Legalize
← Current text · History

Data (Use and Access) Act 2025

Current text a fecha 2025-12-01

Part 1 — Access to customer data and business data

Introductory

Customer data and business data

1

Data regulations

Power to make provision in connection with customer data

2

Customer data: supplementary

3

Power to make provision in connection with business data

4

Business data: supplementary

5

Decision-makers

6

Interface bodies

7

Enforcement

Enforcement of regulations under this Part

8

including provision for monitoring or enforcement by a specified public authority.

but such powers are subject to the restrictions in section 9 (as well as any restrictions included in the regulations).

and see section 10 for further provision about financial penalties.

Restrictions on powers of investigation etc

9

Financial penalties

10

unless section 16 confers power to provide otherwise.

Fees etc and financial assistance

Fees

11

unless section 15 confers power to provide otherwise.

nothing in this section, or in regulations under subsection (1) or (9), prevents the person, or a person acting on their behalf, from requiring payment in connection with the performance or exercise of those duties or powers, or restricts their ability to do so, where the person could do so otherwise than in reliance on regulations under subsection (1).

Levy

12

Financial assistance

13

Financial services sector

The FCA and financial services interfaces

14

The FCA and financial services interfaces: supplementary

15

The FCA and financial services interfaces: penalties and levies

16

The FCA and co-ordination with other regulators

17

The Treasury may by regulations amend section 98 of the Financial Services (Banking Reform) Act 2013 (payment systems: duty of the FCA and other regulators to ensure co-ordinated exercise of relevant functions) by—

Supplementary

Liability in damages

18

Duty to review regulations

19

nor does it require the relevant person to provide for the review of Part 1 provision that has been revoked.

Restrictions on processing and data protection

20

Regulations under this Part: supplementary

21

Regulations under this Part: Parliamentary procedure and consultation

22

Related subordinate legislation

23

Repeal of provisions relating to supply of customer data

24

Omit sections 89 to 91 of the Enterprise and Regulatory Reform Act 2013 (supply of customer data).

Other defined terms

25

Index of defined terms for this Part

26

The Table below lists provisions that define or otherwise explain terms defined for the purposes of this Part.

Term Provision
application programming interface section 25 (1)
business, in the course of a section 25 (2)
business data section 1 (2)
customer section 1 (3)
customer data section 1 (2)
dashboard service section 25 (1)
data holder section 1 (2)
data regulations sections 1 (2) and 23 (3)
decision-maker section 6 (2)
digital content section 25 (1)
electronic communications service section 25 (1)
enforcer section 8 (2)
the FCA section 14 (1)
FCA additional requirement section 14 (6)
FCA interface rules section 14 (2)
goods section 25 (1)
interface section 7 (1)
interface arrangements section 7 (1)
interface body section 7 (2)
interface standards section 7 (1)
making arrangements section 25 (3)
managing (facilities, services, standards or arrangements) section 25 (3)
micro business section 25 (1)
monitoring powers (in sections 6 and 7) section 6 (5) or 7 (4) (g) (as appropriate)
primary legislation section 25 (1)
processing section 25 (1)
providing customer data or business data section 1 (6) (a)
public authority section 25 (1)
receiving customer data or business data section 1 (6) (b)
small business section 25 (1)
specified section 25 (1)
third party recipient section 25 (1)
trader section 1 (2)

Part 2 — Digital verification services

Introductory

Introductory

27

DVS trust framework and supplementary codes

DVS trust framework

28

Supplementary codes

29

Withdrawal of a supplementary code

30

Review of DVS trust framework and supplementary codes

31

DVS register

DVS register

32

Registration in the DVS register

33

Power to refuse registration in the DVS register

34

Registration of additional services

35

Supplementary notes

36

Addition of services to supplementary notes

37

Applications for registration, supplementary notes, etc

38

Fees for applications for registration, supplementary notes, etc

39

including provision conferring functions on the Secretary of State in relation to the matters in paragraphs (a) to (e).

Duty to remove person from the DVS register

40

Power to remove person from the DVS register

41

Duty to remove services from the DVS register

42

Duty to remove supplementary notes from the DVS register

43

Duty to remove services from supplementary notes

44

Information gateway

Power of public authority to disclose information to registered person

45

Information disclosed by the Revenue and Customs

46

Information disclosed by the Welsh Revenue Authority

47

Information disclosed by Revenue Scotland

48

Code of practice about the disclosure of information

49

Trust mark

Trust mark for use by registered persons

50

Supplementary

Power of Secretary of State to require information

51

to provide the Secretary of State with information that the Secretary of State reasonably requires for the purposes of the exercise of the Secretary of State’s functions under this Part.

Arrangements for third party to exercise functions

52

Report on the operation of this Part

53

Index of defined terms for this Part

54

The Table below lists provisions that define or otherwise explain terms defined for the purposes of this Part.

Term Provision
accredited conformity assessment body section 33 (6)
digital verification services section 27 (2)
the DVS register section 32 (2)
the DVS trust framework section 28 (1)
supplementary code section 29 (2)
supplementary note section 36 (6)

Powers relating to verification of identity or status

55

(8) An order under subsection (3) containing provision described in subsection (7)(a), (b) or (c) may, in particular— (a) specify a document generated by a DVS-registered person or a DVS-registered person of a specified description; (b) specify a document which was provided to such a person in order to generate such a document; (c) specify steps involving the use of services provided by such a person. (9) In subsection (8), “DVS-registered person” means a person who is registered in the DVS register maintained under Part 2 of the Data (Use and Access) Act 2025 (“the DVS register”). (10) An order under subsection (3) which specifies a description of DVS-registered person may do so by, for example, describing a DVS-registered person whose entry in the DVS register includes a note relating to specified services (see section 36 of the Data (Use and Access) Act 2025).

(1A) An order prescribing requirements for the purposes of this Chapter which contains provision described in subsection (1)(a) or (b) may, in particular— (a) prescribe a document generated by a DVS-registered person or a DVS-registered person of a prescribed description; (b) prescribe a document which was provided to such a person in order to generate such a document. (1B) In subsections (1) and (1A), “DVS-registered person” means a person who is registered in the DVS register maintained under Part 2 of the Data (Use and Access) Act 2025 (“the DVS register”). (1C) An order prescribing requirements for the purposes of this Chapter which prescribes a description of DVS-registered person may do so by, for example, describing a DVS-registered person whose entry in the DVS register includes a note relating to prescribed services (see section 36 of the Data (Use and Access) Act 2025).

(5A) (1) Regulations under paragraph 5(6)(b) or (c) may, in particular— (a) prescribe checks carried out using services provided by a DVS-registered person or a DVS-registered person of a prescribed description; (b) prescribe documents generated by such a person; (c) prescribe documents which were provided to such a person in order to generate such documents. (2) In sub-paragraph (1), “DVS-registered person” means a person who is registered in the DVS register maintained under Part 2 of the Data (Use and Access) Act 2025 (“the DVS register”). (3) Regulations under paragraph 5(6)(b) or (c) which prescribe a description of DVS-registered person may do so by, for example, describing a DVS-registered person whose entry in the DVS register includes a note relating to prescribed services (see section 36 of the Data (Use and Access) Act 2025).

