Data (Use And Access) Act 2025

Part 5: Data Protection and Privacy

Chapter 1: Data Protection

Terms used in this Chapter

Section 66: The 2018 Act and the UK GDPR

  1. Section 66 sets out the meaning of "the 2018 Act" and "the UK GDPR" in Chapter 1 of Part 5 of the Act.

Definitions in the UK GDPR and the 2018 Act

Section 67: Meaning of research and statistical purposes

  1. Section 67 amends Article 4 of the UK GDPR. It inserts a definition of processing for the purposes of scientific research. Only processing for the purposes of research that can reasonably be described as scientific research falls under the definition. Provided that is the case, it does not matter whether the research is privately or publicly funded or whether it is carried out as a commercial or non-commercial activity.
  2. New Article 4(3)(a) gives examples of the types of scientific research that can fall under the definition, such as applied or fundamental research. However, this list is non-exhaustive and scientific research is not restricted to these types.
  3. Section 67 also inserts a new paragraph 4 into Article 4 which clarifies that processing for genealogical research is to be considered as processing for historical research under the UK GDPR.
  4. This section also inserts a definition of what constitutes processing for statistical purposes under the UK GDPR as new paragraph 5 of Article 4, along with two conditions for meeting the definition.

Section 68: Consent to processing for the purposes of scientific research

  1. Section 68 amends Article 4 of the UK GDPR by clarifying how the lawful basis of consent may be used in scientific research when the controller is unable to identify fully the purposes of a study at its start. It does this by stating when consent in such cases meets the existing definition under the UK GDPR. To rely on consent in these cases, controllers must satisfy the conditions in new Article 4(6)(a)-(d).

Section 69: Consent to law enforcement processing

  1. Section 69 introduces a definition of consent into Part 3 of the DPA 2018 to mirror the definition under the UK GDPR.
  2. Consent should only be used as the grounds for processing where it would be inappropriate to use one of the law enforcement purposes. For example, where a police officer wishes to take the fingerprints of a victim of a burglary, in order to eliminate them from any prints found at the crime scene, it would clearly be inappropriate to insist that the victim provide them.
  3. For consent to be a valid ground for processing it must be freely given, informed and an unambiguous indication of the data subject's wishes. A lack of response by the data subject, or the use of pre-ticked boxes, cannot be understood to indicate consent by the data subject. Where processing has multiple purposes, consent must be given for each of them.
  4. If the data subject is unable to withdraw their consent without suffering a negative consequence, it cannot be regarded as freely given and should not be used as the legal basis for processing.
  5. Where competent authorities rely upon consent to process personal data, they should be able to demonstrate that this has been freely given by the data subject in a clear, comprehensible and easily accessible manner. Pre-written declarations of consent by the controller must use clear and understandable language.
  6. When using consent, competent authorities must at least make the data subject aware of the identity of the competent authority, their purposes for processing and the types of processing that they carry out.

Data protection principles

Section 70: Lawfulness of processing

  1. Section 70 amends Article 6 of the UK GDPR which is concerned with the lawful grounds for processing personal data. The section makes some clarifications to the public tasks lawful ground in Article 6(1)(e) and introduces a new lawful ground: new Article 6(1)(ea) of the UK GDPR. It also sets out examples of activities which may be in the legitimate interest of the data controller when relying on Article 6(1)(f).
  2. Article 6(1)(e) UK GDPR provides a lawful basis for processing where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Subsection (2)(a) makes it clear that the task carried out in the public interest referred to in A6(1)(e) must be that of the controller. This means that a controller cannot process personal data in reliance on another controller’s tasks carried out in the public interest under A6(1)(e). Section 8 of the DPA 2018 and regulation 41(7) of The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 provide additional clarity on the sorts of activities that constitute tasks carried out in the public interest for the purposes of Article 6(1)(e). These should be read consistently with these changes so that tasks arising from the activities are read as being those of the relevant controller.
  3. Subsection (2)(b) creates a new lawful ground for processing personal data by inserting new Article 6(1)(ea) into the UK GDPR. New Article 6(1)(ea) provides that processing will be lawful where it is necessary for the purposes of a recognised legitimate interest.
  4. Subsection (2)(c) prevents new Article 6(1)(ea) of the UK GDPR from being relied on by public authorities in the performance of their tasks, consistent with the existing restriction in respect of Article 6(1)(f) of the UK GDPR.
  5. Subsection (3) mirrors the amendments made by subsection (2)(a) by similarly restricting references to "tasks" in Article 6(3) UK GDPR to those of the controller.
  6. Subsection (4) inserts new paragraphs into Article 6 UK GDPR. New Article 6(5) defines processing necessary for a recognised legitimate interest for the purposes of new Article 6(1)(ea) as processing that meets a condition in new Annex 1 to the UK GDPR (inserted by subsection (64) and Schedule 4). Under new Article 6(6) to (10) the Secretary of State may make regulations to add to, vary or (in certain cases) omit recognised legitimate interest activities in Annex 1. Before laying regulations, the Secretary of State must have regard to the effects of any changes on the interests and fundamental rights and freedoms of data subjects, and the fact that children (where relevant) merit specific protection with regard to their personal data because they may be less aware of the risks and consequences associated with processing of personal data and of their rights in relation to such processing. The Secretary of State can only add a new processing activity to Annex 1 if it is necessary to safeguard a public objective listed in Article 23(1)(c) to (j) of UK GDPR. The regulations must be made by statutory instrument and are subject to the affirmative procedure.
  7. New Article 6(11) sets out examples of activities which may constitute legitimate interests for the purposes of Article 6(1)(f) of the UK GDPR. Processing of personal data for these activities must be necessary, and the data controller is required to make sure that its interests in processing the data without consent are not outweighed by the individual’s rights and interests. The examples given in subsection (11) are illustrative only and non-exhaustive. Data controllers may rely on Article 6(1)(f) to process personal data for other legitimate activities, providing the processing is necessary for the activity and appropriate consideration is given to the potential impact of the processing on the rights and interests of data subjects. New Article 6(12) defines the meaning of "intra-group transmission" and "security of network and information systems", expressions used in subsection (11).
  8. Subsection (5) ensures that the right to object in Article 21 UK GDPR applies to new Article 6(1)(ea).
  9. Subsection (6) introduces Schedule 4, which inserts new Annex 1 into the UK GDPR. New Annex 1 to the UK GDPR lists those processing activities that will be regarded as ‘recognised legitimate interests’ for the purposes of the new lawful ground in Article 6(1)(ea).
  10. Subsection (7) removes the words "the controller’s" from section 8 of the DPA 2018 to improve the clarity of that provision.
  11. Subsections (8) and (9) set out minor and consequential amendments that are needed because of the creation of the new lawful ground in Article 6(1)(ea).

Section 71: The purpose limitation

  1. Section 71 sets out the conditions for determining whether the reuse of personal data (otherwise known as "further processing") is permitted in compliance with the purpose limitation principle outlined in Article 5(1)(b) of the UK GDPR. This principle prohibits further processing that is not compatible with the original purpose for which the personal data was collected.
  2. The conditions are made by way of a series of amendments to the UK GDPR (subsection (1)).
  3. Subsection (2) amends Article 5(1)(b) of the UK GDPR. It includes a clarification that the rules around further processing apply to personal data collected from a data subject or from a third party. This means that if one controller shares personal data with another, the controller disclosing the data may be conducting further processing but the controller receiving the personal data for the first time is not regarded as conducting further processing.
  4. Subsection (3) clarifies that meeting a condition under Article 8A for further processing does not permit controllers to continue relying on the same lawful basis under Article 6(1) that they relied on for their original purpose if that basis is no longer valid for the new purpose. However, the work undergone for satisfying the conditions under the new Article 8A may assist controllers with establishing a basis under Article 6(1) for the new purpose.
  5. Subsection (4) removes Article 6(4) from the UK GDPR, since the provisions for further processing have now been set out in the new Article 8A.
  6. Subsection (5) inserts a new Article 8A into the UK GDPR in order to set out the conditions under which further processing of personal data complies with the purpose limitation principle in Article 5(1)(b) of the UK GDPR.
  7. New Article 8A(2) sets out factors which must be considered when evaluating whether processing is compatible with its original purpose. Factors to be taken into account include any link with the original processing and the effects on the data subject.
  8. New Article 8A(3) lists the circumstances in which a purpose is to be treated as compatible with the controller’s original purpose. If one of these circumstances applies, the controller does not need to evaluate compatibility under Article 8A(2). The list of circumstances are:
    • When a data subject has given fresh consent for the new purpose (Article 8A(3)(a));
    • When the processing is for research (historical and scientific), archiving in the public interest or statistical purposes (Article 8A(3)(b)) and is carried out in accordance with Article 84B UK GDPR;
    • When the processing of personal data is carried out for the purposes of ensuring that it complies with Article 5(1) of the UK GDPR, or demonstrating that it does (Article 8A(3)(c)). For example, if a controller is seeking to pseudonymise personal data (and this was not anticipated or notified at the point of data collection), then this is permitted through Article 8A(3)(c). Pseudonymisation or other data security measures will be compatible through Article 8A(2) in most cases, or will have been signalled at the point of collection. However, where the original lawful basis for the collection of personal data was consent, the compatibility route would not be available.
    • When the controller’s purpose is among the purposes outlined in Annex 2 UK GDPR (Article 8A(3)(d)); or
    • Where the processing is necessary to safeguard an interest in Articles 23(1)(c) to (j) (for example, important objectives of public interest, in particular an important economic or financial interest of the UK, including monetary, budgetary and taxation matters, public health and social security (Article 23(1)(e))) and is authorised by legislation or a rule of law (Article 8A(3)(e)).
  9. New Article 8A(4) outlines the additional restrictions placed on further processing of personal data that was originally collected on the basis of consent (through Article 6(1)(a) UK GDPR). Further processing of such data is only permitted in four circumstances (and the final two can only be relied upon in situations where the controller cannot reasonably be expected to obtain the data subject’s consent):
    • If fresh consent is sought and obtained under Article 8A(3)(a);
    • If the processing is carried out for the purposes of ensuring that processing of personal data complies with Article 5(1) of the UK GDPR, or demonstrating that it does;
    • If the processing meets a condition in Annex 2 (see Article 8A(3)(d)); or
    • If it is necessary to meet a safeguard in Articles 23(1)(c) to (j) and is authorised by an enactment or a rule of law (see Article 8A(3)(e)).
  10. The Secretary of State has the power under new Article 8A(5) to amend the list of conditions in Annex 2 that are to be treated as compatible with the original purpose. The power enables the Secretary of State to add to or vary the conditions or to omit conditions added by regulations. Any conditions added to the Annex by primary legislation cannot be removed through use of this power. Pursuant to Article 8A(6), a new condition can only be added to Annex 2 where it meets one of the important public interest objectives outlined in Article 23(1)(c)-(j) UK GDPR. Article 8A(7) sets out ways in which regulations can identify processing. The power is subject to the affirmative procedure by virtue of new Article 8A(8).
  11. Subsection (6) of section 71 introduces Schedule 5, which inserts new Annex 2 into the UK GDPR.
  12. Subsections (7) to (9) make amendments equivalent to those made to Article 5(1)(b) UK GDPR by section 71(2) to sections 36(1) and 87(1) of the DPA 2018. These sections set out the purpose limitation rules for law enforcement processing (section 36(1)) and for Intelligence Services processing (section 87(1)). The amendments clarify that the rules around further processing apply to personal data collected from a data subject or otherwise by the controller or a processor currently processing that data.
  13. Subsection (10) removes the purpose limitation limb of paragraph 5(1)(b) from the definition of "the listed GDPR provisions" in Part 1 of Schedule 2 to the DPA 2018, as the exemptions from the purpose limitation in that Part have now been added to new Annex 2 to the UK GDPR by virtue of Schedule 5.

