Data (Use And Access) Act 2025

Schedules

Schedule 1: National Underground Asset Register (England and Wales): monetary penalties

  1. This Schedule inserts a new Schedule 5A into NRSWA 1991 which makes provisions about the monetary penalties for non-compliance with the requirements to pay a fee and provide information set out in Part 3A of that Act. The penalty scheme is intended to be a simple and effective approach which can easily be applied in practice.
  2. Paragraph 1(1) confers a power on the Secretary of State to issue a "penalty notice" where a person has failed to comply with a requirement to pay a fee in accordance with regulations under section 106E(1), or failed to provide information in accordance with regulations under section 106F(1) or (2). A notice can also be issued where such information is either misleading or false.
  3. The Secretary of State will have discretion over whether to impose a penalty. There will also be a requirement for a "warning notice" to be given to the person concerned where the imposition of a penalty is being proposed, together with provision for a period during which written representations can be made. Thereafter the Secretary of State has six months within which a "penalty notice" can be given to the person. Among other things, a penalty notice must state the amount of the penalty.
  4. Paragraph 1(2) in Schedule 5A empowers the Secretary of State to set out, in regulations, the amount of any penalty to be imposed. Should any person then be in breach of a relevant requirement, and the Secretary of State is considering the imposition of a monetary penalty, the amount of such a penalty will be that which is already provided for in existing regulations. The Secretary of State may not give more than one penalty notice to a person in respect of the same breach of the relevant requirement.
  5. Paragraph 4 of Schedule 5A makes provision for the enforcement of the penalty notice. Paragraph 5 sets out a person’s right of appeal against the penalty notice (or any requirement of it); such an appeal can be made to the First-tier Tribunal on any of the grounds set out in paragraph 5(2). Further provision is also made as to the Tribunal’s powers in respect of such an appeal and the effect of the Tribunal’s decision.

Schedule 2: National Underground Asset Register (Northern Ireland): monetary penalties

  1. This Schedule inserts a new Schedule 2ZA into SWNIO 1995 which makes provisions about the monetary penalties for non-compliance with the requirement to pay a fee in accordance with regulations under Article 45E(1), and the requirement to provide information in accordance with regulations under Article 45F(1) or (2). Schedule 2ZA therefore makes equivalent provision to the new Schedule 5A inserted into NRSWA 1991 by Schedule 1 (see paragraph (1055) above).

Schedule 3: Registers of births and deaths: minor and consequential amendments

  1. Part 1 of Schedule 3 makes a number of amendments to the Births and Deaths Registration Act 1953 (BDRA 1953) including: amending sections of the BDRA 1953 which referred to the registrar or superintendent registrar, or officer, having "custody of the register" and replacing such references with "relevant registration officer for the register", "the relevant registration officer" or "the appropriate registration officer". Other amendments specify how indexes are to be created and retained by both the Registrar General and the superintendent registrar.
  2. Part 2 of Schedule 3 makes minor and consequential amendments to other primary legislation as a result of the changes to the registration system brought about by this Bill.

Schedule 4: Lawfulness of processing: recognised legitimate interests

  1. Schedule 4 inserts a new Annex 1 into the UK GDPR setting out the conditions for constituting a recognised legitimate interest for the purposes of new Article 6(1)(ea) UK GDPR (as inserted by section 70). The amendment made to Article 6(1) by section 70(2)(c) ensures that public authorities cannot rely on these conditions when processing in the performance of their tasks.
  2. Paragraph 1 provides a condition for processing where it is necessary for the purposes of making a disclosure to a controller who needs to process that data for its task in the public interest or exercise of official authority pursuant to Article 6(1)(e), in circumstances where the controller has made a request for the personal data. Paragraph 1 would enable a controller to respond to such a request where it considered that the provision of the personal data was necessary. The amendment made to Article 6(1)(e) by section 70(2)(a) ensures that paragraph 1 provides the only circumstance in which a controller can rely on another controller’s tasks in the public interest.
  3. Paragraph 2 provides a condition for processing where it is necessary for the purposes of safeguarding national security, protecting public security or for defence purposes.
  4. Paragraphs 3 and 4 provide a condition for processing where it is necessary for responding to an emergency as defined in the Civil Contingencies Act 2004. This condition will be relevant where there is an event or situation which threatens serious damage to human welfare or the environment in the whole, a part or a region of the UK, or where there is war or terrorism which threatens serious damage to the security of the UK. The Civil Contingencies Act 2004 lists a series of events that further define the meaning of these events or situations, including loss of human life, human illness or injury, homelessness etc.
  5. Paragraph 5 provides a condition for processing where it is necessary for the purposes of detecting, investigating or preventing crime or apprehending or prosecuting offenders. The reference to ‘crime’ would also cover economic crimes such as fraud, money-laundering, terrorist financing etc.
  6. Paragraph 6 provides a condition for processing where it is necessary for the purposes of safeguarding a child or adult who is over 18 and considered to be at risk in ways defined in paragraph 1.
  7. Paragraphs 7 and 8 elaborate on what these concepts mean.

Schedule 5: Purpose Limitation: processing to be treated as compatible with original purpose

  1. Schedule 5 inserts a new Annex 2 into the UK GDPR, which sets out the conditions referred to in new Article 8A(3)(d). If further processing meets any of these conditions, the processing is to be treated as compatible with the original purpose. The conditions do not require that the processing be otherwise authorised in legislation or through a rule of law. Where the original lawful basis for processing was consent (Article 6(1)(a) UK GDPR), use of the conditions in the Annex is subject to consideration by the controller of whether it would be reasonable to seek the data subject’s consent (Article 8A(4)(b)).
  2. Paragraph 1 treats further processing as compatible where it is necessary for the purposes of making a disclosure to a controller ("A") who needs to process that data for its task in the public interest or exercise of official authority, pursuant to Article 6(1)(e), in circumstances where controller A has made a request for the personal data. Paragraph 1 enables a controller ("B") to respond to such a request from controller A without having to consider whether the new purpose is compatible with the purpose at the point of data collection. Controller B must not be a public authority carrying out processing in performance of its tasks.
  3. Paragraph 2 treats further processing as compatible when it is necessary for the purpose of making a disclosure of personal data for the purpose of archiving in the public interest. Some organisations may have originally collected personal data under the consent lawful ground for their own purposes, e.g. commercial purposes, without at the time realising its future historical value to an archive. This provision will enable such organisations to disclose the data to a controller ("R"), provided that R makes the request that states they intend to only process the personal data for the purpose of archiving in the public interest; that the disclosure is carried out in accordance with the provisions in Article 84B; and that the personal data in question was collected by the disclosing controller under the consent lawful ground. The controller making the disclosure must also reasonably believe that R will process the data in accordance with generally recognised standards that are relevant to R’s work of archiving in the public interest.
  4. Paragraph 3 treats further processing as compatible where it is necessary for the purposes of protecting public security. National security and defence purposes are not included in Annex 2 as there is already an exemption from the purpose limitation principle in section 26 of the DPA 2018.
  5. Paragraphs 4 and 5 treat further processing as compatible where it is necessary for responding to an emergency as defined in the Civil Contingencies Act 2004. This condition will be relevant where there is an event or situation which threatens serious damage to human welfare or the environment in the whole, a part or a region of the UK, or war or terrorism which threatens serious damage to the security of the UK. The Civil Contingencies Act 2004 lists a series of events that further define the meaning of these events or situations, including loss of human life, human illness or injury, homelessness etc.
  6. Paragraph 6 treats further processing as compatible where it is necessary for the purposes of detecting, investigating or preventing crime or apprehending or prosecuting offenders. The reference to ‘crime’ would also cover economic crimes such as fraud, money-laundering, terrorist financing etc.
  7. Paragraph 7 treats further processing as compatible where it is necessary for the purposes of protecting the vital interests of the data subject or another individual.
  8. Paragraph 8 treats further processing as compatible where the processing is necessary for the purposes of safeguarding a child or adult who is over 18 and considered to be at risk in ways defined in paragraph 10.
  9. Paragraph 11 treats further processing as compatible where processing is carried out for the purpose of assessment or collection of a tax or duty or an imposition of a similar nature.
  10. Paragraph 12 treats further processing as compatible where processing is necessary for the purposes of complying with an obligation of a controller under an enactment, a rule of law or an order of a court or tribunal.