Part 3 — National Underground Asset Register

National Underground Asset Register: England and Wales

56

(106A) (1) The Secretary of State must keep a register of information relating to apparatus in streets in England and Wales. (2) The register is to be known as the National Underground Asset Register (and is referred to in this Act as “NUAR”). (3) NUAR must be kept in such form and manner as may be prescribed. (4) The Secretary of State must make arrangements so as to enable any person who is required, by a provision of this Act, to enter information into NUAR to have access to NUAR for that purpose. (5) Regulations under subsection (3) are subject to the negative procedure. (6) The obligations of the Secretary of State under subsection (1) and under Article 45A(1) of the Street Works (Northern Ireland) Order 1995 (S.I. 1995/3210 (N.I. 19)) (keeping of register of information relating to apparatus in streets in Northern Ireland) may be discharged by the keeping of a single register in relation to England, Wales and Northern Ireland. (106B) (1) Before the end of the initial upload period an undertaker having apparatus in a street must enter into NUAR— (a) all information that is included in the undertaker’s records under section 79(1) on the archive upload date, and (b) any other information of a prescribed description that is held by the undertaker on that date. (2) The duty under subsection (1) does not apply in such cases as may be prescribed. (3) Information must be entered into NUAR under subsection (1) in such form and manner as may be prescribed. (4) An undertaker who fails to comply with a duty placed on the undertaker under this section— (a) commits an offence, and (b) is liable to compensate any person in respect of damage or loss incurred by the person in consequence of the failure. (5) A person who commits an offence under subsection (4)(a) is liable on summary conviction to a fine. (6) In criminal or civil proceedings against an undertaker arising out of a failure to comply with a duty under this section, it is a defence for the undertaker to show that all reasonable care was taken to secure that no such failure occurred by— (a) the undertaker and the undertaker’s employees, and (b) any contractor of the undertaker and the contractor’s employees. (7) Section 95 applies in relation to an offence under this section as it applies in relation to an offence under Part 3. (8) For the purposes of subsection (1) the Secretary of State must by regulations— (a) specify a date as “the archive upload date”, and (b) specify a period beginning with that date as the “initial upload period”. (9) Regulations under this section are subject to the negative procedure. (106C) (1) The Secretary of State may by regulations make provision for or in connection with making information kept in NUAR available. (2) The regulations may (among other things)— (a) make provision about which information, or descriptions of information, may be made available; (b) make provision about the descriptions of person to whom information may be made available; (c) make provision for information to be made available subject to exceptions; (d) make provision requiring or authorising the Secretary of State to adapt, modify or obscure information before making it available; (e) make provision authorising all information kept in NUAR to be made available to prescribed descriptions of person under prescribed conditions; (f) make provision about the purposes for which information may be made available; (g) make provision about the form and manner in which information may be made available; (h) make provision for or in connection with the granting of licences by the Secretary of State in relation to any non-Crown IP rights that may exist in relation to information made available (including provision about the form of a licence and the terms and conditions of a licence); (i) make provision for information to be made available for free or for a fee; (j) make provision about the amounts of the fees, including provision for the amount of a fee to be an amount which is intended to exceed the cost of the things in respect of which the fee is charged; (k) make provision about how funds raised by means of fees must or may be used, including provision for funds to be paid to persons who are required, by a provision of this Act, to enter information into NUAR. (3) Except as otherwise prescribed and subject to section 106I, processing of information by the Secretary of State in exercise of functions conferred by or under section 106A or this section does not breach— (a) an obligation of confidence owed by the Secretary of State, or (b) any other restriction on the processing of information (however imposed). (4) Regulations under this section are subject to the affirmative procedure. (5) In this section— - “database right” has the same meaning as in Part 3 of the Copyright and Rights in Databases Regulations 1997 (S.I. 1997/3032); - “non-Crown IP right” means any copyright, database right or other intellectual property right which is not owned by the Crown. (106D) (1) The Secretary of State must produce guidance for persons described in subsection (2) about how to protect information kept in, or obtained from, NUAR. (2) The persons are persons who, pursuant to regulations made under section 106C, are able to access information kept in NUAR. (3) The Secretary of State may revise or replace the guidance. (4) The Secretary of State must publish the guidance (and any revised or replacement guidance) in such manner as the Secretary of State considers appropriate for bringing it to the attention of persons described in subsection (2). (5) The same guidance may discharge the obligations of the Secretary of State under this section and under Article 45D of the Street Works (Northern Ireland) Order 1995 (S.I. 1995/3210 (N.I. 19)). (106E) (1) The Secretary of State may by regulations make provision requiring undertakers having apparatus in a street to pay fees to the Secretary of State for or in connection with the exercise by the Secretary of State of any function conferred by or under this Part. (2) The regulations may— (a) specify the amounts of the fees, or the maximum amounts of the fees, or (b) provide for the amounts of the fees, or the maximum amounts of the fees, to be determined in accordance with the regulations. (3) In making the regulations the Secretary of State must seek to secure that, so far as possible and taking one year with another, combined NUAR income matches combined NUAR expenses. (4) Except where the regulations specify the amounts of the fees— (a) the amounts of the fees must be specified by the Secretary of State in a statement, and (b) the Secretary of State must— (i) publish the statement, and (ii) lay it before Parliament. (5) Regulations under subsection (1) may make provision about— (a) when a fee is to be paid; (b) the manner in which a fee is to be paid; (c) the payment of discounted fees; (d) exceptions to requirements to pay fees; (e) the refund of all or part of a fee which has been paid. (6) Before making regulations under subsection (1), the Secretary of State must consult— (a) such representatives of persons likely to be affected by the regulations as the Secretary of State considers appropriate, and (b) such other persons as the Secretary of State considers appropriate. (7) Subject to the following provisions of this section regulations under subsection (1) are subject to the affirmative procedure. (8) Regulations under subsection (1) that only make provision of a kind mentioned in subsection (2) are subject to the negative procedure. (9) But the first regulations under subsection (1) that make provision of a kind mentioned in subsection (2) are subject to the affirmative procedure. (10) In this section— - “combined NUAR expenses” means the sum of—expenses incurred by the Secretary of State in, or in connection with, exercising functions conferred by or under this Part (including expenses not directly connected with the keeping of NUAR), andexpenses incurred by the Secretary of State in, or in connection with, exercising functions conferred by or under Articles 45A to 45I of, and Schedule 2ZA to, the Street Works (Northern Ireland) Order 1995 (S.I. 1995/3210 (N.I. 19)) (including expenses not directly connected with the keeping of the register kept under Article 45A(1) of that Order); - “combined NUAR income” means the sum of—income received by the Secretary of State from fees payable under regulations under subsection (1), andincome received by the Secretary of State from fees payable under regulations under Article 45E(1) of the Street Works (Northern Ireland) Order 1995 (S.I. 1995/3210 (N.I. 19)). (106F) (1) The Secretary of State may by regulations make provision requiring undertakers having apparatus in a street to provide information to the Secretary of State for either or both of the following purposes— (a) assisting the Secretary of State in determining the provision that it is appropriate for regulations under section 106E(1) or a statement under section 106E(4) to make; (b) assisting the Secretary of State in determining whether it is appropriate to make changes to such provision. (2) The Secretary of State may by regulations make provision requiring undertakers having apparatus in a street to provide information to the Secretary of State for either or both of the following purposes— (a) ascertaining whether a fee is payable by a person under regulations under section 106E(1); (b) working out the amount of a fee payable by a person. (3) Regulations under subsection (1) or (2) may require an undertaker to notify the Secretary of State of any changes to information previously provided under the regulations. (4) Regulations under subsection (1) or (2) may make provision about— (a) when information is to be provided (which may be at prescribed intervals); (b) the form and manner in which information is to be provided; (c) exceptions to requirements to provide information. (5) Regulations under subsection (1) or (2) are subject to the negative procedure. (106G) Schedule 5A makes provision about the imposition of penalties in connection with requirements imposed by regulations under sections 106E(1) and 106F(1) and (2). (106H) (1) The Secretary of State may make arrangements for a prescribed person to exercise a relevant function of the Secretary of State. (2) More than one person may be prescribed. (3) Arrangements under this section may— (a) provide for the Secretary of State to make payments to the person, and (b) make provision as to the circumstances in which such payments are to be repaid to the Secretary of State. (4) In the case of the exercise of a function by a person authorised by arrangements under this section to exercise that function, a reference in this Part or in regulations under this Part to the Secretary of State in connection with that function is to be read as a reference to that person. (5) Arrangements under this section do not prevent the Secretary of State from exercising a function to which the arrangements relate. (6) Except as otherwise prescribed and subject to section 106I, the disclosure of information between the Secretary of State and a person in connection with the person’s entering into arrangements under this section or exercise of functions to which such arrangements relate does not breach— (a) an obligation of confidence owed by the person making the disclosure, or (b) any other restriction on the disclosure of information (however imposed). (7) Regulations under this section are subject to the affirmative procedure. (8) In this section “relevant function” means a function of the Secretary of State conferred by or under this Part (including the function of charging or recovering fees under regulations under section 106E) other than— (a) a power to make regulations, or (b) a function under section 106E(4) (specifying of fees etc). (9) If a person exercises the function of charging or recovering fees by virtue of arrangements under this section, the person must pay the fees to the Secretary of State, except to the extent that the Secretary of State directs otherwise. (106I) (1) A duty or power to process information that is imposed or conferred by or under this Part does not operate to require or authorise the processing of personal data that would contravene the data protection legislation (but in determining whether processing of personal data would do so, that duty or power is to be taken into account). (2) In this section— - “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3(9) of that Act); - “personal data” has the same meaning as in that Act (see section 3(2) of that Act). (106J) (1) In this Part “prescribed” means prescribed by regulations made by the Secretary of State. (2) Regulations under this Part may make— (a) different provision for different purposes; (b) supplementary and incidental provision. (3) Regulations under this Part are to be made by statutory instrument. (4) Before making regulations under this Part the Secretary of State must obtain the consent of the Welsh Ministers in relation to any provision which would be within the legislative competence of Senedd Cymru if contained in an Act of the Senedd (ignoring any requirement for the consent of a Minister of the Crown imposed under Schedule 7B to the Government of Wales Act 2006). (5) Where regulations under this Part are subject to “the affirmative procedure” the regulations may not be made unless a draft of the statutory instrument containing them has been laid before and approved by a resolution of each House of Parliament. (6) Where regulations under this Part are subject to “the negative procedure” the statutory instrument containing the regulations is subject to annulment in pursuance of a resolution of either House of Parliament. (7) Any provision that may be made in regulations under this Part subject to the negative procedure may be made in regulations subject to the affirmative procedure. (106K) (1) In this Part the following terms have the same meaning as in Part 3— - “apparatus” (see sections 89(3) and 105(1)); - “in” (in a context referring to apparatus in a street) (see section 105(1)); - “street” (see section 48(1) and (2)); - “undertaker” (in relation to apparatus or in a context referring to having apparatus in a street) (see sections 48(5) and 89(4)). (2) In this Part “processing” has the same meaning as in the Data Protection Act 2018 (see section 3(4) of that Act) and “process” is to be read accordingly.