Section 72: Processing in reliance on relevant international law

  1. Under the UK GDPR, the processing of personal data on grounds of public interest under Articles 6(1)(e) and 9(2)(g) is only lawful if the basis of the processing is set out in "domestic law". Similarly, any processing of personal data relating to criminal offences under Article 10 or under the new exemptions to purpose limitation principle in new Article 8A(3)(e) (inserted by section 71 of this Act) must be authorised by domestic law.
  2. Subsections (1) to (6) of section 72 amend these provisions in the UK GDPR to make it clear that relevant international law can also provide the basis for this processing.
  3. Subsection (7) inserts new section 9A into the DPA 2018 which provides that the requirement for a basis in or authorisation by relevant international law is met if the processing meets a condition in new Schedule A1 to the DPA 2018.
  4. The new Schedule A1 lists as a condition that processing is necessary to respond to a request in accordance with the Agreement between the Government of the United Kingdom of Great Britain and Northern Ireland and the Government of the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime.
  5. Subsection (7) also provides the Secretary of State with powers to add other conditions relating to international treaties to the new Schedule and amend or vary conditions via regulations, which are subject to the affirmative resolution procedure. The power also allows the addition of safeguards to such processing, which could include duties on controllers or processors to have specific policies or procedures in place or to retain or provide information about the processing.

Processing of special categories of personal data

Section 73: Elected representatives responding to requests

  1. Section 73 amends paragraph 23 of Schedule 1 to the DPA 2018, which permits elected representatives to process special category data when acting on behalf of individuals in connection with their casework functions. Elected representatives can currently rely on this exemption for up to four days after an election, but this section extends that period to 30 days.

Section 74: Processing of special categories of personal data

  1. Article 9(1) of the UK GDPR sets out an exhaustive list of special categories of personal data, sometimes known as "sensitive data". Processing of data in this list is prohibited unless a condition in Article 9(2) is met, together with any associated DPA 2018 Schedule 1 conditions where required. Processing of data in this list is also subject to various obligations or considerations imposed by other provisions in the data protection framework, for example the requirement in Article 37 to designate a data protection officer if certain conditions are met.
  2. This section confers regulation-making powers to the Secretary of State to add new special categories of data, tailor the conditions applicable to their use, and add new definitions, if necessary, to enable the Government to rapidly respond to future technological and societal developments.
  3. This section provides four regulation-making powers to update the protections in Article 9 and reciprocal provisions in Part 3 and Part 4 of the DPA 2018.
  4. Section 74(1) creates a new Article 11A(1) to confer regulation-making powers on the Secretary of State. The powers enable the Secretary of State, by regulations, to:
    • Add new special categories of data to the general prohibition in Article 9(1) UK GDPR. Categories in Article 9(1) may not be processed unless the controller meets a condition in Article 9(2), as supplemented by Schedule 1. This power is set out in new Article 11A(1)(a);
    • Remove any categories of special category data that have been added by such regulations. This power cannot be used to remove any of the pre-existing categories in Article 9(1). This power is set out in new Article 11A(1)(b);
    • Make provision that any of the existing conditions in Article 9(2) may or may not be relied on in relation to any new category added by regulations. This is because the conditions under Article 9(2) were drafted with only the current special categories in Article 9(1) in mind. If a new special category is recognised in the future, it may be necessary to alter which of the existing conditions apply to it in order to provide more specific protection. This power is set out in new Article 11A(1)(c); and
    • Make provision to vary any of the existing conditions in Article 9(2), but only as it relates to any new categories added by regulations. This power cannot be used to remove or vary conditions for existing special categories under Article 9(2). This power is set out in new Article 11A(1)(d).
  5. New Article 11A(2) clarifies that the regulation-making powers to remove prohibitions from Article 9(1) and to vary the applicability of conditions under Article 9(2) only apply to new descriptions of special categories added under regulations. The powers cannot be used to remove existing special categories from Article 9(1) or to remove or vary conditions for existing special categories under Article 9(2).
  6. New Article 11A(3) supplements these provisions, enabling textual amendments to be made to sections 5, 205, and 206 of the DPA 2018, by making a consequential amendment relying on Article 91A(4b). These provisions contain definitions that may need amending if new descriptions of processing are added in the future to the list of special categories of data in Article 9(1).
  7. New Article 11A(4) provides that the regulations made under these powers are subject to the affirmative resolution procedure.
  8. New sections 42A and 91A deal with equivalent powers under Part 3 and Part 4 DPA 2018 respectively. Section 35(6) of Part 3 DPA 2018 sets out a list of "sensitive processing", where the processing described is only lawful where a condition in Schedule 8 DPA 2018 can be met, if the data subject has not consented to the processing. Section 86(7) DPA 2018 sets out an equivalent list for Part 4. All processing under Part 4 requires a condition under Schedule 9 to be met, and for sensitive processing a condition under Schedule 10 must also be met.
  9. New section 42A provides powers for the Secretary of State to, by regulations:
    • Add additional categories of sensitive processing to those provided in section 35(6);
    • Remove categories of sensitive processing which have been added under that power;
    • Make provision that any of the existing conditions required for sensitive processing under Schedule 8 may or may not be relied upon for added categories of sensitive processing; and
    • Make provision to vary conditions under Schedule 8 for categories of sensitive processing added under this power.
  10. New section 42A(2) clarifies that the regulation-making powers to remove categories of sensitive processing under section 35(6) and vary conditions under Schedule 8 can only be exercised in relation to new categories added by regulations. These powers cannot remove existing categories of sensitive processing under section 35(6) or vary conditions in Schedule 8 in relation to those existing categories.
  11. New section 91A provides the same powers for the sensitive processing regime under Part 4 of the DPA 2018. New section 91A provides power to the Secretary of State to, by regulations:
    • Add additional categories of sensitive processing to those already provided in section 86(7);
    • Remove categories of sensitive processing that have been added under that power;
    • Make provision that any of the existing conditions required for sensitive processing under Schedule 10 may or may not be relied upon for added categories of sensitive processing; and
    • Make provision to vary conditions under Schedule 10 for categories of sensitive processing added under this power.
  12. New section 91A(2) clarifies that the regulation-making powers to remove categories of sensitive processing under section 86(7) and vary conditions under Schedule 10 can only be exercised in relation to new categories added by regulations. The powers cannot remove existing categories of sensitive processing under section 86(7) or vary conditions in Schedule 10 in relation to those existing categories.
  13. New sections 42A(3) and 91A(3) enable amendments to be made to sections 205 and 206 DPA 2018. This will allow definitions to be amended if new categories of sensitive processing are added in the future to the categories already provided in sections 35(6) or 86(7).
  14. New sections 42A(4) and 91A(4) provide that regulations made under these powers are subject to the affirmative procedure.
  15. Subsections (4) and (7) of this section amend sections 35(6)(b) and 86(3)(b) DPA 2018 to allow the Secretary of State to vary the conditions required to be met for sensitive processing in Schedule 8 and Schedule 10 respectively, where those conditions have been added by regulations made under sections 35(6)(a) and 86(3)(a) respectively.
  16. The section also makes consequential amendments to section 202 Investigatory Powers Act 2016 (IPA 2016). Subsection (11) of the section aligns the language regarding sensitive personal data in section 202 IPA with Part 4 DPA 2018. This clarifies that the existing definition of "sensitive personal data" in section 202(4) IPA corresponds to the processing to be undertaken and the specified categories of "sensitive processing" in section 86(7) DPA 2018.
  17. Lastly, new section 202A IPA enables the Secretary of State to, by regulations, add categories of sensitive processing described in Part 4 DPA 2018 to section 202(4) IPA. This is to allow for changes made to the descriptions of sensitive processing contained in section 86(7) to be included in section 202(4) IPA 2016 where appropriate, but does not confer powers to remove or amend existing categories referred to in section 202(4) IPA. Regulations under this power are subject to the affirmative procedure.

Data subject’s rights

Section 75: Fees and reasons for responses to data subjects’ requests about law enforcement processing

  1. Section 75 introduces new subsection 4A into section 53 of the DPA 2018. Section 53(1) previously provided controllers operating under Part 3 of the DPA 2018 the option to refuse to respond to, or charge a reasonable fee for responding to, requests from data subjects which are determined to be manifestly unfounded or excessive. New subsection 4A provides the Secretary of State with a regulation making power to require controllers to publish guidance on the fees they charge for responding to such requests. This mirrors the power available for general processing under section 12(2) of the DPA 2018.
  2. Section 75 also introduces new subsections (6) and (7) in section 53. These new subsections clarify that, when refusing to respond to a data subject request that is manifestly unfounded or excessive, controllers must inform the data subject of the refusal and the data subject’s right to complain to the Information Commissioner. They also confirm that this notification must happen without undue delay.

Section 76: Time limits for responding to data subjects’ requests

  1. Section 76 changes the time limits for responding to requests from data subjects.
  2. Subsection (2) makes provisions to amend references to time periods across the legislation on the right of access to refer to the ‘applicable time period’.
  3. Subsection (3) inserts new Article 12A into the UK GDPR. It sets out what "the applicable time period" is in different circumstances and how to calculate it.
  4. New Article 12A(1) and (2) UK GDPR clarify when the applicable time period must be calculated from the receipt of the request, and when from another relevant time (e.g. payment of a fee).
  5. New Article 12A(3) permits extension of the applicable time period by two months where that is necessary due to the complexity of requests made or the number of requests submitted in relation to the data subject.
  6. New Article 12A(4) explains how a controller must give the data subject a notice of the extension.
  7. New Article 12A(5) allows the controller to request further information from the data subject if they reasonably require it to identify the information or processing activities to which a request under Article 15 relates. In such cases the response time for the subject access request is paused while clarification is sought and resumes once the necessary clarification is received.
  8. Subsection (5) of section 76 amends section 45 of Part 3 DPA 2018; section 45 sets out the right of access afforded to data subjects under Part 3 and the information that should be disclosed on request so that the data subject is aware of, and can verify, the lawfulness of the processing. Securing such access would then enable a data subject, if necessary, to exercise the other rights provided for in this Chapter, such as the rights to rectification, erasure or restriction on processing. This section clarifies that controllers must respond to subject access requests before the end of an applicable time period as added to section 54 of the DPA 2018 under section 76(6).
  9. Subsection (6) amends section 54 DPA 2018 to make supplementary provisions about the extension of the applicable time period for responding to subject access requests to provide information to the data subject in accordance with section 48 DPA 2018. New subsection (3A) replicates the provision in new Article 12A(3) UK GDPR to allow law enforcement controllers to also extend the applicable time period by two further months where it is necessary to do so for reasons of complexity of the request or on account of the number of requests. The controller is required to give notice to the data subject about the extension under subsection (3B).
  10. New subsections (3C) and (3D) of section 54 make amendments to the time requirements controllers are subject to when responding to a subject access request in Part 3 DPA 2018. These subsections replicate the new provision in new Article 12A(5) for a controller to be able to pause the response time if further information is required in order to proceed.
  11. Subsection (7) of section 76 makes amendments to section 94 of the DPA 2018; section 94 sets out the right of access accorded to data subjects and the information that should be disclosed on request so that the data subject is aware of, and can verify, the lawfulness of the processing. This subsection makes similar amendments as subsection (6) to allow Part 4 controllers to extend the applicable time period by two further months where it is necessary to do so for reasons of complexity or on account of the number of requests. The controller is required to give notice to the data subject about the extension before the end of one month.

