xmlns:atom="http://www.w3.org/2005/Atom" xmlns:atom="http://www.w3.org/2005/Atom"
5(1)Except as otherwise provided, a condition in this Part of this Schedule is met only if, when the processing is carried out, the controller has an appropriate policy document in place (see paragraph 39 in Part 4 of this Schedule).U.K.
(2)See also the additional safeguards in Part 4 of this Schedule.
6(1)This condition is met if the processing—U.K.
(a)is necessary for a purpose listed in sub-paragraph (2), and
(b)is necessary for reasons of substantial public interest.
(2)Those purposes are—
(a)the exercise of a function conferred on a person by an enactment or rule of law;
(b)the exercise of a function of the Crown, a Minister of the Crown or a government department.
7U.K.This condition is met if the processing is necessary—
(a)for the administration of justice, or
(b)for the exercise of a function of either House of Parliament.
8(1)This condition is met if the processing—U.K.
(a)is of a specified category of personal data, and
(b)is necessary for the purposes of identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category with a view to enabling such equality to be promoted or maintained,
subject to the exceptions in sub-paragraphs (3) to (5).
(2)In sub-paragraph (1), “specified” means specified in the following table—
Category of personal data | Groups of people (in relation to a category of personal data) |
---|---|
Personal data revealing racial or ethnic origin | People of different racial or ethnic origins |
Personal data revealing religious or philosophical beliefs | People holding different religious or philosophical beliefs |
Data concerning health | People with different states of physical or mental health |
Personal data concerning an individual's sexual orientation | People of different sexual orientation |
(3)Processing does not meet the condition in sub-paragraph (1) if it is carried out for the purposes of measures or decisions with respect to a particular data subject.
(4)Processing does not meet the condition in sub-paragraph (1) if it is likely to cause substantial damage or substantial distress to an individual.
(5)Processing does not meet the condition in sub-paragraph (1) if—
(a)an individual who is the data subject (or one of the data subjects) has given notice in writing to the controller requiring the controller not to process personal data in respect of which the individual is the data subject (and has not given notice in writing withdrawing that requirement),
(b)the notice gave the controller a reasonable period in which to stop processing such data, and
(c)that period has ended.
9(1)This condition is met if the processing—U.K.
(a)is of personal data revealing racial or ethnic origin,
(b)is carried out as part of a process of identifying suitable individuals to hold senior positions in a particular organisation, a type of organisation or organisations generally,
(c)is necessary for the purposes of promoting or maintaining diversity in the racial and ethnic origins of individuals who hold senior positions in the organisation or organisations, and
(d)can reasonably be carried out without the consent of the data subject,
subject to the exception in sub-paragraph (3).
(2)For the purposes of sub-paragraph (1)(d), processing can reasonably be carried out without the consent of the data subject only where—
(a)the controller cannot reasonably be expected to obtain the consent of the data subject, and
(b)the controller is not aware of the data subject withholding consent.
(3)Processing does not meet the condition in sub-paragraph (1) if it is likely to cause substantial damage or substantial distress to an individual.
(4)For the purposes of this paragraph, an individual holds a senior position in an organisation if the individual—
(a)holds a position listed in sub-paragraph (5), or
(b)does not hold such a position but is a senior manager of the organisation.
(5)Those positions are—
(a)a director, secretary or other similar officer of a body corporate;
(b)a member of a limited liability partnership;
(c)a partner in a partnership within the Partnership Act 1890, a limited partnership registered under the Limited Partnerships Act 1907 or an entity of a similar character formed under the law of a country or territory outside the United Kingdom.
(6)In this paragraph, “senior manager”, in relation to an organisation, means a person who plays a significant role in—
(a)the making of decisions about how the whole or a substantial part of the organisation's activities are to be managed or organised, or
(b)the actual managing or organising of the whole or a substantial part of those activities.
(7)The reference in sub-paragraph (2)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.
10(1)This condition is met if the processing—U.K.
(a)is necessary for the purposes of the prevention or detection of an unlawful act,
(b)must be carried out without the consent of the data subject so as not to prejudice those purposes, and
(c)is necessary for reasons of substantial public interest.
(2)If the processing consists of the disclosure of personal data to a competent authority, or is carried out in preparation for such disclosure, the condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).