(5A) The provisions of Part 3A of this Act (National Underground Asset Register: England and Wales) bind the Crown. (5B) Nothing in subsection (5A) is to be construed as authorising the bringing of proceedings for a criminal offence against a person acting on behalf of the Crown.

Information in relation to apparatus: England and Wales

57

(c) being informed of its location under section 80(2)(a),

;

(1B) An undertaker must, except in such cases as may be prescribed, record in relation to every item of apparatus belonging to the undertaker such other information as may be prescribed as soon as reasonably practicable after— (a) placing the item in the street or altering its position, (b) inspecting, maintaining, adjusting, repairing, altering or renewing the item, (c) locating the item in the street in the course of executing any other works, or (d) receiving any such information in relation to the item under section 80(2)(a).

;

(3B) Except in such cases as may be prescribed, where an undertaker records information as required by subsection (1) or (1B), or updates such information, the undertaker must, within a prescribed period, enter the recorded or updated information into NUAR. (3C) Information must be entered into NUAR under subsection (3B) in such form and manner as may be prescribed.

;

(7) In this section “prescribed” means— (a) in subsections (1) to (2)— (i) in relation to apparatus in streets in England, prescribed by regulations made by the Secretary of State; (ii) in relation to apparatus in streets in Wales, prescribed by regulations made by the Secretary of State or the Welsh Ministers; (b) otherwise, prescribed by regulations made by the Secretary of State. (8) Before making regulations under this section the Secretary of State must obtain the consent of the Welsh Ministers in relation to any provision that relates to apparatus in streets in Wales. (9) For the meaning of “NUAR”, see section 106A.

(80) (1) Subsection (2) applies where a relevant person executing works of any description in a street finds an item of apparatus which does not belong to the person in relation to which prescribed information— (a) is not entered in NUAR, or (b) is entered in NUAR but is incorrect. (2) Except in such cases as may be prescribed, the person must— (a) take such steps as are reasonably practicable to inform the undertaker to whom the item belongs of the missing or incorrect information, and (b) if (having taken such steps) the person is unable to inform the undertaker to whom the item belongs of the missing or incorrect information, enter into NUAR, in such form and manner as may be prescribed, prescribed information in relation to the item. (3) A person who fails to comply with subsection (2) commits an offence. (4) A person who commits an offence under subsection (3) is liable on summary conviction to a fine not exceeding level 4 on the standard scale. (5) Before making regulations under this section the Secretary of State must obtain the consent of the Welsh Ministers in relation to any provision that relates to apparatus in streets in Wales. (6) Before making regulations under this section the Secretary of State must consult— (a) such representatives of persons likely to be affected by the regulations as the Secretary of State considers appropriate, and (b) such other persons as the Secretary of State considers appropriate. (7) For the purposes of this section a person executing works in a street is a “relevant person” if the person has, pursuant to regulations under section 106C(1), access to NUAR in relation to the street in question. (8) For the meaning of “NUAR”, see section 106A.

.

(1A) Regulations under this Part may make— (a) different provision for different cases; (b) supplementary or incidental provision.

;

(2A) Regulations made by the Welsh Ministers under section 79 are to be made by statutory instrument and a statutory instrument containing such regulations is subject to annulment in pursuance of a resolution of Senedd Cymru.

(ai) section 79 of the New Roads and Street Works Act 1991;

.