Section 77: Information to be provided to data subjects

  1. Section 77 amends Article 13 and Article 14 of the UK GDPR. These two articles specify the information that should be provided to data subjects at the point of data collection, when collected directly from the data subject (Article 13), or within a reasonable period (at the latest within one month) after obtaining the personal data, for personal data obtained indirectly (Article 14).
  2. Article 13(3) of the UK GDPR currently provides that when a data controller intends to further process personal data (which is the reuse of personal data for a separate purpose than that for which it was originally collected), they are required to provide additional information to the data subject. These requirements are laid out in Article 13(2). Section 77(1) adds Article 13(5) which creates an exemption from Article 13(3) for processing for research, archiving and statistical (RAS) purposes where there would be a disproportionate effort to provide the required information to data subjects and where the research complies with the safeguards for research found in Article 84B of the new Chapter 8A of the UK GDPR as inserted by section 86.
  3. New paragraph 6 of Article 13 provides a non-exhaustive list of factors for the controller to determine what could constitute a disproportionate effort for the purposes of the new exemption.
  4. New paragraph 7 of Article 13 outlines that any controller relying on the new paragraph 5 must take appropriate measures to protect the data subject’s rights, freedoms and legitimate interests, including by making the information publicly available that would otherwise be provided to the data subject through Article 13. For example, if it is considered disproportionate for a controller to issue individual notices, the information normally required to be provided as part of Article 13 requirements (such as identity and contact details of the data protection officer if applicable) should be made publicly available so that a data subject has this information if they wish to search for it. Subsection (2) of section 77 amends Article 14 of the UK GDPR. Section 77(2)(a)(i),(iii) and (iv) all make minor and technical changes to parts of paragraph 5 of Article 14 to accommodate other amendments to Article 14 made by section 77.
  5. Article 14(5)(b) of the UK GDPR is removed and replaced by section 77(2)(a), which splits the current disproportionate effort exemption into two new paragraphs 14(5)(e) and (f) and removes the example of RAS purposes from the non-exhaustive list. This does not materially affect how the current exemption in Article 14 operates, but does make it clearer that the exemption applies to all processing activities.
  6. Subsection (2)(b) of section 77 inserts two new paragraphs at the end of Article 14 of the UK GDPR. Paragraph 6 replicates the non-exhaustive list of examples of disproportionate effort being inserted into Article 13 by section 77(1).
  7. Paragraph 7 of Article 14 of the UK GDPR adds the same safeguard for the disproportionate effort or impossibility exemption as that currently found in Article 14(5)(b), which is being removed by section 77(2)(a)(ii).

Section 78: Searches in response to data subjects’ requests

  1. Section 78 amends the provisions in the UK GDPR and DPA 2018 which set out the right of access to information and personal data across the United Kingdom’s data protection regime to clarify that controllers only have to carry out reasonable and proportionate searches for information and personal data requested. This codifies the principle currently set out in domestic case law.
  2. Subsection (5) stipulates that this amendment should be treated as having come into force on 1st January 2024.

Section 79: Data subjects’ rights to information: legal professional privilege exemption

  1. Section 79 inserts a new section 45A into the DPA 2018 which mirrors the current exemption for material which is subject to legal professional privilege or, in Scotland, to confidentiality of communications, under the UK GDPR. Legal professional privilege protects all communications between a professional legal advisor and their clients.
  2. Subsection 45A(3) disapplies the requirement that competent authorities inform the data subject that they are relying on a claim to legal professional privilege (or duty of confidentiality in Scotland) and their reason for doing so where this would undermine the claim (or duty), thereby allowing them to provide a ‘neither confirm nor deny’ response.

Automated decision-making

Section 80: Automated decision-making

  1. Section 80 amends the UK GDPR and Data Protection Act 2018 (DPA 2018) to establish new rules governing decisions based solely on automated processing of personal data, including profiling, that produce legal or similarly significant effects for data subjects. Subsection (1) of section 80 repeals Article 22 of the UK GDPR and replaces it with new Articles 22A-D. These provisions remove the conditions that had previously been included in Article 22 for relevant decisions based on processing of non-special category data but retain those conditions for decisions based on processing of special category data. The new provisions require controllers to put in place certain safeguards when making significant decisions based solely on automated processing and provide the Secretary of State with certain regulation-making powers described below. Similar changes are made to equivalent provisions in the data protection regime for law enforcement processing set out in Part 3 of the DPA 2018.
  2. Article 22A(1)(a) clarifies that a decision based solely on automated processing is one that involves no meaningful human involvement. Article 22A(1)(b) sets out the meaning of a significant decision as one that produces legal or similarly significant effects for the data subject.
  3. Article 22A(2) requires controllers to consider, among other things, the extent to which a decision has been reached by means of profiling when establishing whether or not any human involvement has been meaningful.
  4. Article 22B(1)-(3) prohibits the use of special categories of data for significant decisions based solely on automated processing unless one of two conditions is met.
  5. The first condition is that the data subject has provided explicit consent to the processing of their personal data on which the decision is based.
  6. The second condition, as an alternative, has two requirements:
    • The first requirement is that the decision is either:
      • Necessary for entering into, or the performance of, a contract between the data subject and a controller; or
      • Required or authorised by law.
    • The second requirement is that Article 9(2)(g) applies to the processing of the special category data; that is, the activity must be necessary for reasons of substantial public interest, which are set out in Schedule 1 to the DPA 2018 (see section 10 of that Act).
  7. Article 22B(4) prohibits reliance on new Article 6(1)(ea) as the lawful ground for the processing on which relevant decisions are based.
  8. Article 22C(1) and (2) require controllers to put safeguards in place for any significant decisions in relation to a data subject based either entirely or partly on personal data and solely on automated processing, and set out some measures that the safeguards must consist of or include. The safeguards apply for all significant decisions based solely on automated processing. The safeguards must consist of or include: a requirement for the controller to provide information to the data subject about any significant decisions being taken in relation to them based solely on automated processing, the right of the data subject to contest or make representations about any such decision, and the right of the data subject to require the controller to have a human intervene in the decision.
  9. In regard to the information that must be provided to data subjects, controllers can use varying techniques since they have different ways of communicating with their end-users, customers or members, depending on their operation. This could be in-person or digital and through personalised notifications or general notices. The key requirement is that the information is clear, easily accessible, and helps individuals exercise their rights to contest and to obtain human intervention if they are unhappy with the outcome of the solely automated decision-making.
  10. Article 22D(1) and (2) confer powers on the Secretary of State to make secondary legislation, in the form of regulations, to describe:
    • Circumstances that are, or are not, to be taken to have meaningful human involvement; and
    • Decisions that are, or are not, to be taken as having a significant effect for the data subject.
  11. The first of these powers enables the Secretary of State to clarify when meaningful human involvement can be said to have taken place in light of constantly emerging technologies. The second power enables the Secretary of State to clarify what constitutes a significant decision in light of changing societal expectations.
  12. Article 22D(3) confers a regulation-making power on the Secretary of State to make provision in relation to the safeguards controllers are required to put in place when making a significant decision based solely on automated processing, as required by new Article 22C. This power may be exercised: (i) for the safeguards to include measures in addition to those described by Article 22C(2); (ii) to impose requirements which supplement what is currently required for the measures in Article 22C(2); and (iii) to specify measures which are not to be taken to amount to measures required by Article 22C(2). As new technologies emerge, these powers enable the Government to provide legal clarity on the circumstances in which safeguards must apply to ensure individuals are protected and have access to safeguards.
  13. Article 22D(4) provides that regulations made under paragraph 3 may not amend Article 22C.
  14. Article 22D(5) makes any regulations made under the powers in Article 22D subject to the affirmative resolution procedure.
  15. Subsection (3) of section 80 amends equivalent provisions on automated decision making in Part 3 of the DPA 2018, repealing sections 49 and 50 and replacing them with sections 50A to 50D. With some exceptions, these new sections broadly mirror the approach taken under Articles 22A-D of the UK GDPR. These notes highlight where the Government has taken a different approach between the two regimes.
  16. Unlike Article 22A, section 50A(1)(b)(i) and (ii) restricts significant decisions to those that produce an adverse legal or similarly significant adverse effect on a data subject, rather than all such decisions. This is because under Part 3, data subjects are unlikely to perceive the majority of decisions taken by competent authorities as positive, whereas the effect of a significant decision under the UK GDPR may be more nuanced.
  17. As with Article 22B, section 50B restricts the taking of significant decisions based entirely or partly on the processing of sensitive personal data (the equivalent of special categories of personal data under the UK GDPR), solely via automated processing, to situations where either the data subject has given their explicit consent or the processing is required or authorised by law. Unlike Article 22B(3)(a), however, processing for the purposes of entering into a contract between the data subject and the competent authority is not a valid condition for taking such a decision. This is because it is not considered likely that such a situation would ever arise under Part 3.
  18. Section 50C(1) and (2) mirror the list of safeguards available to data subjects under Article 22C(1) and (2). However, section 50C(3) provides an exemption to the requirement to apply the safeguards provided that:
    • It is required for one of the reasons set out under section 50C(4), such as to avoid obstructing an inquiry or to protect national security;
    • The controller reconsiders the decision and this is carried out as soon as is reasonably practicable; and
    • The reconsideration of the decision includes meaningful human involvement.
  19. Subsections (4) and (5) of section 80 make amendments to sections 96 and 97 of the DPA 2018. The amendment to section 96 provides a definition of automated decision making for Part 4 of the DPA 2018. A decision is based on entirely automated processing if the decision-making process does not include an opportunity for a human being to accept, reject or influence the decision. Minor consequential changes have been made to section 97 to reflect this new definition.

Obligations of controllers

Section 81: Data protection by design: children’s higher protection matters

  1. Section 81 amends Article 25 of the UK GDPR about data protection by design and by default to strengthen protections of children’s personal data.
  2. Article 25(1) of the UK GDPR provides that controllers must implement appropriate technical and organisational measures in order to meet the requirements of the UK GDPR and protect the rights of data subjects. When deciding which measures are appropriate, the controller must take into account the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity to people’s rights posed by the processing. This duty applies at the time of determination of the means for processing and during the processing itself.
  3. Section 81(2) inserts new paragraphs (1A) and (1B) into Article 25 of the UK GDPR.
  4. Paragraph (1A) creates an express duty for controllers providing information society services likely to be accessed by children to consider the matters in new paragraph (1B) when designing and implementing their processing activities. Taken together, these matters are referred to as ‘children’s higher protection matters’.
  5. For the purposes of the UK GDPR, information society services are defined as "any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services" (see Article 4(25) of the UK GDPR). In practice these are online services of a commercial nature.
  6. New Article 25(1B), subsections (a) and (b) set out specifics of this duty. They require relevant controllers to consider how best to protect and support children when they are using their services; to take account of the fact that children merit specific protection because they may be less aware of the risks and their rights in relation to the processing activities; and to take account of the fact that children have different needs at different ages and different stages of development.
  7. Section 81(3) makes a consequential amendment that is self-explanatory.
  8. Section 81(4) adds paragraph (4) to Article 25 of the UK GDPR. It is a technical provision that confirms that other organisations that process children’s personal data may need to consider the issues in new Article 25(1A) and (1B), on a case-by-case basis and depending on the context, as per the status quo. It is included to ensure the new duty does not imply anything about the factors other organisations may need to consider when implementing organisational and technical measures under Article 25(1) UK GDPR.
  9. Section 81(4) also adds paragraph (5) to Article 25 of the UK GDPR, which excludes preventive and counselling services from the definition of "information society services" for the purpose of this provision.

Logging of law enforcement processing

Section 82: Logging of law enforcement processing

  1. The DPA 2018 introduced a requirement in section 62 that competent authorities keep logs of their processing activities including the collection, alteration, consultation, disclosure, combination, and erasure of personal data.
  2. The purposes for which these logs may be used are set out in subsection (4) of section 62 DPA 2018. One key purpose is self-monitoring, including for the purpose of conducting internal disciplinary hearings. This may, for example, arise where an officer or member of police staff is suspected of inappropriately accessing a police record. The logs of consultation and disclosure must record, as far as possible, the identity of the person consulting or disclosing the personal data and the recipients of the personal data. They must also record the date and time the personal data was consulted or disclosed, and the justification for doing so.
  3. Section 82 of this Act removes the requirement for a competent authority to record a ‘justification’ in the logs when consulting or disclosing personal data. This is because it is unlikely that a person accessing records inappropriately would record an honest justification. It is also because it is technologically challenging for systems, which are used for law enforcement purposes, to adopt a function which captures the justification.

Codes of conduct

Section 83: General processing and codes of conduct

  1. Section 83 amends Article 41 of the UK GDPR to clarify that accredited monitoring bodies are only required to notify the Information Commissioner if they suspend or exclude a person from a code under the UK GDPR. This reflects the Commissioner's operational approach and ensures consistency with new Regulation 32B of the Privacy and Electronic Communications Regulations 2003 which is inserted by section 116.

Section 84: Law enforcement processing and codes of conduct

  1. Section 84 inserts new section 71A into the DPA 2018 which enables expert public bodies, who have sufficient knowledge and experience, to create codes of conduct (mirroring the existing provision under the UK GDPR). These are tailored, sector-specific, pieces of guidance which are signed off by the Information Commissioner. Subsection (4) sets out a non-exhaustive list of the areas that may be covered when drawing up a code of conduct; this includes, for example, guidance on the information that controllers must provide to the public and to data subjects. Expert public bodies are encouraged to consult with relevant stakeholders when drawing up, amending or extending a code of conduct to ensure that it appropriately reflects the processing activities set out under Part 3 of the DPA 2018.
  2. Competent authorities are expected to monitor their compliance with any code of conduct produced under the law enforcement processing regime through existing internal auditing mechanisms.