(3)In this paragraph—
“act” includes a failure to act;
“competent authority” has the same meaning as in Part 3 of this Act (see section 30).
11(1)This condition is met if the processing—U.K.
(a)is necessary for the exercise of a protective function,
(b)must be carried out without the consent of the data subject so as not to prejudice the exercise of that function, and
(c)is necessary for reasons of substantial public interest.
(2)In this paragraph, “protective function” means a function which is intended to protect members of the public against—
(a)dishonesty, malpractice or other seriously improper conduct,
(b)unfitness or incompetence,
(c)mismanagement in the administration of a body or association, or
(d)failures in services provided by a body or association.
12(1)This condition is met if—U.K.
(a)the processing is necessary for the purposes of complying with, or assisting other persons to comply with, a regulatory requirement which involves a person taking steps to establish whether another person has—
(i)committed an unlawful act, or
(ii)been involved in dishonesty, malpractice or other seriously improper conduct,
(b)in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing, and
(c)the processing is necessary for reasons of substantial public interest.
(2)In this paragraph—
“act” includes a failure to act;
“regulatory requirement” means—
a requirement imposed by legislation or by a person in exercise of a function conferred by legislation, or
a requirement forming part of generally accepted principles of good practice relating to a type of body or an activity.
13(1)This condition is met if—U.K.
(a)the processing consists of the disclosure of personal data for the special purposes,
(b)it is carried out in connection with a matter described in sub-paragraph (2),
(c)it is necessary for reasons of substantial public interest,
(d)it is carried out with a view to the publication of the personal data by any person, and
(e)the controller reasonably believes that publication of the personal data would be in the public interest.
(2)The matters mentioned in sub-paragraph (1)(b) are any of the following (whether alleged or established)—
(a)the commission of an unlawful act by a person;
(b)dishonesty, malpractice or other seriously improper conduct of a person;
(c)unfitness or incompetence of a person;
(d)mismanagement in the administration of a body or association;
(e)a failure in services provided by a body or association.
(3)The condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).
(4)In this paragraph—
“act” includes a failure to act;
“the special purposes” means—
the purposes of journalism;
academic purposes;
artistic purposes;
literary purposes.
14(1)This condition is met if the processing—U.K.
(a)is necessary for the purposes of preventing fraud or a particular kind of fraud, and
(b)consists of—
(i)the disclosure of personal data by a person as a member of an anti-fraud organisation,
(ii)the disclosure of personal data in accordance with arrangements made by an anti-fraud organisation, or
(iii)the processing of personal data disclosed as described in sub-paragraph (i) or (ii).
(2)In this paragraph, “anti-fraud organisation” has the same meaning as in section 68 of the Serious Crime Act 2007.
15U.K.This condition is met if the processing is necessary for the purposes of making a disclosure in good faith under either of the following—
(a)section 21CA of the Terrorism Act 2000 (disclosures between certain entities within regulated sector in relation to suspicion of commission of terrorist financing offence or for purposes of identifying terrorist property);
(b)section 339ZB of the Proceeds of Crime Act 2002 (disclosures within regulated sector in relation to suspicion of money laundering).
16(1)This condition is met if the processing—U.K.
(a)is carried out by a not-for-profit body which provides support to individuals with a particular disability or medical condition,
(b)is of a type of personal data falling within sub-paragraph (2) which relates to an individual falling within sub-paragraph (3),
(c)is necessary for the purposes of—
(i)raising awareness of the disability or medical condition, or
(ii)providing support to individuals falling within sub-paragraph (3) or enabling such individuals to provide support to each other,
(d)can reasonably be carried out without the consent of the data subject, and
(e)is necessary for reasons of substantial public interest.
(2)The following types of personal data fall within this sub-paragraph—
(a)personal data revealing racial or ethnic origin;
(b)genetic data or biometric data;
(c)data concerning health;
(d)personal data concerning an individual's sex life or sexual orientation.
(3)An individual falls within this sub-paragraph if the individual is or has been a member of the body mentioned in sub-paragraph (1)(a) and—
(a)has the disability or condition mentioned there, has had that disability or condition or has a significant risk of developing that disability or condition, or
(b)is a relative or carer of an individual who satisfies paragraph (a) of this sub-paragraph.
(4)For the purposes of sub-paragraph (1)(d), processing can reasonably be carried out without the consent of the data subject only where—
(a)the controller cannot reasonably be expected to obtain the consent of the data subject, and
(b)the controller is not aware of the data subject withholding consent.
