987 (S.I. 1987/2203 (N.I. 22));

(b)rule 53 of Order 84 of the Rules of the Court of Judicature (Northern Ireland) 1980 (S.R. (N.I.) 1980 No. 346);

(c)rules 4A.4(5), 4A.5(1), 4A.6(6), 4A.22(5) and 4C.7 of Part IVA of the Family Proceedings Rules (Northern Ireland) 1996 (S.R. (N.I.) 1996 No. 322).

Statements of special educational needsE+W+S+N.I.

4(1)The listed GDPR provisions do not apply to personal data consisting of information the disclosure of which is prohibited or restricted by an enactment listed in sub-paragraph (2).E+W+S+N.I.

(2)The enactments are—

(a)regulation 17 of the Special Educational Needs and Disability Regulations 2014 (S.I. 2014/1530);

(b)regulation 10 of the Additional Support for Learning (Co-ordinated Support Plan) (Scotland) Amendment Regulations 2005 (S.S.I. 2005/518);

(c)regulation 22 of the Education (Special Educational Needs) Regulations (Northern Ireland) 2005 (S.R. (N.I.) 2005 No. 384).

Parental order records and reportsE+W+S+N.I.

5(1)The listed GDPR provisions do not apply to personal data consisting of information the disclosure of which is prohibited or restricted by an enactment listed in sub-paragraph (2), (3) or (4).E+W+S+N.I.

(2)The enactments extending to England and Wales are—

(a)sections 60, 77, 78 and 79 of the Adoption and Children Act 2002, as applied with modifications by regulation 2 of and Schedule 1 to the Human Fertilisation and Embryology (Parental Orders) Regulations 2010 (S.I. 2010/985) in relation to parental orders made under—

(i)section 30 of the Human Fertilisation and Embryology Act 1990, or

(ii)section 54 of the Human Fertilisation and Embryology Act 2008;

(b)rules made under section 144 of the Magistrates' Courts Act 1980 by virtue of section 141(1) of the Adoption and Children Act 2002, as applied with modifications by regulation 2 of and Schedule 1 to the Human Fertilisation and Embryology (Parental Orders) Regulations 2010, so far as the rules relate to—

(i)the appointment and duties of the parental order reporter, and

(ii)the keeping of registers and the custody, inspection and disclosure of documents and information relating to parental order proceedings or related proceedings;

(c)rules made under section 75 of the Courts Act 2003 by virtue of section 141(1) of the Adoption and Children Act 2002, as applied with modifications by regulation 2 of Schedule 1 to the Human Fertilisation and Embryology (Parental Orders) Regulations 2010 (S.I. 2010/985), so far as the rules relate to—

(i)the appointment and duties of the parental order reporter, and

(ii)the keeping of registers and the custody, inspection and disclosure of documents and information relating to parental order proceedings or related proceedings.

(3)The enactments extending to Scotland are—

(a)sections 53 and 55 of the Adoption and Children (Scotland) Act 2007 (asp 4), as applied with modifications by regulation 4 of and Schedule 3 to the Human Fertilisation and Embryology (Parental Orders) Regulations 2010 (S.I. 2010/985) in relation to parental orders made under—

(i)section 30 of the Human Fertilisation and Embryology Act 1990, or

(ii)section 54 of the Human Fertilisation and Embryology Act 2008;

(b)rules 2.47 and 2.59 of the Act of Sederunt (Child Care and Maintenance Rules) 1997 (S.I. 1997/291 (S. 19));

(c)rules 21 and 25 of the Sheriff Court Adoption Rules 2009.

(4)The enactments extending to Northern Ireland are—

(a)Articles 50 and 54 of the Adoption (Northern Ireland) Order 1987 (S.I. 1987/2203 (N.I. 22)), as applied with modifications by regulation 3 of and Schedule 2 to the Human Fertilisation and Embryology (Parental Orders) Regulations 2010 in respect of parental orders made under—

(i)section 30 of the Human Fertilisation and Embryology Act 1990, or

(ii)section 54 of the Human Fertilisation and Embryology Act 2008;

(b)rules 4, 5 and 16 of Order 84A of the Rules of the Court of Judicature (Northern Ireland) 1980 (S.R. (N.I.) 1980 No. 346);

(c)rules 3, 4 and 15 of Order 50A of the County Court Rules (Northern Ireland) 1981 (S.R. (N.I.) 1981 No. 225).

Information provided by Principal Reporter for children's hearingE+W+S+N.I.

6The listed GDPR provisions do not apply to personal data consisting of information the disclosure of which is prohibited or restricted by any of the following enactments—E+W+S+N.I.

(a)section 178 of the Children's Hearings (Scotland) Act 2011 (asp 1);

(b)the Children's Hearings (Scotland) Act 2011 (Rules of Procedure in Children's Hearings) Rules 2013 (S.S.I. 2013/194).

Prospective

Section 17

SCHEDULE 5E+W+S+N.I.Accreditation of certification providers: reviews and appeals

IntroductionE+W+S+N.I.

1(1)This Schedule applies where—E+W+S+N.I.

(a)a person (“the applicant”) applies to an accreditation authority for accreditation as a certification provider, and

(b)is dissatisfied with the decision on that application.

(2)In this Schedule—

  • accreditation authority” means—

    (a)

    the Commissioner, or

    (b)

    the national accreditation body;

  • certification provider” and “national accreditation body” have the same meaning as in section 17.

ReviewE+W+S+N.I.

2(1)The applicant may ask the accreditation authority to review the decision.E+W+S+N.I.

(2)The request must be made in writing before the end of the period of 28 days beginning with the day on which the person receives written notice of the accreditation authority's decision.

(3)The request must specify—

(a)the decision to be reviewed, and

(b)the reasons for asking for the review.

(4)The request may be accompanied by additional documents which the applicant wants the accreditation authority to take into account for the purposes of the review.

(5)If the applicant makes a request in accordance with sub-paragraphs (1) to (4), the accreditation authority must—

(a)review the decision, and

(b)inform the applicant of the outcome of the review in writing before the end of the period of 28 days beginning with the day on which the request for a review is received.

Right to appealE+W+S+N.I.

3(1)If the applicant is dissatisfied with the decision on the review under paragraph 2, the applicant may ask the accreditation authority to refer the decision to an appeal panel constituted in accordance with paragraph 4.E+W+S+N.I.

(2)The request must be made in writing before the end of the period of 3 months beginning with the day on which the person receives written notice of the decision on the review.

(3)A request must specify—

(a)the decision to be referred to the appeal panel, and

(b)the reasons for asking for it to be referred.

(4)The request may be accompanied by additional documents which the applicant wants the appeal panel to take into account.

(5)The applicant may discontinue an appeal at any time by giving notice in writing to the accreditation authority.

Appeal panelE+W+S+N.I.

4(1)If the applicant makes a request in accordance with paragraph 3, an appeal panel must be established in accordance with this paragraph.E+W+S+N.I.

(2)An appeal panel must consist of a chair and at least two other members.

(3)Where the request relates to a decision of the Commissioner—

(a)the Secretary of State may appoint one person to be a member of the appeal panel other than the chair, and

(b)subject to paragraph (a), the Commissioner must appoint the members of the appeal panel.

(4)Where the request relates to a decision of the national accreditation body—

(a)the Secretary of State—

(i)may appoint one person to be a member of the appeal panel other than the chair, or

(ii)may direct the Commissioner to appoint one person to be a member of the appeal panel other than the chair, and

(b)subject to paragraph (a), the chair of the national accreditation body must appoint the members of the appeal panel.

(5)A person may not be a member of an appeal panel if the person—

(a)has a commercial interest in the decision referred to the panel,

(b)has had any prior involvement in any matters relating to the decision, or

(c)is an employee or officer of the accreditation authority.

(6)The Commissioner may not be a member of an appeal panel to which a decision of the Commissioner is referred.

(7)The applicant may object to all or any of the members of the appeal panel appointed under sub-paragraph (3) or (4).

(8)If the applicant objects to a member of the appeal panel under sub-paragraph (7), the person who appointed that member must appoint a replacement.

(9)The applicant may not object to a member of the appeal panel appointed under sub-paragraph (8).

HearingE+W+S+N.I.

5(1)If the appeal panel considers it necessary, a hearing must be held at which both the applicant and the accreditation authority may be represented.E+W+S+N.I.

(2)Any additional documents which the applicant or the accreditation authority want the appeal panel to take into account must be submitted to the chair of the appeal panel at least 5 working days before the hearing.

(3)The appeal panel may allow experts and witnesses to give evidence at a hearing.

Decision following referral to appeal panelE+W+S+N.I.

6(1)The appeal panel must, before the end of the period of 28 days beginning with the day on which the appeal panel is established in accordance with paragraph 4—E+W+S+N.I.

(a)make a reasoned recommendation in writing to the accreditation authority, and

(b)give a copy of the recommendation to the applicant.

(2)For the purposes of sub-paragraph (1), where there is an objection under paragraph 4(7), an appeal panel is not to be taken to be established in accordance with paragraph 4 until the replacement member is appointed (or, if there is more than one objection, until the last replacement member is appointed).

(3)The accreditation authority must, before the end of the period of 3 working days beginning with the day on which the authority receives the recommendation—

(a)make a reasoned final decision in writing, and

(b)give a copy of the decision to the applicant.

(4)Where the accreditation authority is the national accreditation body, the recommendation must be given to, and the final decision must be made by, the chief executive of that body.

Meaning of “working day”E+W+S+N.I.

7In this Schedule, “working day” means any day other than—E+W+S+N.I.

(a)Saturday or Sunday,

(b)Christmas Day or Good Friday, or

(c)a day which is a bank holiday under the Banking and Financial Dealings Act 1971 in any part of the United Kingdom.

Prospective

Section 22

SCHEDULE 6E+W+S+N.I.The applied GDPR and the applied Chapter 2

PART 1 E+W+S+N.I.Modifications to the GDPR

IntroductoryE+W+S+N.I.

1In its application by virtue of section 22(1), the GDPR has effect as if it were modified as follows.E+W+S+N.I.

References to the GDPR and its provisionsE+W+S+N.I.

2(1)References to “this Regulation” and to provisions of the GDPR have effect as references to the applied GDPR and to the provisions of the applied GDPR.E+W+S+N.I.

(2)But sub-paragraph (1) does not have effect—

(a)in the case of the references which are modified or inserted by paragraphs 9(f)(ii), 15(b), 16(a)(ii), 35, 36(a) and (e)(ii) and 38(a)(i);

(b)in relation to the references in points (a) and (b) of paragraph 2 of Article 61, as inserted by paragraph 49.

References to Union law and Member State lawE+W+S+N.I.

3(1)References to “Union law”, “Member State law”, “the law of a Member State” and “Union or Member State law” have effect as references to domestic law.E+W+S+N.I.

(2)Sub-paragraph (1) is subject to the specific modifications made in this Part of this Schedule.

(3)In this paragraph, “domestic law” means the law of the United Kingdom, or of a part of the United Kingdom, and includes law in the form of an enactment, an instrument made under Her Majesty's prerogative or a rule of law.

References to the Union and to Member StatesE+W+S+N.I.

4(1)References to “the Union”, “a Member State” and “Member States” have effect as references to the United Kingdom.E+W+S+N.I.

(2)Sub-paragraph (1) is subject to the specific modifications made in this Part of this Schedule (including paragraph 3(1)).

References to supervisory authoritiesE+W+S+N.I.

5(1)References to a “supervisory authority”, a “competent supervisory authority” or “supervisory authorities”, however expressed, have effect as references to the Commissioner.E+W+S+N.I.