National Underground Asset Register: Northern Ireland

58
  • NUAR provision” means any of Articles 45A to 45I and Schedule 2ZA;

;

  1. in Article 40 and a NUAR provision, prescribed by regulations made by the Secretary of State;

.

insert—

(45A) (1) The Secretary of State must keep a register of information relating to apparatus in streets in Northern Ireland. (2) The register is to be known as the National Underground Asset Register (and is referred to in this Order as “NUAR”). (3) NUAR must be kept in such form and manner as may be prescribed. (4) The Secretary of State must make arrangements so as to enable any person who is required, by a provision of this Order, to enter information into NUAR to have access to NUAR for that purpose. (5) The obligations of the Secretary of State under paragraph (1) and under section 106A(1) of the New Roads and Street Works Act 1991 (keeping of register of information relating to apparatus in streets in England and Wales) may be discharged by the keeping of a single register in relation to England, Wales and Northern Ireland. (45B) (1) Before the end of the initial upload period an undertaker having apparatus in a street must enter into NUAR— (a) all information that is included in the undertaker’s records under Article 39(1) on the archive upload date, and (b) any other information of a prescribed description that is held by the undertaker on that date. (2) The duty under paragraph (1) does not apply in such cases as may be prescribed. (3) Information must be entered into NUAR under paragraph (1) in such form and manner as may be prescribed. (4) An undertaker who fails to comply with a duty placed on the undertaker under this Article— (a) commits an offence, and (b) is liable to compensate any person in respect of damage or loss incurred by the person in consequence of the failure. (5) A person who commits an offence under paragraph (4)(a) is liable on summary conviction to a fine not exceeding level 5 on the standard scale. (6) In criminal or civil proceedings against an undertaker arising out of a failure to comply with a duty under this Article, it is a defence for the undertaker to show that all reasonable care was taken to secure that no such failure occurred by— (a) the undertaker and the undertaker’s employees, and (b) any contractor of the undertaker and the contractor’s employees. (7) For the purposes of paragraph (1) the Secretary of State must by regulations— (a) specify a date as “the archive upload date”, and (b) specify a period beginning with that date as the “initial upload period”. (45C) (1) The Secretary of State may by regulations make provision for or in connection with making information kept in NUAR available. (2) The regulations may (among other things)— (a) make provision about which information, or descriptions of information, may be made available; (b) make provision about the descriptions of person to whom information may be made available; (c) make provision for information to be made available subject to exceptions; (d) make provision requiring or authorising the Secretary of State to adapt, modify or obscure information before making it available; (e) make provision authorising all information kept in NUAR to be made available to prescribed descriptions of person under prescribed conditions; (f) make provision about the purposes for which information may be made available; (g) make provision about the form and manner in which information may be made available; (h) make provision for or in connection with the granting of licences by the Secretary of State in relation to any non-Crown IP rights that may exist in relation to information made available (including provision about the form of a licence and the terms and conditions of a licence); (i) make provision for information to be made available for free or for a fee; (j) make provision about the amounts of the fees, including provision for the amount of a fee to be an amount which is intended to exceed the cost of the things in respect of which the fee is charged; (k) make provision about how funds raised by means of fees must or may be used, including provision for funds to be paid to persons who are required, by a provision of this Order, to enter information into NUAR. (3) Except as otherwise prescribed and subject to Article 45I, processing of information by the Secretary of State in exercise of functions conferred by or under Article 45A or this Article does not breach— (a) an obligation of confidence owed by the Secretary of State, or (b) any other restriction on the processing of information (however imposed). (4) In this Article— - “database right” has the same meaning as in Part 3 of the Copyright and Rights in Databases Regulations 1997 (S.I. 1997/3032); - “non-Crown IP right” means any copyright, database right or other intellectual property right which is not owned by the Crown; - “processing” has the same meaning as in the Data Protection Act 2018 (see section 3(4) of that Act). (45D) (1) The Secretary of State must produce guidance for persons described in paragraph (2) about how to protect information kept in, or obtained from, NUAR. (2) The persons are persons who, pursuant to regulations made under Article 45C, are able to access information kept in NUAR. (3) The Secretary of State may revise or replace the guidance. (4) The Secretary of State must publish the guidance (and any revised or replacement guidance) in such manner as the Secretary of State considers appropriate for bringing it to the attention of persons described in paragraph (2). (5) The same guidance may discharge the obligations of the Secretary of State under this Article and under section 106D of the New Roads and Street Works Act 1991. (45E) (1) The Secretary of State may by regulations make provision requiring undertakers having apparatus in a street to pay fees to the Secretary of State for or in connection with the exercise by the Secretary of State of any function conferred by or under a NUAR provision. (2) The regulations may— (a) specify the amounts of the fees, or the maximum amounts of the fees, or (b) provide for the amounts of the fees, or the maximum amounts of the fees, to be determined in accordance with the regulations. (3) In making the regulations the Secretary of State must seek to secure that, so far as possible and taking one year with another, combined NUAR income matches combined NUAR expenses. (4) Except where the regulations specify the amounts of the fees— (a) the amounts of the fees must be specified by the Secretary of State in a statement, and (b) the Secretary of State must— (i) publish the statement, and (ii) lay it before Parliament. (5) Regulations under paragraph (1) may make provision about— (a) when a fee is to be paid; (b) the manner in which a fee is to be paid; (c) the payment of discounted fees; (d) exceptions to requirements to pay fees; (e) the refund of all or part of a fee which has been paid. (6) Before making regulations under paragraph (1), the Secretary of State must consult— (a) such representatives of persons likely to be affected by the regulations as the Secretary of State considers appropriate, and (b) such other persons as the Secretary of State considers appropriate. (7) In this Article— - “combined NUAR expenses” means the sum of—expenses incurred by the Secretary of State in, or in connection with, exercising functions conferred by or under a NUAR provision (including expenses not directly connected with the keeping of NUAR), andexpenses incurred by the Secretary of State in, or in connection with, exercising functions conferred by or under Part 3A of the New Roads and Street Works Act 1991 (including expenses not directly connected with the keeping of the register kept under section 106A(1) of that Act); - “combined NUAR income” means the sum of—income received by the Secretary of State from fees payable under regulations under paragraph (1), andincome received by the Secretary of State from fees payable under regulations under section 106E(1) of the New Roads and Street Works Act 1991. (45F) (1) The Secretary of State may by regulations make provision requiring undertakers having apparatus in a street to provide information to the Secretary of State for either or both of the following purposes— (a) assisting the Secretary of State in determining the provision that it is appropriate for regulations under Article 45E(1) or a statement under Article 45E(4) to make; (b) assisting the Secretary of State in determining whether it is appropriate to make changes to such provision. (2) The Secretary of State may by regulations make provision requiring undertakers having apparatus in a street to provide information to the Secretary of State for either or both of the following purposes— (a) ascertaining whether a fee is payable by a person under regulations under Article 45E(1); (b) working out the amount of a fee payable by a person. (3) Regulations under paragraph (1) or (2) may require an undertaker to notify the Secretary of State of any changes to information previously provided under the regulations. (4) Regulations under paragraph (1) or (2) may make provision about— (a) when information is to be provided (which may be at prescribed intervals); (b) the form and manner in which information is to be provided; (c) exceptions to requirements to provide information. (45G) Schedule 2ZA makes provision about the imposition of penalties in connection with requirements imposed by regulations under Articles 45E(1) and 45F(1) and (2). (45H) (1) The Secretary of State may make arrangements for a prescribed person to exercise a relevant function of the Secretary of State. (2) More than one person may be prescribed. (3) Arrangements under this Article may— (a) provide for the Secretary of State to make payments to the person, and (b) make provision as to the circumstances in which such payments are to be repaid to the Secretary of State. (4) In the case of the exercise of a function by a person authorised by arrangements under this Article to exercise that function, a reference in a NUAR provision or in regulations under a NUAR provision to the Secretary of State in connection with that function is to be read as a reference to that person. (5) Arrangements under this Article do not prevent the Secretary of State from exercising a function to which the arrangements relate. (6) Except as otherwise prescribed and subject to Article 45I, the disclosure of information between the Secretary of State and a person in connection with the person’s entering into arrangements under this Article or exercise of functions to which such arrangements relate does not breach— (a) an obligation of confidence owed by the person making the disclosure, or (b) any other restriction on the disclosure of information (however imposed). (7) In this Article “relevant function” means a function of the Secretary of State conferred by or under a NUAR provision (including the function of charging or recovering fees under regulations under Article 45E) other than— (a) a power to make regulations, or (b) a function under Article 45E(4) (specifying of fees etc). (8) If a person exercises the function of charging or recovering fees by virtue of arrangements under this Article, the person must pay the fees to the Secretary of State, except to the extent that the Secretary of State directs otherwise. (45I) (1) A duty or power to process information that is imposed or conferred by or under a NUAR provision does not operate to require or authorise the processing of personal data that would contravene the data protection legislation (but in determining whether processing of personal data would do so, that duty or power is to be taken into account). (2) In this Article— - “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3(9) of that Act); - “personal data” has the same meaning as in that Act (see section 3(2) of that Act); - “processing” has the same meaning as in that Act (see section 3(4) of that Act).

