Data Protection Act 2018
PART 1 — Preliminary
Overview
1
- (1) This Act makes provision about the processing of personal data.
- (2) Most processing of personal data is subject to the UK GDPR.
- (3) Part 2 supplements the UK GDPR.
- (4) Part 3 makes provision about the processing of personal data by competent authorities for law enforcement purposes ....
- (5) Part 4 makes provision about the processing of personal data by the intelligence services (and certain processing carried out by competent authorities jointly with the intelligence services).
- (6) Part 5 makes provision about the Information Commissioner.
- (7) Part 6 makes provision about the enforcement of the data protection legislation.
- (8) Part 7 makes supplementary provision, including provision about the application of this Act to the Crown and to Parliament.
Protection of personal data
2
- (1) The UK GDPR and this Act protect individuals with regard to the processing of personal data, in particular by—
  - (a) requiring personal data to be processed lawfully and fairly, on the basis of the data subject's consent or another specified basis,
  - (b) conferring rights on the data subject to obtain information about the processing of personal data and to require inaccurate personal data to be rectified, and
  - (c) conferring functions on the Commissioner, giving the holder of that office responsibility for monitoring and enforcing their provisions.
- (2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Terms relating to the processing of personal data
3
- (1) This section defines some terms used in this Act.
- (2) “Personal data” means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).
- (3) “Identifiable living individual” means a living individual who can be identified, directly or indirectly, in particular by reference to—
  - (a) an identifier such as a name, an identification number, location data or an online identifier, or
  - (b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
- (4) “Processing”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as—
  - (a) collection, recording, organisation, structuring or storage,
  - (b) adaptation or alteration,
  - (c) retrieval, consultation or use,
  - (d) disclosure by transmission, dissemination or otherwise making available,
  - (e) alignment or combination, or
  - (f) restriction, erasure or destruction,
(subject to subsection (14)(c) and sections 5(7), 29(2) and 82(3), which make provision about references to processing in the different Parts of this Act).
- (5) “Data subject” means the identified or identifiable living individual to whom personal data relates.
- (6) “Controller” and “processor”, in relation to the processing of personal data to which ... Part 2, Part 3 or Part 4 applies, have the same meaning as in that ... Part (see sections 5, 6, 32 and 83 and see also subsection (14)(d)).
- (7) “Filing system” means any structured set of personal data which is accessible according to specific criteria, whether held by automated means or manually and whether centralised, decentralised or dispersed on a functional or geographical basis.
- (8) “The Commissioner” means the Information Commissioner (see section 114).
- (8A) “The Commission” means the Information Commission (see section 114A).
- (9) “The data protection legislation” means—
  - (a) the UK GDPR,
  - (b) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  - (c) this Act, and
  - (d) regulations made under this Act or the UK GDPR, ...
  - (e) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
- (10) “The UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)).
- (10A) “The EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) as it has effect in EU law.
- (11) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
- (12) “The Law Enforcement Directive” means Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
- (13) “The Data Protection Convention” means the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data which was opened for signature on 28 January 1981, as amended up to the day on which this Act is passed.
- (14) In Parts 5 to 7, except where otherwise provided—
  - (a) references to the UK GDPR are to the UK GDPR read with Part 2;
  - (b) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
  - (c) references to personal data, and the processing of personal data, are to personal data and processing to which ... Part 2, Part 3 or Part 4 applies;
  - (d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which ... Part 2, Part 3 or Part 4 applies.
- (15) There is an index of defined expressions in section 206.
PART 2 — General processing
CHAPTER 1 — Scope and definitions
Processing to which this Part applies
4
- (1) This Part is relevant to most processing of personal data.
- (2) This Part—
  - (a) applies to the types of processing of personal data to which the UK GDPR applies by virtue of Article 2 of the UK GDPR, and
  - (b) supplements, and must be read with, the UK GDPR.
- (3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Definitions
5
- (1) Terms used in ... this Part and in the UK GDPR have the same meaning in this Part as they have in the UK GDPR.
- (2) In subsection (1), the reference to a term's meaning in the UK GDPR is to its meaning in the UK GDPR read with any provision of this Part which modifies the term's meaning for the purposes of the UK GDPR.
