Data Protection Act 2018

CHAPTER 6U.K.Supplementary

[F178ANational security exemptionU.K.

(1)A provision mentioned in subsection (2) does not apply to personal data processed for law enforcement purposes if exemption from the provision is required for the purposes of safeguarding national security.

(2)The provisions are—

(a)Chapter 2 of this Part (principles), except for the provisions listed in subsection (3);

(b)Chapter 3 of this Part (rights of the data subject);

(c)in Chapter 4 of this Part—

(i)section 67 (notification of personal data breach to the Commissioner);

(ii)section 68 (communication of personal data breach to the data subject);

(d)Chapter 5 of this Part (transfers of personal data to third countries etc), except for the provisions listed in subsection (4);

(e)in Part 5—

(i)section 119 (inspection in accordance with international obligations);

(ii)in Schedule 13 (other general functions of the Commissioner), paragraphs 1(1)(a) and (g) and 2;

(f)in Part 6—

(i)sections 142 to 154 and Schedule 15 (Commissioner’s notices and powers of entry and inspection);

(ii)sections 170 to 173 (offences relating to personal data);

(g)in Part 7, section 187 (representation of data subjects).

(3)The provisions of Chapter 2 of this Part (principles) which are excepted from the list in subsection (2) are—

(a)section 35(1) (the first data protection principle) so far as it requires processing of personal data to be lawful;

(b)section 35(2) to (5) (lawfulness of processing and restrictions on sensitive processing);

(c)section 42 (safeguards: sensitive processing);

(d)Schedule 8 (conditions for sensitive processing).

(4)The provisions of Chapter 5 of this Part (transfers of personal data to third countries etc) which are excepted from the list in subsection (2) are—

(a)the following provisions of section 73—

(i)subsection (1)(a) (conditions for transfer), so far as it relates to the condition in subsection (2) of that section, and subsection (2) (transfer must be necessary for a law enforcement purpose);

(ii)subsections (1)(b), (5) and (6) (conditions for transfer of personal data originally made available by a member State);

(b)section 78 (subsequent transfers).]

79National security: certificateU.K.

F2(1). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F2(2). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F2(3). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

[F3(3A)Subject to subsection (5), a certificate signed by a Minister of the Crown certifying that exemption from all or any of the provisions listed in section 78A(2) is, or at any time was, required in relation to any personal data for the purposes of safeguarding national security is conclusive evidence of that fact.]

(4)A certificate issued under [F4subsection (3A)—

(a)may identify the personal data to which it applies by means of a general description, and

(b)]may be expressed to have prospective effect.

(5)Any person directly affected by the issuing of a certificate under [F5subsection (3A)] may appeal to the Tribunal against the certificate.

(6)If, on an appeal under subsection (5), the Tribunal finds that, applying the principles applied by a court on an application for judicial review, the Minister did not have reasonable grounds for issuing the certificate, the Tribunal may —

(a)allow the appeal, and

(b)quash the certificate.

(7)Where in any proceedings under or by virtue of this Act, it is claimed by a controller that [F6a certificate under subsection (3A) which identifies the personal data to which it applies by means of a general description applies to any personal data], any other party to the proceedings may appeal to the Tribunal on the ground that [F7the certificate does not apply to the personal data in question].

(8)But, subject to any determination under subsection (9), [F8the certificate] is to be conclusively presumed [F9so to apply].

(9)On an appeal under subsection (7), the Tribunal may determine that the certificate does not so apply.

(10)A document purporting to be a certificate under [F10subsection (3A)] is to be—

(a)received in evidence, and

(b)deemed to be such a certificate unless the contrary is proved.

(11)A document which purports to be certified by or on behalf of a Minister of the Crown as a true copy of a certificate issued by that Minister under [F11subsection (3A)] is—

(a)in any legal proceedings, evidence of that certificate, and

(b)in any legal proceedings in Scotland, sufficient evidence of that certificate.

(12)The power conferred by [F12subsection (3A)] on a Minister of the Crown is exercisable only by—

(a)a Minister who is a member of the Cabinet, or

(b)the Attorney General or the Advocate General for Scotland.

F13(13). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

80Special processing restrictionsU.K.

(1)Subsections (3) and (4) apply where, for a law enforcement purpose, a controller transmits or otherwise makes available personal data to [F14a non-UK recipient].

(2)In this section—

• F15...

• “[F16non-UK recipient]” means—

  (a)

  a recipient in a third country, or

  (b)

  an international organisation.

(3)The controller must consider whether, if the personal data had instead been transmitted or otherwise made available within the United Kingdom to another competent authority, processing of the data by the other competent authority would have been subject to any restrictions by virtue of any enactment or rule of law.

(4)Where that would be the case, the controller must inform [F17the non-UK recipient] that the data is transmitted or otherwise made available subject to compliance by that person with the same restrictions (which must be set out in the information given to that person).

F18(5). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F18(6). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

F18(7). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

81Reporting of infringementsU.K.

(1)Each controller must implement effective mechanisms to encourage the reporting of an infringement of this Part.

(2)The mechanisms implemented under subsection (1) must provide that an infringement may be reported to any of the following persons—

(a)the controller;

(b)the Commissioner.

(3)The mechanisms implemented under subsection (1) must include—

(a)raising awareness of the protections provided by Part 4A of the Employment Rights Act 1996 and Part 5A of the Employment Rights (Northern Ireland) Order 1996 (S.I. 1996/1919 (N.I. 16)), and

(b)such other protections for a person who reports an infringement of this Part as the controller considers appropriate.

(4)A person who reports an infringement of this Part does not breach—

(a)an obligation of confidence owed by the person, or

(b)any other restriction on the disclosure of information (however imposed).

(5)Subsection (4) does not apply if or to the extent that the report includes a disclosure which is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016.

(6)Until the repeal of Part 1 of the Regulation of Investigatory Powers Act 2000 by paragraphs 45 and 54 of Schedule 10 to the Investigatory Powers Act 2016 is fully in force, subsection (5) has effect as if it included a reference to that Part.