Data Protection Act 2018

CHAPTER 6U.K.Exemptions

110National securityU.K.

(1)A provision mentioned in subsection (2) does not apply to personal data to which this Part applies if exemption from the provision is required for the purpose of safeguarding national security.

(2)The provisions are—

(a)Chapter 2 (the data protection principles), except section 86(1)(a) and (2) and Schedules 9 and 10;

(b)Chapter 3 (rights of data subjects);

(c)in Chapter 4 , section 108 (communication of a personal data breach to the Commissioner);

(d)in Part 5—

(i)section 119 (inspection in accordance with international obligations);

(ii)in Schedule 13 (other general functions of the Commissioner), paragraphs 1(a) and (g) and 2;

(e)in Part 6—

(i)sections 142 to 154 and Schedule 15 (Commissioner's notices and powers of entry and inspection);

(ii)sections 170 to 173 (offences relating to personal data);

(iii)sections 174 to 176 (provision relating to the special purposes).

111National security: certificateU.K.

(1)Subject to subsection (3), a certificate signed by a Minister of the Crown certifying that exemption from all or any of the provisions mentioned in section 110(2) is, or at any time was, required for the purpose of safeguarding national security in respect of any personal data is conclusive evidence of that fact.

(2)A certificate under subsection (1)—

(a)may identify the personal data to which it applies by means of a general description, and

(b)may be expressed to have prospective effect.

(3)Any person directly affected by the issuing of a certificate under subsection (1) may appeal to the Tribunal against the certificate.

(4)If on an appeal under subsection (3), the Tribunal finds that, applying the principles applied by a court on an application for judicial review, the Minister did not have reasonable grounds for issuing the certificate, the Tribunal may—

(a)allow the appeal, and

(b)quash the certificate.

(5)Where, in any proceedings under or by virtue of this Act, it is claimed by a controller that a certificate under subsection (1) which identifies the personal data to which it applies by means of a general description applies to any personal data, another party to the proceedings may appeal to the Tribunal on the ground that the certificate does not apply to the personal data in question.

(6)But, subject to any determination under subsection (7), the certificate is to be conclusively presumed so to apply.

(7)On an appeal under subsection (5), the Tribunal may determine that the certificate does not so apply.

(8)A document purporting to be a certificate under subsection (1) is to be—

(a)received in evidence, and

(b)deemed to be such a certificate unless the contrary is proved.

(9)A document which purports to be certified by or on behalf of a Minister of the Crown as a true copy of a certificate issued by that Minister under subsection (1) is—

(a)in any legal proceedings, evidence of that certificate, and

(b)in any legal proceedings in Scotland, sufficient evidence of that certificate.

(10)The power conferred by subsection (1) on a Minister of the Crown is exercisable only by—

(a)a Minister who is a member of the Cabinet, or

(b)the Attorney General or the Advocate General for Scotland.

112Other exemptionsU.K.

Schedule 11 provides for further exemptions.

113Power to make further exemptionsU.K.

(1)The Secretary of State may by regulations amend Schedule 11—

(a)by adding exemptions from any provision of this Part;

(b)by omitting exemptions added by regulations under paragraph (a).

(2)Regulations under this section are subject to the affirmative resolution procedure.