(2)Sub-paragraph (1) does not apply to the references in—

(a)Article 4(21) as modified by paragraph 9(f);

(b)Article 57(1)(h);

(c)Article 61(1) inserted by paragraph 49.

(3)Sub-paragraph (1) is also subject to the specific modifications made in this Part of this Schedule.

References to the national parliamentE+W+S+N.I.

6References to “the national parliament” have effect as references to both Houses of Parliament.E+W+S+N.I.

Chapter I of the GDPR (general provisions)E+W+S+N.I.

7For Article 2 (material scope) substitute—E+W+S+N.I.

2This Regulation applies to the processing of personal data to which Chapter 3 of Part 2 of the 2018 Act applies (see section 21 of that Act).

8For Article 3 substitute—E+W+S+N.I.

Article 3E+W+S+N.I.Territorial application

Subsections (1), (2) and (7) of section 207 of the 2018 Act have effect for the purposes of this Regulation as they have effect for the purposes of that Act but as if the following were omitted—

(a)in subsection (1), the reference to subsection (3), and

(b)in subsection (7), the words following paragraph (d).

9In Article 4 (definitions)—E+W+S+N.I.

(a)in paragraph (7) (meaning of “controller”), for “; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law” substitute “ , subject to section 6 of the 2018 Act (meaning of “controller”) ”;

(b)after paragraph (7) insert—

(7A)the 2018 Act” means the Data Protection Act 2018 as applied by section 22 of that Act and further modified by section 3 of that Act.;

(c)omit paragraph (16) (meaning of “main establishment”);

(d)omit paragraph (17) (meaning of “representative”);

(e)in paragraph (20) (meaning of “binding corporate rules”), for “on the territory of a Member State” substitute “ in the United Kingdom ”;

(f)in paragraph (21) (meaning of “supervisory authority”)—

(i)after “a Member State” insert “ (other than the United Kingdom) ”;

(ii)for “Article 51” substitute “ Article 51 of the GDPR ”;

(g)after paragraph (21) insert—

(21A)the Commissioner” means the Information Commissioner (see section 114 of the 2018 Act);;

(h)omit paragraph (22) (meaning of “supervisory authority concerned”);

(i)omit paragraph (23) (meaning of “cross-border processing”);

(j)omit paragraph (24) (meaning of “relevant and reasoned objection”);

(k)after paragraph (26) insert—

(27)the GDPR” has the meaning given in section 3(10) of the 2018 Act.

(28)domestic law” has the meaning given in paragraph 3(3) of Schedule 6 to the 2018 Act.

Chapter II of the GDPR (principles)E+W+S+N.I.

10In Article 6 (lawfulness of processing)—E+W+S+N.I.

(a)omit paragraph 2;

(b)in paragraph 3, for the first subparagraph substitute—

In addition to the provision made in section 15 of and Part 1 of Schedule 2 to the 2018 Act, a legal basis for the processing referred to in point (c) and (e) of paragraph 1 may be laid down by the Secretary of State in regulations (see section 16 of the 2018 Act).;

(c)in paragraph 3, in the second subparagraph, for “The Union or the Member State law shall” substitute “ The regulations must ”.

11In Article 8 (conditions applicable to child's consent in relation to information society services)—E+W+S+N.I.

(a)in paragraph 1, for the second subparagraph substitute—

This paragraph is subject to section 9 of the 2018 Act.;

(b)in paragraph 3, for “the general contract law of Member States” substitute “ the general law of contract as it operates in domestic law ”.

12In Article 9 (processing of special categories of personal data)—E+W+S+N.I.

(a)in paragraph 2(a), omit “, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject”;

(b)in paragraph 2(b), for “Union or Member State law” substitute “ domestic law (see section 10 of the 2018 Act) ”;

(c)in paragraph 2, for point (g) substitute—

(g)processing is necessary for reasons of substantial public interest and is authorised by domestic law (see section 10 of the 2018 Act);;

(d)in paragraph 2(h), for “Union or Member State law” substitute “ domestic law (see section 10 of the 2018 Act) ”;

(e)in paragraph 2(i), for “Union or Member State law” insert “ domestic law (see section 10 of the 2018 Act); ”;

(f)in paragraph 2, for point (j) substitute—

(j)processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) (as supplemented by section 19 of the 2018 Act) and is authorised by domestic law (see section 10 of that Act).;

(g)in paragraph 3, for “national competent bodies”, in both places, substitute “ a national competent body of the United Kingdom ”;

(h)omit paragraph 4.

13In Article 10 (processing of personal data relating to criminal convictions and offences), in the first sentence, for “Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects” substitute “ domestic law (see section 10 of the 2018 Act) ”.E+W+S+N.I.

Section 1 of Chapter III of the GDPR (rights of the data subject: transparency and modalities)E+W+S+N.I.

14In Article 12 (transparent information etc for the exercise of the rights of the data subject), omit paragraph 8.E+W+S+N.I.

Section 2 of Chapter III of the GDPR (rights of the data subject: information and access to personal data)E+W+S+N.I.

15In Article 13 (personal data collected from data subject: information to be provided), in paragraph 1—E+W+S+N.I.

(a)in point (a), omit “and, where applicable, of the controller's representative”;

(b)in point (f), after “the Commission” insert “ pursuant to Article 45(3) of the GDPR ”.

16In Article 14 (personal data collected other than from data subject: information to be provided)—E+W+S+N.I.

(a)in paragraph 1—

(i)in point (a), omit “and, where applicable, of the controller's representative”;

(ii)in point (f), after “the Commission” insert “ pursuant to Article 45(3) of the GDPR ”;

(b)in paragraph 5(c), for “Union or Member State law to which the controller is subject” substitute “ a rule of domestic law ”.

Section 3 of Chapter III of the GDPR (rights of the data subject: rectification and erasure)E+W+S+N.I.

17In Article 17 (right to erasure (‘right to be forgotten’))—E+W+S+N.I.

(a)in paragraph 1(e), for “in Union or Member State law to which the controller is subject” substitute “ under domestic law ”;

(b)in paragraph 3(b), for “by Union or Member State law to which the controller is subject” substitute “ under domestic law ”.

18In Article 18 (right to restriction of processing), in paragraph 2, for “of the Union or of a Member State” substitute “ of the United Kingdom ”.E+W+S+N.I.

Section 4 of Chapter III of the GDPR (rights of the data subject: right to object and automated individual decision-making)E+W+S+N.I.

19In Article 21 (right to object), in paragraph 5, omit “, and notwithstanding Directive 2002/58/EC,”.E+W+S+N.I.

20In Article 22 (automated individual decision-making, including profiling), for paragraph 2(b) substitute—E+W+S+N.I.

(b)is a qualifying significant decision for the purposes of section 14 of the 2018 Act; or.

Section 5 of Chapter III of the GDPR (rights of the data subject: restrictions)E+W+S+N.I.

21In Article 23 (restrictions), in paragraph 1—E+W+S+N.I.

(a)for “Union or Member State law to which the data controller or processor is subject” substitute “ In addition to the provision made by section 15 of and Schedules 2, 3 and 4 to the 2018 Act, the Secretary of State ”;

(b)in point (e), for “of the Union or of a Member State”, in both places, substitute “ of the United Kingdom ”;

(c)after point (j) insert—

See section 16 of the 2018 Act.

Section 1 of Chapter IV of the GDPR (controller and processor: general obligations)E+W+S+N.I.

22In Article 26 (joint controllers), in paragraph 1, for “Union or Member State law to which the controllers are subject” substitute “ domestic law ”.E+W+S+N.I.

23Omit Article 27 (representatives of controllers or processors not established in the Union).E+W+S+N.I.

24In Article 28 (processor)—E+W+S+N.I.

(a)in paragraph 3, in point (a), for “Union or Member State law to which the processor is subject” substitute “ domestic law ”;

(b)in paragraph 3, in the second subparagraph, for “other Union or Member State data protection provisions” substitute “ any other rule of domestic law relating to data protection ”;

(c)in paragraph 6, for “paragraphs 7 and 8” substitute “ paragraph 8 ”;

(d)omit paragraph 7;

(e)in paragraph 8, omit “and in accordance with the consistency mechanism referred to in Article 63”.

25In Article 30 (records of processing activities)—E+W+S+N.I.

(a)in paragraph 1, in the first sentence, omit “and, where applicable, the controller's representative,”;

(b)in paragraph 1, in point (a), omit “, the controller's representative”;

(c)in paragraph 1, in point (g), after “32(1)” insert “ or section 28(3) of the 2018 Act ”;

(d)in paragraph 2, in the first sentence, omit “and, where applicable, the processor's representative”;

(e)in paragraph 2, in point (a), omit “the controller's or the processor's representative, and”;

(f)in paragraph 2, in point (d), after “32(1)” insert “ or section 28(3) of the 2018 Act ”;

(g)in paragraph 4, omit “and, where applicable, the controller's or the processor's representative,”.

26In Article 31 (co-operation with the supervisory authority), omit “and, where applicable, their representatives,”.E+W+S+N.I.

Section 3 of Chapter IV of the GDPR (controller and processor: data protection impact assessment and prior consultation)E+W+S+N.I.

27In Article 35 (data protection impact assessment), omit paragraphs 4, 5, 6 and 10.E+W+S+N.I.

28In Article 36 (prior consultation)—E+W+S+N.I.

(a)for paragraph 4 substitute—

4The Secretary of State must consult the Commissioner during the preparation of any proposal for a legislative measure which relates to processing.;

(b)omit paragraph 5.

Section 4 of Chapter IV of the GDPR (controller and processor: data protection officer)E+W+S+N.I.

29In Article 37 (designation of data protection officers), omit paragraph 4.E+W+S+N.I.

30In Article 39 (tasks of the data protection officer), in paragraph 1(a) and (b), for “other Union or Member State data protection provisions” substitute “ other rules of domestic law relating to data protection ”.E+W+S+N.I.

Section 5 of Chapter IV of the GDPR (controller and processor: codes of conduct and certification)E+W+S+N.I.

31In Article 40 (codes of conduct)—E+W+S+N.I.

(a)in paragraph 1, for “The Member States, the supervisory authorities, the Board and the Commission shall” substitute “ The Commissioner must ”;

(b)omit paragraph 3;

(c)in paragraph 6, omit “, and where the code of conduct concerned does not relate to processing activities in several Member States”;

(d)omit paragraphs 7 to 11.

32In Article 41 (monitoring of approved codes of conduct), omit paragraph 3.E+W+S+N.I.

33In Article 42 (certification)—E+W+S+N.I.

(a)in paragraph 1—

(i)for “The Member States, the supervisory authorities, the Board and the Commission” substitute “ The Commissioner ”;

(ii)omit “, in particular at Union level,”;

(b)omit paragraph 2;

(c)in paragraph 5, omit “or by the Board pursuant to Article 63. Where the criteria are approved by the Board, this may result in a common certification, the European Data Protection Seal”;

(d)omit paragraph 8.

34In Article 43 (certification bodies)—E+W+S+N.I.

(a)in paragraph 1, in the second sentence, for “Member States shall ensure that those certification bodies are” substitute “ Those certification bodies must be ”;

(b)in paragraph 2, in point (b), omit “or by the Board pursuant to Article 63”;

(c)in paragraph 3, omit “or by the Board pursuant to Article 63”;

(d)in paragraph 6, omit the second and third sentences;

(e)omit paragraphs 8 and 9.

Chapter V of the GDPR (transfers of data to third countries or international organisations)E+W+S+N.I.