International transfers of personal data

Section 85: Transfers of personal data to third countries and international organisations

  1. Section 85 inserts Schedules 7, 8 and 9, which amend Chapter 5 of the UK GDPR and Chapter 5 of Part 3 of the DPA 2018 to reform the UK’s regime for international transfers of personal data.

Safeguards for processing for research etc purposes

Section 86: Safeguards for processing for research etc purposes

  1. Section 86 amends the UK GDPR by creating a new Chapter 8A and makes related consequential amendments. This new chapter consists of four new articles which combine the existing safeguards currently found in Article 89 of the UK GDPR and section 19 of the DPA 2018 for data processing for archiving in the public interest, scientific, historical and statistical research purposes. Section 86(2) amends the UK GDPR by creating new Article 84A. Article 84A outlines the categories of data processing that fall within the scope of this chapter (processing for scientific or historical research, archiving in the public interest and statistical purposes) and creates a new acronym, ‘RAS purposes’, to refer to these purposes.
  2. Subsection (2) also amends the UK GDPR by creating two new articles, 84B and 84C. These new articles set out the safeguards required when processing personal data for RAS purposes. This includes that the processing must not be likely to cause substantial damage or substantial distress to the data subject (Article 84C(2)). Safeguards must also include technical and organisational measures for the purpose of ensuring respect for the principle of data minimisation (Article 84C(4)). In addition, the processing must not be carried out for the purposes of measures or decisions with respect to a particular data subject to whom the personal data relates, unless it is for approved medical research (Article 84C(4)). Section 86(2) also replicates the definition of "approved medical research" from section 19 of the DPA 2018. The Secretary of State may, by regulations, make further provision about when the requirement for appropriate safeguards under Article 84B(2) is, or is not, satisfied (Article 84D). This power can only be used to add a paragraph to Article 84C and to vary or omit any paragraphs added by regulations. Regulations under this Article may not amend or revoke Article 84C(2)-(4) but may change the meaning of "approved medical research" for the purposes of Article 84C. Regulations under this Article are subject to the affirmative resolution procedure.

Section 87: Section 86: consequential provision

  1. Section 87 makes consequential amendments to the UK GDPR, the DPA 2018 and the Mental Health (Care and Treatment) (Scotland) Act 2003. These amendments are required as a result of the changes made in section 86 which move provisions on the safeguards for RAS purposes from section 19 of the DPA 2018 to the new chapter 8A of the UK GDPR.

National security

Section 88: National Security Exemption

  1. Section 88 inserts new section 78A into Part 3 of the DPA 2018, which provides an exemption from certain provisions of Parts 3, 5, 6 and 7, similar to that in section 28 of the Data Protection Act 1998, where this is required for the purposes of safeguarding national security. The provisions that may be disapplied in such circumstances are listed in subsection (2) and include most of the data protection principles, the rights of the data subject, certain obligations on competent authorities and processors, and various enforcement provisions.
  2. Part 3 of the DPA 2018 already enables competent authorities to apply exemptions to certain specified rights where this is necessary in order to safeguard national security. However, this section ensures that they have the same exemptions already available to organisations, such as businesses, who operate under the UK GDPR (section 26 of the DPA 2018) as well as the intelligence services (section 110 of the DPA 2018).
  3. Section 88 also aligns the operation of national security certificates under section 79 of the DPA 2018 with the revised national security exemption.

Intelligence Services

Section 89: Joint processing by intelligence services and competent authorities

  1. Section 89 amends Part 4 of the DPA 2018 to enable joint processing between a qualifying competent authority (or authorities) and an intelligence service (or intelligence services), under Part 4 of the DPA 2018. This enables the controllers to process the data within a single, common regime. The controls and safeguards under Part 4 will apply to all such joint processing.
  2. Subsection (2) amends section 82 of the DPA 2018, which currently applies Part 4 only to processing by or on behalf of the intelligence services. This amendment makes clear that Part 4 also applies to the processing of personal data by a qualifying competent authority where the processing is the subject of a designation notice. New subsection (2A) provides a power to the Secretary of State to make regulations to specify competent authorities (as defined in section 30(1) of the DPA 2018) who can be regarded as "qualifying competent authorities", and so able to apply for or be issued with a designation notice. New subsection (4) provides that any such regulations are subject to the affirmative procedure.
  3. Subsection (3) of section 89 inserts new sections, 82A – 82E, that impose the conditions for designation notices.
  4. 82A enables qualifying competent authorities (as specified in Regulations) to jointly apply for a notice from the Secretary of State permitting them to have a joint controller relationship under Part 4 of the DPA 2018. The Secretary of State must be satisfied that the intended processing is required for the purposes of safeguarding national security. Before giving a designation notice, the Secretary of State must consult with the Commissioner, and they may also consult with other relevant public or regulatory bodies as appropriate.
  5. 82B provides for rules governing the duration of a designation notice. Notices cease to be in force after a period of 5 years or a shorter period if specified in the notice issued by the Secretary of State.
  6. 82C imposes conditions on the review and withdrawal of a designation notice. It requires a designation notice to be reviewed at least annually by the Secretary of State.
  7. A designation notice may be withdrawn by the Secretary of State at any time, following a review and when some or all of the processing to which the notice applies is no longer required for the purposes of safeguarding national security.
  8. When considering when a withdrawal notice should come into force, the Secretary of State must take into account the time needed for controllers to effect an orderly transition to new arrangements for the processing of that data. During the transition period and prior to the withdrawal notice coming into effect, the processing of data falling within the terms of the notice by a joint controller would continue to be subject to Part 4 DPA 2018. For example, joint processing activities such as transiting data in readiness for the notice being withdrawn would continue to be subject to Part 4 DPA 2018. When a notice is not in force or when processing is outside the scope of a notice, Part 3 of the DPA 2018 or the UK GDPR will apply to any processing by the competent authority, depending on its purpose.
  9. 82D requires the Secretary of State to provide a copy of the designation notice to the Commissioner and the Commissioner must make available to the public a record of that designation notice whilst it is in force, with the assumption of transparency.
  10. 82E allows a designation notice to be appealed to the tribunal if a person is directly affected by the notice.

Section 90: Joint processing: consequential amendments

  1. Subsections (2) to (8) of section 90 make necessary consequential amendments to the DPA 2018 to reflect the changes made by section 89, which will enable joint processing between a qualifying competent authority (or authorities) and an intelligence service (or intelligence services), under Part 4 of the DPA 2018.
  2. Subsection (10) makes a consequential amendment to section 199 of the Investigatory Powers Act 2016 (IPA 2016), which provides a definition of personal data for provisions in that Act regarding bulk personal datasets. This definition of personal data cross-refers to section 82(1) of the DPA 2018, which referred to processing by an intelligence service. Section 89 amends section 82(1) of the DPA 2018 to account for the new joint processing regime. Subsection (10) will ensure that the processing referred to in section 199 IPA 2016 remains that done by an intelligence service.

Information Commissioner's role

Section 91: Duties of the Commissioner in carrying out functions

  1. Section 91 amends Part 5 of the DPA 2018 by inserting new sections 120A-D. These provisions provide for a principal objective and general duties for the Commissioner when carrying out functions under the data protection legislation. They also require the Commissioner to prepare and publish a strategy and introduce new reporting requirements.
  2. Subsection (2) omits section 2(2) (duty of Commissioner when carrying out functions) of the DPA 2018. This now forms part of the new principal objective at new section 120A of the DPA 2018.
  3. New section 120A introduces a new principal objective for the Commissioner. To meet this objective when carrying out functions under the data protection legislation, the Commissioner should aim to secure an appropriate level of protection for personal data, having regard to the interests of data subjects, controllers and others and matters of general public interest; and to promote public trust and confidence in the processing of personal data.
  4. New section 120B sets out new duties for the Commissioner when carrying out data protection functions. This includes duties to have regard to the desirability of promoting innovation and competition; a new duty to have regard to the importance of preventing, investigating and detecting criminal offences; and a new duty to have regard to the need to safeguard public and national security. There is also a new duty to have regard to the fact that children merit specific protection, as they may be less aware of the risks and consequences associated with processing of personal data and of their rights in relation to such processing.
  5. New section 120C requires the Commissioner to prepare and publish a strategy. This should detail how the Commissioner will discharge functions under the data protection legislation in relation to duties under new sections 120A and 120B. It should also detail how the Commissioner will discharge data protection functions in relation to duties under section 108 of the Deregulation Act 2015 which requires the Commissioner to have regard to the desirability of promoting economic growth when exercising a regulatory function. In addition, there is a requirement for the strategy to set out how data protection functions will be carried out in accordance with the duty under section 21 of the Legislative and Regulatory Reform Act 2006 to have regard to the principles that regulatory activities should be carried out in a way which is transparent, accountable, proportionate and consistent and should be targeted only at cases in which action is needed.
  6. New section 120C does not require the strategy to take a particular form and it is envisaged that this obligation can be met by a standalone report. The Commissioner must review and revise the strategy as needed as outlined in 120C(2) and must publish the strategy and any revised strategy, as outlined in 120C(3).
  7. New section 120D outlines the duty for the Commissioner to consult, when considering how the manner in which the Commissioner exercises functions under the data protection legislation may affect economic growth, innovation and competition. An example of such instances could be issues relating to emerging technology. This consultation should be conducted at such times as the Commissioner considers appropriate.
  8. New section 120D(2) defines the scope of this consultation requirement, outlining that it requires the Commissioner to consult other regulators and other such persons as the Commissioner considers appropriate in relation to economic growth, innovation and competition.
  9. Subsection (4) of section 91 inserts a new requirement into section 139 DPA 2018 for the Commissioner to report on what has been done to comply with its duties under new sections 120A and 120B, as well as certain other statutory duties, during a reporting period. This also includes a review of the strategy published under new section 120C and a summary of what the Commissioner has done to comply with the consultation duty under new section 120D. This reporting requirement is an additional part of the Commissioner’s annual reporting requirements to Parliament under the DPA 2018.
  10. Subsection (5) inserts the requirement for the Commissioner to prepare the first strategy as set out in 120C within 18 months of this requirement coming into force.

Section 92: Codes of practice for the processing of personal data

  1. Section 92 ensures that all codes of practice made by the Commissioner (regardless of whether they are required by the DPA 2018 or by regulations made by the Secretary of State) follow the same parliamentary process and have the same legal effects. It repeals section 128 (Other codes of practice) and replaces it with new section 124A.
  2. New section 124A provides the Secretary of State with the power to make regulations requiring the Commissioner to produce codes of practice giving guidance as to good practice in the processing of personal data, in addition to those set out in sections 121 to 124 DPA 2018. The regulations must describe the personal data or processing to which the code relates and may also describe the persons to which it relates. Before preparing the code, the Commissioner must consult any of those the Commissioner considers appropriate from the list at subsection (4). Such codes are to be required by regulations, which will be subject to the negative resolution procedure. In line with topic-specific codes set out in the DPA 2018, where ad-hoc codes made under new section 124A are in force, the Commissioner may prepare amendments of the code or a replacement code.
  3. Subsections (3) to (9) of section 92 make minor and consequential amendments to the DPA 2018, the Registration Service Act 1953, the Statistics and Registration Service Act 2007, and the Digital Economy Act 2017 as a result of the repeal of section 128 of the DPA 2018 and replacement by new section 124A.