(A1) Before making regulations under this Order the Secretary of State must obtain the consent of the Department for Infrastructure. (A2) Regulations under Article 39 or 40 or under a NUAR provision may make supplementary or incidental provision.

;

(1B) For the purposes of the Statutory Instruments Act 1946 a power of the Secretary of State to make regulations under this Order is exercisable by statutory instrument, and that Act applies in relation to a document by which such a power is exercised as if this Order were an Act of Parliament passed after the commencement of that Act. (1C) Regulations made by the Secretary of State under Articles 39, 40, 45A, 45B and 45F are subject to the negative Westminster procedure. (1D) Subject to paragraphs (1E) and (1F), regulations made by the Secretary of State under Articles 45C, 45E and 45H and paragraph 1 of Schedule 2ZA are subject to the affirmative Westminster procedure. (1E) Regulations under Article 45E(1) that only make provision of a kind mentioned in Article 45E(2) are subject to the negative Westminster procedure. (1F) But the first regulations under Article 45E(1) that make provision of a kind mentioned in Article 45E(2) are subject to the affirmative Westminster procedure. (1G) Where regulations under this Order are subject to “the affirmative Westminster procedure” the regulations may not be made unless a draft of the statutory instrument containing them has been laid before and approved by a resolution of each House of Parliament. (1H) Where regulations under this Order are subject to “the negative Westminster procedure” the statutory instrument containing the regulations is subject to annulment in pursuance of a resolution of either House of Parliament. (1I) Any provision that may be made in regulations under this Order subject to the negative Westminster procedure may be made in regulations subject to the affirmative Westminster procedure.

Information in relation to apparatus: Northern Ireland

59

(c) being informed of its location under Article 40(2)(a),

;

(1B) An undertaker must, except in such cases as may be prescribed, record in relation to every item of apparatus belonging to the undertaker such other information as may be prescribed as soon as reasonably practicable after— (a) placing the item in the street or altering its position, (b) inspecting, maintaining, adjusting, repairing, altering or renewing the item, (c) locating the item in the street in the course of executing any other works, or (d) receiving any such information in relation to the item under Article 40(2)(a).

;

(3B) Except in such cases as may be prescribed, where an undertaker records information as required by paragraph (1) or (1B), or updates such information, the undertaker must, within a prescribed period, enter the recorded or updated information into NUAR. (3C) Information must be entered into NUAR under paragraph (3B) in such form and manner as may be prescribed.

;

(6) In this Article “prescribed” means— (a) in paragraphs (1) to (2), prescribed by regulations made by the Secretary of State or the Department for Infrastructure; (b) otherwise, prescribed by regulations made by the Secretary of State. (7) For the meaning of “NUAR”, see Article 45A.

(40) (1) Paragraph (2) applies where a relevant person executing works of any description in a street finds an item of apparatus which does not belong to the person in relation to which prescribed information— (a) is not entered in NUAR, or (b) is entered in NUAR but is incorrect. (2) Except in such cases as may be prescribed, the person must— (a) take such steps as are reasonably practicable to inform the undertaker to whom the item belongs of the missing or incorrect information, and (b) if (having taken such steps) the person is unable to inform the undertaker to whom the item belongs of the missing or incorrect information, enter into NUAR, in such form and manner as may be prescribed, prescribed information in relation to the item. (3) A person who fails to comply with paragraph (2) commits an offence. (4) A person who commits an offence under paragraph (3) is liable on summary conviction to a fine not exceeding level 4 on the standard scale. (5) Before making regulations under this Article the Secretary of State must consult— (a) such representatives of persons likely to be affected by the regulations as the Secretary of State considers appropriate, and (b) such other persons as the Secretary of State considers appropriate. (6) For the purposes of this Article a person executing works in a street is a “relevant person” if the person has, pursuant to regulations under Article 45C, access to NUAR in relation to the street in question. (7) For the meaning of “NUAR”, see Article 45A.

.

Pre-commencement consultation

60

Part 4 — Registers of births and deaths

Form in which registers of births and deaths are to be kept

61

(25) (1) Registers of live-births, still-births and deaths must be kept in such form as the Registrar General may reasonably require. (2) The Registrar General may, in particular, require any such register to be kept in a form that secures that any information entered in the register by a registrar— (a) in the case of a register of live-births or of deaths, is available to the superintendent registrar and to the Registrar General immediately after the entry has been made, and (b) in the case of a register of still-births, is available to the Registrar General immediately after the entry has been made. (3) In a case where a register is kept in such form as is mentioned in subsection (2), any information in the register which is available to the superintendent registrar or Registrar General is to be regarded as held by that person (as well as by the registrar) in connection with that person’s functions. (4) The Registrar General— (a) may provide anything which the Registrar General considers appropriate for the registers mentioned in subsection (1) to be kept in the form required under that subsection, and (b) must maintain anything provided under paragraph (a). (5) The Registrar General must also provide the forms required for the purposes of this Act for making certified copies of entries in registers.

Provision of equipment and facilities by local authorities

62

In the Registration Service Act 1953, after section 11 insert—

(11A) (1) At each register office provided for the superintendent registrar of a district, the council which employs the superintendent registrar shall, subject to the provisions of the local scheme, provide and maintain such equipment or facilities as the Registrar General reasonably considers to be necessary for the performance of the superintendent registrar’s functions. (2) At each office and each station for a sub-district of a registrar, the council which employs the registrar shall, subject to the provisions of the local scheme, provide and maintain such equipment or facilities as the Registrar General reasonably considers to be necessary for the performance of the registrar’s functions.