35In Article 45 (transfers on the basis of an adequacy decision)—E+W+S+N.I.

(a)in paragraph 1, after “decided” insert “ in accordance with Article 45 of the GDPR ”;

(b)after paragraph 1 insert—

1ABut a transfer of personal data to a third country or international organisation must not take place under paragraph 1, if the Commission's decision in relation to the third country (including a territory or sector within it) or the international organisation—

(a)is suspended,

(b)has been amended, or

(c)has been repealed,

by the Commission under Article 45(5) of the GDPR.;

(c)omit paragraphs 2 to 8;

(d)in paragraph 9, for “of this Article” substitute “ of Article 45 of the GDPR ”.

36In Article 46 (transfers subject to appropriate safeguards)—E+W+S+N.I.

(a)in paragraph 1, for “Article 45(3)” substitute “ Article 45(3) of the GDPR ”;

(b)in paragraph 2, omit point (c);

(c)in paragraph 2, in point (d), omit “and approved by the Commission pursuant to the examination procedure referred to in Article 93(2)”;

(d)omit paragraph 4;

(e)in paragraph 5—

(i)in the first sentence, for “a Member State or supervisory authority” substitute “ the Commissioner ”;

(ii)in the second sentence, for “this Article” substitute “ Article 46 of the GDPR ”.

37In Article 47 (binding corporate rules)—E+W+S+N.I.

(a)in paragraph 1, in the first sentence, omit “in accordance with the consistency mechanism set out in Article 63”;

(b)in paragraph 2, in point (e), for “the competent courts of the Member States” substitute “ a court ”;

(c)in paragraph 2, in point (f), for “on the territory of a Member State” substitute “ in the United Kingdom ”;

(d)omit paragraph 3.

38In Article 49 (derogations for specific situations)—E+W+S+N.I.

(a)in paragraph 1, in the first sentence—

(i)for “Article 45(3)” substitute “ Article 45(3) of the GDPR ”;

(ii)for “Article 46” substitute “ Article 46 of this Regulation ”;

(b)in paragraph 4, for “Union law or in the law of the Member State to which the controller is subject” substitute “ domestic law (see section 18 of the 2018 Act which makes certain provision about the public interest) ”;

(c)for paragraph 5 substitute—

5Paragraph 1 is subject to any regulations made under section 18(2) of the 2018 Act.

39In Article 50 (international co-operation for the protection of personal data), omit “the Commission and”.E+W+S+N.I.

Section 1 of Chapter VI of the GDPR (independent supervisory authorities: independent status)E+W+S+N.I.

40In Article 51 (supervisory authority)—E+W+S+N.I.

(a)in paragraph 1—

(i)for “Each Member State shall provide for one or more independent public authorities to be” substitute “ The Commissioner is ”;

(ii)omit “and to facilitate the free flow of personal data within the Union (‘supervisory authority’)”;

(b)omit paragraphs 2 to 4.

41In Article 52 (independence)—E+W+S+N.I.

(a)in paragraph 2—

(i)for “The member or members of each supervisory authority” substitute “ The Commissioner ”;

(ii)for “their”, in both places, substitute “the Commissioner's”;

(b)in paragraph 3—

(i)for “Member or members of each supervisory authority” substitute “ The Commissioner ”;

(ii)for “their”, in both places, substitute “the Commissioner's”;

(c)omit paragraphs 4 to 6.

42Omit Article 53 (general conditions for the members of the supervisory authority).E+W+S+N.I.

43Omit Article 54 (rules on the establishment of the supervisory authority).E+W+S+N.I.

Section 2 of Chapter VI of the GDPR (independent supervisory authorities: competence, tasks and powers)E+W+S+N.I.

44In Article 55 (competence)—E+W+S+N.I.

(a)in paragraph 1, omit “on the territory of its own Member State”;

(b)omit paragraph 2.

45Omit Article 56 (competence of the lead supervisory authority).E+W+S+N.I.

46In Article 57 (tasks)—E+W+S+N.I.

(a)in paragraph 1, in the first sentence, for “each supervisory authority shall on its territory” substitute “ the Commissioner is to ”;

(b)in paragraph 1, in point (e), omit “and, if appropriate, cooperate with the supervisory authorities in other Member States to that end”;

(c)in paragraph 1, in point (f), omit “or coordination with another supervisory authority”;

(d)in paragraph 1, omit points (g), (k) and (t);

(e)after paragraph 1 insert—

1AIn this Article and Article 58, references to “this Regulation” have effect as references to this Regulation and section 28(3) of the 2018 Act.

47In Article 58 (powers)—E+W+S+N.I.

(a)in paragraph 1, in point (a), omit “, and, where applicable, the controller's or the processor's representative”;

(b)in paragraph 1, in point (f), for “Union or Member State procedural law” substitute “ domestic law ”;

(c)in paragraph 3, in point (b), for “the Member State government” substitute “ the Secretary of State ”;

(d)in paragraph 3, omit point (c);

(e)omit paragraphs 4 to 6.

48In Article 59 (activity reports)—E+W+S+N.I.

(a)for “, the government and other authorities as designated by Member State law” substitute “ and the Secretary of State ”;

(b)omit “, to the Commission and to the Board”.

Chapter VII of the GDPR (co-operation and consistency)E+W+S+N.I.

49For Articles 60 to 76 substitute—E+W+S+N.I.

Article 61E+W+S+N.I.Co-operation with other supervisory authorities etc

1The Commissioner may, in connection with carrying out the Commissioner's functions under this Regulation—

(a)co-operate with, provide assistance to and seek assistance from other supervisory authorities;

(b)conduct joint operations with other supervisory authorities, including joint investigations and joint enforcement measures.

2The Commissioner must, in carrying out the Commissioner's functions under this Regulation, have regard to—

(a)decisions, advice, guidelines, recommendations and best practices issued by the European Data Protection Board established under Article 68 of the GDPR;

(b)any implementing acts adopted by the Commission under Article 67 of the GDPR (exchange of information).

Chapter VIII of the GDPR (remedies, liability and penalties)E+W+S+N.I.

50In Article 77 (right to lodge a complaint with a supervisory authority)—E+W+S+N.I.

(a)in paragraph 1, omit “in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement”;

(b)in paragraph 2, for “The supervisory authority with which the complaint has been lodged” substitute “ The Commissioner ”.

51In Article 78 (right to an effective judicial remedy against a supervisory authority)—E+W+S+N.I.

(a)omit paragraph 2;

(b)for paragraph 3 substitute—

3Proceedings against the Commissioner are to be brought before a court in the United Kingdom.;

(c)omit paragraph 4.

52In Article 79 (right to an effective judicial remedy against a controller or processor), for paragraph 2 substitute—E+W+S+N.I.

2Proceedings against a controller or a processor are to be brought before a court (see section 180 of the 2018 Act).

53In Article 80 (representation of data subjects)—E+W+S+N.I.

(a)in paragraph 1, omit “where provided for by Member State law”;

(b)in paragraph 2, for “Member States” substitute “ The Secretary of State ”;

(c)after that paragraph insert—

3The power under paragraph 2 may only be exercised by making regulations under section 190 of the 2018 Act.

54Omit Article 81 (suspension of proceedings).E+W+S+N.I.

55In Article 82 (right to compensation and liability), for paragraph 6 substitute—E+W+S+N.I.

6Proceedings for exercising the right to receive compensation are to be brought before a court (see section 180 of the 2018 Act).

56In Article 83 (general conditions for imposing administrative fines)—E+W+S+N.I.

(a)in paragraph 5, in point (d), for “pursuant to Member State law adopted under Chapter IX” substitute “ under Part 5 or 6 of Schedule 2 to the 2018 Act or under regulations made under section 16 of that Act ”;

(b)in paragraph 7—

(i)for “each Member State” substitute “ the Secretary of State ”;

(ii)for “that Member State” substitute “ the United Kingdom ”;

(c)for paragraph 8 substitute—

8Section 115(9) of the 2018 Act makes provision about the exercise of the Commissioner's powers under this Article.;

(d)omit paragraph 9.

57In Article 84 (penalties)—E+W+S+N.I.

(a)for paragraph 1 substitute—

1The rules on other penalties applicable to infringements of this Regulation are set out in the 2018 Act (see in particular Part 6 (enforcement)).;

(b)omit paragraph 2.

Chapter IX of the GDPR (provisions relating to specific processing situations)E+W+S+N.I.

58In Article 85 (processing and freedom of expression and information)—E+W+S+N.I.

(a)omit paragraph 1;

(b)in paragraph 2, for “Member States shall” substitute “ the Secretary of State, in addition to the relevant provisions, may by way of regulations (see section 16 of the 2018 Act), ”;

(c)in paragraph 2, at the end insert—

In this paragraph, “the relevant provisions” means section 15 of and Part 5 of Schedule 2 to the 2018 Act.;

(d)omit paragraph 3.

59In Article 86 (processing and public access to official documents), for “Union or Member State law to which the public authority or body is subject” substitute “ domestic law ”.E+W+S+N.I.

60Omit Article 87 (processing of national identification number).E+W+S+N.I.

61Omit Article 88 (processing in the context of employment).E+W+S+N.I.

62In Article 89 (safeguards and derogations relating to processing for archiving purposes etc)—E+W+S+N.I.

(a)in paragraph 2, for “Union or Member State law may” substitute “ the Secretary of State, in addition to the relevant provisions, may in regulations (see section 16 of the 2018 Act) ”;

(b)in paragraph 3, for “Union or Member State law may” substitute “ the Secretary of State, in addition to the relevant provisions, may in regulations (see section 16 of the 2018 Act) ”;

(c)after paragraph 3 insert—

3AIn this Article “the relevant provisions” means section 15 of and Part 6 of Schedule 2 to the 2018 Act.

63Omit Article 90 (obligations of secrecy).E+W+S+N.I.

64Omit Article 91 (existing data protection rules of churches and religious associations).E+W+S+N.I.

Chapter X of the GDPR (delegated acts and implementing acts)E+W+S+N.I.

65Omit Article 92 (exercise of the delegation).E+W+S+N.I.

66Omit Article 93 (committee procedure).E+W+S+N.I.

Chapter XI of the GDPR (final provisions)E+W+S+N.I.

67Omit Article 94 (repeal of Directive 95/46/EC).E+W+S+N.I.

68Omit Article 95 (relationship with Directive 2002/58/EC).E+W+S+N.I.

69In Article 96 (relationship with previously concluded Agreements), for “by Member States” substitute “ by the United Kingdom or the Commissioner ”.E+W+S+N.I.

70Omit Article 97 (Commission reports).E+W+S+N.I.

71Omit Article 98 (Commission reviews).E+W+S+N.I.

72Omit Article 99 (entry into force and application).E+W+S+N.I.

PART 2 E+W+S+N.I.Modifications to Chapter 2 of Part 2

IntroductoryE+W+S+N.I.

73In its application by virtue of section 22(2), Chapter 2 of Part 2 has effect as if it were modified as follows.E+W+S+N.I.

General modificationsE+W+S+N.I.

74(1)References to Chapter 2 of Part 2 and the provisions of that Chapter have effect as references to the applied Chapter 2 and the provisions of the applied Chapter 2 .E+W+S+N.I.

(2)References to the GDPR and to the provisions of the GDPR have effect as references to the applied GDPR and to the provisions of the applied GDPR, except in section 18(2)(a).

(3)References to the processing of personal data to which Chapter 2 applies have effect as references to the processing of personal data to which Chapter 3 applies.

ExemptionsE+W+S+N.I.