Section 93: Codes of practice: panels and impact assessments

  1. Section 93 amends Part 5 of the DPA 2018 by inserting new sections 124B and 124C which amend the procedures by which the Commissioner develops statutory codes of practice under sections 121 to 124 and new section 124A of the DPA 2018.
  2. New section 124B outlines the requirement for the Commissioner to consult a panel of individuals when preparing a statutory code of practice, the process for establishing the panels and the arrangements the Commissioner should put in place on how the panel should conduct its activities. This is subject to new section 124B(11) which provides a power for the Secretary of State to make regulations to disapply or modify the new requirements for a panel to consider a code prepared under new section 124A of the DPA 2018.
  3. New section 124B(2) requires the Commissioner to establish a panel of individuals to consider the code, and new section 124B(3) sets out requirements for the members of the panel. The panel must include individuals with expertise in the subject matter of the code and other individuals the Commissioner considers are likely to be affected by the code, or their representatives. This may include, for example, government officials; trade associations; representatives from relevant regulators and public authorities; civil society and industry bodies; and data subjects.
  4. New section 124B(4) outlines the Commissioner’s responsibilities before the panel considers the code. The Commissioner is required to publish the draft code and a statement relating to the establishment of the panel including the members of the panel, the process by which they were selected and reasons for their selection. The published statement under new section 124B(4)(b) does not need to take a particular form.
  5. New section 124B(5) allows for a new panel member to be appointed by the Commissioner if a current panel member is not willing or able to serve on the panel. A member may leave the panel permanently or on a temporary basis e.g. because of illness.
  6. Under new section 124B(6), the Commissioner is required to publish a statement, in no particular form, identifying the new member of the panel, the process of selection and the reasons for their selection.
  7. New section 124B(7) is self-explanatory.
  8. Under new section 124B(8), if the panel submits a report on the code within the period determined, the Commissioner must make any changes to the draft code the Commissioner considers appropriate (which could be none) before publishing the draft code, the panel’s response or a summary of it, and for instances where a recommendation by the panel has not been taken forward, the reasons for not doing so.
  9. New section 124B(9) is self-explanatory.
  10. New section 124B(10) makes clear that the new requirements for a panel to consider the code also apply to amendments prepared in relation to the code.
  11. New section 124B(11) provides a power for the Secretary of State to make regulations to disapply or modify the new requirements for a panel to consider a code, or an amendment to a code, which the Commissioner is required to prepare under new section 124A.
  12. Under new section 124B(12), these regulations are subject to parliamentary approval via the negative resolution procedure, meaning the regulations can be rejected in full by either House of Parliament.
  13. New section 124C outlines the requirement for the Commissioner to conduct and publish impact assessments when preparing a code of practice under sections 121 to 124A. This should include an assessment of who would be likely to be affected by the code and the likely effect the code will have on them.

Section 94: Manifestly unfounded or excessive requests to the Commissioner

  1. Section 94 amends the DPA 2018 to provide that, when a request is made to the Commissioner to which the Commissioner is required or authorised to respond under the data protection legislation (for example, because it relates to the Commissioner’s tasks, duties and functions), the Commissioner may charge a reasonable fee or refuse the request where it is manifestly unfounded or excessive.
  2. This section amends section 135 of the DPA 2018 to provide that the Commissioner may refuse to deal with a manifestly unfounded or excessive request made by any person.
  3. Sections 134 and 135 of the DPA 2018 confer separate powers to charge fees. Where a request is made (whether manifestly unfounded or excessive, or not), if section 134 is relevant, the Commissioner has the power to charge a reasonable fee under that section. If section 134 is not relevant (in particular, because the request comes from a data subject or data protection officer), the Commissioner may have the power to charge a reasonable fee under section 135. New subsection (1A)(a) ensures that the powers to charge fees under section 134 and section 135 do not overlap.
  4. New subsection (1A)(b) ensures that the Commissioner's existing discretion to refuse to act where the Commissioner may be authorised, but not required, to respond to a request, is preserved.
  5. Section 94(2)(f) sets out that this is an exception to the general rule set out in Article 57(3) of the UK GDPR that the performance of tasks should be free of charge for data subjects.
  6. Section 94(3) is self-explanatory: it amends section 136(1) to ensure consistency with the streamlining of provisions (see below).
  7. Section 94(4) omits paragraph 4 from Article 57 of the UK GDPR. This streamlines legislative provisions, ensuring that provisions related to manifestly unfounded or excessive requests to the Information Commissioner are located in section 135 of the DPA 2018.

Section 95: Analysis of performance

  1. Section 95 amends section 139 of the DPA 2018 (Reporting to Parliament) and inserts new section 139A (Analysis of Performance) which requires the Commissioner to prepare and publish an analysis of the Commissioner’s performance using key performance indicators that most effectively measure this.
  2. New section 139A(2) requires the Commissioner to prepare and publish this analysis once a year at a minimum.

Section 96: Notices from the Commissioner

  1. Section 96 repeals section 141 (Notices from the Commissioner) of the DPA 2018 and replaces it with a new section 141A (Notices from the Commissioner).
  2. New section 141A(2) sets out the four ways in which a notice can be given to a person (referred to here as "recipient") by the Commissioner under the DPA 2018.
  3. New section 141A(3) defines the term "relevant individual" for the purposes of giving a notice by hand under subsection (2)(a). For example, when giving the notice to a body corporate (excluding partnerships), it must be handed to an officer of that body, or when giving it to a partnership it must be given to either a partner in the partnership or a person who has control or management of the partnership business.
  4. The term "proper address" for the purposes of leaving a notice or posting it under new section 141A(2)(b) and (c) is defined in subsections (4) and (5). Subsection (4) provides that the proper address should be one specified by the recipient (or someone acting on their behalf) as an address where they will accept service of notices and other documents, but where no such address has been specified the proper address is to be determined under subsection (5). Subsection (4) is also relevant when considering the application of section 7 of the Interpretation Act 1978, which deals with the service of documents by post.
  5. New section 141A(6) expands on the meaning of a recipient’s "email address" for the purpose of subsection (2)(d).
  6. New section 141A(7) confirms that a notice issued by the Commissioner is treated as given 48 hours after it was sent.
  7. New section 141A(8) expands on the meaning of the term "officer" in relation to a body corporate; this is relevant when the Commissioner hands a notice to a relevant individual as defined under subsection (3)(b).
  8. New section 141A(9) makes it clear that whilst new section 141A sets out ways in which the Commissioner can serve notices, it does not preclude the Commissioner from giving a notice using any other lawful means.
  9. Subsection (4) of section 96 makes a consequential amendment to Schedule 2 to the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696).

Enforcement

Section 97: Power of the Commissioner to require documents

  1. Section 97 amends section 142 (information notices) of the DPA 2018 to clarify that the Commissioner can require specific documents as well as information when using the information notice power. This is a clarification of the Commissioner’s powers.
  2. Subsections (3) to (7) make consequential amendments to references to information notices in section 143 (information notices: restrictions), section 145 (information orders), section 148 (destroying or falsifying information and documents), section 160 (guidance about regulatory action) and Schedule 17 (review of processing of personal data for the purposes of journalism). These amendments are needed as a result of the clarification to the information notice powers in section 142 and make clear that the relevant provision applies where documents are required under the information notice powers in the same way as for other information.

Section 98: Power of the Commissioner to require a report

  1. Section 98 makes provision for the Commissioner to require a report on a specified matter when exercising the power under section 146 of the DPA 2018 to give an assessment notice.
  2. Subsection (1) is self-explanatory.
  3. Subsection (2) amends section 146 (assessment notices) of the DPA 2018.
  4. Subsection (2)(a) inserts new subsections (j) and (k) in section 146 subsection (2) of the DPA 2018, enabling the Commissioner to require the controller or processor to make arrangements for an approved person to prepare a report on a specified matter and provide the report to the Commissioner.
  5. Subsection (2)(b) inserts new subsection (3A) after section 146(3) of the DPA 2018. This provides that the Commissioner may set out requirements in the assessment notice specifying how the report by the approved person is to be prepared, its content and form, and the date by which it is to be completed.
  6. Subsection (2)(c) inserts new section 11A after section 146 subsection (11) in the DPA 2018. This requires the controller or processor to pay the cost for this report, including the approved person’s expenses.
  7. Subsection (2)(d) adds a definition of an approved person to the terms defined in section 146 subsection (12).
  8. Subsection (3) amends the DPA 2018 by inserting new section 146A. This outlines the process for approving the person preparing the report and makes clear that the decision to approve lies with the Commissioner.
  9. New section 146A(1) is self-explanatory.
  10. New section 146A(2) provides that the controller or processor is to nominate an approved person to prepare the report and that they are required to do so within the time set out by the Commissioner in the notice.
  11. New section 146A(3) provides that if the Commissioner is satisfied that the person nominated is suitable, that approval is to be provided to the controller or processor in writing.
  12. New section 146A(4) sets out the process to be followed if the Commissioner is not satisfied that the person nominated is suitable. In such circumstances, the Commissioner is required to let the controller or processor know by written notice their decision, the reasons for their decision and the person the Commissioner is selecting to prepare the report.
  13. New section 146A(5) sets out the process if the controller or processor fails to nominate a person to prepare the report in the time specified in the notice. In such circumstances, the Commissioner will decide the person to prepare the report and must notify the controller or processor of that decision by written notice. The controller or processor is required to make arrangements for this and pay any associated costs, as would be the case if they had nominated the approved person.
  14. New section 146A(6) provides that the controller or processor is required to cooperate with the approved person in the process of preparing the report.
  15. Subsection (4) of section 98 amends section 155(1) (penalty notices) of the DPA 2018 to allow the Commissioner to give a monetary penalty notice where the Commissioner is satisfied that a person has failed to comply with the duty placed upon the controller or processor under new section 146A(6), to assist the approved person in preparing the report.
  16. Subsection (5) of section 98 amends section 160(4) (guidance about regulatory action) of the DPA 2018. This requires the Commissioner to include in the statutory guidance the factors the Commissioner will consider in deciding whether to issue an assessment notice requiring the preparation of a report, and the factors the Commissioner may take into account when determining the suitability of a person to prepare the report.

Section 99: Assessment notices: removal of OFSTED restriction

  1. Section 99 removes the exemption of the Office for Standards in Education, Children's Services and Skills (Ofsted) from the ICO's assessment notice power under section 147(6)(b) of the DPA 2018. This allows the ICO to audit Ofsted’s function as a registration authority in the event of a suspected data breach.