(5)In this paragraph—
“carer” means an individual who provides or intends to provide care for another individual other than—
under or by virtue of a contract, or
as voluntary work;
“disability” has the same meaning as in the Equality Act 2010 (see section 6 of, and Schedule 1 to, that Act).
(6)The reference in sub-paragraph (4)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.
17(1)This condition is met if the processing—U.K.
(a)is necessary for the provision of confidential counselling, advice or support or of another similar service provided confidentially,
(b)is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and
(c)is necessary for reasons of substantial public interest.
(2)The reasons mentioned in sub-paragraph (1)(b) are—
(a)in the circumstances, consent to the processing cannot be given by the data subject;
(b)in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;
(c)the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the service mentioned in sub-paragraph (1)(a).
18(1)This condition is met if—U.K.
(a)the processing is necessary for the purposes of—
(i)protecting an individual from neglect or physical, mental or emotional harm, or
(ii)protecting the physical, mental or emotional well-being of an individual,
(b)the individual is—
(i)aged under 18, or
(ii)aged 18 or over and at risk,
(c)the processing is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and
(d)the processing is necessary for reasons of substantial public interest.
(2)The reasons mentioned in sub-paragraph (1)(c) are—
(a)in the circumstances, consent to the processing cannot be given by the data subject;
(b)in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;
(c)the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection mentioned in sub-paragraph (1)(a).
(3)For the purposes of this paragraph, an individual aged 18 or over is “at risk” if the controller has reasonable cause to suspect that the individual—
(a)has needs for care and support,
(b)is experiencing, or at risk of, neglect or physical, mental or emotional harm, and
(c)as a result of those needs is unable to protect himself or herself against the neglect or harm or the risk of it.
(4)In sub-paragraph (1)(a), the reference to the protection of an individual or of the well-being of an individual includes both protection relating to a particular individual and protection relating to a type of individual.
19(1)This condition is met if the processing—U.K.
(a)is necessary for the purposes of protecting the economic well-being of an individual at economic risk who is aged 18 or over,
(b)is of data concerning health,
(c)is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and
(d)is necessary for reasons of substantial public interest.
(2)The reasons mentioned in sub-paragraph (1)(c) are—
(a)in the circumstances, consent to the processing cannot be given by the data subject;
(b)in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;
(c)the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection mentioned in sub-paragraph (1)(a).
(3)In this paragraph, “individual at economic risk” means an individual who is less able to protect his or her economic well-being by reason of physical or mental injury, illness or disability.
20(1)This condition is met if the processing—U.K.
(a)is necessary for an insurance purpose,
(b)is of personal data revealing racial or ethnic origin, religious or philosophical beliefs or trade union membership, genetic data or data concerning health, and
(c)is necessary for reasons of substantial public interest,
subject to sub-paragraphs (2) and (3).
(2)Sub-paragraph (3) applies where—
(a)the processing is not carried out for the purposes of measures or decisions with respect to the data subject, and
(b)the data subject does not have and is not expected to acquire—
(i)rights against, or obligations in relation to, a person who is an insured person under an insurance contract to which the insurance purpose mentioned in sub-paragraph (1)(a) relates, or
(ii)other rights or obligations in connection with such a contract.
(3)Where this sub-paragraph applies, the processing does not meet the condition in sub-paragraph (1) unless, in addition to meeting the requirements in that sub-paragraph, it can reasonably be carried out without the consent of the data subject.
(4)For the purposes of sub-paragraph (3), processing can reasonably be carried out without the consent of the data subject only where—
(a)the controller cannot reasonably be expected to obtain the consent of the data subject, and
(b)the controller is not aware of the data subject withholding consent.
(5)In this paragraph—
“insurance contract” means a contract of general insurance or long-term insurance;
“insurance purpose” means—
advising on, arranging, underwriting or administering an insurance contract,
administering a claim under an insurance contract, or
exercising a right, or complying with an obligation, arising in connection with an insurance contract, including a right or obligation arising under an enactment or rule of law.
(6)The reference in sub-paragraph (4)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.
(7)Terms used in the definition of “insurance contract” in sub-paragraph (5) and also in an order made under section 22 of the Financial Services and Markets Act 2000 (regulated activities) have the same meaning in that definition as they have in that order.