75In section 16 (power to make further exemptions etc by regulations), in subsection (1)(a), for “Member State law” substitute “ the Secretary of State ”.E+W+S+N.I.

Prospective

Section 30

SCHEDULE 7E+W+S+N.I.Competent authorities

1Any United Kingdom government department other than a non-ministerial government department.E+W+S+N.I.

2The Scottish Ministers.E+W+S+N.I.

3Any Northern Ireland department.E+W+S+N.I.

4The Welsh Ministers.E+W+S+N.I.

Chief officers of police and other policing bodiesE+W+S+N.I.

5The chief constable of a police force maintained under section 2 of the Police Act 1996.E+W+S+N.I.

6The Commissioner of Police of the Metropolis.E+W+S+N.I.

7The Commissioner of Police for the City of London.E+W+S+N.I.

8The Chief Constable of the Police Service of Northern Ireland.E+W+S+N.I.

9The chief constable of the Police Service of Scotland.E+W+S+N.I.

10The chief constable of the British Transport Police.E+W+S+N.I.

11The chief constable of the Civil Nuclear Constabulary.E+W+S+N.I.

12The chief constable of the Ministry of Defence Police.E+W+S+N.I.

13The Provost Marshal of the Royal Navy Police.E+W+S+N.I.

14The Provost Marshal of the Royal Military Police.E+W+S+N.I.

15The Provost Marshal of the Royal Air Force Police.E+W+S+N.I.

16The chief officer of—E+W+S+N.I.

(a)a body of constables appointed under provision incorporating section 79 of the Harbours, Docks, and Piers Clauses Act 1847;

(b)a body of constables appointed under an order made under section 14 of the Harbours Act 1964;

(c)the body of constables appointed under section 154 of the Port of London Act 1968 (c.xxxii).

17A body established in accordance with a collaboration agreement under section 22A of the Police Act 1996.E+W+S+N.I.

18The Director General of the Independent Office for Police Conduct.E+W+S+N.I.

19The Police Investigations and Review Commissioner.E+W+S+N.I.

20The Police Ombudsman for Northern Ireland.E+W+S+N.I.

Other authorities with investigatory functionsE+W+S+N.I.

21The Commissioners for Her Majesty's Revenue and Customs.E+W+S+N.I.

22The Welsh Revenue Authority.E+W+S+N.I.

23Revenue Scotland.E+W+S+N.I.

24The Director General of the National Crime Agency.E+W+S+N.I.

25The Director of the Serious Fraud Office.E+W+S+N.I.

26The Director of Border Revenue.E+W+S+N.I.

27The Financial Conduct Authority.E+W+S+N.I.

28The Health and Safety Executive.E+W+S+N.I.

29The Competition and Markets Authority.E+W+S+N.I.

30The Gas and Electricity Markets Authority.E+W+S+N.I.

31The Food Standards Agency.E+W+S+N.I.

32Food Standards Scotland.E+W+S+N.I.

33Her Majesty's Land Registry.E+W+S+N.I.

34The Criminal Cases Review Commission.E+W+S+N.I.

35The Scottish Criminal Cases Review Commission.E+W+S+N.I.

Authorities with functions relating to offender managementE+W+S+N.I.

36A provider of probation services (other than the Secretary of State), acting in pursuance of arrangements made under section 3(2) of the Offender Management Act 2007.E+W+S+N.I.

37The Youth Justice Board for England and Wales.E+W+S+N.I.

38The Parole Board for England and Wales.E+W+S+N.I.

39The Parole Board for Scotland.E+W+S+N.I.

40The Parole Commissioners for Northern Ireland.E+W+S+N.I.

41The Probation Board for Northern Ireland.E+W+S+N.I.

42The Prisoner Ombudsman for Northern Ireland.E+W+S+N.I.

43A person who has entered into a contract for the running of, or part of—E+W+S+N.I.

(a)a prison or young offender institution under section 84 of the Criminal Justice Act 1991, or

(b)a secure training centre under section 7 of the Criminal Justice and Public Order Act 1994.

44A person who has entered into a contract with the Secretary of State—E+W+S+N.I.

(a)under section 80 of the Criminal Justice Act 1991 for the purposes of prisoner escort arrangements, or

(b)under paragraph 1 of Schedule 1 to the Criminal Justice and Public Order Act 1994 for the purposes of escort arrangements.

45A person who is, under or by virtue of any enactment, responsible for securing the electronic monitoring of an individual.E+W+S+N.I.

46A youth offending team established under section 39 of the Crime and Disorder Act 1998.E+W+S+N.I.

Other authoritiesE+W+S+N.I.

47The Director of Public Prosecutions.E+W+S+N.I.

48The Director of Public Prosecutions for Northern Ireland.E+W+S+N.I.

49The Lord Advocate.E+W+S+N.I.

50A Procurator Fiscal.E+W+S+N.I.

51The Director of Service Prosecutions.E+W+S+N.I.

52The Information Commissioner.E+W+S+N.I.

53The Scottish Information Commissioner.E+W+S+N.I.

54The Scottish Courts and Tribunal Service.E+W+S+N.I.

55The Crown agent.E+W+S+N.I.

56A court or tribunal.E+W+S+N.I.

Prospective

Section 35(5)

SCHEDULE 8E+W+S+N.I.Conditions for sensitive processing under Part 3

Statutory etc purposesE+W+S+N.I.

1This condition is met if the processing—E+W+S+N.I.

(a)is necessary for the exercise of a function conferred on a person by an enactment or rule of law, and

(b)is necessary for reasons of substantial public interest.

Administration of justiceE+W+S+N.I.

2This condition is met if the processing is necessary for the administration of justice.E+W+S+N.I.

Protecting individual's vital interestsE+W+S+N.I.

3This condition is met if the processing is necessary to protect the vital interests of the data subject or of another individual.E+W+S+N.I.

Safeguarding of children and of individuals at riskE+W+S+N.I.

4(1)This condition is met if—E+W+S+N.I.

(a)the processing is necessary for the purposes of—

(i)protecting an individual from neglect or physical, mental or emotional harm, or

(ii)protecting the physical, mental or emotional well-being of an individual,

(b)the individual is—

(i)aged under 18, or

(ii)aged 18 or over and at risk,

(c)the processing is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and

(d)the processing is necessary for reasons of substantial public interest.

(2)The reasons mentioned in sub-paragraph (1)(c) are—

(a)in the circumstances, consent to the processing cannot be given by the data subject;

(b)in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;

(c)the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection mentioned in sub-paragraph (1)(a).

(3)For the purposes of this paragraph, an individual aged 18 or over is “at risk” if the controller has reasonable cause to suspect that the individual—

(a)has needs for care and support,

(b)is experiencing, or at risk of, neglect or physical, mental or emotional harm, and

(c)as a result of those needs is unable to protect himself or herself against the neglect or harm or the risk of it.

(4)In sub-paragraph (1)(a), the reference to the protection of an individual or of the well-being of an individual includes both protection relating to a particular individual and protection relating to a type of individual.

Personal data already in the public domainE+W+S+N.I.

5This condition is met if the processing relates to personal data which is manifestly made public by the data subject.E+W+S+N.I.

Legal claimsE+W+S+N.I.

6This condition is met if the processing—E+W+S+N.I.

(a)is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),

(b)is necessary for the purpose of obtaining legal advice, or

(c)is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

Judicial actsE+W+S+N.I.

7This condition is met if the processing is necessary when a court or other judicial authority is acting in its judicial capacity.E+W+S+N.I.

Preventing fraudE+W+S+N.I.

8(1)This condition is met if the processing—E+W+S+N.I.

(a)is necessary for the purposes of preventing fraud or a particular kind of fraud, and

(b)consists of—

(i)the disclosure of personal data by a competent authority as a member of an anti-fraud organisation,

(ii)the disclosure of personal data by a competent authority in accordance with arrangements made by an anti-fraud organisation, or

(iii)the processing of personal data disclosed as described in sub-paragraph (i) or (ii).

(2)In this paragraph, “anti-fraud organisation” has the same meaning as in section 68 of the Serious Crime Act 2007.

Archiving etcE+W+S+N.I.

9This condition is met if the processing is necessary—E+W+S+N.I.

(a)for archiving purposes in the public interest,

(b)for scientific or historical research purposes, or

(c)for statistical purposes.

Prospective

Section 86

SCHEDULE 9E+W+S+N.I.Conditions for processing under Part 4

1The data subject has given consent to the processing.E+W+S+N.I.

2The processing is necessary—E+W+S+N.I.

(a)for the performance of a contract to which the data subject is a party, or

(b)in order to take steps at the request of the data subject prior to entering into a contract.

3The processing is necessary for compliance with a legal obligation to which the controller is subject, other than an obligation imposed by contract.E+W+S+N.I.

4The processing is necessary in order to protect the vital interests of the data subject or of another individual.E+W+S+N.I.

5The processing is necessary—E+W+S+N.I.

(a)for the administration of justice,

(b)for the exercise of any functions of either House of Parliament,

(c)for the exercise of any functions conferred on a person by an enactment or rule of law,

(d)for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or

(e)for the exercise of any other functions of a public nature exercised in the public interest by a person.

6(1)The processing is necessary for the purposes of legitimate interests pursued by—E+W+S+N.I.

(a)the controller, or

(b)the third party or parties to whom the data is disclosed.

(2)Sub-paragraph (1) does not apply where the processing is unwarranted in any particular case because of prejudice to the rights and freedoms or legitimate interests of the data subject.

(3)In this paragraph, “third party”, in relation to personal data, means a person other than the data subject, the controller or a processor or other person authorised to process personal data for the controller or processor.

Prospective

Section 86

SCHEDULE 10E+W+S+N.I.Conditions for sensitive processing under Part 4

Consent to particular processingE+W+S+N.I.

1The data subject has given consent to the processing.E+W+S+N.I.

Right or obligation relating to employmentE+W+S+N.I.

2The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by an enactment or rule of law on the controller in connection with employment.E+W+S+N.I.

Vital interests of a personE+W+S+N.I.

3The processing is necessary—E+W+S+N.I.

(a)in order to protect the vital interests of the data subject or of another person, in a case where—

(i)consent cannot be given by or on behalf of the data subject, or

(ii)the controller cannot reasonably be expected to obtain the consent of the data subject, or

(b)in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.

Safeguarding of children and of individuals at riskE+W+S+N.I.

4(1)This condition is met if—E+W+S+N.I.

(a)the processing is necessary for the purposes of—

(i)protecting an individual from neglect or physical, mental or emotional harm, or

(ii)protecting the physical, mental or emotional well-being of an individual,

(b)the individual is—

(i)aged under 18, or

(ii)aged 18 or over and at risk,

(c)the processing is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and

(d)the processing is necessary for reasons of substantial public interest.

(2)The reasons mentioned in sub-paragraph (1)(c) are—

(a)in the circumstances, consent to the processing cannot be given by the data subject;

(b)in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;

(c)the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection mentioned in sub-paragraph (1)(a).

(3)For the purposes of this paragraph, an individual aged 18 or over is “at risk” if the controller has reasonable cause to suspect that the individual—

(a)has needs for care and support,

(b)is experiencing, or at risk of, neglect or physical, mental or emotional harm, and

(c)as a result of those needs is unable to protect himself or herself against the neglect or harm or the risk of it.

(4)In sub-paragraph (1)(a), the reference to the protection of an individual or of the well-being of an individual includes both protection relating to a particular individual and protection relating to a type of individual.

Data already published by data subjectE+W+S+N.I.

5The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.E+W+S+N.I.

Legal proceedings etcE+W+S+N.I.

6The processing—E+W+S+N.I.