Section 100: Interview notices

  1. Section 100 inserts new sections 148A-C into the DPA 2018 which make provision about interview notices. An interview notice can be used to require a person to attend an interview and answer questions when required by the Commissioner.
  2. New section 148A(1) sets out when the power can be used.
  3. New section 148A(2) provides the Commissioner with a power to give an interview notice.
  4. New section 148A(3) makes provision about who an interview notice can be issued to.
  5. New section 148A(4) requires the Commissioner to specify where and when the interview will take place. This is subject to the restrictions in subsections (6) and (7).
  6. New section 148A(5) provides that the interview notice must explain the suspected infringement of the UK GDPR or DPA 2018 that is being investigated, consequences of non-compliance with the interview notice and information about how a person can appeal the notice.
  7. New section 148A(6) provides that an interview notice must not require the person to attend the interview before the end of the period in which an appeal could be brought.
  8. New section 148A(7) provides that if an appeal is brought, the person concerned need not comply with the interview notice until the appeal has been withdrawn or decided.
  9. New section 148A(8) provides that subsections (6) and (7) do not apply where the Commissioner considers there is an urgent need for the interview and where the Commissioner provides reasons for the urgency. In these circumstances, however, the interview notice must provide at least 24 hours between the time of issuing the notice and when the person is required to attend the interview.
  10. New section 148A(9) is self-explanatory.
  11. New section 148B places certain restrictions on the circumstances in which the Commissioner can require a person to answer questions under an interview notice.
  12. New section 148B(1) provides that an interview notice does not require a person to answer questions at interview to the extent that requiring the person to do so would involve an infringement of the privileges of either House of Parliament.
  13. New sections 148B(2) and (3) provide that a person is not required to answer questions where this would result in disclosure of communications between a professional legal adviser and their client in respect of the client’s obligations under the data protection legislation or in respect of proceedings under data protection legislation.
  14. New section 148B(4) is self-explanatory.
  15. New section 148B(5) provides that an interview notice cannot compel a person to provide information that would expose them to proceedings for the commission of an offence, except in relation to the offences under the DPA 2018 and the other offences listed in subsection (6).
  16. New section 148B(7) provides that a statement provided in response to an interview notice cannot be used as evidence in criminal proceedings brought under the DPA 2018 (except where the proceedings relate to the offence under new section 148C (false statements made in response to an interview notice)) unless in the proceedings the person gives evidence that is inconsistent with the statement, and evidence relating to the statement is put before the court by the person or a question relating to it is asked by the person or on their behalf.
  17. New section 148B(8) provides that an interview notice cannot be made in respect of personal data being processed for journalistic, academic, artistic or literary purposes.
  18. New section 148B(9) lists other bodies to whom the Commissioner cannot give an interview notice.
  19. New section 148C (false statements made in response to interview notices) makes it an offence for a person to intentionally or recklessly make a false statement in response to an interview notice. This mirrors the offence in section 144 of the DPA 2018 for false statements in response to information notices.
  20. Subsection (3) of section 100 amends section 149(9)(b) of the DPA 2018 (enforcement notices) to add interview notices to the regulation-making powers in that section. This brings the interview notice function in line with assessment notices, information notices and penalty notices in this context.
  21. Subsection (4) amends section 155(1)(b) (penalty notices) of the DPA 2018 to include interview notices. Where the Commissioner is satisfied that a person has failed to comply with an interview notice, the Commissioner is permitted to give a monetary penalty notice requiring a person to pay the Commissioner an amount determined by the Commissioner.
  22. Subsection (5) amends section 157(4) (maximum amount of penalty) of the DPA 2018 to include interview notices. The maximum penalty amount in relation to failure to comply with an interview notice is the higher maximum amount. This provision brings the maximum amount of the penalty that may be imposed by a penalty notice for failure to comply with an interview notice in line with the maximum amount for existing enforcement powers. The higher maximum amount is defined in section 157(5) of the DPA 2018.
  23. Subsection (6)(a) amends section 160(1) (guidance about regulatory action) to include interview notices in the functions for which the Commissioner is required to produce and publish statutory guidance. This brings the interview notice function in line with assessment notices, enforcement notices, information notices and penalty notices.
  24. Subsection (6)(b) inserts new section 5A in section 160 and specifies the matters which the guidance must include in relation to interview notices.
  25. Subsection (7) amends section 162 (rights of appeal) of the DPA 2018 to add an interview notice to the list of notices a person can appeal.
  26. Subsection (8) amends section 164 (applications in respect of urgent notices) of the DPA 2018 to provide that the provisions for appealing an urgent notice apply to interview notices. This enables a person who is given an interview notice that requires the person to comply with it urgently, to apply to the court to have the urgency statement set aside or for variation of the timetable for compliance with the notice.
  27. Subsection (9) is self-explanatory.
  28. Subsection (10) amends section 196 (penalties for offences) to provide that the offence provided for in section 148C (false statements made in responses to interview notices) is included in subsection (2). Section 196(2) of the DPA 2018 sets out the maximum penalties for offences that can be tried summarily or on indictment. In England and Wales, the maximum penalty when tried summarily or on indictment is an unlimited fine. In Scotland and Northern Ireland, the maximum penalty on summary conviction is a fine not exceeding the statutory maximum or an unlimited fine when tried on indictment. This aligns the offence set out in section 148C with existing comparable offences in the DPA 2018, including that in section 144 (false statements made in response to information notices).
  29. Subsection (11) provides that "interview notice (Part 6)" is added to the terms defined in section 206 (index of defined expressions) in the DPA 2018 and signposts where the definition may be found in the DPA 2018.
  30. Subsection (12) amends Schedule 17 (review of processing of personal data for the purposes of journalism) and inserts new paragraph 3A after paragraph 3 to make provision for where the Commissioner gives an interview notice during a review period. New section 148B(8) prevents the Commissioner from giving an interview notice with respect to the processing of personal data for the special purposes. Paragraph 3A of this Schedule disapplies section 148B(8), providing the Commissioner with the ability to give interview notices for the purpose of the review, but only where a determination under section 174 of the DPA 2018 has taken effect.
  31. Subsection (12) also amends paragraph 4 of Schedule 17 to include interview notices. It applies section 164 of the DPA 2018 (applications in respect of urgent notices) to interview notices given under paragraph 3A.

Section 101: Penalty notices

  1. Section 101 makes changes to the provisions for imposing penalties in Schedule 16 to the DPA 2018. Before issuing a penalty notice to a person, the Commissioner must inform the person of the intention to do so, by issuing a notice of intent. Section 101 changes the rules about the time within which a penalty notice given in reliance on a notice of intent must be issued to allow for the Commissioner to have more time to issue a final penalty notice after issuing a notice of intent where needed.
  2. Subsection (1) is self-explanatory.
  3. Subsection (2) repeals paragraph 2(2) and (3) of Schedule 16 and subsection (3) inserts new sub-paragraphs (A1) and (B1) into paragraph 4 of that Schedule. This provides for the Commissioner to give a penalty notice within 6 months of giving a notice of intent but allows the Commissioner to issue a penalty notice outside the 6-month time limit if it is not reasonably practicable to issue a final penalty notice within this timeframe. In such circumstances, the Commissioner is instead required to issue a final penalty notice "as soon as reasonably practicable" after issuing the notice of intent. This allows the Commissioner sufficient time, after issuing a notice of intent, to consider oral or written representations and complete its investigations, where needed. This also places new requirements on the Commissioner to let the person know the outcome of its investigation by giving written notice where the Commissioner has decided not to give a penalty notice. This notice should also be given within 6 months of the day the notice of intent is given, or as soon as reasonably practicable thereafter.
  4. Subsection (4) introduces a new requirement in section 160 of the DPA 2018. This requires the Commissioner to produce and publish guidance setting out the circumstances in which the Commissioner needs longer than 6 months to make a decision whether or not to issue a penalty notice.

Section 102: Annual report on regulatory action

  1. Section 102 amends the DPA 2018 by making provision for the Commissioner to annually publish a report detailing how the Commissioner’s regulatory functions have been discharged.
  2. Subsection (2) amends section 139 of the DPA 2018 by inserting new subsection (2A), which allows the Commissioner to include the annual report on regulatory action in the general report which is laid before Parliament.
  3. Subsection (4) inserts new section 161A into the DPA 2018 outlining a report the Commissioner must produce and publish annually on the Commissioner’s investigation and enforcement powers.
  4. New section 161A(2) sets out the information that the annual report on regulatory action must include in relation to investigations on the application of the UK GDPR and enforcement powers exercised in relation to those investigations.
  5. New section 161A(3) sets out the information the annual report on regulatory action must include on enforcement powers exercised in relation to law enforcement processing and intelligence services processing under Parts 3 and 4 of the DPA 2018.
  6. New section 161A(4) provides that the Commissioner is required to produce and publish information about the number of penalty notices given in the reporting period that were given more than 6 months after the notice of intent was given under paragraph 2 of Schedule 16 and the reasons why that happened.
  7. Under new section 161A(5) the report must summarise how the Commissioner has taken into account the Commissioner’s own guidance on regulatory action while exercising the Commissioner’s powers.
  8. New section 161A(6) is self-explanatory.

Section 103: Complaints by data subjects

  1. Section 103 inserts new sections 164A and 164B into the DPA 2018.
  2. New section 164A outlines the procedures for dealing with complaints made by data subjects to data controllers.
  3. New section 164A(1) outlines the right of a data subject to complain to the data controller if the data subject considers that there is an infringement of their rights under the UK GDPR or Part 3 of the DPA 2018.
  4. New section 164A(2) requires controllers to facilitate the making of complaints under this section by taking appropriate steps. This could include providing a complaint form to be completed electronically, or other appropriate means.
  5. New section 164A(3) requires data controllers to acknowledge receipt of the complaint within a period of 30 days, beginning when the complaint is received.
  6. New section 164A(4) requires data controllers to take appropriate steps, without undue delay, to respond to the complaint and inform the complainant of the outcome of the complaint.
  7. New section 164A(5) explains that the requirement in subsection (4)(a) for data controllers to "take appropriate steps to respond to the complaint" includes making enquiries about the subject matter of the complaint to the extent appropriate, and informing the complainant about the progress of the complaint.
  8. New section 164B(1) sets out a power for the Secretary of State to make regulations to require controllers to notify the Commissioner of the number of complaints they have received in relation to the periods set out in regulations.
  9. New sections 164B(2)-(5) set out further detail in relation to the regulations. Any such regulations must be made in accordance with the negative resolution procedure.
  10. Subsections (3) to (6) of section 103 streamline provisions relating to complaints by data subjects, by merging relevant articles of the UK GDPR into the DPA 2018. This ensures relevant provisions regarding complaints to the Commissioner about infringements of the data protection legislation are located in section 165 of the DPA 2018.
  11. Subsection (7) introduces Schedule 10 containing miscellaneous minor and consequential amendments to the UK GDPR and the DPA 2018 relating to complaints by data subjects.

Section 104: Court procedure in connection with subject access requests

  1. Section 104 inserts new section 180A into the DPA 2018.
  2. New section 180A(1) establishes that section 180A applies in court proceedings to determine whether a data subject is entitled to information in response to a subject access request made under any of the UK’s data protection regimes or by virtue of the right to data portability.
  3. New section 180A(2) sets out that the court can require the controller to provide the court with the information in question. The controller must provide any requested information which would fall within scope of the rights as set out in section 180A(1).
  4. New section 180A(3) ensures that the court cannot require the information set out in subsection (1) to be disclosed to the data subject by any means until it has been determined that the data subject is entitled to it.
  5. New section 180A(4) states that the searches for information controllers must make when required to by the court do not need to go beyond the requirements of a reasonable and proportionate search for information when responding to a subject access request.
  6. The purpose of this provision is to ensure that courts in relevant cases may inspect material that has been withheld in response to a subject access request without the material having been disclosed to the data subject, when determining whether or not the material is exempt from disclosure. Similar provision was included in the Data Protection Act 1998 (section 15(2) of that Act). In X v The Transcription Agency and another [2023] EWHC 1092 (KB) the High Court rejected an argument that the absence of equivalent provision in the Data Protection Act 2018 (which repealed and replaced the 1998 Act) indicated that Parliament intended that courts should not be able to inspect the material in the absence of the claimant. New section 180A puts the position beyond doubt.

Section 105: Consequential amendments to the EITSET Regulations

  1. Schedule 2 of the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696) ("the EITSET Regulations") currently applies (with appropriate modification) certain enforcement provisions contained within the DPA 2018, so that enforcement powers are available to the Commissioner as the supervisory body for trust service providers, in respect of breaches of Regulation (EU) No 910/2014 ("the eIDAS Regulation").
  2. Section 105 amends Schedule 2 of the EITSET Regulations in order to apply (with appropriate modification) the changes made by other provisions in the Act.
  3. Amongst amendments made to Schedule 2 of the EITSET Regulations, are amendments required in order to apply (with appropriate modification) the new enforcement power under section 146A of the DPA 2018, to require a technical report as part of the assessment notice procedure, and the new enforcement power under section 148A, to impose an interview notice to require a person to attend an interview and answer questions. The new offence of intentionally or recklessly making a false statement in response to an interview notice under section 148C is also applied by amendments made to Schedule 2 of the EITSET Regulations.
  4. This section amends Schedule 2 of the EITSET Regulations in order to remove the reference to consultation under section 65 of the DPA 2018 when section 155(3)(c) is applied with modification under Schedule 2 of the EITSET Regulations, as the consultation requirements under that section are not relevant to the regulation of trust service providers under the UK eIDAS Regulation.
  5. This section also amends Schedule 2 of the EITSET Regulations in order to omit paragraph 21, which is an earlier and now unnecessary provision, given that paragraph 1(y) of Schedule 2 only applies certain subsections of section 182 of the DPA 2018.