21(1)This condition is met if the processing—U.K.
(a)is necessary for the purpose of making a determination in connection with eligibility for, or benefits payable under, an occupational pension scheme,
(b)is of data concerning health which relates to a data subject who is the parent, grandparent, great-grandparent or sibling of a member of the scheme,
(c)is not carried out for the purposes of measures or decisions with respect to the data subject, and
(d)can reasonably be carried out without the consent of the data subject.
(2)For the purposes of sub-paragraph (1)(d), processing can reasonably be carried out without the consent of the data subject only where—
(a)the controller cannot reasonably be expected to obtain the consent of the data subject, and
(b)the controller is not aware of the data subject withholding consent.
(3)In this paragraph—
“occupational pension scheme” has the meaning given in section 1 of the Pension Schemes Act 1993;
“member”, in relation to a scheme, includes an individual who is seeking to become a member of the scheme.
(4)The reference in sub-paragraph (2)(b) to a data subject withholding consent does not include a data subject merely failing to respond to a request for consent.
22(1)This condition is met if the processing—U.K.
(a)is of personal data revealing political opinions,
(b)is carried out by a person or organisation included in the register maintained under section 23 of the Political Parties, Elections and Referendums Act 2000, and
(c)is necessary for the purposes of the person's or organisation's political activities,
subject to the exceptions in sub-paragraphs (2) and (3).
(2)Processing does not meet the condition in sub-paragraph (1) if it is likely to cause substantial damage or substantial distress to a person.
(3)Processing does not meet the condition in sub-paragraph (1) if—
(a)an individual who is the data subject (or one of the data subjects) has given notice in writing to the controller requiring the controller not to process personal data in respect of which the individual is the data subject (and has not given notice in writing withdrawing that requirement),
(b)the notice gave the controller a reasonable period in which to stop processing such data, and
(c)that period has ended.
(4)In this paragraph, “political activities” include campaigning, fund-raising, political surveys and case-work.
23(1)This condition is met if—U.K.
(a)the processing is carried out—
(i)by an elected representative or a person acting with the authority of such a representative,
(ii)in connection with the discharge of the elected representative's functions, and
(iii)in response to a request by an individual that the elected representative take action on behalf of the individual, and
(b)the processing is necessary for the purposes of, or in connection with, the action reasonably taken by the elected representative in response to that request,
subject to sub-paragraph (2).
(2)Where the request is made by an individual other than the data subject, the condition in sub-paragraph (1) is met only if the processing must be carried out without the consent of the data subject for one of the following reasons—
(a)in the circumstances, consent to the processing cannot be given by the data subject;
(b)in the circumstances, the elected representative cannot reasonably be expected to obtain the consent of the data subject to the processing;
(c)obtaining the consent of the data subject would prejudice the action taken by the elected representative;
(d)the processing is necessary in the interests of another individual and the data subject has withheld consent unreasonably.
(3)In this paragraph, “elected representative” means—
(a)a member of the House of Commons;
(b)a member of the National Assembly for Wales;
(c)a member of the Scottish Parliament;
(d)a member of the Northern Ireland Assembly;
F1(e). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
(f)an elected member of a local authority within the meaning of section 270(1) of the Local Government Act 1972, namely—
(i)in England, a county council, a district council, a London borough council or a parish council;
(ii)in Wales, a county council, a county borough council or a community council;
(g)an elected mayor of a local authority within the meaning of Part 1A or 2 of the Local Government Act 2000;
(h)a mayor for the area of a combined authority established under section 103 of the Local Democracy, Economic Development and Construction Act 2009;
[F2(ha)a mayor for the area of a combined county authority established under section 9(1) of the Levelling-up and Regeneration Act 2023;]
(i)the Mayor of London or an elected member of the London Assembly;
(j)an elected member of—
(i)the Common Council of the City of London, or
(ii)the Council of the Isles of Scilly;
(k)an elected member of a council constituted under section 2 of the Local Government etc (Scotland) Act 1994;
(l)an elected member of a district council within the meaning of the Local Government Act (Northern Ireland) 1972 (c. 9 (N.I.));
(m)a police and crime commissioner.