Requirements to sign register

63

(38B) (1) Where any register of births or register of deaths is required to be kept under this Act otherwise than in hard copy form, the Minister may by regulations provide that— (a) a person’s duty under this Act to sign the register at any time is to have effect as a duty to comply with specified requirements at that time, and (b) a person who complies with those requirements is to be treated for the purposes of this Act as having signed the register at that time and, in the case of a duty to sign the register in the presence of the registrar, to have done so in the presence of the registrar, and accordingly, in such a case, the entry in the register is to be taken for the purposes of this Act to have been signed by the person. (2) The provision that may be made by regulations under this section includes, among other things— (a) provision requiring a person to sign something other than the register; (b) provision requiring a person to provide specified evidence of identity in such form and manner as may be specified. (3) In this section “specified” means specified in regulations under this section.

(6) A statutory instrument that contains (whether alone or with other provision) regulations made by the Minister under section 38B may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament.

Treatment of existing registers and records

64

Minor and consequential amendments

65

Schedule 3 contains minor and consequential amendments.

Part 5 — Data protection and privacy

Chapter 1 — Data protection

Terms used in this Chapter

The 2018 Act and the UK GDPR

66

In this Chapter—

Definitions in the UK GDPR and the 2018 Act

Meaning of research and statistical purposes

67

(2) References in this Regulation to the processing of personal data for the purposes of scientific research (including references to processing for “scientific research purposes”) are references to processing for the purposes of any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity. (3) Such references— (a) include processing for the purposes of technological development or demonstration, fundamental research or applied research, so far as those activities can reasonably be described as scientific, but (b) only include processing for the purposes of a study in the area of public health that can reasonably be described as scientific where the study is conducted in the public interest. (4) References in this Regulation to the processing of personal data for the purposes of historical research (including references to processing for “historical research purposes”) include processing for the purposes of genealogical research. (5) References in this Regulation to the processing of personal data for statistical purposes are references to processing for statistical surveys or for the production of statistical results where— (a) the information that results from the processing is aggregate data that is not personal data, and (b) the controller does not use the personal data processed, or the information that results from the processing, in support of measures or decisions with respect to a particular data subject to whom the personal data relates.

Consent to processing for the purposes of scientific research

68

(6) A data subject’s consent is to be treated as falling within the definition of “consent” in point (11) of paragraph 1 if— (a) it does not fall within that definition because (and only because) the consent is given to the processing of personal data for the purposes of an area of scientific research, (b) at the time the consent is sought, it is not possible to identify fully the purposes for which personal data is to be processed, (c) seeking consent in relation to the area of scientific research is consistent with generally recognised ethical standards relevant to the area of research, and (d) so far as the intended purposes of the processing allow, the data subject is given the opportunity to consent only to processing for part of the research. (7) References in this Regulation to consent given for a specific purpose (however expressed) include consent described in paragraph 6.

Consent to law enforcement processing

69

(1A) “Consent” of the data subject to the processing of personal data means a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of the personal data (and see section 40A).

(aa) section 40A makes provision about processing carried out in reliance on the consent of the data subject,

.

(40A) (1) This section is about processing of personal data that is carried out in reliance on the consent of the data subject. (2) The controller must be able to demonstrate that the data subject consented to the processing. (3) If the data subject’s consent is given in writing as part of a document which also concerns other matters, the request for consent must be made— (a) in a manner which clearly distinguishes the request from the other matters, (b) in an intelligible and easily accessible form, and (c) in clear and plain language. (4) Any part of a document described in subsection (3) which constitutes an infringement of this Part is not binding. (5) The data subject may withdraw the consent at any time (but the withdrawal of consent does not affect the lawfulness of processing in reliance on the consent before its withdrawal). (6) Processing may only be carried out in reliance on consent if— (a) before the consent is given, the controller or processor informs the data subject of the right to withdraw it, and (b) it is as easy for the data subject to withdraw the consent as to give it. (7) When assessing whether consent is freely given, account must be taken of, among other things, whether the provision of a service is conditional on consent to the processing of personal data that is not necessary for the provision of that service.

Data protection principles

Lawfulness of processing

70

(ea) processing is necessary for the purposes of a recognised legitimate interest;

, and

(5) For the purposes of paragraph 1(ea), processing is necessary for the purposes of a recognised legitimate interest only if it meets a condition in Annex 1. (6) The Secretary of State may by regulations amend Annex 1 by— (a) adding or varying provisions, or (b) omitting provisions added by regulations made under this paragraph. (7) The Secretary of State may only make regulations under paragraph 6 where— (a) the requirement in paragraph 8 is satisfied, and (b) if the regulations add a case to Annex 1, the requirement in paragraph 9 is also satisfied. (8) The requirement in this paragraph is that the Secretary of State considers it appropriate to make the regulations having regard to, among other things— (a) the interests and fundamental rights and freedoms of data subjects which require protection of personal data, and (b) where relevant, the fact that children merit specific protection with regard to their personal data because they may be less aware of the risks and consequences associated with processing of personal data and of their rights in relation to such processing. (9) The requirement in this paragraph is that the Secretary of State considers that processing in the case to be added to Annex 1 is necessary to safeguard an objective listed in Article 23(1)(c) to (j). (10) Regulations under paragraph 6 are subject to the affirmative resolution procedure. (11) For the purposes of paragraph 1(f), examples of types of processing that may be processing that is necessary for the purposes of a legitimate interest include— (a) processing that is necessary for the purposes of direct marketing, (b) intra-group transmission of personal data (whether relating to clients, employees or other individuals) where that is necessary for internal administrative purposes, and (c) processing that is necessary for the purposes of ensuring the security of network and information systems. (12) In paragraph 11— - “intra-group transmission” means transmission between members of a group of undertakings or between members of a group of institutions affiliated to a central body; - “security of network and information systems” has the same meaning as in the Network and Information Systems Regulations 2018 (S.I. 2018/506) (see regulation 1(3)(g)).

The purpose limitation

71

(3) For the avoidance of doubt, processing is not lawful by virtue only of being processing in a manner that is compatible with the purposes for which the personal data was collected.

(Article 8A) (1) This Article is about the determination, for the purposes of Article 5(1)(b) (purpose limitation), of whether processing of personal data by or on behalf of a controller for a purpose (a “new purpose”) other than the purpose for which the controller collected the data (“the original purpose”) is processing in a manner compatible with the original purpose. (2) In making the determination, a person must take into account, among other things— (a) any link between the original purpose and the new purpose; (b) the context in which the personal data was collected, including the relationship between the data subject and the controller; (c) the nature of the processing, including whether it is processing described in Article 9(1) (processing of special categories of personal data) or Article 10(1) (processing of personal data relating to criminal convictions etc); (d) the possible consequences of the intended processing for data subjects; (e) the existence of appropriate safeguards (for example, encryption or pseudonymisation). (3) Processing of personal data for a new purpose is to be treated as processing in a manner compatible with the original purpose where— (a) the data subject consents to the processing of personal data for the new purpose and the new purpose is specified, explicit and legitimate, (b) the processing is carried out in accordance with Article 84B— (i) for the purposes of scientific research or historical research, (ii) for the purposes of archiving in the public interest, or (iii) for statistical purposes, (c) the processing is carried out for the purposes of ensuring that processing of personal data complies with Article 5(1) or demonstrating that it does so, (d) the processing meets a condition in Annex 2, or (e) the processing is necessary to safeguard an objective listed in Article 23(1)(c) to (j) and is authorised by an enactment or rule of law. (4) Where the controller collected the personal data based on Article 6(1)(a) (data subject’s consent), processing for a new purpose is only processing in a manner compatible with the original purpose if— (a) it falls within paragraph 3(a) or (c), or (b) it falls within paragraph 3(d) or (e) and the controller cannot reasonably be expected to obtain the data subject’s consent. (5) The Secretary of State may by regulations amend Annex 2 by— (a) adding or varying provisions, or (b) omitting provisions added by regulations made under this paragraph. (6) The Secretary of State may only make regulations under paragraph 5 adding a case to Annex 2 where the Secretary of State considers that processing in that case is necessary to safeguard an objective listed in Article 23(1)(c) to (j). (7) Regulations under paragraph 5 may make provision identifying processing by any means, including by reference to the controller, the data subject, the personal data or the provision of Article 6(1) relied on for the purposes of the processing. (8) Regulations under paragraph 5 are subject to the affirmative resolution procedure.