Protection of prohibitions, restrictions and data subject’s rights

Section 106: Protection of prohibitions, restrictions and data subject’s rights

  1. Subsections (1) to (5) of section 106 amend the DPA 2018 by inserting new sections 183A, 183B and 186A into the DPA 2018 as well as making amendments to existing section 186. The purpose of these provisions is to ensure there are clearer rules about the relationship between key elements of the data protection legislation and: (i) other provisions in legislation or rules of law relating to the processing of personal data, and (ii) restrictions or prohibitions in legislation on disclosures of personal data. This is needed as a result of the changes to the interpretative effects on EU-derived legislation, such as the UK GDPR and other EU-derived elements of the UK’s data protection legislation, made by the EU (Withdrawal) Act 2018 (EUWA 2018) and the Retained EU Law (Revocation and Reform) Act 2023.
  2. Subsection (2) inserts a new section 183A into the DPA 2018.
  3. New section 183A(1) sets out a presumption, in relation to any relevant enactments, or any rules of law, conferring powers or imposing duties relating to the processing of personal data, that requirements under the "main data protection legislation" are not overridden by such powers or duties.
  4. The "main data protection legislation", "relevant enactment" and "requirement" are defined in subsection (4) of new section 183A. Subsection (4) sets out which parts of the data protection legislation constitute the "main data protection legislation" for the purposes of new section 183A(1). It also defines "relevant enactment" for the purposes of subsection (1) as meaning any enactment so far as passed or made on or after the day on which section 106(2) of the Data (Use and Access) Act 2025 comes into force. This means that the presumption in subsection (1) does not apply to legislation passed or made before the day on which new section 183A comes into force. The reference to "enactment" includes devolved legislation (see section 205(1) of the DPA 2018).
  5. New section 183A(2)(a) ensures that subsection (1) does not apply to any provisions forming part of the "main data protection legislation". Subsection (2)(b) recognises that there may be situations where legislation is deliberately intended to override requirements of the data protection legislation and makes it clear that in such cases subsection (1) will not apply to the extent that the legislation makes express provision to this effect. This preserves the principle of parliamentary sovereignty. Whether or not devolved legislation is able to override the data protection legislation in this way will depend on the terms of the relevant devolution settlement.
  6. New section 183A(3) ensures that any duty or power in the legislation that makes provision for processing personal data can be taken into account for the purposes of determining whether it is possible to rely on any exception to a requirement in the data protection legislation. For example, if there is a duty in legislation on a person or organisation to disclose personal data, the requirement for a lawful basis in Article 6(1) of the UK GDPR is likely to be met. (Article 6(1)(c) provides a lawful basis for processing where the processing is necessary for compliance with a legal obligation to which the controller is subject).
  7. New section 183A(5) provides that the reference in subsection (1) to an enactment or rule of law that imposes a duty or confers a power to process personal data includes duties or powers that arise directly or indirectly, for example: provisions that remove restrictions, or provisions that authorise a person to require another person to process personal data.
  8. Subsection (3) of section 106 amends the DPA 2018 by inserting a new section 183B into the DPA 2018.
  9. New section 183B makes provision about the relationship between pre-commencement enactments which impose a duty, or confer a power, to process personal data and the main data protection legislation (see subsection (1)).
  10. The "main data protection legislation" and "requirement" are defined in subsection (5)(a) of new section 183B as having the same meaning as in new section 183A. Subsection (5)(b) defines "pre-commencement enactment" for the purposes of subsection (1) as meaning any enactment that has been passed or made before the day on which section 106(2) of the Data (Use and Access) Act 2025 comes into force. This limits the effect of subsection (1) to legislation passed or made before the day on which new section 183A comes into force. The reference to "enactment" includes devolved legislation (see section 205(1) of the DPA 2018).
  11. New section 183B(2) provides that the relationship described in new section 183B(1) is not changed by the removal of the principle of the supremacy of EU law in section 5(A1) of the EUWA 2018 nor by the repeal of section 5(1) to (3) of that Act. These changes to the EUWA 2018 were made by section 3 of the Retained EU Law (Revocation and Reform) Act 2023. This will apply in cases in which the principle of supremacy of EU law was relevant to the relationship before 1 January 2024.
  12. New section 183B(3) provides that where the relevant provision of the main data protection legislation is a provision of, or made under, the UK GDPR, section 5(A2) of the EUWA 2018 does not apply to the relationship described in subsection (1). Section 5(A2) provides that provisions of assimilated direct legislation are subject to domestic enactments (so far as incompatible with them). The UK GDPR constitutes assimilated direct legislation and therefore falls within the scope of section 5(A2).
  13. New section 183B(4) states that nothing is to be implied about a relationship described in new section 183B(1) merely due to the fact that express provision with similar effect to section 183A(1) is made in connection with one relationship but not another.
  14. New section 183B(6) states that section 183A(5) applies for the purposes of subsection (1)(a) of new section 183B in the same manner that it applies for the purposes of section 183A(1). In other words, the reference in subsection (1) to an enactment or rule of law that imposes a duty or confers a power to process personal data includes duties or powers that arise directly or indirectly, for example provisions that remove restrictions, or provisions that authorise a person to require another person to process personal data.
  15. Subsection (4) of section 106 makes some amendments to section 186 of the DPA 2018 to clarify its intended application and effect, particularly in light of new section 183A and new section 186A. For example, new section 186(2A)(c) reflects new section 183A(2)(b) by providing that the rule in section 186(1) does not apply to the extent that an enactment makes express provision to the contrary referring to section 186 itself or a provision listed in section 186(2). Whether or not devolved legislation is able to make such provision will depend on the terms of the relevant devolution settlement.
  16. Subsection (5) amends the DPA 2018 by inserting a new section 186A into the DPA 2018. New section 186A builds on section 186 DPA 2018 by making further provision in relation to the interaction between the data protection legislation and other existing legislative provisions or rules of law containing prohibitions or restrictions on the disclosure of information or authorising the withholding of information.
  17. New section 186A makes provision about the relationship between pre-commencement enactments which prohibit or restrict the disclosure of information or authorise the withholding of information and provisions of the UK GDPR or the DPA 2018 listed in section 186(2) (see subsection (1)).
  18. "Pre-commencement enactment" is defined in new section 186A(5) for the purposes of subsection (1) as meaning any enactment that has been passed or made before the day on which section 106(4) of the Data (Use and Access) Act 2025 comes into force, other than an enactment contained in, or made under, a provision of the data protection legislation listed in section 186(2) or (3). The reference to "enactment" includes devolved legislation.
  19. New section 186A(2) provides that the relationship described in subsection (1) is not changed by the removal of the principle of the supremacy of EU law in section 5(A1) of the EUWA 2018 nor by the repeal of section 5(1) to (3) of that Act. These changes to the EUWA 2018 were made by section 3 of the Retained EU Law (Revocation and Reform) Act 2023. This will apply in cases in which the principle of supremacy of EU law was relevant to the relationship before 1 January 2024.
  20. New section 186A(3) provides that in relation to pre-commencement legislation, there may be occasions when an existing express or implied contrary indication means that section 186(1) does not apply.
  21. New section 186A(4) indicates that no inference should be drawn about the relationship described in new section 186A(1) merely due to the fact that express provision stating that section 186(1) applies is made in connection with one such relationship but not another.
  22. Subsection (6) of section 106 inserts a cross-reference to new section 183A and a signpost to new section 183B(3) into section 5(A3)(a) of the EUWA 2018, as inserted by section 3 of the Retained EU Law (Revocation and Reform) Act 2023. Section 5(A3) contains exceptions from the interpretation rule in section 5(A2) of the EUWA 2018, as also inserted by section 3 of the Retained EU Law (Revocation and Reform) Act 2023. That rule says that provisions of assimilated direct legislation (such as the UK GDPR) are subject to domestic enactments (so far as incompatible with them). The amendments have the effect that the rule is disapplied where new section 183A applies.
  23. Subsection (7) provides that subsections (3), (5) and (6)(c) of section 106 of the Data (Use and Access) Act 2025 are to be treated as having come into force on 1 January 2024. This means that those subsections will be treated as having had effect from the commencement of section 3 of the Retained EU Law (Revocation and Reform) Act 2023.

Miscellaneous

Section 107: Regulations under the UK GDPR

  1. Section 107 makes provision concerning the procedure for making regulations under the powers in the UK GDPR, including consultation requirements. It makes it clear that, before making regulations, the Secretary of State must consult the Commissioner and such other persons as they consider appropriate, save for some exceptions. Those other appropriate persons will depend on the nature of the regulations in question, but an example would be where the regulations touch on healthcare matters and/or the processing of patient data. In such a case, the Secretary of State might consider it appropriate to consult, for example, the National Data Guardian for Health and Care, relevant healthcare bodies and relevant medical associations.

Section 108: Further minor provision about data protection

  1. Section 108 introduces Schedule 11 containing miscellaneous minor amendments to the UK GDPR and the DPA 2018.

Chapter 2: Privacy and electronic communications

Section 109: The PEC Regulations

  1. Section 109 defines "the PEC Regulations" for the purposes of this chapter.

Section 110: Interpretation of the PEC Regulations

  1. Section 110 amends Regulation 2 of the PEC Regulations.
  2. Subsection (2) amends Regulation 2(1) of the PEC Regulations.
  3. Subsection (2)(a) makes it clear that the definition of "call" includes all calls, including those that are attempted, irrespective of whether they connect with the intended recipient.
  4. Subsection (2)(b) also amends the definition of "communication" to make it clear that it covers communications, such as texts and emails, which are "transmitted". Previously, the regulation only referred to communications that were "exchanged or conveyed", which implied they needed to reach their intended recipient.
  5. Subsection (2)(c) is a technical amendment which inserts the meaning of "direct marketing" into Regulation 2 for ease of reference. The definition is currently drawn from the DPA 2018 (see paragraph 432(6) of Schedule 19 to the DPA 2018). Direct marketing covers all types of advertising, marketing or promotional material. It includes commercial marketing and the promotion of aims and ideals. A service message written in a neutral tone that is sent to comply with regulatory requirements (e.g. a bank updating a customer about changes in interest rates) would not usually count as direct marketing, unless parts of the message actively promote or encourage a person to take a particular action. See guidance produced by the Information Commissioner’s Office.
  6. Subsection (3) of section 110 inserts paragraph (1A) in Regulation 2. Paragraph (1A) clarifies the meaning of "recipient" in the context of calls or communications that are sent or generated but not received. It provides that, in this context, a "recipient" should be taken to mean the "intended recipient".
  7. Subsection (4) removes the reference to regulation 2(3) of the PEC Regulations, which was previously deleted from the regulation.
  8. Subsection (5) inserts new paragraphs (5) and (6). New paragraph (5) states that references to periods of time expressed in hours, days, weeks, months or years are to be interpreted in accordance with Article 3 of the Periods of Time Regulation. New paragraph (6) defines the meaning of "the Periods of Time Regulation". This provision ensures consistency with section 205(2) of the DPA 2018 and new Article 4A of the UK GDPR (inserted by paragraph 3 of Schedule 11 to this Act).

Section 111: Duty to notify the Commissioner of personal data breach: time periods

  1. The PEC Regulations include rules on reporting breaches of personal data to the Information Commissioner for organisations providing electronic communications services to the public (e.g. telecoms providers and internet service providers). These rules are supplemented by provisions in the retained version of the Commission Regulation (EU) No 611/2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications ("Regulation 611/2013").
  2. The current effect of regulation 5A of the PEC Regulations and Article 2 of Regulation 611/2013 is that organisations must report personal data breaches to the Information Commissioner no later than 24 hours after becoming aware of the breach. Subsection (1)(a) of section 111 changes this so that personal data breaches must be reported without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach.
  3. Subsection (1)(b) inserts a new paragraph 3A into the PEC Regulations, stating that where a personal data breach notification (under paragraph 2) is not made within 72 hours, reasons for the delay must be provided.
  4. Subsections (2)(a) and (b) refer to the fixed monetary penalty in regulation 5C of the PEC Regulations and clarify how to calculate the 21-day period under regulation 5C(4)(f) and (5) of the PEC Regulations.
  5. Subsection (3) amends Article 2 of Regulation 611/2013 to reflect the new time limits for breach reporting.
  6. Subsection (3)(a) amends paragraph 2 of Article 2 of Regulation 611/2013. Subsection (3)(a)(i) amends the first subparagraph to state that service providers must report a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it.
  7. Subsection (3)(a)(ii) is a consequential amendment on new paragraph 3 of Article 2.
  8. Subsection (3)(a)(iii) inserts a new subparagraph which states that paragraph 2 is to be interpreted in accordance with Article 3 of Regulation (EEC, Euratom) No. 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits. This provision ensures consistency with section 205(2) of the DPA 2018, new Article 4A of the UK GDPR (inserted by paragraph 3 of Schedule 11 to this Act) and new paragraph (5) of Regulation 2 of the PEC Regulations (inserted by section 110 of this Act).
  9. Subsection (3)(b) amends paragraph 3 of Article 2 of Regulation 611/2013 to state that where the information (which is requested under Annex 1 of the Regulation) is not available to be included in the personal data breach notification, it may be provided in phases to the Information Commissioner without undue further delay.