- (3) Subsection (1) is subject to any provision in this Part which provides expressly for the term to have a different meaning and to section 204.
- (4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
- (5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
- (6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
- (7) A reference in ... this Part to the processing of personal data is to processing to which this Part applies.
- (8) Sections 3 and 205 include definitions of other expressions used in this Part.
CHAPTER 2 — The UK GDPR
Meaning of certain terms used in the UK GDPR
Meaning of “controller”
6
- (1) The definition of “controller” in Article 4(1)(7) of the UK GDPR has effect subject to—
  - (a) subsection (2),
  - (b) section 209, and
  - (c) section 210.
- (2) For the purposes of the UK GDPR, where personal data is processed only—
  - (a) for purposes for which it is required by an enactment to be processed, and
  - (b) by means by which it is required by an enactment to be processed,
the person on whom the obligation to process the data is imposed by the enactment (or, if different, one of the enactments) is the controller.
Meaning of “public authority” and “public body”
7
- (1) For the purposes of the UK GDPR, the following (and only the following) are “public authorities” and “public bodies” ...—
  - (a) a public authority as defined by the Freedom of Information Act 2000,
  - (b) a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002 (asp 13),
  - (ba) the Advanced Research and Invention Agency, and
  - (c) an authority or body specified or described by the Secretary of State in regulations,
subject to subsections (2), (3) and (4).
- (2) An authority or body that falls within subsection (1) is only a “public authority” or “public body” for the purposes of the UK GDPR when performing a task carried out in the public interest or in the exercise of official authority vested in it.
- (3) The references in subsection (1)(a) and (b) to public authorities and Scottish public authorities as defined by the Freedom of Information Act 2000 and the Freedom of Information (Scotland) Act 2002 (asp 13) do not include any of the following that fall within those definitions—
  - (a) a parish council in England;
  - (b) a community council in Wales;
  - (c) a community council in Scotland;
  - (d) a parish meeting constituted under section 13 of the Local Government Act 1972;
  - (e) a community meeting constituted under section 27 of that Act;
  - (f) charter trustees constituted—
    - (i) under section 246 of that Act,
    - (ii) under Part 1 of the Local Government and Public Involvement in Health Act 2007, or
    - (iii) by the Charter Trustees Regulations 1996 (S.I. 1996/263).
- (4) The Secretary of State may by regulations provide that a person specified or described in the regulations that is a public authority described or mentioned in subsection (1)(a), (b) or (ba) is not a “public authority” or “public body” for the purposes of the UK GDPR.
- (5) Regulations under this section are subject to the affirmative resolution procedure.
Lawfulness of processing
Lawfulness of processing: public interest etc
8
In Article 6(1) of the UK GDPR (lawfulness of processing), the reference in point (e) to processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of ... official authority includes processing of personal data that is necessary for—
- (a) the administration of justice,
- (b) the exercise of a function of either House of Parliament,
- (c) the exercise of a function conferred on a person by an enactment or rule of law,
- (d) the exercise of a function of the Crown, a Minister of the Crown or a government department, or
- (e) an activity that supports or promotes democratic engagement.
Child’s consent in relation to information society services
9
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Special categories of personal data
Special categories of personal data and criminal convictions etc data
10
- (1) Subsections (2) and (3) make provision about the processing of personal data described in Article 9(1) of the UK GDPR (prohibition on processing of special categories of personal data) in reliance on an exception in one of the following points of Article 9(2)—
  - (a) point (b) (employment, social security and social protection);
  - (b) point (g) (substantial public interest);
  - (c) point (h) (health and social care);
  - (d) point (i) (public health);
  - (e) point (j) (archiving, research and statistics).
- (2) The processing meets the requirement in point (b), (h), (i) or (j) of Article 9(2) of the UK GDPR for authorisation by, or a basis in, the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 1 of Schedule 1.
- (3) The processing meets the requirement in point (g) of Article 9(2) of the UK GDPR for a basis in the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 2 of Schedule 1.
- (4) Subsection (5) makes provision about the processing of personal data relating to criminal convictions and offences or related security measures that is not carried out under the control of official authority.
- (5) The processing meets the requirement in Article 10(1) of the UK GDPR for authorisation by the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 1, 2 or 3 of Schedule 1.