Schedule 6: Automated decision-making: minor and consequential amendments

  1. Schedule 6 makes consequential amendments to the UK GDPR and the DPA 2018. These amendments are required to ensure consistency as a result of the changes made in the new Article 22A-D UK GDPR and sections 50A-D DPA 2018, in section 80.
  2. Paragraph 2(6) and paragraph 13(4) of Schedule 6 extend the provision at Article 12(6) UK GDPR and section 52(4) DPA 2018 to enable the controller to request additional information to confirm the identity of the data subject for requests made under the new Article 22A-D or 50A-D.

Schedule 7: Transfers of personal data to third countries etc: general processing

  1. Chapter 5 of the UK GDPR sets out the conditions under which personal data can be lawfully transferred to a country outside of the UK or an international organisation (as defined in Article 4 of UK GDPR). Schedule 7 makes various amendments to Chapter 5 of the UK GDPR, to reform the UK’s regime for international transfers, as explained below.
  2. Paragraph 2(1) of Schedule 7 omits Article 44 and paragraph 2(2) replaces it with a new Article 44A.
  3. Article 44A(1) to (3) set out the three legal bases under which personal data can be lawfully transferred overseas. The first basis is where the Secretary of State has made regulations allowing the free flow of personal data to another country (see Article 45A-C). The second basis is where appropriate safeguards for the personal data are provided under Article 46. For example, organisations may put contractual clauses in place with recipient organisations overseas to ensure that the personal data is treated safely and securely. The third basis is where a transfer can be made based on a derogation under Article 49.
  4. Paragraph 3 of Schedule 7 omits Article 45. Article 45 provided that transfers of personal data to another country could take place where the Secretary of State had made regulations finding that the country in question provides an adequate level of protection for personal data, allowing the free flow of personal data to this country.
  5. In place of Article 45 and sections 17A and 17B of the DPA 2018, which are omitted by paragraphs 12 and 13 of Schedule 9, paragraphs 4 and 5 of Schedule 7 insert new Articles 45A, 45B and 45C. Previously the provisions relating to adequacy regulations were found partly in the DPA 2018, and partly in Chapter 5 of the UK GDPR. The effect of the provisions in Schedule 7 and Schedule 9 is that all provisions relating to the approval of transfers to other countries or international organisations are now contained in Chapter 5 of the UK GDPR.

Transfers approved by regulations

  1. Article 45A(1) provides a power for the Secretary of State to make regulations approving transfers of personal data to a third country or international organisation, thus allowing the free flow of personal data to that country or international organisation, as with the previous power to make adequacy regulations which was dealt with in section 17A of the DPA 2018 and Article 45 UK GDPR. Where such regulations are in place, UK organisations will not require any further authorisation to make a transfer of personal data to that country or international organisation, provided the transfer falls within the terms of the regulations. An international organisation could be within the UK or overseas. International organisation is defined in Article 4; examples of international organisations include UN bodies.
  2. Article 45A(2) specifies that the Secretary of State may only make regulations approving transfers if the Secretary of State is satisfied that the data protection test is met. The data protection test is set out in Article 45B, which is explained below.
  3. Article 45A(3) specifies that the Secretary of State may consider other matters that he or she considers relevant when he or she makes regulations. Other relevant matters may include consideration of the desirability of facilitating transfers of personal data to and from the UK and how they will benefit the UK. While ultimately the Secretary of State must be satisfied that the standard of protection in the other country, viewed as a whole, is not materially lower than the standard of protection in the UK, the wider context of data flows between the UK and another country may be important when deciding whether to make regulations.
  4. Article 45A(4) provides flexibility for regulations to be made covering some or all transfers to a country or international organisation. While regulations can be made approving all transfers to a particular country or international organisation, Article 45A(4) provides flexibility for the regulations to be more targeted and only approve certain transfers to that country or international organisation - for example, transfers to a particular sector or geographic area within the country, transfers to certain recipients or by certain UK organisations, transfers of certain types of personal data, or transfers identified in another way.
  5. Article 45A(5) provides that regulations under Article 45A are subject to the negative resolution procedure.

The data protection test

  1. Article 45B sets out the data protection test which the Secretary of State must consider is met in order to make regulations approving transfers to a country or international organisation.
  2. Article 45B(1) provides that the data protection test is met if the standard of protection for the general processing of personal data in that country or international organisation is not materially lower than the standard of protection under the UK GDPR and relevant parts of the DPA 2018. The test therefore makes clear that:
    • The Secretary of State should consider the standard of protection for data subjects within the third country, in a holistic way. This is further clarified in Article 45B(3) which confirms that references to protection in the data protection test are to that protection taken as a whole. This means that the test does not require a point-by-point replication between the other country’s regime and the UK’s regime or for the destination country to take the same legal and cultural approach as the UK. Instead, the Secretary of State’s assessment will be based on outcomes, such as the overall standard of protection for a data subject;
    • The Secretary of State will assess whether the standard of protection is materially lower than the UK’s standard. The test recognises that other countries’ data protection regimes will not be identical to the UK’s in form and differences may exist given the cultural context of privacy. Therefore, protections in a third country do not need to be identical to those in the UK. Instead, the Secretary of State must exercise his or her discretion, in a holistic and contextual manner, to decide whether or not the overall standard of protection is lower than the UK’s standard in a way which is material;
    • The standard of protection in the third country or international organisation must not be materially lower than the standard of protection which applies under the UK’s regime for the general processing of personal data. The UK’s regime for general processing is contained within the UK GDPR and Part 2 and Parts 5-7 of the DPA 2018. It does not include Parts 3 and 4 DPA 2018, which govern processing by law enforcement bodies and the intelligence services respectively.
  1. Article 45B(2) sets out a more concise and streamlined list of matters which the Secretary of State must consider as part of deciding whether the data protection test is met. These include:
    • Respect for the rule of law and for human rights in the country or the international organisation;
    • The existence, and powers, of an enforcement authority. This requires the Secretary of State to consider how such an authority protects UK data subjects in relation to their personal data which has been transferred;
    • Arrangements for redress for data subjects, whether that redress is judicial or non-judicial: the Secretary of State is required to consider the redress available for data subjects. The provision recognises that redress arrangements will differ by country. For example, redress could be provided by administrative authorities instead of or in addition to judicial redress;
    • Rules about the transfer of personal data from the country or by the organisation to other countries or international organisations. The Secretary of State must consider how the country or international organisation ensures that personal data continues to be appropriately protected when it is transferred onwards to another country or international organisation;
    • Any relevant international obligations to which the country or international organisation is subject. This might include whether they are party to multilateral or regional agreements relevant to data protection or related matters. For example, the European Convention on Human Rights, or the Council of Europe Convention of 28 January 1981 for the Protection of Individuals ("Convention 108"); and
    • The constitution, traditions and culture of the country or organisation. This requires the Secretary of State to consider the constitutional and cultural traditions that may contribute to a country or organisation’s approach to data protection, which may differ from those in the UK.
  1. Article 45B(2) is a non-exhaustive list and the Secretary of State may also need to consider other matters in order to determine whether the required standard of protection exists. For example, where there are laws and practices in the third country regarding how public authorities access personal data for national security or law enforcement purposes, to the extent that they affect the overall standard of protection, the Secretary of State will take these into account.
  2. Article 45B(3) makes further provision about the way in which the data protection test operates, including providing that references to the protection for data subjects mean that protection taken as a whole, and that references to the processing of personal data in the third country mean the processing of personal data transferred to the country or organisation under the UK GDPR (and not, for example, other personal data derived from within that third country).
  3. Article 45B(4) clarifies that where the Secretary of State makes regulations which only apply to some transfers to a country or international organisation, the relevant requirements and provisions in Article 45B only refer to the transfers permitted by the regulation, and the reference to rules for onward transfers includes rules on transfers elsewhere within that country as well as outside of it.

Monitoring

  1. Paragraph 5 of Schedule 7 inserts Article 45C into the UK GDPR, replacing section 17B of the DPA 2018 which has been omitted by paragraph 13 of Schedule 9.
  2. Article 45C(1) requires the Secretary of State to monitor developments in third countries and international organisations that could affect decisions to make regulations approving transfers of personal data under Article 45A, or decisions to amend or revoke such regulations. Ongoing monitoring of countries' relevant laws and practices enables the Secretary of State to respond to any developments that might affect decisions to make, amend or revoke regulations under Article 45A. Such monitoring might include, for example: engaging in dialogue with country representatives; obtaining information from HMG Embassies or High Commissions; commissioning and/or reviewing third party reports; and engaging with the Commissioner.
  3. Article 45C(2) provides that if the Secretary of State becomes aware that the data protection test is no longer met in relation to a country or international organisation to which transfers have been approved, the Secretary of State must either amend or revoke the regulations approving transfers to that country or international organisation. For example, an amendment may limit the types of transfer that are permitted by the regulation. If there is no way of amending the regulation to meet the data protection test, the Secretary of State must revoke it. If the regulations are revoked, the transfer of personal data to that third country or international organisation may still take place where other appropriate legal bases, as set out in Article 46 and Article 49, apply.
  4. Article 45C(3) provides that when regulations are amended or revoked, the Secretary of State must enter into consultations with the third country or international organisation concerned with a view to improving the protection provided to data subjects in relation to their personal data.
  5. Article 45C(4) requires the Secretary of State to publish a list of third countries and international organisations which are for the time being approved by regulations under Article 45A. The Secretary of State is also required to publish a list of the third countries and international organisations which have been, but are no longer, approved by such regulations. The government intends to publish this information on GOV.UK. Article 45C(5) requires the lists published under Article 45C(4) to specify where only certain transfers to that country or international organisation are approved.

Transfers subject to appropriate safeguards

  1. Paragraphs 6 to 8 of Schedule 7 amend Articles 46 and 47 of the UK GDPR and introduce new Article 47A.
  2. Paragraph 6(1) is self-explanatory.
  3. Paragraph 6(2) omits Article 46(1), which provided that, in the absence of adequacy regulations, a controller or processor could transfer personal data to a third country or international organisation only if they provided appropriate safeguards and on condition that enforceable data subject rights and effective legal remedies were available. Articles 46(2) and (3) provided further detail on how appropriate safeguards could be provided.
  4. Paragraph 6(3) inserts new Article 46(1A) and provides that a transfer of personal data is made to a third country or international organisation subject to appropriate safeguards only if:
    • Safeguards (i.e. the transfer mechanisms described in Articles 46(2) or (3), such as standard data protection clauses specified in a document issued by the ICO, or specified in regulations pursuant to new Article 47A(4)) are provided in connection with the transfer. If the safeguards are provided by a legally binding and enforceable instrument between a UK public body and another person or persons (under Article 46(2)(a)), the transfer must be consistent with the intended scope of that instrument; and each UK public body that is a party to the instrument, acting reasonably and proportionately in the circumstances, considers that the data protection test is met in relation to the transfers or types of transfers which are intended to be made in reliance on the instrument;
    • Where the safeguard is a mechanism described in Article 46(2)(b)-(f), (3)(a)-(b) or specified in regulations pursuant to new Article 47A(4), the controller or processor, acting reasonably and proportionately, considers that the data protection test is met in relation to the transfer or type of transfer.
  1. Paragraphs 6(4)(a)(i), (e) and (f) of Schedule 7 make consequential amendments to Article 46(2) to clarify that the word ‘safeguards’ refers only to the transfer mechanisms listed in Article 46(2), the use of which is only appropriate in all the circumstances if the controller, processor or public body that is party to the instrument, acting reasonably and proportionately, considers that the data protection test is met. Paragraph 6(4)(c) makes a clarificatory amendment to confirm that binding corporate rules provide safeguards for the purposes of new Article 46(1A) only if they are approved pursuant to Article 47. Paragraphs 6(4)(a)(ii), (b) and (d) are self-explanatory.
  2. Paragraph 6(5)(a) makes a consequential amendment to Article 46(3) to clarify that the word ‘safeguards’ refers only to the transfer mechanisms listed in Article 46(3), the use of which is only appropriate in all the circumstances if the controller or processor, acting reasonably and proportionately, considers that the data protection test is met.
  3. Paragraph 6(6) introduces the new data protection test in new Article 46(6), which the controller, processor or UK public body that is party to the instrument, acting reasonably and proportionately, must consider is met before a transfer under Article 46 may take place. The data protection test is met if, after the personal data being transferred has reached its destination, the standard of protection provided for the data subject (by the safeguards and other means, where relevant) would not be lower than the standard of protection under the UK GDPR and relevant parts of the DPA 2018 in a way which is material.
  4. Paragraph 6(6) also introduces new Article 46(7), which provides more detail about what it means to act reasonably and proportionately. It clarifies that the actions of a controller, processor or UK public body that is party to an instrument must be reasonable and proportionate in all the circumstances (or likely circumstances) of the transfer (or types of transfer) - this includes considering the nature and volume of the personal data being transferred. This process is distinct from that which the Secretary of State undertakes under Articles 45A and 45B. It is tailored for the purposes of controllers or processors (or public bodies that are parties to an instrument under Article 46(2)(a)), and recognises that the transfer mechanisms in existing Articles 46(2) and (3) or specified in regulations pursuant to new Article 47A(4) include inherent protections for the rights of data subjects.
  5. Finally, paragraph 6(6) introduces new Article 46(8), which:
    • Clarifies that references to the protection for the data subject are to that protection taken as a whole; and
    • Introduces the definition of a ‘relevant person’ to distinguish from public bodies as defined in Article 4(10A). A ‘relevant person’ for the purposes of existing Articles 46(2)(a) and (3)(b) means a public body or another person (including an international organisation) exercising functions of a public nature.
  1. Paragraph 7 is self-explanatory.

Making provision about further safeguards for transfer

  1. Paragraph 8 of Schedule 7 inserts Article 47A, which makes further provision about transfers subject to appropriate safeguards.
  2. New Articles 47A(1) to (3) restate existing sections 17C(1), (2) and (3) of the DPA 2018, which are omitted by Schedule 9. Previously the provisions relating to transfers subject to appropriate safeguards were found partly in the DPA 2018 and partly in Chapter 5 of the UK GDPR. The effect of the provisions in Schedule 7 and Schedule 9 is that all provisions relating to transfers subject to appropriate safeguards are now contained in Chapter 5 of the UK GDPR.
  3. New Articles 47A(4) to (7) provide a power for the Secretary of State to make provision, by way of regulations (subject to the affirmative procedure), about further safeguards that may be relied on for the purposes of making a transfer under Article 46 (transfer subject to appropriate safeguards). This new power can only be exercised if the Secretary of State considers that the further safeguards are capable of ensuring that the data protection test in new Article 46(6) is met in relation to the transfers of personal data generally or in relation to a type of transfer specified in the regulations.

Derogations for specific situations

  1. Paragraph 9 of Schedule 7 makes consequential amendments to Article 49 (derogations for specific situations) which are required as a result of the changes elsewhere in Chapter 5 of the UK GDPR, which are explained above.
  2. Paragraph 9 also inserts a new sub-paragraph (4A). This sub-paragraph sets out the provision formerly included in section 18(1) DPA 2018, as part of the restructuring so that all provisions on international transfers are now contained within Chapter 5 of the UK GDPR. It continues the same power for the Secretary of State to specify in regulations, for the purposes of Article 49(1)(d), circumstances in which a transfer of personal data is to be taken as necessary, or not necessary, for important reasons for public interest.

Public interest restrictions

  1. Paragraph 10 of Schedule 7 inserts Article 49A which contains provisions previously found in section 18(2) of the DPA 2018 - so that all provisions relating to the UK’s regime for international transfers are now contained within Chapter 5 of the UK GDPR. This Article continues the same power for the Secretary of State to restrict, by regulations, transfers of categories of personal data to other countries or international organisations where necessary for important reasons of public interest.

Schedule 8: Transfers of personal data to third countries etc: law enforcement processing

  1. Chapter 5 of Part 3 of the DPA 2018 sets out the conditions under which personal data can be transferred by a competent authority, to a country outside of the UK or an international organisation, for law enforcement purposes. Schedule 8 makes various amendments to Chapter 5, to reform the UK’s regime for international transfers for law enforcement purposes, as explained below.
  2. Paragraph 2 of Schedule 8 amends section 72(1)(b) of the DPA 2018, by substituting "special conditions that apply" with "additional conditions that apply in certain cases" and by referencing section 73(4)(b). These changes are relevant to amendments made to section 73(4)(b) and section 77.
  3. Paragraph 3 amends section 73 of the DPA 2018, which provides that a controller may only make a transfer of personal data if the conditions of the section are met. The general conditions for transfer remain broadly the same, with minor and technical amendments made to provide greater clarity. There will continue to be an exception to this principle provided in subsection (5), which, as amended, will enable the controller to transfer personal data without prior authorisation where necessary to prevent an immediate and serious threat to public or national security, or essential interests of a third country or the UK, and where the authorisation cannot be obtained in good time. In such circumstances, the controller must notify the overseas authoriser as soon as reasonably practicable.
  4. Paragraph 3(5) amends condition 3 in section 73(4) by expanding the list of intended recipients to specifically include processors acting on behalf of, and in accordance with a contract with, a controller. The controller may satisfy its obligation to ensure that condition 3 is met in respect of transfers, including onward transfers, made by a processor, where those transfers are governed by a contract imposing binding obligations on a processor in accordance with section 59 of the DPA 2018. Whilst transfers to processors in third countries are currently permissible, this amendment clarifies the existing law and section 73(4)(aa) provides legal certainty to UK controllers that they, and any processors appointed by them, can transfer personal data to their processors, and sub-processors, operating outside of the UK.
  5. Paragraph 4(1) omits section 74A. Previously that section provided that transfers of personal data to another country could take place where the Secretary of State had made regulations finding that the country in question provided an adequate level of protection. The free flow of personal data for law enforcement purposes would then be allowed to that country. In place of section 74A there are new sections 74AA and 74AB, with amendments also made to section 74B. These changes mirror those made to the equivalent provisions under the UK GDPR, in the new Articles 45A, 45B and 45C, detailed in the notes relating to Schedule 7 above, so reference should be made to those notes if a more detailed explanation of the effect of these provisions is required.
  6. Section 74AA(1) provides a power for the Secretary of State to make regulations approving transfers of personal data to a third country or international organisation, thus allowing the free flow of personal data to that country or international organisation, as with the previous power to make adequacy regulations which was dealt with in section 74A of the DPA 2018. Where such regulations are in place, competent authorities will not require any further data protection safeguards to make a transfer of personal data to that country or international organisation, provided the transfer falls within the terms of the regulations.
  7. Section 74AB sets out the data protection test which the Secretary of State must be satisfied is met in order to make regulations approving transfers to a country or international organisation. Section 74AB(1) provides that the data protection test is met if the standard of protection provided to data subjects with regard to law enforcement processing of personal data in that country or international organisation is not materially lower than the standard of protection under Part 3 of the DPA 2018 and the relevant provisions in Parts 5 to 7 of that Act.
  8. Section 74AB(2) sets out a list of considerations that the Secretary of State must take into account when considering whether the data protection test is met. This is a non-exhaustive list and the Secretary of State may also need to consider other matters in order to determine whether the required standard of protection exists.
  9. Paragraph 5 of Schedule 8 amends section 74B of the DPA 2018, omitting section 74B(1) and (2). Section 74B, as amended, will require the Secretary of State to monitor developments in third countries and international organisations that could affect decisions to make regulations approving transfers of personal data under section 74AA, or decisions to amend or revoke such regulations. Ongoing monitoring of countries' relevant laws and practices will enable the Secretary of State to respond to any developments that might affect decisions to make, amend or revoke regulations under section 74AA. The approach to monitoring may include, for example: dialogue with country representatives; information from HMG Embassies or High Commissions; and engagement with the Information Commissioner. Section 74B(4), as amended, sets out the actions the Secretary of State must take if the data protection test is no longer met in relation to transfers approved, or of a description approved, in regulations under section 74AA. The Secretary of State must, to the extent necessary, either amend or revoke the regulations if the data protection test is no longer met. For example, an amendment may limit the types of transfer that are permitted by the regulations. If there is no way of amending the regulations so that the data protection test is met, the Secretary of State must revoke them.
  10. Paragraph 6 of Schedule 8 amends section 75 of the DPA 2018, which provides that transfers of personal data to third countries and international organisations can take place where appropriate safeguards are in place to protect that personal data. Paragraph 6 introduces new subsections to this provision.
  11. Paragraphs 6(1) and 6(2) are self-explanatory.
  12. Paragraph 6(3) omits existing section 75(1), which currently sets out that transfers are based on appropriate safeguards where a legally binding instrument containing appropriate safeguards binds the recipient, or where the controller, after assessing the circumstances surrounding the transfer, concludes that appropriate safeguards exist. Paragraph 6(4) inserts new section 75(1A), which provides that a transfer of personal data is made to a third country or international organisation subject to appropriate safeguards only if:
    • (a) an appropriate legal instrument binds the intended recipient of the data (subject to new subsection (4)); this provision replicates the previous section 75(1)(a); or
    • (b) the controller, acting reasonably and proportionately, considers that the data protection test is met in relation to the transfer or that type of transfer (subject to subsection (5)); this provision essentially replaces the previous section 75(1)(b).
  13. Paragraphs 6(5) and 6(6) make amendments to existing section 75(2) and 75(3), which provide further detail on controllers’ obligations when relying on transfers subject to appropriate safeguards. These provisions remain largely unchanged, with minor amendments to reflect the wider changes. The amendment to section 75(2) means that controllers will still be required to inform the Commissioner of the categories of data to be transferred where the controller determination mechanism is relied upon, except where the transfer is to a processor pursuant to the new section 73(4)(aa). This does not require controllers to notify the Commissioner on each occasion data is transferred; it simply requires notification of the categories of transfer that can take place in reliance on section 75(1A)(b).
  14. Paragraph 6(7) adds new sections 75(4), 75(5), 75(6) and 75(7).
  15. Paragraph 6(7) inserts a new section 75(4) which sets out the circumstances in which a legal instrument is ‘appropriate’ for the purposes of section 75(1A)(a). The instrument must (a) be intended to be relied on in connection with the transfer or that type of transfer, (b) have at least one competent authority as a party to it and (c) be one in respect of which each competent authority that is a party to it, acting reasonably and proportionately, considers that the data protection test is met in relation to the transfers, or types of transfer, intended to be made in reliance on the instrument (subject to subsection (5)). In practice, ‘appropriate legal instruments’ are likely to be agreed by government departments with their counterparts in third countries, and that department would need to take reasonable and proportionate steps to ensure the data protection test is met. Where such instruments are in place, the controller (assuming this is a separate entity from the party that created it) will need to ensure the data they wish to transfer is within scope of the instrument.
  16. Paragraph 6(7) introduces the new data protection test in new section 75(5). The controller, or the competent authority that is party to an instrument, must, acting reasonably and proportionately, consider that the test is met before a transfer under section 75 may take place. The data protection test is met, in relation to a transfer, or a type of transfer, of personal data if, after the personal data being transferred has reached its destination, the standard of protection provided for the data subject with regard to that personal data, whether by a binding legal instrument or by other means, would not be materially lower than the standard of protection provided under Part 3 of the DPA 2018 and Parts 5 to 7 of that Act so far as they relate to processing by a competent authority for any of the law enforcement purposes. This includes relevant enforceable data subject rights and effective legal remedies for the data subject in all the circumstances of the transfer. The new test also recognises that safeguards may be applied in different cultural and legal contexts when used internationally and still provide appropriate protection for data subjects, and is consistent with the approach taken in the new section 74AB. The reference to "other means" should be understood as anything other than a legal instrument which ensures the standard of protection and may include, for example, a situation where the standard of protection is provided by the domestic laws and practices of a third country, in which case those laws would be the "other means" of protection. The test therefore does not require a point-by-point replication of protections for data subjects, which would not be reasonable or proportionate given the ways in which data protection regimes may differ.
  17. Paragraph 6(7) introduces new section 75(6), which provides more detail about what it means to act reasonably and proportionately. It clarifies that the actions of a controller, or of a competent authority that is party to an instrument, must be reasonable and proportionate in all the circumstances (or likely circumstances) of the transfer (or types of transfer); this includes considering the nature and volume of the personal data being transferred. For example, a controller seeking to rely on the new section 75(1A)(b) is likely to reach a different judgement of what is reasonable and proportionate depending on the specific transfer. If the controller seeks to transfer larger volumes of data on a more frequent basis to a specific third country, what is reasonable and proportionate is likely to differ from what it would be for a more infrequent transfer. In relation to the former, the controller may consider, for example, that it is reasonable and proportionate to establish a Memorandum of Understanding with their international counterpart to govern data transfers, which could demonstrate the steps the controller had taken, and assurances received, to ensure the protection of personal data. This process is distinct from that which the Secretary of State undertakes under new sections 74AA and 74AB. It is tailored for the purposes of controllers or competent authorities that are parties to an instrument.
  18. Paragraph 6(7) introduces new section 75(7), which clarifies that references to the protection for the data subject are to that protection taken as a whole.
  19. Paragraph 7 amends section 76 of the DPA 2018, which provides for when data can be transferred to a third country or international organisation in the absence of ‘adequacy regulations’ and ‘appropriate safeguards’, where it is necessary for a special purpose.
  20. Paragraph 7(4)(b) amends section 76(1)(c) to include reference to national security in addition to public security while also adding reference to the ‘UK’. These changes ensure that controllers are confident to transfer data where necessary for the prevention of an immediate and serious threat to the national security of the UK or a third country. Paragraph 7(4)(c) and (d) make amendments to section 76(1)(d) and (e), replacing the previous wording of ‘in individual cases’ with ‘in particular circumstances’. This wording better reflects the fact that the law is not seeking to limit transfers by competent authorities to individual pieces of data, making clearer that transfers can take place involving a broader set or category of data in particular circumstances. This clarity is important, as transfers of data may be particularly relevant and necessary as part of operations and investigations that are broad in scope, for example, the pursuit of child sexual abuse networks.
  21. Paragraph 7(6) inserts a new additional subsection into section 76, which makes clear that controllers transferring data in reliance on section 76 must ensure that the amount of data shared is not excessive in relation to the special purpose for which it is shared. The fact that a transfer of data involves sharing multiple records would not mean that the transfer would be considered excessive, so long as the sharing is necessary and proportionate. For example, during investigations of serious and organised crime, a competent authority may conclude that it is necessary and proportionate to share multiple targeted records with a third country to help further the investigation.
  22. Paragraph 8 amends the italic heading before section 77 from "Transfers to particular recipients" to "Additional conditions".
  23. Paragraph 9 amends the heading of section 77 from "Transfers of personal data to persons other than relevant authorities" to "Additional conditions for transfers in reliance on section 73(4)(b)". Paragraphs 9(1) and (2) amend sections 77(6) and (7) to specify that they relate to transfers that take place in reliance on section 73(4)(b).
  24. Paragraph 10 amends section 78 of the DPA 2018, which provides that where data has been transferred by a competent authority to a third country or international organisation, any subsequent transfers of that data should ordinarily take place only after the competent authority from which the data was obtained has given its authorisation to the transfer.
  25. Paragraph 10(2) inserts new subsection 78(A1) which clarifies that subsections (1) to (6) apply where transfers are conducted under section 73, except where the transfer is to a processor pursuant to section 73(4)(aa).
  26. Paragraph 10(3) amends section 78(1) to allow subsequent transfers to be made without authorisation in the exceptional circumstances set out in section 78(1A). Where such transfers are made, the UK authoriser must be informed without delay.
  27. Paragraph 10(4) inserts new section 78(1A), stipulating that competent authorities transferring data under Part 3 of the DPA 2018 must make it a condition of the transfer either that the recipient of the data must seek prior authorisation from the UK authoriser before sharing the data further, or, alternatively, that prior authorisation should be sought except where the subsequent transfer is necessary to prevent an immediate and serious threat to public security or national security and there is insufficient time reasonably to seek prior authorisation. Such a transfer may occur when, for example, there is an immediate and credible threat to life such as a terrorist attack and the third country concludes that a subsequent transfer of data, originally transferred to them by a UK controller, is needed to prevent it. Where a transfer is made by the third country in such circumstances, they must notify the UK controller of such a transfer having happened as soon as reasonably practicable. It is ultimately up to the UK controller to determine whether to require prior authorisation in all cases or whether the third country should be able to transfer without such authorisation in these limited urgent circumstances.
  28. Paragraph 10(7) makes a minor amendment to the wording in section 78(4) but maintains the principle that the UK authoriser may not give permission for a subsequent transfer without the prior authorisation of the EU member State where the data originated. There will continue to be an exception to this principle provided in subsection (5), which, as amended, will enable the controller to transfer personal data without prior authorisation where necessary to prevent an immediate and serious threat to the public or national security, or essential interests of a third country or the UK, and where the authorisation cannot be obtained in good time. In such circumstances, the controller must notify the overseas authoriser as soon as reasonably practicable.
  29. Paragraph 10(8) amends section 78(5)(a) so that equal consideration is given to the public security, national security or essential interests of the UK and of a third country as valid circumstances in which authorisation is not required.
  30. Paragraph 10(10) inserts a new section 78(7) which specifies the conditions that controllers must impose when making transfers to processors pursuant to section 73(4)(aa).

Schedule 9: Transfers of personal data to third countries etc: minor and consequential amendments and transitional provision

  1. Part 1 of Schedule 9 makes consequential amendments to other parts of the UK GDPR and DPA 2018 which arise as a result of the changes made to the UK’s regime for international transfers of personal data by Schedule 7 and Schedule 8 (as explained earlier in these Explanatory Notes).
  2. Part 2 of Schedule 9 sets out transitional provisions which are required to ensure a smooth transition between the previous international transfers regime, and the new regime which is implemented by the Act.
  3. With regard to the new regime for approving transfers of personal data to other countries and international organisations, the transitional provisions ensure that following the commencement of the new regime, transfers continue to be allowed to any countries or international organisations which were found adequate by the Secretary of State under the previous regime, as well as to those countries and international organisations which are treated as adequate under Schedule 21 of the DPA 2018.
  4. With regard to the new regime for transfers subject to appropriate safeguards, the transitional provisions ensure that standard data protection clauses laid by the Secretary of State under section 17C of the DPA 2018 or issued by the Commissioner under section 119A of the DPA 2018 (for example, the International Data Transfer Agreement and the EU Addendum) provide safeguards for the purposes of new Article 46(1A)(a)(i). Controllers will be able to enter into new contracts containing the IDTA clauses to transfer personal data overseas, if the controller considers the data protection test in the new Article 46(6) of the UK GDPR is met.
  5. For controllers wishing to use pre-commencement transfer mechanisms, the transitional provisions state that such mechanisms continue to provide appropriate safeguards following commencement of the new regime if they:
    • were contained in arrangements which were entered into before the new regime commenced;
    • either provide safeguards in accordance with Article 46(2) or (3) of the UK GDPR or paragraph 9 of Schedule 21 of the DPA 2018, or are a legal instrument, to which a competent authority is a party and which binds the data recipient, containing appropriate safeguards in accordance with section 75(1)(a) of the DPA 2018; and
    • could validly be relied on to transfer personal data immediately before the commencement of the new regime.
  6. The effect of these provisions is to allow controllers to use pre-commencement transfer mechanisms following commencement of the new regime, so long as those mechanisms satisfied the requirements of existing Article 46(1) and the last sentence of existing Article 44 of the UK GDPR, or section 73(3) of the DPA 2018, immediately before the new regime commenced. Controllers who satisfy these criteria will therefore not need to apply the data protection test in Article 46(6) of the UK GDPR or section 75(5) of the DPA 2018 (unless they seek to enter into new transfer mechanisms after commencement of the Act).
  7. With regard to the new regime for derogations for specific situations, the transitional provisions also ensure that any regulations made by the Secretary of State under section 18(1) or 18(2) of the DPA 2018 are to be treated as having been made under the restated powers in Article 49(4A) and Article 49A of the UK GDPR respectively.

Schedule 10: Complaints: minor and consequential amendments

  1. Schedule 10 makes consequential amendments to the UK GDPR and the DPA 2018 relating to complaints by data subjects. These are necessary to ensure consistency as a result of changes made by section 103.

Schedule 11: Further minor provision about data protection

  1. Schedule 11 makes minor miscellaneous amendments to the UK GDPR and DPA 2018, by providing definitions, removing redundant provisions and clarifying some of the pre-existing text. It also amends the territorial extent of some provisions in the Victims and Prisoners Act 2024.

Schedule 12: Storing information in the terminal equipment of a subscriber or user

  1. Schedule 12 inserts new Schedule A1 to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (‘PEC Regulations’). This schedule sets out exceptions to the prohibition on the storage of information, or access to information, on a user’s terminal equipment in new regulation 6(1) of the PEC Regulations.
  2. Paragraph 1 of Schedule A1 sets out the meaning of "website" used in this schedule. It also cross-refers to regulation 6(2) which sets out interpretive provisions relevant to this schedule.
  3. Paragraph 2 of Schedule A1 reproduces the current consent exception in regulation 6(2) of the PEC Regulations. Organisations can store information or gain access to information stored in the terminal equipment of an individual, if the individual has been provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and the individual has given consent.
  4. Paragraph 3 of Schedule A1 reproduces the current transmission of a communication exception in regulation 6(4)(a) of the PEC Regulations.
  5. Paragraph 4(1) of Schedule A1 reproduces the current strictly necessary exception in regulation 6(4)(b) of the PEC Regulations. Sub-paragraph (2) provides a non-exhaustive list of examples of "strictly necessary" purposes for the purpose of this exception.
  6. Paragraph 5 of Schedule A1 introduces a new exception for the purpose of collecting statistical information about how an organisation’s information society service is used, with a view to making improvements to that service. For example, statistical information showing how many people are accessing a service, what they are clicking on and for how long they are staying on a particular web page. Sub-paragraph (1)(c) provides a safeguard that prevents onward sharing of information except where the sharing is for the purpose of making improvements to the service or website concerned. The exception applies only where the user is provided with clear and comprehensive information about the purpose and is given a simple and free means of objecting to the storage or access.
  7. Paragraph 6 of Schedule A1 introduces a new exception for the purpose of enabling the way an information society service ("ISS") appears or functions, when displayed on a subscriber’s or user’s device, to adapt to the preferences of that subscriber or user (for example, their font preferences), or for the purpose of enabling an enhancement of the appearance or functionality of an ISS when displayed on a user’s device. This could be, for instance, where a cookie identifies performance-related information which can be used to optimise content, for example "responsive design" which enables a webpage to reconfigure itself for the particular dimensions of a monitor or screen. This exception only applies where the subscriber or user is provided with clear and comprehensive information about the purpose and is given a simple and free means of objecting to the storage or access.
  8. Paragraph 7 of Schedule A1 introduces a new exception where the sole purpose is to enable the geographical position of a subscriber or user to be ascertained so that assistance can be provided in response to the user or subscriber’s emergency communication from their terminal equipment.

Schedule 13: Privacy and electronic communications: Commissioner’s enforcement powers

  1. Regulation 31 of the current Privacy and Electronic Communications (EC Directive) Regulations 2003 (‘PEC Regulations’) applies the enforcement powers in the Data Protection Act 1998 to the PEC Regulations, subject to certain modifications. These modifications are currently set out in Schedule 1 of the PEC Regulations. These provisions remain in force for the purposes of the PEC Regulations, even though the DPA 2018 replaced the Data Protection Act 1998 for most other purposes.
  2. Section 115 substitutes Regulation 31 of the PEC Regulations with a new Regulation that makes it clear that the enforcement provisions in the DPA 2018 will now be applied to the PEC Regulations. The current Schedule 1 will also be substituted by Schedule 13, which makes modifications to the enforcement provisions in the DPA 2018 for the purposes of their application to the PEC Regulations.
  3. Paragraph 1 of new Schedule 1 specifies the provisions in Parts 5 to 7 of the DPA 2018 that will be applied for the purposes of enforcing the PEC Regulations. They include, amongst other things, powers for the Commissioner to impose information notices, assessment notices, interview notices, enforcement and penalty notices; and the relevant rights of appeal for persons who wish to appeal against the imposition of such notices. They also include relevant criminal offences, such as the offence in section 148 of the DPA 2018 which is committed when a person deliberately frustrates a Commissioner investigation by destroying or falsifying information. In order for these provisions to be applied to the PEC Regulations, some modifications to terminology are needed. The remaining paragraphs in this Schedule highlight where modifications are needed.
  4. Paragraph 2 of Schedule 1 sets out some general modifications that are needed to the terminology in the DPA 2018, so that the enforcement provisions can be applied to the PEC Regulations. For example, any references to "the Act" or "Parts of the Act" should be taken to mean the Act or parts of the Act as applied to the PEC Regulations.
  5. Paragraphs 3 and 4 make modifications to sections 142 and 143 of the DPA 2018 on information notices for the purposes of their application to the PEC Regulations. The modifications ensure that the Commissioner can acquire relevant information and documents from a person engaged in any activity regulated by the PEC Regulations to investigate their compliance. An information notice can also be imposed on any third parties; where the third party is a communications provider the information notice can be imposed in order to determine someone’s compliance, and for all other third parties, this can be imposed when investigating a suspected breach.
  6. The Commissioner will also be able to apply a duty of confidentiality (new subsection (8A), as set out in paragraph 3(c) of Schedule 1) to information notices they issue to third parties. The duty is subject to exemptions to allow disclosure of the notice (i) to employees, (ii) with the permission of the Commissioner, or (iii) when obtaining legal advice. The purpose of this modification is to protect the effectiveness of the Commissioner’s investigation, for example by stopping communications providers from informing the relevant user (the person about whom information is sought) that the Commissioner is investigating them.
  7. Paragraph 5 of Schedule 1 makes modifications to section 145 of the DPA 2018 on information orders for the purposes of their application to the PEC Regulations. As a result of these changes the Commissioner could apply to the court for an information order when a person fails to comply with an information notice in relation to a breach of the PEC Regulations.
  8. Paragraphs 6 and 8 make modifications to sections 146 and 147 of the DPA 2018 on assessment notices for the purposes of their application to the PEC Regulations. As a result of these modifications, the Commissioner could issue an assessment notice requiring an organisation to allow it to assess whether it has committed a breach of the PEC Regulations.
  9. Section 98 of this Act adds new section 146A to the DPA 2018, which will allow the Commissioner to require a technical report as part of the assessment notice procedure. Paragraph 7 of new Schedule 1 sets out the modifications that are to be made to that provision for the purposes of its application to the PEC Regulations.
  10. Section 100 adds new section 148A to the DPA 2018, which will allow the Commissioner to give an interview notice requiring a person to attend an interview and answer questions when so required by the Commissioner. It also adds new section 148B, which sets out some restrictions on the use of the power. Paragraphs 9 and 10 of new Schedule 1 set out the modifications that are to be made to these provisions for the purposes of their application to the PEC Regulations.
  11. Paragraph 11 of the new Schedule 1 makes modifications to section 149 on enforcement notices for the purposes of its application to the PEC Regulations. The modifications mean that, where the Commissioner is satisfied that a person has failed, or is failing, to comply with a requirement of the PEC Regulations they may issue a written notice specifying what the person should do to remedy the failure to comply with a requirement of the PEC Regulations. The supplementary provisions in section 150 and restrictions on the use of enforcement notices in section 152 will also be modified for the purposes of the PEC Regulations via the changes in paragraphs 12 and 13 of Schedule 1.
  12. Paragraph 14 modifies Schedule 15 (powers of entry and inspection) of the DPA 2018 for the purposes of its application to the PEC Regulations. Schedule 15 makes provision in respect of the Commissioner’s powers of entry and inspection.
  13. Paragraph 15 modifies section 155 (penalty notices) of the DPA 2018 for the purposes of its application to the PEC Regulations. This section gives the Commissioner a power to give a monetary penalty notice requiring a person to pay the Commissioner an amount determined by the Commissioner. New subsection (1A) of section 155 provides that the Commissioner must not give a penalty notice in respect of a failure to comply with regulation 5A (personal data breach) of the PEC Regulations, which is instead subject to a fixed monetary penalty.
  14. New subsection (4A) of section 155 gives the Commissioner a power to give a penalty notice to an officer of a body corporate when the Commissioner has also given that body corporate a penalty notice in respect of a failure to comply with any of the requirements in regulations 19 to 24 of the PEC Regulations. This replicates the "director liability" provisions in paragraph 8AA of the current Schedule 1 to the PEC Regulations which are being replaced by this new Schedule.
  15. Paragraph 16 of the new Schedule 1 modifies Schedule 16 (penalties) of the DPA 2018 for the purposes of its application to the PEC Regulations. Schedule 16 sets out procedures the Commissioner must follow when imposing a penalty notice.
  16. Paragraph 17 makes modifications to section 156 (penalty notices: restrictions) of the DPA 2018 for the purposes of its application to the PEC Regulations. The Commissioner is prohibited from giving a penalty notice to a person who acts on behalf of either House of Parliament or to the Crown Estate Commissioners.
  17. Paragraph 18 makes modifications to section 157 (Maximum amount of penalty) of the DPA 2018 for the purposes of its application to the PEC Regulations. This section makes provision about the maximum amount of fines that can be imposed for infringements of a provision of the PEC Regulations or a failure to comply with an information notice, interview notice, assessment notice or an enforcement notice.
  18. Paragraph 18(b)(ii) lists the PEC Regulations for which a penalty notice may impose the higher maximum penalty in the event of an infringement. The higher maximum penalty is £17,500,000 or (in the case of an undertaking) 4% of the undertaking’s total annual worldwide turnover, whichever is higher. Infringements of the remaining PEC Regulations are subject to the standard maximum penalty, which is £8,700,000 or (in the case of an undertaking) 2% of the undertaking’s total annual worldwide turnover, whichever is higher.
  19. Paragraph 19 modifies section 159 (amount of penalties: supplementary) of the DPA 2018 as applied for the purposes of the regulation of the PEC Regulations. This section provides the Secretary of State with the power to introduce regulations for the purposes of section 157, which make provision that a person is or is not an undertaking, that a period is or is not a financial year or about how an undertaking’s turnover is to be determined. The Regulations are subject to the affirmative resolution procedure.
  20. Paragraph 20 modifies section 160 (guidance about regulatory action) of the DPA 2018 as applied for the purposes of the regulation of the PEC Regulations. Section 160 requires the Commissioner to produce and publish guidance about how he will exercise his functions in relation to information notices, assessment notices, interview notices, enforcement notices and penalty notices. It also sets out the procedure the Commissioner must follow for publishing the guidance and laying it in Parliament.
  21. Paragraph 21 makes modification to section 162 (Rights of appeal) of the DPA 2018 for the purposes of its application to the PEC Regulations. This section gives a person who is given an information notice, assessment notice (including requirements relating to a technical report), interview notice, enforcement notice or penalty notice a right to appeal against that notice/requirement. A person whose application for the cancellation or variation of an enforcement notice is refused is given a right to appeal against that refusal. This section also gives a person a right to appeal against the amount specified in a penalty notice or a penalty variation notice whether or not the person appeals against the notice.
  22. Paragraph 22 makes modification to section 163 (Determination of appeals) of the DPA 2018 for the purposes of its application to the PEC Regulations. This section makes provision in relation to the determination of appeals under section 162 by the Upper Tribunal or the First-tier Tribunal.
  23. Paragraph 23 makes modification to section 180 (Jurisdiction) of the DPA 2018 for the purposes of its application to the PEC Regulations. This section sets out which courts have jurisdiction for information orders. In England and Wales and Northern Ireland the jurisdiction is exercisable by the county court or the High Court, and in Scotland by the sheriff or the Court of Session. An exception is made for cases in which the information notice contains an urgency statement or there is an application to challenge urgent notices under section 164, when only the High Court or, in Scotland, the Court of Session can make an information order.
  24. Paragraph 24 makes modification to section 181 (Interpretation of Part 6) of the DPA 2018 for the purposes of its application to the PEC Regulations.
  25. Paragraph 25 makes modification to section 182 (Regulations and consultation) of the DPA 2018 for the purposes of its application to the PEC Regulations. This section makes provision concerning the form, process and procedure for making regulations under the powers in the DPA 2018 (as applied), including consultation requirements.
  26. Paragraph 26 makes modification to section 196 (Penalties for offences) of the DPA 2018 for the purpose of its application to the PEC Regulations. Where offences relate to a person’s frustration or obstruction of the Commissioner’s investigations of breaches of the PEC Regulations, the penalties that can be imposed by the courts will be identical to those that apply when the offence relates to obstruction of investigations for breaches of the data protection legislation.
  27. Paragraph 27 makes modification to section 200 (Guidance about PACE codes of practice) of the DPA 2018 for the purpose of its application to the PEC Regulations. Section 200 requires the Commissioner to publish guidance about how the Commissioner intends to perform the duty under section 67(9) of the Police and Criminal Evidence Act 1984 (duty to have regard to codes of practice under that Act when investigating offences and charging offenders). The modifications made by paragraph 27 are self-explanatory.
  28. Paragraph 28 makes modification to section 202 (Proceedings in the First-tier Tribunal: contempt) of the DPA 2018 as applied for the purposes of the regulation of the PEC Regulations. This section allows the First-tier Tribunal to certify an offence to the Upper Tribunal if a person does something (or fails to do something) in relation to tribunal proceedings which would constitute contempt of court if the proceedings were before a court. The modifications made by paragraph 28 are self-explanatory.
  29. Paragraph 29 modifies section 203 (Tribunal procedure rules) of the DPA 2018 for the purposes of its application to the PEC Regulations. This section sets out the power to make Tribunal Procedure Rules to regulate the way the rights of appeal conferred by section 162 are exercised.
  30. Paragraph 30 sets out the meaning of "the PEC Regulations" for the purposes of Schedule 13.

Schedule 14: The Information Commission

  1. Paragraph 1 of Schedule 14 inserts a new Schedule 12A into the DPA 2018 which describes the nature, form and governance structure of the new body corporate (the Information Commission).
  2. Paragraph 2 contains transitional provisions. It makes provision that the person who holds the office of Information Commissioner immediately before the day on which the Schedule comes into force is to be treated as having been appointed as the chair of the Information Commission for a term that expires at the time the person would cease to hold the office of Information Commissioner but for its abolition.
  3. Paragraph 3 contains transitional provisions relating to the requirement under paragraph 3(4) of new Schedule 12A to the DPA 2018 for the Secretary of State to consult the chair of the Information Commission prior to appointing non-executive members of the Commission. The transitional provisions allow the requirements under paragraph 3(4) of Schedule 12A to be satisfied by consultation carried out, before this Schedule comes into force, with the person who holds the office of Information Commissioner.
  4. Paragraph 4 contains transitional provisions relating to the consultation requirements under paragraph 25 of new Schedule 12A to the DPA 2018 for the chair of the Information Commission to consult the Secretary of State before appointing the first chief executive of the Information Commission. The transitional provisions allow the requirements under paragraph 25 of Schedule 12A to be satisfied by consultation carried out, before Schedule 14 comes into force, by the person who holds the office of Information Commissioner.

New Schedule 12A to the Data Protection Act 2018: The Information Commission

  1. Paragraph 1 states that the Information Commission is not to be regarded as a servant or agent of the Crown, or as enjoying any status, immunity or privilege of the Crown. The Commission’s property is not to be regarded as property of, or property held on behalf of, the Crown.
  2. Paragraph 2 prescribes that the number of members of the Information Commission must not be less than 3, or more than 14. It confers power on the Secretary of State to change the maximum number of members of the Commission through regulations, which will be subject to the negative resolution procedure.
  3. Paragraph 3 makes provision for the membership of the Commission and imposes consultation requirements on the Secretary of State and non-executive members when appointing members to the Commission. It also confers power on the Secretary of State to set, by direction, a minimum and a maximum number of executive members.
  4. Paragraph 4 stipulates that the Secretary of State must exercise the powers in paragraphs 2 and 3 to ensure that, in so far as practicable, non-executive members outnumber executive members.
  5. Paragraph 5 requires that the chair and other members of the Commission are selected on merit on the basis of fair and open competition.
  6. Paragraph 6 makes provision for conflicts of interest.
  7. Paragraph 7 makes provision for the tenure of the chair.
  8. Paragraph 8 makes provision for the tenure of the deputy chair.
  9. Paragraph 9 makes provision for the tenure of the other non-executive members.
  10. Paragraph 10 makes provision for the remuneration and pensions of the non-executive members.
  11. Paragraph 11 makes provision in relation to the terms and conditions of the executive members.
  12. Paragraph 12 makes provision for the appointment and in relation to the terms and conditions of other staff of the Information Commission.
  13. Paragraph 13 makes provision in relation to committees of the Commission.
  14. Paragraph 14 makes provision in relation to the delegation of functions of the Commission.
  15. Paragraph 15 makes provision regarding advice from committees.
  16. Paragraph 16 makes provision in relation to proceedings of the Commission and its committees.
  17. Paragraph 17 requires that the Commission makes arrangements for the keeping of records of proceedings.
  18. Paragraph 18 makes provision for disqualification for acting in relation to certain matters.
  19. Paragraph 19 makes provision regarding the validity of proceedings of the Commission, of the non-executive members of the Commission and of committees of the Commission.
  20. Paragraph 20 provides that the Secretary of State may make payments to the Commission.
  21. Paragraph 21 makes provision regarding fees, charges, penalties and other sums received by the Commission in carrying out its functions.
  22. Paragraph 22 makes provision concerning the keeping of accounts.
  23. Paragraph 23 makes provision about the authentication of the Information Commission’s seal and the presumption of the authenticity of documents.
  24. Paragraph 24 clarifies that the Information Commission may do things to facilitate the exercise of its functions.
  25. Paragraph 25 makes transitional provision for the appointment of an interim chief executive.
  26. Paragraph 26 relates to the interpretation of references to pensions, allowances and gratuities.

Schedule 15: Information standards for health and adult social care in England

  1. Schedule 15 amends section 250 (powers to publish information standards) of the Health and Social Care Act 2012 (HSCA 2012).
  2. Paragraph 3(2) amends section 250(2) to make clear that an information standard (a standard in relation to the processing of information) that may be prepared and published under section 250(1) includes a standard relating to information technology (IT) or IT services used or intended to be used in connection with the processing of information.
  3. Paragraph 2(3) makes a technical amendment to section 250(2B) to ensure that an information standard may apply to a public body which exercises functions in connection with the provision in relation to (as well as in) England of health care or of adult social care. This reflects the fact that, by virtue of section 250(2B) of the HSCA 2012, the persons to whom information standards may apply include persons who are required to be registered (with the Care Quality Commission) in respect of the carrying on of a regulated activity: under the Health and Social Care Act 2008, an activity may be prescribed as a "regulated activity" if, amongst other things, it involves, or is connected with, the provision of health or social care in, or in relation to, England.
  4. Paragraph 3(4) amends section 250(2B) by adding relevant IT providers to the list of persons to whom an information standard may apply (the definition of a "relevant IT provider" is explained below).
  5. Paragraph 3(5) makes a technical amendment to section 250(3) to make it clear that the Secretary of State’s power, under section 250(1), to prepare information standards may be exercised in relation to information concerning, or connected with, the provision of health and adult social care in relation to England (as well as in England). As above, this reflects the fact that, by virtue of section 250(2B) of the HSCA 2012, the persons to whom information standards may apply include persons who are required to be registered (with the Care Quality Commission) in respect of the carrying on of an activity which involves, or is connected with, the provision of health or social care in, or in relation to, England.
  6. Paragraph 3(6) makes a technical amendment to section 250(7) so that the definitions in that subsection apply for the purposes of the entirety of Chapter 1 of Part 9 of the HSCA 2012, rather than just section 250 in that Chapter.
  7. Paragraph 3(6) inserts definitions of "information technology", "IT service" and "relevant IT provider" into section 250(7). "Information technology" includes IT products such as computers, other devices whose uses include the processing of information by electronic means ("IT devices"); parts, accessories and other equipment made or adapted for use in connection with computers or IT devices; software and code made or adapted for use in connection with computers or IT devices; and networks and other infrastructure (whether physical or virtual) used in connection with other IT. "IT service" means a physical or virtual service consisting of, or provided in connection with, developing, making available, operating or maintaining information technology. "Relevant IT provider" means a person involved in marketing, supplying, providing or otherwise making available IT, IT services or a service which consists of processing information using IT, for payment or free of charge, so far as the IT or service is used, or intended for use, in connection with the provision in or in relation to England of health or adult social care.
  8. Paragraph 3(6) also makes a technical amendment to the definition of "processing" in section 250(7) to omit a reference to section 3(14) of the DPA 2018 which glosses references to the processing of personal data and which is unnecessary in light of the fact that section 250 does not refer to the processing of personal data.
  9. Paragraph 4 inserts new section 250A into the HSCA 2012. New subsection (1) enables an information standard to make provision about the design, quality, capabilities or other characteristics of IT or IT services. Information standards can also make provision about contracts or other arrangements under which IT or IT services are marketed, supplied, provided or otherwise made available.
  10. New subsection (2) of section 250A enables an information standard to make technical provision about IT and IT services. This can include provision about:
    • Functionality (e.g. how an IT product or service works to provide the desired outcome);
    • Connectivity (e.g. the ability of an IT product or service to connect with other computer systems or application programs);
    • Interoperability (e.g. how IT products or services from different providers exchange or share information);
    • Portability (e.g. the possibility of the IT product or service being used in different environments without requiring significant rework);
    • Storage of, and access to, information (e.g. how, where and why information is stored, and the format in which it is stored);
    • The security of information (e.g. the processes and methodologies involved in keeping information confidential yet accessible where appropriate, and assuring its integrity).
  11. New subsection (3) of section 250A provides that an information standard can make provision by reference to open standards or proprietary standards. This could include standards produced by standards development organisations.
  12. Paragraph 5 of Schedule 15 substitutes subsection (3) of section 251 of the HSCA 2012. Section 251(3) enables the Secretary of State or NHS England to adopt an information standard prepared or published by another person. The substituted subsection (3) ensures that this extends to information standards as they have effect from time to time, and that information standards can make provision by reference to international agreements or other documents (including as they have effect from time to time). Paragraph 5 also makes a consequential amendment to the heading of section 251.
  13. Paragraph 6 inserts a new heading "Compliance with Standards" after section 251. Paragraph 7 substitutes the heading of section 251ZA. Paragraph 8 inserts new sections 251ZB, 251ZC, 251ZD and 251ZE after section 251ZA.
  14. New section 251ZB(1) provides that if the Secretary of State has reasonable grounds to suspect that a relevant IT provider is not complying with an information standard that applies to the IT provider, the Secretary of State may give the IT provider a written notice which identifies the information standard in question, sets out the grounds for suspecting non-compliance, asks the IT provider to comply within a specified period, asks the IT provider to provide evidence of compliance within a specified period, and where appropriate sets out the steps that the IT provider must take within a specified period in order to comply with the standard.
  15. Section 251ZB(2) sets out that any period specified for the purposes of subsection (1) must be at least 28 days beginning with the day the notice is given.
  16. Section 251ZB(3) provides that the Secretary of State may vary or revoke a notice given to a relevant IT provider under section 251ZB(1) by means of a further written notice.
  17. New section 251ZC provides for public censure of a relevant IT provider in certain circumstances. Subsection (1) provides that, if the Secretary of State has reasonable grounds to suspect an IT provider is not complying with an information standard that applies to the IT provider, the Secretary of State can publish a statement to that effect.
  18. Subsection (2) provides that the published statement can include the text of the notice given to an IT provider under section 251ZB (notice requesting compliance).
  19. Subsection (3) stipulates that before a statement is published under section 251ZC, the Secretary of State must give the relevant IT provider a copy of the terms of the proposed statement, and an opportunity to make representations about the decision to publish a statement and the terms of the statement.
  20. Subsection (4) stipulates that if the Secretary of State decides to publish the statement after considering any representations made by the relevant IT provider, the Secretary of State must inform the IT provider before publishing the statement.
  21. Subsection (5) confirms that any personal data processed in the exercise of the power of public censure is subject to the relevant, existing, data protection legislation.
  22. New section 251ZD enables the Secretary of State to delegate certain functions to other persons. Those functions are listed in subsection (3) and consist of functions under section 251ZA (monitoring compliance), so far as they relate to relevant IT providers, and functions under section 251ZB (notice requesting compliance). Subsection (1) provides that the Secretary of State may direct a public body to exercise some or all of those functions and give the public body directions about the exercise of those functions.
  23. Subsection (2) enables the Secretary of State to make arrangements for a person prescribed by regulations to exercise some or all of those functions.
  24. Subsection (4) enables the arrangements made under subsection (2) to provide for the making of payments to the person with whom the arrangements are made, and to make provision about the circumstances in which such payments are to be repaid to the Secretary of State.
  25. New section 251ZE provides for the accreditation of IT and IT services. Subsection (1) enables regulations to make provision for the establishment and operation of a scheme for accreditation of IT and IT services.
  26. Subsection (2) enables the regulations to provide for the scheme to be established and operated by a person ("operator") specified in the regulations.
  27. Subsection (3) enables the regulations to, among other things, confer power on the operator to establish the procedure for accrediting IT and IT services under the scheme, set the criteria for accreditation (the accreditation criteria), to keep an accreditation under the scheme under review and to charge a reasonable fee in respect of an application for accreditation.
  28. Subsection (4) enables the regulations to, among other things, make provision that requires the operator of the accreditation scheme to set some or all of the accreditation criteria by reference to information standards, to publish details of the scheme including the accreditation criteria, to provide for the review of a decision to refuse an application for accreditation, and to provide advice to applicants for accreditation with a view to ensuring that the accreditation criteria are met.

Schedule 16: Grant of smart meter communication licences

  1. The proposed new powers for the Gas and Electricity Markets Authority (GEMA, referred to here as "the Authority") are introduced into the Energy Act 2008, to ensure that the new provisions sit alongside the Secretary of State’s existing powers in that Act to modify licence conditions for smart metering related matters.
  2. Schedule 16, Part 1 amends section 88 of the Energy Act 2008 to differentiate between the existing powers of the Secretary of State and the new powers of the Authority.
  3. Section 91A makes provision for the Authority to make regulations regarding the procedure to be followed in granting a successor smart meter communication licence via a competitive or non-competitive process. The approval of the Secretary of State is needed for the Authority to make such regulations. The negative parliamentary procedure will apply to any such regulations by virtue of section 105(1) of the Energy Act 2008.
  4. Section 91B makes further provision regarding any regulations made by the Authority to appoint a successor smart meter communication licence.
  5. Section 91C introduces a power for the Authority to make modifications to conditions of gas and electricity licences, or documents maintained under those licences, for the purposes of, or in preparation for, the grant of a smart meter communication licence.
  6. Section 91D requires the Authority to consult on any proposed changes to conditions of gas and electricity licences or documents maintained under them prior to making the changes.
  7. Schedule 16, Part 2 amends the Gas Act 1986 and the Electricity Act 1989 and has the effect of removing the existing powers for the Secretary of State to make regulations regarding the process to be followed for the competitive award of a smart meter communication licence.