(a)is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),

(b)is necessary for the purpose of obtaining legal advice, or

(c)is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

Administration of justice, parliamentary, statutory etc and government purposesE+W+S+N.I.

7The processing is necessary—E+W+S+N.I.

(a)for the administration of justice,

(b)for the exercise of any functions of either House of Parliament,

(c)for the exercise of any functions conferred on any person by an enactment or rule of law, or

(d)for the exercise of any functions of the Crown, a Minister of the Crown or a government department.

Medical purposesE+W+S+N.I.

8(1)The processing is necessary for medical purposes and is undertaken by—E+W+S+N.I.

(a)a health professional, or

(b)a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.

(2)In this paragraph, “medical purposes” includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.

EqualityE+W+S+N.I.

9(1)The processing—E+W+S+N.I.

(a)is of sensitive personal data consisting of information as to racial or ethnic origin,

(b)is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained, and

(c)is carried out with appropriate safeguards for the rights and freedoms of data subjects.

(2)In this paragraph, “sensitive personal data” means personal data the processing of which constitutes sensitive processing (see section 86(7)).

Prospective

Section 112

SCHEDULE 11E+W+S+N.I.Other exemptions under Part 4

PreliminaryE+W+S+N.I.

1In this Schedule, “the listed provisions” means—E+W+S+N.I.

(a)Chapter 2 of Part 4 (the data protection principles), except section 86(1)(a) and (2) and Schedules 9 and 10;

(b)Chapter 3 of Part 4 (rights of data subjects);

(c)in Chapter 4 of Part 4 , section 108 (communication of personal data breach to the Commissioner).

CrimeE+W+S+N.I.

2The listed provisions do not apply to personal data processed for any of the following purposes—E+W+S+N.I.

(a)the prevention and detection of crime, or

(b)the apprehension and prosecution of offenders,

to the extent that the application of the listed provisions would be likely to prejudice any of the matters mentioned in paragraph (a) or (b).

Information required to be disclosed by law etc or in connection with legal proceedingsE+W+S+N.I.

3(1)The listed provisions do not apply to personal data consisting of information that the controller is obliged by an enactment to make available to the public, to the extent that the application of the listed provisions would prevent the controller from complying with that obligation.E+W+S+N.I.

(2)The listed provisions do not apply to personal data where disclosure of the data is required by an enactment, a rule of law or the order of a court, to the extent that the application of the listed provisions would prevent the controller from making the disclosure.

(3)The listed provisions do not apply to personal data where disclosure of the data—

(a)is necessary for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings),

(b)is necessary for the purpose of obtaining legal advice, or

(c)is otherwise necessary for the purposes of establishing, exercising or defending legal rights,

to the extent that the application of the listed provisions would prevent the controller from making the disclosure.

Parliamentary privilegeE+W+S+N.I.

4The listed provisions do not apply to personal data where this is required for the purpose of avoiding an infringement of the privileges of either House of Parliament.E+W+S+N.I.

Judicial proceedingsE+W+S+N.I.

5The listed provisions do not apply to personal data to the extent that the application of the listed provisions would be likely to prejudice judicial proceedings.E+W+S+N.I.

Crown honours and dignitiesE+W+S+N.I.

6The listed provisions do not apply to personal data processed for the purposes of the conferring by the Crown of any honour or dignity.E+W+S+N.I.

Armed forcesE+W+S+N.I.

7The listed provisions do not apply to personal data to the extent that the application of the listed provisions would be likely to prejudice the combat effectiveness of any of the armed forces of the Crown.E+W+S+N.I.

Economic well-beingE+W+S+N.I.

8The listed provisions do not apply to personal data to the extent that the application of the listed provisions would be likely to prejudice the economic well-being of the United Kingdom.E+W+S+N.I.

Legal professional privilegeE+W+S+N.I.

9The listed provisions do not apply to personal data that consists of—E+W+S+N.I.

(a)information in respect of which a claim to legal professional privilege or, in Scotland, confidentiality of communications, could be maintained in legal proceedings, or

(b)information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser.

NegotiationsE+W+S+N.I.

10The listed provisions do not apply to personal data that consists of records of the intentions of the controller in relation to any negotiations with the data subject to the extent that the application of the listed provisions would be likely to prejudice the negotiations.E+W+S+N.I.

Confidential references given by the controllerE+W+S+N.I.

11The listed provisions do not apply to personal data consisting of a reference given (or to be given) in confidence by the controller for the purposes of—E+W+S+N.I.

(a)the education, training or employment (or prospective education, training or employment) of the data subject,

(b)the appointment (or prospective appointment) of the data subject to any office, or

(c)the provision (or prospective provision) by the data subject of any service.

Exam scripts and marksE+W+S+N.I.

12(1)The listed provisions do not apply to personal data consisting of information recorded by candidates during an exam.E+W+S+N.I.

(2)Where personal data consists of marks or other information processed by a controller—

(a)for the purposes of determining the results of an exam, or

(b)in consequence of the determination of the results of an exam,

section 94 has effect subject to sub-paragraph (3).

(3)Where the relevant time falls before the results of the exam are announced, the period mentioned in section 94(10)(b) is extended until the earlier of—

(a)the end of the period of 5 months beginning with the relevant time, and

(b)the end of the period of 40 days beginning with the announcement of the results.

(4)In this paragraph—

  • exam” means an academic, professional or other examination used for determining the knowledge, intelligence, skill or ability of a candidate and may include an exam consisting of an assessment of the candidate's performance while undertaking work or any other activity;

  • the relevant time” has the same meaning as in section 94.

(5)For the purposes of this paragraph, the results of an exam are treated as announced when they are first published or, if not published, first communicated to the candidate.

Research and statisticsE+W+S+N.I.

13(1)The listed provisions do not apply to personal data processed for—E+W+S+N.I.

(a)scientific or historical research purposes, or

(b)statistical purposes,

to the extent that the application of those provisions would prevent or seriously impair the achievement of the purposes in question.

(2)The exemption in sub-paragraph (1) is available only where—

(a)the personal data is processed subject to appropriate safeguards for the rights and freedoms of data subjects, and

(b)the results of the research or any resulting statistics are not made available in a form which identifies a data subject.

Archiving in the public interestE+W+S+N.I.

14(1)The listed provisions do not apply to personal data processed for archiving purposes in the public interest to the extent that the application of those provisions would prevent or seriously impair the achievement of those purposes.E+W+S+N.I.

(2)The exemption in sub-paragraph (1) is available only where the personal data is processed subject to appropriate safeguards for the rights and freedoms of data subjects.

Prospective

Section 114

SCHEDULE 12E+W+S+N.I.The Information Commissioner

Status and capacityE+W+S+N.I.

1(1)The Commissioner is to continue to be a corporation sole.E+W+S+N.I.

(2)The Commissioner and the Commissioner's officers and staff are not to be regarded as servants or agents of the Crown.

AppointmentE+W+S+N.I.

2(1)The Commissioner is to be appointed by Her Majesty by Letters Patent.E+W+S+N.I.

(2)No recommendation may be made to Her Majesty for the appointment of a person as the Commissioner unless the person concerned has been selected on merit on the basis of fair and open competition.

(3)The Commissioner is to hold office for such term not exceeding 7 years as may be determined at the time of the Commissioner's appointment, subject to paragraph 3.

(4)A person cannot be appointed as the Commissioner more than once.

Resignation and removalE+W+S+N.I.

3(1)The Commissioner may be relieved of office by Her Majesty at the Commissioner's own request.E+W+S+N.I.

(2)The Commissioner may be removed from office by Her Majesty on an Address from both Houses of Parliament.

(3)No motion is to be made in either House of Parliament for such an Address unless a Minister of the Crown has presented a report to that House stating that the Minister is satisfied that one or both of the following grounds is made out—

(a)the Commissioner is guilty of serious misconduct;

(b)the Commissioner no longer fulfils the conditions required for the performance of the Commissioner's functions.

Salary etcE+W+S+N.I.

4(1)The Commissioner is to be paid such salary as may be specified by a resolution of the House of Commons.E+W+S+N.I.

(2)There is to be paid in respect of the Commissioner such pension as may be specified by a resolution of the House of Commons.

(3)A resolution for the purposes of this paragraph may—

(a)specify the salary or pension,

(b)specify the salary or pension and provide for it to be increased by reference to such variables as may be specified in the resolution, or

(c)provide that the salary or pension is to be the same as, or calculated on the same basis as, that payable to, or in respect of, a person employed in a specified office under, or in a specified capacity in the service of, the Crown.

(4)A resolution for the purposes of this paragraph may take effect from—

(a)the date on which it is passed, or

(b)from an earlier date or later date specified in the resolution.

(5)A resolution for the purposes of this paragraph may make different provision in relation to the pension payable to, or in respect of, different holders of the office of Commissioner.

(6)A salary or pension payable under this paragraph is to be charged on and issued out of the Consolidated Fund.

(7)In this paragraph, “pension” includes an allowance or gratuity and a reference to the payment of a pension includes a reference to the making of payments towards the provision of a pension.

Officers and staffE+W+S+N.I.

5(1)The Commissioner—E+W+S+N.I.

(a)must appoint one or more deputy commissioners, and

(b)may appoint other officers and staff.

(2)The Commissioner is to determine the remuneration and other conditions of service of people appointed under this paragraph.

(3)The Commissioner may pay pensions, allowances or gratuities to, or in respect of, people appointed under this paragraph, including pensions, allowances or gratuities paid by way of compensation in respect of loss of office or employment.

(4)The references in sub-paragraph (3) to paying pensions, allowances or gratuities includes making payments towards the provision of pensions, allowances or gratuities.

(5)In making appointments under this paragraph, the Commissioner must have regard to the principle of selection on merit on the basis of fair and open competition.

(6)The Employers' Liability (Compulsory Insurance) Act 1969 does not require insurance to be effected by the Commissioner.

Carrying out of the Commissioner's functions by officers and staffE+W+S+N.I.

6(1)The functions of the Commissioner are to be carried out by the deputy commissioner or deputy commissioners if—E+W+S+N.I.

(a)there is a vacancy in the office of the Commissioner, or

(b)the Commissioner is for any reason unable to act.

(2)When the Commissioner appoints a second or subsequent deputy commissioner, the Commissioner must specify which deputy commissioner is to carry out which of the Commissioner's functions in the circumstances referred to in sub-paragraph (1).

(3)A function of the Commissioner may, to the extent authorised by the Commissioner, be carried out by any of the Commissioner's officers or staff.

Authentication of the seal of the CommissionerE+W+N.I.

7The application of the seal of the Commissioner is to be authenticated by—E+W+N.I.

(a)the Commissioner's signature, or

(b)the signature of another person authorised for the purpose.

Presumption of authenticity of documents issued by the CommissionerE+W+N.I.

8A document purporting to be an instrument issued by the Commissioner and to be—E+W+N.I.

(a)duly executed under the Commissioner's seal, or

(b)signed by or on behalf of the Commissioner,

is to be received in evidence and is to be deemed to be such an instrument unless the contrary is shown.

MoneyE+W+S+N.I.

9The Secretary of State may make payments to the Commissioner out of money provided by Parliament.E+W+S+N.I.

Fees etc and other sumsE+W+S+N.I.

10(1)All fees, charges, penalties and other sums received by the Commissioner in carrying out the Commissioner's functions are to be paid by the Commissioner to the Secretary of State.E+W+S+N.I.

(2)Sub-paragraph (1) does not apply where the Secretary of State, with the consent of the Treasury, otherwise directs.