Processing in reliance on relevant international law

72

The basis for the processing referred to in point (e) of paragraph 1 must be laid down by domestic law or relevant international law (see section 9A of the 2018 Act).

, and

(za) section 9A makes provision about when the requirement in paragraph 2(g) of this Article for a basis in relevant international law is met;

.

(za) section 9A makes provision about when the requirement in paragraph 1 of this Article for authorisation by relevant international law is met;

.

(9A) (1) Processing of personal data meets the requirement in Article 6(3), 8A(3)(e), 9(2)(g) or 10(1) of the UK GDPR for a basis in, or authorisation by, relevant international law only if it meets a condition in Schedule A1. (2) A condition in Schedule A1 may be relied on for the purposes of any of those provisions, unless that Schedule provides otherwise. (3) The Secretary of State may by regulations amend Schedule A1 by adding, varying or omitting— (a) conditions, (b) provision about the purposes for which a condition may be relied on, and (c) safeguards in connection with processing carried out in reliance on a condition in the Schedule. (4) Regulations under this section may only add a condition relating entirely or partly to a treaty ratified by the United Kingdom. (5) Regulations under this section are subject to the affirmative resolution procedure. (6) In this section, “treaty” and “ratified” have the same meaning as in Part 2 of the Constitutional Reform and Governance Act 2010 (see section 25 of that Act).

Schedule A1 This condition is met where the processing is necessary for the purposes of responding to a request made in accordance with the Agreement between the Government of the United Kingdom of Great Britain and Northern Ireland and the Government of the United States of America on Access to Electronic Data for the Purpose of Countering Serious Crime, signed on 3 October 2019.

Processing of special categories of personal data

Elected representatives responding to requests

73

In paragraph 23 of Schedule 1 to the 2018 Act (processing of special categories of personal data: elected representatives responding to requests), in sub-paragraph (4), for “fourth day after” substitute “period of 30 days beginning with the day after”.

Processing of special categories of personal data

74

(Article 11A) (1) The Secretary of State may by regulations— (a) make provision so that an additional description of processing of personal data is subject to the prohibition in Article 9(1), (b) make provision so that added processing is not subject to that prohibition, (c) make provision so that an exception in Article 9(2) may or may not be relied on in connection with added processing, and (d) make provision varying such an exception as it applies in connection with added processing. (2) In paragraph 1, “added processing” means a description of processing which is subject to the prohibition in Article 9(1) by virtue of provision made under paragraph 1(a). (3) Regulations made under this Article (in reliance on Article 91A(4)(b)) may amend section 5, 205 or 206 of the 2018 Act (interpretation). (4) Regulations under this Article are subject to the affirmative resolution procedure.

(6A) “Sensitive processing” has the meaning given in section 35(8).

(42A) (1) The Secretary of State may by regulations— (a) make provision so that an additional description of processing of personal data is sensitive processing for the purposes of this Part, (b) make provision so that added processing is not sensitive processing for the purposes of this Part, (c) make provision so that a protected condition in Schedule 8 may or may not be relied on in connection with added processing, and (d) make provision varying such a condition as it relates to added processing. (2) In subsection (1)— - “added processing” means a description of processing which is sensitive processing by virtue of provision made under subsection (1)(a); - “protected condition in Schedule 8” means a condition in that Schedule other than one that was added to the Schedule by regulations under section 35(6). (3) Regulations under this section may amend this Part and sections 205 and 206. (4) Regulations under this section are subject to the affirmative resolution procedure.

(6A) “Sensitive processing” has the meaning given in section 86(7).

(91A) (1) The Secretary of State may by regulations— (a) make provision so that an additional description of processing of personal data is sensitive processing for the purposes of this Part, (b) make provision so that added processing is not sensitive processing for the purposes of this Part, (c) make provision so that a protected condition in Schedule 10 may or may not be relied on in connection with added processing, and (d) make provision varying such a condition as it relates to added processing. (2) In subsection (1)— - “added processing” means a description of processing which is sensitive processing by virtue of provision made under subsection (1)(a); - “protected condition in Schedule 10” means a condition in that Schedule other than one that was added to the Schedule by regulations under section 86(3). (3) Regulations under this section may amend this Part and sections 205 and 206. (4) Regulations under this section are subject to the affirmative resolution procedure.

“sensitive processing (in Parts 3 and 4) sections 35 and 86”.
  • sensitive personal data” means personal data whose retention, or (as appropriate) retention and examination, would be sensitive processing;
  • sensitive processing” means—processing of personal data relating to a living individual that is processing of a kind described in section 86(7)(a) to (e) of the Data Protection Act 2018, orprocessing of personal data relating to a deceased individual that would be that kind of processing if the personal data related to a living individual.

(202A) (1) The Secretary of State may by regulations— (a) make provision so that a description of Part 4 sensitive processing, or of processing that would be such processing if the information processed related to a living individual, is sensitive processing for the purposes of section 202, and (b) make provision so that added processing is not sensitive processing for the purposes of that section. (2) In this section— - “added processing” means a description of processing that is sensitive processing for the purposes of section 202 by virtue of provision made under subsection (1)(a); - “Part 4 sensitive processing” means processing of personal data that, at the time the regulations are made, is sensitive processing for the purposes of Part 4 of the Data Protection Act 2018 by virtue of regulations made under section 91A of that Act. (3) Regulations under this section may amend section 202.

(ea) section 202A,

.

Data subject’s rights

Fees and reasons for responses to data subjects’ requests about law enforcement processing

75

(4A) The Secretary of State may by regulations— (a) require controllers of a description specified in the regulations to produce and publish guidance about the fees that they charge in accordance with subsection (1)(a), and (b) specify what the guidance must include.

,

(6) If, in reliance on subsection (1)(b), the controller does not take action on the request, the controller must inform the data subject of— (a) the reasons for not doing so, and (b) the data subject’s right to lodge a complaint with the Commissioner. (7) The controller must comply with subsection (6)— (a) without undue delay, and (b) in any event, before the end of the applicable time period (as to which see section 54).

Time limits for responding to data subjects’ requests

76

— (a)

, and

, and (b) delay dealing with the request until the identity is confirmed.