Section 112: Storing information in the terminal equipment of a subscriber or user

  1. Section 112 amends regulation 6 of the PEC Regulations. Subsection (4) introduces Schedule 12 to this Act, which inserts new Schedule A1 to the PEC Regulations.
  2. Subsection (2) of section 112 replaces regulation 6 of the PEC Regulations which sets out rules on the circumstances in which a person can store information, or gain access to information stored, in the "terminal equipment" of a subscriber or user. Terminal equipment may include, for example, computers, mobile phones, wearable technology, smart TVs and connected devices, including the Internet of Things.
  3. New regulation 6(1) provides that subject to the exceptions in Schedule A1, organisations are prohibited from storing information or gaining access to information stored in the terminal equipment of an individual.
  4. New regulation 6(2)(a) clarifies for the purposes of this regulation and new Schedule A1 that a reference to an organisation storing information, or gaining access to information stored, in the device of a subscriber or user, includes a reference to the person instigating the storage or access.
  5. New regulation 6(2)(b) clarifies that a reference to gaining access to information stored in the terminal equipment of a subscriber or user includes a reference to collecting or monitoring information automatically emitted by the terminal equipment ("emissions data"). An example of emissions data includes Wi-Fi probe requests.
  6. Subsection (3) of section 112 inserts new regulation 6A into the PEC Regulations.
  7. New regulation 6A(1)(a) introduces a power for the Secretary of State to add new exceptions to the prohibition in regulation 6(1). The power would also allow the Secretary of State to omit or vary any existing exceptions to the prohibition.
  8. Paragraph (1)(b) of new regulation 6A provides that the Secretary of State can also make consequential, supplementary, incidental, transitional, transitory or saving provisions which are necessary to give effect to exceptions made by regulations made under these provisions.
  9. Paragraph (3) of new regulation 6A provides that, before making regulations under paragraph 6A(1), the Secretary of State must consult the Commissioner and "such other persons as the Secretary of State considers appropriate".
  10. Paragraph (4) of new regulation 6A provides that the regulations made under this power are subject to the affirmative resolution procedure.
  11. Subsection (5) of section 112 makes it clear how consultation requirements under regulation 6A may be satisfied.

Section 113: Emergency alerts: interpretation of time periods

  1. Section 113 clarifies how the period of time in regulation 16A(6) of the PEC Regulations should be calculated.

Section 114: Use of electronic mail for direct marketing by charities

  1. Section 114 amends regulation 22 of the PEC Regulations. This regulation applies to the transmission of unsolicited communications by electronic mail to individual subscribers. Electronic mail is defined in regulation 2 and covers, among other things, communication by email or text message. Under paragraph (2), unsolicited communication by such means is, in principle, prohibited without the recipient’s consent, unless exceptions apply.
  2. Currently regulation 22 of the PEC Regulations provides for one exception. It allows anyone (companies, charities, or other organisations) to send electronic marketing communications to an individual (recipient) without their explicit consent, if their contact details were collected during the sale of a product or service, or negotiations for a sale. The direct marketing materials benefiting from this exception may only concern similar products and services, and the individual recipient must be offered a simple means of opting out of receiving marketing communications, both at the time the contact details are collected and in all subsequent communications sent. Both safeguards are aimed at limiting an individual’s exposure to spam and nuisance communications. This exception is commonly known as the "soft opt-in".
  3. Section 114 adds a new exception to regulation 22 available only to charities. It allows charities to send direct marketing for the purposes of furthering one or more of their charitable purposes (for definitions see para 879 below). This could include communications regarding their campaigning or fundraising activities.
  4. Subsection (1) sets out that regulation 22 of the PEC Regulations is amended as per the subsections (2) to (4).
  5. Subsection (2) makes a consequential amendment to regulation 22(2) of the PEC Regulations, including a reference to the new paragraph (3A).
  6. Subsection (3) inserts new paragraph (3A) into regulation 22 of the PEC Regulations. New paragraph (3A) creates a new exception allowing a charity to send or instigate the sending of electronic mail for the purpose of direct marketing. Subparagraphs (a)-(c) set out the conditions for this exception.
  7. Under subparagraph (a) the sole purpose of the direct marketing must be furthering one or more of their charitable objectives.
  8. Subparagraph (b) sets out that, to be able to rely on the soft opt-in, the charity must have obtained the contact details of the recipient of the electronic mail in the course of the recipient either (i) expressing an interest in one or more of the purposes that were the charity’s charitable purposes at that time; or (ii) offering or providing support to further one or more of those purposes. An individual may "express an interest", for example, by visiting the charity’s website or premises to request information on a particular campaign. Examples of offering or providing support include volunteering for the charity or making a donation.
  9. Subparagraph (c) provides that the individual recipient must be given a simple way of opting out of receiving communications at the point their contact details were collected as well as in each subsequent communication sent to that individual.
  10. Subsection (4) inserts a new paragraph (5) into regulation 22 of the PEC Regulations. It defines "charity" and "charitable purpose" for the purpose of this regulation. Only charities subject to the relevant UK charities regulatory framework can rely on this new exception, and only to further their charitable purposes. "Charitable purposes" must be interpreted according to the relevant legislation.

Section 115: Commissioner’s enforcement powers

  1. Section 115 updates the Information Commissioner’s powers of enforcement in relation to the PEC Regulations, which currently rely on powers in the Data Protection Act 1998. The effect of this provision will be to apply some of the more modern enforcement powers in the DPA 2018 to the PEC Regulations.
  2. Subsections (2) and (3) omit paragraph 6 of regulation 5 and regulation 5B of the PEC Regulations, which are both concerned with the Commissioner’s powers to audit measures taken by public electronic communications service providers to safeguard the security of their services and inform certain parties of a personal data breach. These provisions are no longer needed as section 146 of the DPA 2018 (powers for the Commissioner to impose assessment notices) will instead be applied for the purposes of the PEC Regulations, subject to the modification in Schedule 13.
  3. Subsection (4)(a) includes technical amendments to aid the readability of the legislation, including updating "county court" references.
  4. Subsection (4)(b) adds further subparagraphs to the end of regulation 5C, which is concerned with the penalties that can be imposed on service providers for failing to report security breaches. New subparagraphs (13), (14) and (16) provide the Secretary of State with a power to amend the amount of the fixed monetary penalty that can be imposed (which is currently £1,000, or £800 if paid within 21 days of receipt of the notice of intent). Any changes must be made via regulations which are laid in Parliament and subject to the affirmative resolution procedure. New subparagraph (15) provides that, before making regulations under regulation 5C(13), the Secretary of State must consult the Commissioner and "such other persons as the Secretary of State considers appropriate".
  5. Subsection (5) replaces regulation 31 of the PEC Regulations, which currently applies the Information Commissioner’s enforcement powers in the Data Protection Act 1998 to the PEC Regulations. The new regulation 31 will instead apply certain enforcement powers in Parts 5 to 7 of the DPA 2018 to the PEC Regulations, subject to the modifications in Schedule 13.
  6. Subsections (6) and (7) remove regulations 31A and 31B, which currently allow the Commissioner to impose "third party information notices" on communications providers to gather information held on electronic communications networks, or by electronic communications services, for investigating compliance with the regulations; and set out rights of appeal against the imposition of a notice. These provisions are no longer needed because the more modern powers in section 142 of the DPA 2018 (Information notices) and associated appeal rights will now be applied to the PEC Regulations. Under these new provisions, the Commissioner will be able to serve a written notice on any person or communications provider, requesting information or documents to help determine whether the person has complied or is complying with the PEC Regulations.
  7. Under subsection (8), the current Schedule 1 to the PEC Regulations, which sets out modifications to the enforcement regime in the Data Protection Act 1998 for the purposes of their application to the PEC Regulations, is repealed. It is replaced by a new Schedule 13 which sets out modifications to the enforcement regime in the DPA 2018, so that it can be applied to the PEC Regulations.
  8. Subsection (9) makes some consequential amendments to paragraph 58(1) of Schedule 20 to the DPA 2018 to reflect the changes that have been made to regulations 2, 31 and 31B by these sections.
  9. Subsection (10) makes it clear how consultation requirements under regulation 5C may be satisfied.

Section 116: Codes of conduct

  1. Section 116 inserts new regulations 32A, 32B and 32C into the PEC Regulations.
  2. Under regulation 32A the Information Commissioner must encourage representative bodies to draw up PEC Regulations codes of conduct. Codes of conduct are voluntary accountability tools, enabling sectors to identify key compliance challenges in their sector with the approval of the Information Commissioner that the code, and its monitoring, is appropriate. They are written by an organisation or association representing a sector in a way that the sector understands.
  3. New regulations 32A(1) and (2) require the Information Commissioner to encourage the production of codes of conduct which take account of specific features of different sectors.
  4. New regulation 32A(3) sets out an illustrative list of the matters that a code of conduct may make provisions regarding.
  5. New regulations 32A(4) and (5) set out the requirements for the Information Commissioner's approval of a code of conduct. Namely, following receipt of a draft code the Commissioner will provide an opinion to the representative body on whether the code correctly reflects the requirements of the relevant PEC Regulations. Codes approved by the Commissioner are to be registered and published.
  6. Codes of conduct require a monitoring method, and for private or non-public authorities, a monitoring body to deliver them. New regulation 32A(6) states that the Information Commissioner may only approve codes if they meet these requirements.
  7. New regulation 32A(7) sets out how amendments to an approved code will be managed. This provision specifically applies paragraphs (4)-(6) to an amended code.
  8. New regulation 32A(8) provides for a code of conduct under paragraph (1) to be contained in the same document as a code of conduct described in Article 40 of the UK GDPR and makes it clear that a provision in the code of conduct can address requirements under both the PEC Regulations and the UK GDPR. This will enable the Information Commissioner to give an opinion on whether the code complies with the UK GDPR and relevant PEC Regulations or just relevant PEC Regulations.
  9. New regulation 32A(9) sets out the meaning of terms used in the regulation.
  10. New regulation 32B permits the Commissioner to accredit a body where the monitoring body meets certain conditions. They include, for example, that the monitoring body has established relevant procedures and structures to handle complaints about infringements of the code, and that it has demonstrated its independence and does not have a conflict of interest. New regulation 32B(1) permits the Commissioner to accredit a body for the purpose of monitoring a code described under regulation 32A(1). The role of the monitoring body will be to monitor whether an organisation, other than a public body, complies with the code.
  11. New regulation 32B(2) sets out the criteria that an organisation must meet to be accredited by the Commissioner as a monitoring body for a code.
  12. New regulation 32B(3) requires the Commissioner to publish guidance about how they propose to take decisions about accreditation under this regulation.
  13. New regulation 32B(4) requires the monitoring body to take appropriate action where it identifies that an infringement of the code has occurred. If the action taken consists of suspending or excluding a person from the code then the monitoring body is required to inform the Commissioner under new regulation 32B(5) and to provide reasons for why they have taken that action.
  14. New regulation 32B(6) requires the Commissioner to revoke a monitoring body’s accreditation if they consider that the body no longer meets the requirements for accreditation, or has failed to take action when the code has been infringed, or has failed to inform the Commissioner when a person has been suspended or excluded from the code.
  15. New regulation 32B(7) states that in this regulation the term "public body" has the same meaning as in regulation 32A.
  16. New regulation 32C sets out that adherence to a code of conduct approved under regulation 32A may be used by a person as a means of demonstrating compliance with the relevant requirements of the PEC Regulations covered by that code.
  17. Subsection (3) of section 116 amends regulation 33 of the PEC Regulations. The amendment requires OFCOM to comply with any reasonable requests made by the Commissioner in connection with their functions under regulation 32A and regulation 32B.
  18. Subsection (4) amends new Schedule 1 to the PEC Regulations, which is inserted by Schedule 13 to this Act. The amendment adds regulations 32B(4) and 32B(5) to the list of provisions for which a penalty notice may impose the higher maximum penalty in the event of an infringement.