(3)Any sums received by the Secretary of State under sub-paragraph (1) are to be paid into the Consolidated Fund.

AccountsE+W+S+N.I.

11(1)The Commissioner must—E+W+S+N.I.

(a)keep proper accounts and other records in relation to the accounts, and

(b)prepare in respect of each financial year a statement of account in such form as the Secretary of State may direct.

(2)The Commissioner must send a copy of the statement to the Comptroller and Auditor General—

(a)on or before 31 August next following the end of the year to which the statement relates, or

(b)on or before such earlier date after the end of that year as the Treasury may direct.

(3)The Comptroller and Auditor General must examine, certify and report on the statement.

(4)The Commissioner must arrange for copies of the statement and the Comptroller and Auditor General's report to be laid before Parliament.

(5)In this paragraph, “financial year” means a period of 12 months beginning with 1 April.

ScotlandE+W+S+N.I.

12Paragraphs 1(1), 7 and 8 do not extend to Scotland.E+W+S+N.I.

Prospective

Section 116

SCHEDULE 13E+W+S+N.I.Other general functions of the Commissioner

General tasksE+W+S+N.I.

1(1)The Commissioner must—E+W+S+N.I.

(a)monitor and enforce Parts 3 and 4 of this Act;

(b)promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing of personal data to which those Parts apply;

(c)advise Parliament, the government and other institutions and bodies on legislative and administrative measures relating to the protection of individuals' rights and freedoms with regard to processing of personal data to which those Parts apply;

(d)promote the awareness of controllers and processors of their obligations under Parts 3 and 4 of this Act;

(e)on request, provide information to a data subject concerning the exercise of the data subject's rights under Parts 3 and 4 of this Act and, if appropriate, co-operate with LED supervisory authorities and foreign designated authorities to provide such information;

(f)co-operate with LED supervisory authorities and foreign designated authorities with a view to ensuring the consistency of application and enforcement of the Law Enforcement Directive and the Data Protection Convention, including by sharing information and providing mutual assistance;

(g)conduct investigations on the application of Parts 3 and 4 of this Act, including on the basis of information received from an LED supervisory authority, a foreign designated authority or another public authority;

(h)monitor relevant developments to the extent that they have an impact on the protection of personal data, including the development of information and communication technologies;

(i)contribute to the activities of the European Data Protection Board established by the GDPR in connection with the processing of personal data to which the Law Enforcement Directive applies.

(2)Section 3(14)(c) does not apply to the reference to personal data in sub-paragraph (1)(h).

General powersE+W+S+N.I.

2The Commissioner has the following investigative, corrective, authorisation and advisory powers in relation to processing of personal data to which Part 3 or 4 of this Act applies—E+W+S+N.I.

(a)to notify the controller or the processor of an alleged infringement of Part 3 or 4 of this Act;

(b)to issue warnings to a controller or processor that intended processing operations are likely to infringe provisions of Part 3 or 4 of this Act;

(c)to issue reprimands to a controller or processor where processing operations have infringed provisions of Part 3 or 4 of this Act;

(d)to issue, on the Commissioner's own initiative or on request, opinions to Parliament, the government or other institutions and bodies as well as to the public on any issue related to the protection of personal data.

DefinitionsE+W+S+N.I.

3In this Schedule—E+W+S+N.I.

  • foreign designated authority” means an authority designated for the purposes of Article 13 of the Data Protection Convention by a party, other than the United Kingdom, which is bound by that Convention;

  • LED supervisory authority” means a supervisory authority for the purposes of Article 41 of the Law Enforcement Directive in a member State other than the United Kingdom.

Prospective

Section 118

SCHEDULE 14E+W+S+N.I.Co-operation and mutual assistance

PART 1 E+W+S+N.I.Law Enforcement Directive

Co-operationE+W+S+N.I.

1(1)The Commissioner may provide information or assistance to an LED supervisory authority to the extent that, in the opinion of the Commissioner, providing that information or assistance is necessary for the performance of the recipient's data protection functions.E+W+S+N.I.

(2)The Commissioner may ask an LED supervisory authority to provide information or assistance which the Commissioner requires for the performance of the Commissioner's data protection functions.

(3)In this paragraph, “data protection functions” means functions relating to the protection of individuals with respect to the processing of personal data.

Requests for information and assistance from LED supervisory authoritiesE+W+S+N.I.

2(1)This paragraph applies where the Commissioner receives a request from an LED supervisory authority for information or assistance referred to in Article 41 of the Law Enforcement Directive and the request—E+W+S+N.I.

(a)explains the purpose of and reasons for the request, and

(b)contains all other information necessary to enable the Commissioner to respond.

(2)The Commissioner must—

(a)take all appropriate measures required to reply to the request without undue delay and, in any event, before the end of the period of 1 month beginning with receipt of the request, and

(b)inform the LED supervisory authority of the results or, as the case may be, of the progress of the measures taken in order to respond to the request.

(3)The Commissioner must not refuse to comply with the request unless—

(a)the Commissioner does not have power to do what is requested, or

(b)complying with the request would infringe the Law Enforcement Directive, EU legislation or the law of the United Kingdom or a part of the United Kingdom.

(4)If the Commissioner refuses to comply with a request from an LED supervisory authority, the Commissioner must inform the authority of the reasons for the refusal.

(5)As a general rule, the Commissioner must provide information requested by LED supervisory authorities by electronic means using a standardised format.

FeesE+W+S+N.I.

3(1)Subject to sub-paragraph (2), any information or assistance that is required to be provided by this Part of this Schedule must be provided free of charge.E+W+S+N.I.

(2)The Commissioner may enter into agreements with other LED supervisory authorities for the Commissioner and other authorities to indemnify each other for expenditure arising from the provision of assistance in exceptional circumstances.

Restrictions on use of informationE+W+S+N.I.

4Where the Commissioner receives information from an LED supervisory authority as a result of a request under paragraph 1(2), the Commissioner may use the information only for the purposes specified in the request.E+W+S+N.I.

LED supervisory authorityE+W+S+N.I.

5In this Part of this Schedule, “LED supervisory authority” means a supervisory authority for the purposes of Article 41 of the Law Enforcement Directive in a member State other than the United Kingdom.E+W+S+N.I.

PART 2 E+W+S+N.I.Data Protection Convention

Co-operation between the Commissioner and foreign designated authoritiesE+W+S+N.I.

6(1)The Commissioner must, at the request of a foreign designated authority—E+W+S+N.I.

(a)provide that authority with such information referred to in Article 13(3)(a) of the Data Protection Convention (information on law and administrative practice in the field of data protection) as is the subject of the request, and

(b)take appropriate measures in accordance with Article 13(3)(b) of the Data Protection Convention for providing that authority with information relating to the processing of personal data in the United Kingdom.

(2)The Commissioner may ask a foreign designated authority—

(a)to provide the Commissioner with information referred to in Article 13(3) of the Data Protection Convention, or

(b)to take appropriate measures to provide such information.

Assisting persons resident outside the UK with requests under Article 14 of the ConventionE+W+S+N.I.

7(1)This paragraph applies where a request for assistance in exercising any of the rights referred to in Article 8 of the Data Protection Convention in the United Kingdom is made by a person resident outside the United Kingdom, including where the request is forwarded to the Commissioner through the Secretary of State or a foreign designated authority.E+W+S+N.I.

(2)The Commissioner must take appropriate measures to assist the person to exercise those rights.

Assisting UK residents with requests under Article 8 of the ConventionE+W+S+N.I.

8(1)This paragraph applies where a request for assistance in exercising any of the rights referred to in Article 8 of the Data Protection Convention in a country or territory (other than the United Kingdom) specified in the request is—E+W+S+N.I.

(a)made by a person resident in the United Kingdom, and

(b)submitted through the Commissioner under Article 14(2) of the Convention.

(2)If the Commissioner is satisfied that the request contains all necessary particulars referred to in Article 14(3) of the Data Protection Convention, the Commissioner must send the request to the foreign designated authority in the specified country or territory.

(3)Otherwise, the Commissioner must, where practicable, notify the person making the request of the reasons why the Commissioner is not required to assist.

Restrictions on use of informationE+W+S+N.I.

9Where the Commissioner receives information from a foreign designated authority as a result of—E+W+S+N.I.

(a)a request made by the Commissioner under paragraph 6(2), or

(b)a request received by the Commissioner under paragraph 6(1) or 7,

the Commissioner may use the information only for the purposes specified in the request.

Foreign designated authorityE+W+S+N.I.

10In this Part of this Schedule, “foreign designated authority” means an authority designated for the purposes of Article 13 of the Data Protection Convention by a party, other than the United Kingdom, which is bound by that Data Protection Convention.E+W+S+N.I.

Prospective

Section 154

SCHEDULE 15E+W+S+N.I.Powers of entry and inspection

Issue of warrants in connection with non-compliance and offencesE+W+S+N.I.

1(1)This paragraph applies if a judge of the High Court, a circuit judge or a District Judge (Magistrates' Courts) is satisfied by information on oath supplied by the Commissioner that—E+W+S+N.I.

(a)there are reasonable grounds for suspecting that—

(i)a controller or processor has failed or is failing as described in section 149(2), or

(ii)an offence under this Act has been or is being committed, and

(b)there are reasonable grounds for suspecting that evidence of the failure or of the commission of the offence is to be found on premises specified in the information or is capable of being viewed using equipment on such premises.

(2)The judge may grant a warrant to the Commissioner.

Issue of warrants in connection with assessment noticesE+W+S+N.I.

2(1)This paragraph applies if a judge of the High Court, a circuit judge or a District Judge (Magistrates' Courts) is satisfied by information on oath supplied by the Commissioner that a controller or processor has failed to comply with a requirement imposed by an assessment notice.E+W+S+N.I.

(2)The judge may, for the purpose of enabling the Commissioner to determine whether the controller or processor has complied or is complying with the data protection legislation, grant a warrant to the Commissioner in relation to premises that were specified in the assessment notice.

Restrictions on issuing warrants: processing for the special purposesE+W+S+N.I.

3A judge must not issue a warrant under this Schedule in respect of personal data processed for the special purposes unless a determination under section 174 with respect to the data or the processing has taken effect.E+W+S+N.I.

Restrictions on issuing warrants: procedural requirementsE+W+S+N.I.

4(1)A judge must not issue a warrant under this Schedule unless satisfied that—E+W+S+N.I.

(a)the conditions in sub-paragraphs (2) to (4) are met,

(b)compliance with those conditions would defeat the object of entry to the premises in question, or

(c)the Commissioner requires access to the premises in question urgently.

(2)The first condition is that the Commissioner has given 7 days' notice in writing to the occupier of the premises in question demanding access to the premises.

(3)The second condition is that—

(a)access to the premises was demanded at a reasonable hour and was unreasonably refused, or

(b)entry to the premises was granted but the occupier unreasonably refused to comply with a request by the Commissioner or the Commissioner's officers or staff to be allowed to do any of the things referred to in paragraph 5.

(4)The third condition is that, since the refusal, the occupier of the premises—

(a)has been notified by the Commissioner of the application for the warrant, and

(b)has had an opportunity to be heard by the judge on the question of whether or not the warrant should be issued.

(5)In determining whether the first condition is met, an assessment notice given to the occupier is to be disregarded.

Content of warrantsE+W+S+N.I.

5(1)A warrant issued under this Schedule must authorise the Commissioner or any of the Commissioner's officers or staff—E+W+S+N.I.

(a)to enter the premises,

(b)to search the premises, and

(c)to inspect, examine, operate and test any equipment found on the premises which is used or intended to be used for the processing of personal data.

