- Latest available (Revised)
- Original (As enacted)
Data Protection Act 2018, PART 2 is up to date with all changes known to be in force on or before 27 July 2024. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations.
Revised legislation carried on this site may not be fully up to date. Changes and effects are recorded by our editorial team in lists which can be found in the ‘Changes to Legislation’ area. Where those effects have yet to be applied to the text of the legislation by the editorial team they are also listed alongside the legislation in the affected provisions. Use the ‘more’ link to open the changes and effects relevant to the provision you are viewing.
Whole provisions yet to be inserted into this Act (including any effects on those provisions):
2(1)In this Part of this Schedule—U.K.
“the appropriate health professional”, in relation to a question as to whether the serious harm test is met with respect to data concerning health, means—
the health professional who is currently or was most recently responsible for the diagnosis, care or treatment of the data subject in connection with the matters to which the data relates,
where there is more than one such health professional, the health professional who is the most suitable to provide an opinion on the question, or
a health professional who has the necessary experience and qualifications to provide an opinion on the question, where—
there is no health professional available falling within paragraph (a) or (b), or
the controller is the Secretary of State and data is processed in connection with the exercise of the functions conferred on the Secretary of State by or under the Child Support Act 1991 and the Child Support Act 1995, or the Secretary of State's functions in relation to social security or war pensions, or
the controller is the Department for Communities in Northern Ireland and data is processed in connection with the exercise of the functions conferred on the Department by or under the Child Support (Northern Ireland) Order 1991 (S.I. 1991/2628 (N.I. 23)) and the Child Support (Northern Ireland) Order 1995 (S.I. 1995/2702 (N.I. 13));
“war pension” has the same meaning as in section 25 of the Social Security Act 1989 (establishment and functions of war pensions committees).
(2)For the purposes of this Part of this Schedule, the “serious harm test” is met with respect to data concerning health if the application of Article 15 of the [F1UK GDPR] to the data would be likely to cause serious harm to the physical or mental health of the data subject or another individual.
Textual Amendments
F1Words in Sch. 3 para. 2(2) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(5) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
3(1)The listed GDPR provisions do not apply to data concerning health if—U.K.
(a)it is processed by a court,
(b)it consists of information supplied in a report or other evidence given to the court in the course of proceedings to which rules listed in subparagraph (2) apply, and
(c)in accordance with those rules, the data may be withheld by the court in whole or in part from the data subject.
(2)Those rules are—
(a)the Magistrates' Courts (Children and Young Persons) Rules (Northern Ireland) 1969 (S.R. (N.I.) 1969 No. 221);
(b)the Magistrates' Courts (Children and Young Persons) Rules 1992 (S.I. 1992/2071 (L. 17));
(c)the Family Proceedings Rules (Northern Ireland) 1996 (S.R. (N.I.) 1996 No. 322);
(d)the Magistrates' Courts (Children (Northern Ireland) Order 1995) Rules (Northern Ireland) 1996 (S.R. (N. I.) 1996 No. 323);
(e)the Act of Sederunt (Child Care and Maintenance Rules) 1997 (S.I. 1997/291 (S. 19));
(f)the Sheriff Court Adoption Rules 2009;
(g)the Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17));
(h)the Children's Hearings (Scotland) Act 2011 (Rules of Procedure in Children's Hearings) Rules 2013 (S.S.I. 2013/194).
4(1)This paragraph applies where a request for data concerning health is made in exercise of a power conferred by an enactment or rule of law and—U.K.
(a)in relation to England and Wales or Northern Ireland, the data subject is an individual aged under 18 and the person making the request has parental responsibility for the data subject,
(b)in relation to Scotland, the data subject is an individual aged under 16 and the person making the request has parental responsibilities for the data subject, or
(c)the data subject is incapable of managing his or her own affairs and the person making the request has been appointed by a court to manage those affairs.
(2)The listed GDPR provisions do not apply to data concerning health to the extent that complying with the request would disclose information—
(a)which was provided by the data subject in the expectation that it would not be disclosed to the person making the request,
(b)which was obtained as a result of any examination or investigation to which the data subject consented in the expectation that the information would not be so disclosed, or
(c)which the data subject has expressly indicated should not be so disclosed.
(3)The exemptions under sub-paragraph (2)(a) and (b) do not apply if the data subject has expressly indicated that he or she no longer has the expectation mentioned there.
Textual Amendments
F2Words in Sch. 3 para. 5 cross-heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(6) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
5(1)Article 15(1) to (3) of the [F3UK GDPR] (confirmation of processing, access to data and safeguards for third country transfers) do not apply to data concerning health to the extent that the serious harm test is met with respect to the data.U.K.
(2)A controller who is not a health professional may not rely on sub-paragraph (1) to withhold data concerning health unless the controller has obtained an opinion from the person who appears to the controller to be the appropriate health professional to the effect that the serious harm test is met with respect to the data.
(3)An opinion does not count for the purposes of sub-paragraph (2) if—
(a)it was obtained before the beginning of the relevant period, or
(b)it was obtained during that period but it is reasonable in all the circumstances to re-consult the appropriate health professional.
(4)In this paragraph, “the relevant period” means the period of 6 months ending with the day on which the opinion would be relied on.
Textual Amendments
F3Words in Sch. 3 para. 5(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(7) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
Textual Amendments
F4Words in Sch. 3 para. 6 cross-heading substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(8) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
6(1)Article 15(1) to (3) of the [F5UK GDPR] (confirmation of processing, access to data and safeguards for third country transfers) do not permit the disclosure of data concerning health by a controller who is not a health professional unless the controller has obtained an opinion from the person who appears to the controller to be the appropriate health professional to the effect that the serious harm test is not met with respect to the data.U.K.
(2)Sub-paragraph (1) does not apply to the extent that the controller is satisfied that the data concerning health has already been seen by, or is within the knowledge of, the data subject.
(3)An opinion does not count for the purposes of sub-paragraph (1) if—
(a)it was obtained before the beginning of the relevant period, or
(b)it was obtained during that period but it is reasonable in all the circumstances to re-consult the appropriate health professional.
(4)In this paragraph, “the relevant period” means the period of 6 months ending with the day on which the opinion would be relied on.
Textual Amendments
F5Words in Sch. 3 para. 6(1) substituted (31.12.2020) by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (S.I. 2019/419), reg. 1(2), Sch. 2 para. 93(9) (with reg. 5); 2020 c. 1, Sch. 5 para. 1(1)
The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Whole Act you have selected contains over 200 provisions and might take some time to download.
Would you like to continue?
The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.
Original (As Enacted or Made): The original version of the legislation as it stood when it was enacted or made. No changes have been applied to the text.
Geographical Extent: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.
Show Timeline of Changes: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.
Text created by the government department responsible for the subject matter of the Act to explain what the Act sets out to achieve and to make the Act accessible to readers who are not legally qualified. Explanatory Notes were introduced in 1999 and accompany all Public Acts except Appropriation, Consolidated Fund, Finance and Consolidation Acts.
Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:
This timeline shows the different points in time where a change occurred. The dates will coincide with the earliest date on which the change (e.g an insertion, a repeal or a substitution) that was applied came into force. The first date in the timeline will usually be the earliest date when the provision came into force. In some cases the first date is 01/02/1991 (or for Northern Ireland legislation 01/01/2006). This date is our basedate. No versions before this date are available. For further information see the Editorial Practice Guide and Glossary under Help.
Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:
Click 'View More' or select 'More Resources' tab for additional information including: