Regulations 23 and 24
1. Paragraphs 2 and 3 set out the conditions specified for the disclosure of protected information by the registrar to a specified public authority.
2. The specified public authority has delivered to the registrar a statement that it intends to use the protected information only for the purpose of facilitating the carrying out by that specified public authority of a public function (“the permitted purpose”).
3. Subject to paragraph 4, the specified public authority (“the authority”) has delivered to the registrar a statement that it will, where it supplies a copy of the protected information to a processor for the purpose of processing the information for use in respect of the permitted purpose—
(a)ensure that the processor is one who carries on business in the European Economic Area;
(b)require that the information is not transmitted outside the European Economic Area by the processor; and
(c)require that the processor does not disclose the information except to the authority or an employee of the authority.
4. Paragraph 3 does not apply where the specified public authority is the Secret Intelligence Service, Security Service or Government Communications Headquarters.
5. Paragraphs 6 to 10 set out the conditions specified for the disclosure of protected information by the registrar to a credit reference agency.
6.— [F1(1)] The credit reference agency—
(a)is carrying on in the United Kingdom or in another EEA State a business comprising the furnishing of information relevant to the financial standing of individuals, being information collected by the agency for that purpose;
(b)maintains appropriate procedures—
(i)to ensure that an independent person can investigate and audit the measures maintained by the agency for the purposes of ensuring the security of any protected information disclosed to that agency; and
[F2(ii)for the purposes of ensuring that it complies with its data protection obligations;]
(c)has not been found guilty of an offence under—
(i)section 1112 (general false statement offence) of the Companies Act 2006 or section 2 of the Fraud Act 2006 M1 (fraud by false representation);F3...
(ii)section 47 (failure to comply with enforcement notice) of the Data Protection Act 1998 in circumstances where it has used the protected information for purposes other than those described in sub-paragraphs (a) to (e) of paragraph 7 below[F4; or ]
[F4(ii)for the purposes of ensuring that it complies with its data protection obligations;]
[F5(d)has not been given a penalty notice under section 155 of the Data Protection Act 2018 in circumstances described in paragraph (c)(ii), other than a penalty notice that has been cancelled.]
[F6(2) In this paragraph, “data protection obligations”, in relation to a credit reference agency, means—
(a)where the agency carries on business in the United Kingdom, obligations under the data protection legislation (as defined in section 3 of the Data Protection Act 2018);
(b)where the agency carries on business in a EEA State other than the United Kingdom, obligations under—
(i)the GDPR (as defined in section 3(10) of the Data Protection Act 2018),
(ii)legislation made in exercise of powers conferred on member States under the GDPR (as so defined), and
(iii)legislation implementing the Law Enforcement Directive (as defined in section 3(12) of the Data Protection Act 2018).]
Textual Amendments
F1Sch. 2 para. 6 renumbered as Sch. 2 para. 6(1) (25.5.2018) by Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 340(2) (with ss. 117, 209, 210); S.I. 2018/625, reg. 2(1)(g)
F2Sch. 2 para. 6(1)(b)(ii) substituted (25.5.2018) by Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 340(3) (with ss. 117, 209, 210); S.I. 2018/625, reg. 2(1)(g)
F3Word in Sch. 2 para. 6(1)(c)(i) omitted (25.5.2018) by virtue of Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 340(4)(a) (with ss. 117, 209, 210); S.I. 2018/625, reg. 2(1)(g)
F4Sch. 2 para. 6(1)(c)(iii) and word inserted (25.5.2018) by Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 340(4)(b) (with ss. 117, 209, 210); S.I. 2018/625, reg. 2(1)(g)
F5Sch. 2 para. 6(1)(d) inserted (25.5.2018) by Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 340(5) (with ss. 117, 209, 210); S.I. 2018/625, reg. 2(1)(g)
F6Sch. 2 para. 6(2) inserted (25.5.2018) by Data Protection Act 2018 (c. 12), s. 212(1), Sch. 19 para. 340(6) (with ss. 117, 209, 210); S.I. 2018/625, reg. 2(1)(g)
Marginal Citations
7. The credit reference agency has delivered to the registrar a statement that it intends to use that protected information only for the purposes of—
(a)providing an assessment of the financial standing of a person;
(b)meeting any obligations contained in [F7the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017] or any [F8rules made pursuant to section 137A of the Financial Services and Markets Act 2000 which relate to the prevention and detection of money laundering in connection with the carrying on of regulated activities by authorised persons], or in any legislation of another EEA State implementing [F9Directive 2015/849/EU of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purpose of money laundering or terrorist financing];
(c)conducting conflict of interest checks required or made necessary by any enactment;
(d)the provision of protected information to—
(i)a public authority specified in Schedule 1 which has satisfied the requirements of paragraphs 2 and 3 of this Schedule; or
(ii)a credit reference agency which has satisfied the requirements of this Part of this Schedule; or
(e)conducting checks for the prevention and detection of crime and fraud.
Textual Amendments
F7Words in Sch. 2 para. 7(b) substituted (26.6.2017) by The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (S.I. 2017/692), reg. 1(2), Sch. 7 para. 26(a) (with regs. 8, 15)
F8Words in Sch. 2 para. 7(b) substituted (1.4.2013) by The Financial Services Act 2012 (Consequential Amendments and Transitional Provisions) Order 2013 (S.I. 2013/472), art. 1(1), Sch. 2 para. 173(b)
F9Words in Sch. 2 para. 7(b) substituted (26.6.2017) by The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (S.I. 2017/692), reg. 1(2), Sch. 7 para. 26(b) (with regs. 8, 15)
8. The credit reference agency has delivered to the registrar a statement that it intends to take delivery of and to use the protected information only in the United Kingdom or in another EEA State.
9. The credit reference agency has delivered to the registrar a statement that it will, where it supplies a copy of the protected information to a processor for the purpose of processing the information for use in respect of the purposes referred to in paragraph 7—
(a)ensure that the processor is one who carries on business in the European Economic Area;
(b)require that the information is not transmitted outside the European Economic Area by the processor; and
(c)require that the processor does not disclose the information except to the credit reference agency or an employee of the credit reference agency.
10. The credit reference agency has delivered to the registrar a statement that it meets the conditions in paragraph 6 above.
11.—(1) In this Schedule—
“processor” means any person who provides a service which consists of putting information into data form or processing information in data form, and any reference to a processor includes a reference to the processor's employees; and
“public function” includes—
any function conferred by or in accordance with any provision contained in any enactment;
any function conferred by or in accordance with any provision contained in the Community Treaties or any Community instrument;
any similar function conferred on persons by or under provisions having effect as part of the law of a country or territory outside the United Kingdom; and
any function exercisable in relation to the investigation of any criminal offence or for the purpose of any criminal proceedings.
(2) In this Schedule any reference to—
(a)an employee of any person who has access to protected information shall be deemed to include any person working or providing services for the purposes of that person or employed by or on behalf of, or working for, any person who is so working or who is supplying such a service; and
(b)the disclosure for the purpose of facilitating the carrying out of a public function includes disclosure in relation to, and for the purpose of, any proceedings whether civil, criminal or disciplinary in which the specified public authority engages while carrying out its public functions.