(4)For the purposes of sub-paragraph (3), a person who is—
(a)a member of the House of Commons immediately before Parliament is dissolved,
(b)a member of the National Assembly for Wales immediately before that Assembly is dissolved,
(c)a member of the Scottish Parliament immediately before that Parliament is dissolved, or
(d)a member of the Northern Ireland Assembly immediately before that Assembly is dissolved,
is to be treated as if the person were such a member until the end of the fourth day after the day on which the subsequent general election in relation to that Parliament or Assembly is held.
(5)For the purposes of sub-paragraph (3), a person who is an elected member of the Common Council of the City of London and whose term of office comes to an end at the end of the day preceding the annual Wardmotes is to be treated as if he or she were such a member until the end of the fourth day after the day on which those Wardmotes are held.
Textual Amendments
F1Sch. 1 para. 23(3)(e) repealed (31.12.2020) by The European Parliamentary Elections Etc. (Repeal, Revocation, Amendment and Saving Provisions) (United Kingdom and Gibraltar) (EU Exit) Regulations 2018 (S.I. 2018/1310), reg. 1, Sch. 1 Pt. 1 (as amended by S.I. 2019/1389, regs. 1, 2(2))
F2Sch. 1 para. 23(3)(ha) inserted (E.W.) (26.12.2023) by Levelling-up and Regeneration Act 2023 (c. 55), s. 255(2)(c), Sch. 4 para. 217 (with s. 247)
24(1)This condition is met if—U.K.
(a)the processing consists of the disclosure of personal data—
(i)to an elected representative or a person acting with the authority of such a representative, and
(ii)in response to a communication to the controller from that representative or person which was made in response to a request from an individual,
(b)the personal data is relevant to the subject matter of that communication, and
(c)the disclosure is necessary for the purpose of responding to that communication,
subject to sub-paragraph (2).
(2)Where the request to the elected representative came from an individual other than the data subject, the condition in sub-paragraph (1) is met only if the disclosure must be made without the consent of the data subject for one of the following reasons—
(a)in the circumstances, consent to the processing cannot be given by the data subject;
(b)in the circumstances, the elected representative cannot reasonably be expected to obtain the consent of the data subject to the processing;
(c)obtaining the consent of the data subject would prejudice the action taken by the elected representative;
(d)the processing is necessary in the interests of another individual and the data subject has withheld consent unreasonably.
(3)In this paragraph, “elected representative” has the same meaning as in paragraph 23.
25(1)This condition is met if—U.K.
(a)the processing consists of the processing of personal data about a prisoner for the purpose of informing a member of the House of Commons, a member of the National Assembly for Wales or a member of the Scottish Parliament about the prisoner, and
(b)the member is under an obligation not to further disclose the personal data.
(2)The references in sub-paragraph (1) to personal data about, and to informing someone about, a prisoner include personal data about, and informing someone about, arrangements for the prisoner's release.
(3)In this paragraph—
“prison” includes a young offender institution, a remand centre, a secure training centre or a secure college;
“prisoner” means a person detained in a prison.
26U.K.This condition is met if the processing—
(a)consists of the publication of a judgment or other decision of a court or tribunal, or
(b)is necessary for the purposes of publishing such a judgment or decision.
27(1)This condition is met if the processing is necessary—U.K.
(a)for the purposes of measures designed to eliminate doping which are undertaken by or under the responsibility of a body or association that is responsible for eliminating doping in a sport, at a sporting event or in sport generally, or
(b)for the purposes of providing information about doping, or suspected doping, to such a body or association.
(2)The reference in sub-paragraph (1)(a) to measures designed to eliminate doping includes measures designed to identify or prevent doping.
(3)If the processing consists of the disclosure of personal data to a body or association described in sub-paragraph (1)(a), or is carried out in preparation for such disclosure, the condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).
28(1)This condition is met if the processing—U.K.
(a)is necessary for the purposes of measures designed to protect the integrity of a sport or a sporting event,
(b)must be carried out without the consent of the data subject so as not to prejudice those purposes, and
(c)is necessary for reasons of substantial public interest.
(2)In sub-paragraph (1)(a), the reference to measures designed to protect the integrity of a sport or a sporting event is a reference to measures designed to protect a sport or a sporting event against—
(a)dishonesty, malpractice or other seriously improper conduct, or
(b)failure by a person participating in the sport or event in any capacity to comply with standards of behaviour set by a body or association with responsibility for the sport or event.