(2)A warrant issued under paragraph 1 must authorise the Commissioner or any of the Commissioner's officers or staff—

(a)to inspect and seize any documents or other material found on the premises which may be evidence of the failure or offence mentioned in that paragraph,

(b)to require any person on the premises to provide, in an appropriate form, a copy of information capable of being viewed using equipment on the premises which may be evidence of that failure or offence,

(c)to require any person on the premises to provide an explanation of any document or other material found on the premises and of any information capable of being viewed using equipment on the premises, and

(d)to require any person on the premises to provide such other information as may reasonably be required for the purpose of determining whether the controller or processor has failed or is failing as described in section 149(2).

(3)A warrant issued under paragraph 2 must authorise the Commissioner or any of the Commissioner's officers or staff—

(a)to inspect and seize any documents or other material found on the premises which may enable the Commissioner to determine whether the controller or processor has complied or is complying with the data protection legislation,

(b)to require any person on the premises to provide, in an appropriate form, a copy of information capable of being viewed using equipment on the premises which may enable the Commissioner to make such a determination,

(c)to require any person on the premises to provide an explanation of any document or other material found on the premises and of any information capable of being viewed using equipment on the premises, and

(d)to require any person on the premises to provide such other information as may reasonably be required for the purpose of determining whether the controller or processor has complied or is complying with the data protection legislation.

(4)A warrant issued under this Schedule must authorise the Commissioner or any of the Commissioner's officers or staff to do the things described in sub-paragraphs (1) to (3) at any time in the period of 7 days beginning with the day on which the warrant is issued.

(5)For the purposes of this paragraph, a copy of information is in an “appropriate form” if —

(a)it can be taken away, and

(b)it is visible and legible or it can readily be made visible and legible.

Copies of warrantsE+W+S+N.I.

6A judge who issues a warrant under this Schedule must—E+W+S+N.I.

(a)issue two copies of it, and

(b)certify them clearly as copies.

Execution of warrants: reasonable forceE+W+S+N.I.

7A person executing a warrant issued under this Schedule may use such reasonable force as may be necessary.E+W+S+N.I.

Execution of warrants: time when executedE+W+S+N.I.

8A warrant issued under this Schedule may be executed only at a reasonable hour, unless it appears to the person executing it that there are grounds for suspecting that exercising it at a reasonable hour would defeat the object of the warrant.E+W+S+N.I.

Execution of warrants: occupier of premisesE+W+S+N.I.

9(1)If an occupier of the premises in respect of which a warrant is issued under this Schedule is present when the warrant is executed, the person executing the warrant must—E+W+S+N.I.

(a)show the occupier the warrant, and

(b)give the occupier a copy of it.

(2)Otherwise, a copy of the warrant must be left in a prominent place on the premises.

Execution of warrants: seizure of documents etcE+W+S+N.I.

10(1)This paragraph applies where a person executing a warrant under this Schedule seizes something.E+W+S+N.I.

(2)The person must, on request—

(a)give a receipt for it, and

(b)give an occupier of the premises a copy of it.

(3)Sub-paragraph (2)(b) does not apply if the person executing the warrant considers that providing a copy would result in undue delay.

(4)Anything seized may be retained for so long as is necessary in all the circumstances.

Matters exempt from inspection and seizure: privileged communicationsE+W+S+N.I.

11(1)The powers of inspection and seizure conferred by a warrant issued under this Schedule are not exercisable in respect of a communication which is made—E+W+S+N.I.

(a)between a professional legal adviser and the adviser's client, and

(b)in connection with the giving of legal advice to the client with respect to obligations, liabilities or rights under the data protection legislation.

(2)The powers of inspection and seizure conferred by a warrant issued under this Schedule are not exercisable in respect of a communication which is made—

(a)between a professional legal adviser and the adviser's client or between such an adviser or client and another person,

(b)in connection with or in contemplation of proceedings under or arising out of the data protection legislation, and

(c)for the purposes of such proceedings.

(3)Sub-paragraphs (1) and (2) do not prevent the exercise of powers conferred by a warrant issued under this Schedule in respect of—

(a)anything in the possession of a person other than the professional legal adviser or the adviser's client, or

(b)anything held with the intention of furthering a criminal purpose.

(4)The references to a communication in sub-paragraphs (1) and (2) include—

(a)a copy or other record of the communication, and

(b)anything enclosed with or referred to in the communication if made as described in sub-paragraph (1)(b) or in sub-paragraph (2)(b) and (c).

(5)In sub-paragraphs (1) to (3), the references to the client of a professional legal adviser include a person acting on behalf of such a client.

Matters exempt from inspection and seizure: Parliamentary privilegeE+W+S+N.I.

12The powers of inspection and seizure conferred by a warrant issued under this Schedule are not exercisable where their exercise would involve an infringement of the privileges of either House of Parliament.E+W+S+N.I.

Partially exempt materialE+W+S+N.I.

13(1)This paragraph applies if a person in occupation of premises in respect of which a warrant is issued under this Schedule objects to the inspection or seizure of any material under the warrant on the grounds that it consists partly of matters in respect of which those powers are not exercisable.E+W+S+N.I.

(2)The person must, if the person executing the warrant so requests, provide that person with a copy of so much of the material as is not exempt from those powers.

Return of warrantsE+W+S+N.I.

14(1)Where a warrant issued under this Schedule is executed—E+W+S+N.I.

(a)it must be returned to the court from which it was issued after being executed, and

(b)the person by whom it is executed must write on the warrant a statement of the powers that have been exercised under the warrant.

(2)Where a warrant issued under this Schedule is not executed, it must be returned to the court from which it was issued within the time authorised for its execution.

OffencesE+W+S+N.I.

15(1)It is an offence for a person—E+W+S+N.I.

(a)intentionally to obstruct a person in the execution of a warrant issued under this Schedule, or

(b)to fail without reasonable excuse to give a person executing such a warrant such assistance as the person may reasonably require for the execution of the warrant.

(2)It is an offence for a person—

(a)to make a statement in response to a requirement under paragraph 5(2)(c) or (d) or (3)(c) or (d) which the person knows to be false in a material respect, or

(b)recklessly to make a statement in response to such a requirement which is false in a material respect.

Self-incriminationE+W+S+N.I.

16(1)An explanation given, or information provided, by a person in response to a requirement under paragraph 5(2)(c) or (d) or (3)(c) or (d) may only be used in evidence against that person—E+W+S+N.I.

(a)on a prosecution for an offence under a provision listed in sub-paragraph (2), or

(b)on a prosecution for any other offence where—

(i)in giving evidence that person makes a statement inconsistent with that explanation or information, and

(ii)evidence relating to that explanation or information is adduced, or a question relating to it is asked, by that person or on that person's behalf.

(2)Those provisions are—

(a)paragraph 15,

(b)section 5 of the Perjury Act 1911 (false statements made otherwise than on oath),

(c)section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995 (false statements made otherwise than on oath), or

(d)Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714 (N.I. 19)) (false statutory declarations and other false unsworn statements).

Vessels, vehicles etcE+W+S+N.I.

17In this Schedule—E+W+S+N.I.

(a)premises” includes a vehicle, vessel or other means of transport, and

(b)references to the occupier of premises include the person in charge of a vehicle, vessel or other means of transport.

ScotlandE+W+S+N.I.

18In the application of this Schedule to Scotland—E+W+S+N.I.

(a)references to a judge of the High Court have effect as if they were references to a judge of the Court of Session,

(b)references to a circuit judge have effect as if they were references to the sheriff or the summary sheriff,

(c)references to information on oath have effect as if they were references to evidence on oath, and

(d)references to the court from which the warrant was issued have effect as if they were references to the sheriff clerk.

Northern IrelandE+W+S+N.I.

19In the application of this Schedule to Northern Ireland—E+W+S+N.I.

(a)references to a circuit judge have effect as if they were references to a county court judge, and

(b)references to information on oath have effect as if they were references to a complaint on oath.

Prospective

Section 155

SCHEDULE 16E+W+S+N.I.Penalties

Meaning of “penalty”E+W+S+N.I.

1In this Schedule, “penalty” means a penalty imposed by a penalty notice.E+W+S+N.I.

Notice of intent to impose penaltyE+W+S+N.I.

2(1)Before giving a person a penalty notice, the Commissioner must, by written notice (a “notice of intent”) inform the person that the Commissioner intends to give a penalty notice.E+W+S+N.I.

(2)The Commissioner may not give a penalty notice to a person in reliance on a notice of intent after the end of the period of 6 months beginning when the notice of intent is given, subject to sub-paragraph (3).

(3)The period for giving a penalty notice to a person may be extended by agreement between the Commissioner and the person.

Contents of notice of intentE+W+S+N.I.

3(1)A notice of intent must contain the following information—E+W+S+N.I.

(a)the name and address of the person to whom the Commissioner proposes to give a penalty notice;

(b)the reasons why the Commissioner proposes to give a penalty notice (see sub-paragraph (2));

(c)an indication of the amount of the penalty the Commissioner proposes to impose, including any aggravating or mitigating factors that the Commissioner proposes to take into account.

(2)The information required under sub-paragraph (1)(b) includes—

(a)a description of the circumstances of the failure, and

(b)where the notice is given in respect of a failure described in section 149(2), the nature of the personal data involved in the failure.

(3)A notice of intent must also—

(a)state that the person may make written representations about the Commissioner's intention to give a penalty notice, and

(b)specify the period within which such representations may be made.

(4)The period specified for making written representations must be a period of not less than 21 days beginning when the notice of intent is given.

(5)If the Commissioner considers that it is appropriate for the person to have an opportunity to make oral representations about the Commissioner's intention to give a penalty notice, the notice of intent must also—

(a)state that the person may make such representations, and

(b)specify the arrangements for making such representations and the time at which, or the period within which, they may be made.

Giving a penalty noticeE+W+S+N.I.

4(1)The Commissioner may not give a penalty notice before a time, or before the end of a period, specified in the notice of intent for making oral or written representations.E+W+S+N.I.

(2)When deciding whether to give a penalty notice to a person and determining the amount of the penalty, the Commissioner must consider any oral or written representations made by the person in accordance with the notice of intent.

Contents of penalty noticeE+W+S+N.I.

5(1)A penalty notice must contain the following information—E+W+S+N.I.

(a)the name and address of the person to whom it is addressed;

(b)details of the notice of intent given to the person;

(c)whether the Commissioner received oral or written representations in accordance with the notice of intent;

(d)the reasons why the Commissioner proposes to impose the penalty (see sub-paragraph (2));

(e)the reasons for the amount of the penalty, including any aggravating or mitigating factors that the Commissioner has taken into account;

(f)details of how the penalty is to be paid;

(g)details of the rights of appeal under section 162;

(h)details of the Commissioner's enforcement powers under this Schedule.

(2)The information required under sub-paragraph (1)(d) includes—

(a)a description of the circumstances of the failure, and

(b)where the notice is given in respect of a failure described in section 149(2), the nature of the personal data involved in the failure.

Period for payment of penaltyE+W+S+N.I.

6(1)A penalty must be paid to the Commissioner within the period specified in the penalty notice.E+W+S+N.I.

(2)The period specified must be a period of not less than 28 days beginning when the penalty notice is given.

Variation of penaltyE+W+S+N.I.

7(1)The Commissioner may vary a penalty notice by giving written notice (a “penalty variation notice”) to the person to whom it was given.E+W+S+N.I.

(2)A penalty variation notice must specify—

(a)the penalty notice concerned, and

(b)how it is varied.