- (6) The Secretary of State may by regulations—
  - (a) amend Schedule 1—
    - (i) by adding or varying conditions or safeguards, and
    - (ii) by omitting conditions or safeguards added by regulations under this section, and
  - (b) consequentially amend this section.
- (7) Regulations under this section are subject to the affirmative resolution procedure.
Special categories of personal data etc: supplementary
11
- (1) For the purposes of Article 9(2)(h) of the UK GDPR (processing for health or social care purposes etc), the circumstances in which the processing of personal data is carried out subject to the conditions and safeguards referred to in Article 9(3) of the UK GDPR (obligation of secrecy) include circumstances in which it is carried out—
  - (a) by or under the responsibility of a health professional or a social work professional, or
  - (b) by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.
- (2) In Article 10 of the UK GDPR and section 10, references to personal data relating to criminal convictions and offences or related security measures include personal data relating to—
  - (a) the alleged commission of offences by the data subject, or
  - (b) proceedings for an offence committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing.
Rights of the data subject
Limits on fees that may be charged by controllers
12
- (1) The Secretary of State may by regulations specify limits on the fees that a controller may charge in reliance on—
  - (a) Article 12(5) of the UK GDPR (reasonable fees when responding to manifestly unfounded or excessive requests), or
  - (b) Article 15(3) of the UK GDPR (reasonable fees for provision of further copies).
- (2) The Secretary of State may by regulations—
  - (a) require controllers of a description specified in the regulations to produce and publish guidance about the fees that they charge in reliance on those provisions, and
  - (b) specify what the guidance must include.
- (3) Regulations under this section are subject to the negative resolution procedure.
Obligations of credit reference agencies
13
- (1) This section applies where a controller is a credit reference agency (within the meaning of section 145(8) of the Consumer Credit Act 1974).
- (2) The controller's obligations under Article 15(1) to (3) of the UK GDPR (confirmation of processing, access to data and safeguards for third country transfers) are taken to apply only to personal data relating to the data subject's financial standing, unless the data subject has indicated a contrary intention.
- (3) Where the controller discloses personal data in pursuance of Article 15(1) to (3) of the UK GDPR, the disclosure must be accompanied by a statement informing the data subject of the data subject's rights under section 159 of the Consumer Credit Act 1974 (correction of wrong information).
Automated decision-making authorised by law: safeguards
14
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Exemptions etc
Exemptions etc
15
- (1) Schedules 2, 3 and 4 make provision for exemptions from, and restrictions and adaptations of the application of, rules of the UK GDPR.
- (2) In Schedule 2—
  - (a) Part 1 makes provision adapting or restricting the application of rules contained in Articles 13 to 21 and 34 of the UK GDPR in specified circumstances (of a kind described in Article 6(3) and Article 23(1) of the UK GDPR);
  - (b) Part 2 makes provision restricting the application of rules contained in Articles 13 to 21 and 34 of the UK GDPR in specified circumstances (of a kind described in Article 23(1) of the UK GDPR);
  - (c) Part 3 makes provision restricting the application of Article 15 of the UK GDPR where this is necessary to protect the rights of others (of a kind described in Article 23(1) of the UK GDPR);
  - (d) Part 4 makes provision restricting the application of rules contained in Articles 13 to 15 of the UK GDPR in specified circumstances (of a kind described in Article 23(1) of the UK GDPR);
  - (e) Part 5 makes provision containing exemptions or derogations from Chapters II, III, IV and V of the UK GDPR for reasons relating to freedom of expression (of a kind described in Article 85(2) of the UK GDPR);
  - (f) Part 6 makes provision containing derogations from rights contained in Articles 15, 16, 18, 19, 20 and 21 of the UK GDPR for scientific or historical research purposes, statistical purposes and archiving purposes ....
- (3) Schedule 3 makes provision restricting the application of rules contained in Articles 13 to 21 of the UK GDPR to health, social work, education and child abuse data (of a kind described in Article 23(1) of the UK GDPR).
Reading this document does not replace reading the official text published on legislation.gov.uk. Contains public sector information licensed under the Open Government Licence v3.0. We assume no responsibility for any inaccuracies arising from the conversion of the original CLML XML to this format.