(3)A penalty variation notice may not—

(a)reduce the period for payment of the penalty;

(b)increase the amount of the penalty;

(c)otherwise vary the penalty notice to the detriment of the person to whom it was given.

(4)If—

(a)a penalty variation notice reduces the amount of the penalty, and

(b)when that notice is given, an amount has already been paid that exceeds the amount of the reduced penalty,

the Commissioner must repay the excess.

Cancellation of penaltyE+W+S+N.I.

8(1)The Commissioner may cancel a penalty notice by giving written notice to the person to whom it was given.E+W+S+N.I.

(2)If a penalty notice is cancelled, the Commissioner—

(a)may not take any further action under section 155 or this Schedule in relation to the failure to which that notice relates, and

(b)must repay any amount that has been paid in accordance with that notice.

Enforcement of paymentE+W+S+N.I.

9(1)The Commissioner must not take action to recover a penalty unless—E+W+S+N.I.

(a)the period specified in accordance with paragraph 6 has ended,

(b)any appeals against the penalty notice have been decided or otherwise ended,

(c)if the penalty notice has been varied, any appeals against the penalty variation notice have been decided or otherwise ended, and

(d)the period for the person to whom the penalty notice was given to appeal against the penalty, and any variation of it, has ended.

(2)In England and Wales, a penalty is recoverable—

(a)if the county court so orders, as if it were payable under an order of that court;

(b)if the High Court so orders, as if it were payable under an order of that court.

(3)In Scotland, a penalty may be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland.

(4)In Northern Ireland, a penalty is recoverable—

(a)if a county court so orders, as if it were payable under an order of that court;

(b)if the High Court so orders, as if it were payable under an order of that court.

Valid from 23/07/2018

Section 178

SCHEDULE 17E+W+S+N.I.Review of processing of personal data for the purposes of journalism

InterpretationE+W+S+N.I.

1In this Schedule—E+W+S+N.I.

  • relevant period” means—

    (a)

    the period of 18 months beginning when the Commissioner starts the first review under section 178, and

    (b)

    the period of 12 months beginning when the Commissioner starts a subsequent review under that section;

  • the relevant review”, in relation to a relevant period, means the review under section 178 which the Commissioner must produce a report about by the end of that period.

Information noticesE+W+S+N.I.

2(1)This paragraph applies where the Commissioner gives an information notice during a relevant period.E+W+S+N.I.

(2)If the information notice—

(a)states that, in the Commissioner's opinion, the information is required for the purposes of the relevant review, and

(b)gives the Commissioner's reasons for reaching that opinion,

subsections (5) and (6) of section 142 do not apply but the notice must not require the information to be provided before the end of the period of 24 hours beginning when the notice is given.

Assessment noticesE+W+S+N.I.

3(1)Sub-paragraph (2) applies where the Commissioner gives an assessment notice to a person during a relevant period.E+W+S+N.I.

(2)If the assessment notice—

(a)states that, in the Commissioner's opinion, it is necessary for the controller or processor to comply with a requirement in the notice for the purposes of the relevant review, and

(b)gives the Commissioner's reasons for reaching that opinion,

subsections (6) and (7) of section 146 do not apply but the notice must not require the controller or processor to comply with the requirement before the end of the period of 7 days beginning when the notice is given.

(3)During a relevant period, section 147 has effect as if for subsection (5) there were substituted—

(5)The Commissioner may not give a controller or processor an assessment notice with respect to the processing of personal data for the special purposes unless a determination under section 174 with respect to the data or the processing has taken effect.

Applications in respect of urgent noticesE+W+S+N.I.

4Section 164 applies where an information notice or assessment notice contains a statement under paragraph 2(2)(a) or 3(2)(a) as it applies where such a notice contains a statement under section 142(7)(a) or 146(8)(a).E+W+S+N.I.

Section 184

SCHEDULE 18E+W+S+N.I.Relevant records

Prospective

Relevant recordsE+W+S+N.I.

1(1)In section 184, “relevant record” means—E+W+S+N.I.

(a)a relevant health record (see paragraph 2),

(b)a relevant record relating to a conviction or caution (see paragraph 3), or

(c)a relevant record relating to statutory functions (see paragraph 4).

(2)A record is not a “relevant record” to the extent that it relates, or is to relate, only to personal data which falls within section 21(2) (manual unstructured personal data held by FOI public authorities).

Prospective

Relevant health recordsE+W+S+N.I.

2Relevant health record” means a health record which has been or is to be obtained by a data subject in the exercise of a data subject access right.E+W+S+N.I.

Prospective

Relevant records relating to a conviction or cautionE+W+S+N.I.

3(1)Relevant record relating to a conviction or caution” means a record which—E+W+S+N.I.

(a)has been or is to be obtained by a data subject in the exercise of a data subject access right from a person listed in sub-paragraph (2), and

(b)contains information relating to a conviction or caution.

(2)Those persons are—

(a)the chief constable of a police force maintained under section 2 of the Police Act 1996;

(b)the Commissioner of Police of the Metropolis;

(c)the Commissioner of Police for the City of London;

(d)the Chief Constable of the Police Service of Northern Ireland;

(e)the chief constable of the Police Service of Scotland;

(f)the Director General of the National Crime Agency;

(g)the Secretary of State.

(3)In this paragraph—

  • caution” means a caution given to a person in England and Wales or Northern Ireland in respect of an offence which, at the time when the caution is given, is admitted;

  • conviction” has the same meaning as in the Rehabilitation of Offenders Act 1974 or the Rehabilitation of Offenders (Northern Ireland) Order 1978 (S.I. 1978/1908 (N.I. 27)).

Prospective

Relevant records relating to statutory functionsE+W+S+N.I.

4(1)Relevant record relating to statutory functions” means a record which—E+W+S+N.I.

(a)has been or is to be obtained by a data subject in the exercise of a data subject access right from a person listed in sub-paragraph (2), and

(b)contains information relating to a relevant function in relation to that person.

(2)Those persons are—

(a)the Secretary of State;

(b)the Department for Communities in Northern Ireland;

(c)the Department of Justice in Northern Ireland;

(d)the Scottish Ministers;

(e)the Disclosure and Barring Service.

(3)In relation to the Secretary of State, the “relevant functions” are—

(a)the Secretary of State's functions in relation to a person sentenced to detention under—

(i)section 92 of the Powers of Criminal Courts (Sentencing) Act 2000,

(ii)section 205(2) or 208 of the Criminal Procedure (Scotland) Act 1995, or

(iii)Article 45 of the Criminal Justice (Children) (Northern Ireland) Order 1998 (S.I. 1998/1504 (N.I. 9));

(b)the Secretary of State's functions in relation to a person imprisoned or detained under—

(i)the Prison Act 1952,

(ii)the Prisons (Scotland) Act 1989, or

(iii)the Prison Act (Northern Ireland) 1953 (c. 18 (N.I.));

(c)the Secretary of State's functions under—

(i)the Social Security Contributions and Benefits Act 1992,

(ii)the Social Security Administration Act 1992,

(iii)the Jobseekers Act 1995,

(iv)Part 5 of the Police Act 1997,

(v)Part 1 of the Welfare Reform Act 2007, or

(vi)Part 1 of the Welfare Reform Act 2012.

(4)In relation to the Department for Communities in Northern Ireland, the “relevant functions” are its functions under—

(a)the Social Security Contributions and Benefits (Northern Ireland) Act 1992,

(b)the Social Security Administration (Northern Ireland) Act 1992,

(c)the Jobseekers (Northern Ireland) Order 1995 (S.I. 1995/2705 (N.I. 15)), or

(d)Part 1 of the Welfare Reform Act (Northern Ireland) 2007 (c. 2 (N.I.)).

(5)In relation to the Department of Justice in Northern Ireland, the “relevant functions” are its functions under Part 5 of the Police Act 1997.

(6)In relation to the Scottish Ministers, the “relevant functions” are their functions under

(a)Part 5 of the Police Act 1997, or

(b)Parts 1 and 2 of the Protection of Vulnerable Groups (Scotland) Act 2007 (asp 14).

(7)In relation to the Disclosure and Barring Service, the “relevant functions” are its functions under—

(a)Part 5 of the Police Act 1997,

(b)the Safeguarding Vulnerable Groups Act 2006, or

(c)the Safeguarding Vulnerable Groups (Northern Ireland) Order 2007 (S.I. 2007/1351 (N.I. 11)).

Prospective

Data subject access rightE+W+S+N.I.

5In this Schedule, “data subject access right” means a right under—E+W+S+N.I.

(a)Article 15 of the GDPR (right of access by the data subject);

(b)Article 20 of the GDPR (right to data portability);

(c)section 45 of this Act (law enforcement processing: right of access by the data subject);

(d)section 94 of this Act (intelligence services processing: right of access by the data subject).

Prospective

Records stating that personal data is not processedE+W+S+N.I.

6For the purposes of this Schedule, a record which states that a controller is not processing personal data relating to a particular matter is to be taken to be a record containing information relating to that matter.E+W+S+N.I.

Power to amendE+W+S+N.I.

7(1)The Secretary of State may by regulations amend this Schedule.E+W+S+N.I.

(2)Regulations under this paragraph are subject to the affirmative resolution procedure.

Annotations: Help about Annotation
Close

Annotations are used to give authority for changes and other effects on the legislation you are viewing and to convey editorial information. They appear at the foot of the relevant provision or under the associated heading. Annotations are categorised by annotation type, such as F-notes for textual amendments and I-notes for commencement information (a full list can be found in the Editorial Practice Guide). Each annotation is identified by a sequential reference number. For F-notes, M-notes and X-notes, the number also appears in bold superscript at the relevant location in the text. All annotations contain links to the affecting legislation.

Commencement Information

I3Sch. 18 para. 7 in force at Royal Assent for specified purposes, see s. 212(2)(f)

Section 211

SCHEDULE 19E+W+S+N.I.Minor and consequential amendments

PART 1 E+W+S+N.I.Amendments of primary legislation

Prospective

Registration Service Act 1953 (c. 37)E+W+S+N.I.

1(1)Section 19AC of the Registration Service Act 1953 (codes of practice) is amended as follows.E+W+S+N.I.

(2)In subsection (2), for “issued under section 52B (data-sharing code) of the Data Protection Act 1998” substitute “ prepared under section 121 of the Data Protection Act 2018 (data-sharing code) and issued under section 125(4) of that Act ”.

(3)In subsection (11), for “section 51(3) of the Data Protection Act 1998” substitute “ section 128 of the Data Protection Act 2018 ”.

Prospective

Veterinary Surgeons Act 1966 (c. 36)E+W+S+N.I.

2(1)Section 1A of the Veterinary Surgeons Act 1966 (functions of the Royal College of Veterinary Surgeons as competent authority) is amended as follows.E+W+S+N.I.

(2)In subsection (8)—

(a)omit “personal data protection legislation in the United Kingdom that implements”,

(b)for paragraph (a) substitute—

(a)the GDPR; and, and

(c)in paragraph (b), at the beginning insert “ legislation in the United Kingdom that implements ”.

(3)In subsection (9), after “section” insert

the GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), read with Chapter 2 of Part 2 of the Data Protection Act 2018;.

Prospective

Parliamentary Commissioner Act 1967 (c. 13)E+W+S+N.I.

3In section 11AA(1) of the Parliamentary Commissioner Act 1967 (disclosure of information by Parliamentary Commissioner to Information Commissioner)—E+W+S+N.I.

(a)in paragraph (a), for sub-paragraph (i) substitute—

(i)sections 142 to 154, 160 to 164 or 174 to 176 of, or Schedule 15 to, the D