(Article 12A) (1) In Article 12, “the applicable time period” means the period of one month beginning with the relevant time, subject to paragraph 3. (2) “The relevant time” means the latest of the following— (a) when the controller receives the request in question; (b) when the controller receives the information (if any) requested in connection with a request under Article 12(6); (c) when the fee (if any) charged in connection with the request under Article 12(5) is paid. (3) The controller may, by giving notice to the data subject, extend the applicable time period by two further months where that is necessary by reason of— (a) the complexity of requests made by the data subject, or (b) the number of such requests. (4) A notice under paragraph 3 must— (a) be given before the end of the period of one month beginning with the relevant time, and (b) state the reasons for the delay. (5) Where the controller reasonably requires further information in order to identify the information or processing activities to which a request under Article 15 relates— (a) the controller may ask the data subject to provide the further information, and (b) the period beginning with the day on which the controller makes the request and ending with the day on which the controller receives the information does not count towards— (i) the applicable time period, or (ii) the period described in paragraph 4(a). (6) An example of a case in which a controller may reasonably require further information is where the controller processes a large amount of information concerning the data subject.

(3A) The controller may, by giving notice to the data subject, extend the applicable time period by two further months where that is necessary by reason of— (a) the complexity of requests made by the data subject, or (b) the number of such requests. (3B) A notice under subsection (3A) must— (a) be given before the end of the period of one month beginning with the relevant time, and (b) state the reasons for the delay. (3C) Where the controller reasonably requires further information in order to identify the information or processing activities to which a request under section 45(1) relates— (a) the controller may ask the data subject to provide the further information, and (b) the period beginning with the day on which the controller makes the request and ending with the day on which the controller receives the information does not count towards— (i) the applicable time period, or (ii) the period described in subsection (3B)(a). (3D) An example of a case in which a controller may reasonably require further information is where the controller processes a large amount of information concerning the data subject.

, and

  • the applicable time period” means the period of one month beginning with the relevant time, subject to subsection (14A);

, and

(14A) The controller may, by giving notice to the data subject, extend the applicable time period by two further months where that is necessary by reason of— (a) the complexity of requests made by the data subject, or (b) the number of such requests. (14B) A notice under subsection (14A) must— (a) be given before the end of the period of one month beginning with the relevant time, and (b) state the reasons for the delay.

Information to be provided to data subjects

77

(5) Paragraph 3 does not apply to the extent that— (a) the controller intends to further process the personal data— (i) for (and only for) the purposes of scientific or historical research, the purposes of archiving in the public interest or statistical purposes, and (ii) in accordance with Article 84B, and (b) providing the information is impossible or would involve a disproportionate effort. (6) For the purposes of paragraph 5(b), whether providing the information would involve a disproportionate effort depends on, among other things, the number of data subjects, the age of the personal data and any appropriate safeguards applied to the processing. (7) A controller relying on paragraph 5 must take appropriate measures to protect the data subject’s rights, freedoms and legitimate interests, including by making the information available publicly.

(e) providing the information is impossible or would involve a disproportionate effort, or (f) the obligation referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of the processing for which the personal data are intended.

, and

(6) For the purposes of paragraph 5(e), whether providing the information would involve a disproportionate effort depends on, among other things, the number of data subjects, the age of the personal data and any appropriate safeguards applied to the processing. (7) A controller relying on paragraph 5(e) or (f) must take appropriate measures to protect the data subject’s rights, freedoms and legitimate interests, including by making the information available publicly.

Searches in response to data subjects’ requests

78

(1A) Under paragraph 1, the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information described in that paragraph.

, and

(2A) Under subsection (1), the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information described in that subsection.

(2A) Under subsection (1), the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information described in that subsection.

Data subjects’ rights to information: legal professional privilege exemption

79

.

(45A) (1) Sections 44(2) and 45(1) do not require the controller to give the data subject— (a) information in respect of which a claim to legal professional privilege or, in Scotland, confidentiality of communications could be maintained in legal proceedings, or (b) information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser. (2) A controller relying on the exemption in subsection (1) must inform the data subject in writing without undue delay of— (a) the decision to rely on the exemption, (b) the reason for the decision, (c) the data subject’s right to make a request to the Commissioner under section 51, (d) the data subject’s right to lodge a complaint with the Commissioner under section 165, and (e) the data subject’s right to apply to a court under section 167. (3) Subsection (2)(a) and (b) do not apply to the extent that complying with them would— (a) undermine a claim described in subsection (1)(a), or (b) conflict with a duty described in subsection (1)(b). (4) The controller must— (a) record the reason for a decision to rely on the exemption in subsection (1), and (b) if requested to do so by the Commissioner, make the record available to the Commissioner. (5) The reference in subsection (1) to sections 44(2) and 45(1) includes sections 35 to 40 so far as their provisions correspond to the rights and obligations provided for in sections 44(2) and 45(1).

(ba) relies on the exemption from sections 44(2) and 45(1) in section 45A (legal professional privilege),

,

(aa) where subsection (1)(ba) applies, request the Commissioner to check that the controller was entitled to rely on the exemption;

,

(aa) where subsection (1)(ba) applies, whether the Commissioner is satisfied that the controller was entitled to rely on the exemption;

, and

Automated decision-making

Automated decision-making

80

(Article 22A) (1) For the purposes of Articles 22B and 22C— (a) a decision is based solely on automated processing if there is no meaningful human involvement in the taking of the decision, and (b) a decision is a significant decision, in relation to a data subject, if— (i) it produces a legal effect for the data subject, or (ii) it has a similarly significant effect for the data subject. (2) When considering whether there is meaningful human involvement in the taking of a decision, a person must consider, among other things, the extent to which the decision is reached by means of profiling. (Article 22B) (1) A significant decision based entirely or partly on processing described in Article 9(1) (processing of special categories of personal data) may not be taken based solely on automated processing, unless one of the following conditions is met. (2) The first condition is that the decision is based entirely on processing of personal data to which the data subject has given explicit consent. (3) The second condition is that— (a) the decision is— (i) necessary for entering into, or performing, a contract between the data subject and a controller, or (ii) required or authorised by law, and (b) point (g) of Article 9(2) applies. (4) A significant decision may not be taken based solely on automated processing if the processing of personal data carried out by, or on behalf of, the decision-maker for the purposes of the decision is carried out entirely or partly in reliance on Article 6(1)(ea). (Article 22C) (1) Where a significant decision taken by or on behalf of a controller in relation to a data subject is— (a) based entirely or partly on personal data, and (b) based solely on automated processing, the controller must ensure that safeguards for the data subject’s rights, freedoms and legitimate interests are in place which comply with paragraph 2 and any regulations under Article 22D(3). (2) The safeguards must consist of or include measures which— (a) provide the data subject with information about decisions described in paragraph 1 taken in relation to the data subject; (b) enable the data subject to make representations about such decisions; (c) enable the data subject to obtain human intervention on the part of the controller in relation to such decisions; (d) enable the data subject to contest such decisions. (Article 22D) (1) The Secretary of State may by regulations provide that, for the purposes of Article 22A(1)(a), there is, or is not, to be taken to be meaningful human involvement in the taking of a decision in cases described in the regulations. (2) The Secretary of State may by regulations provide that, for the purposes of Article 22A(1)(b)(ii), a description of decision is, or is not, to be taken to have a similarly significant effect for the data subject. (3) The Secretary of State may by regulations make the following types of provision about the safeguards required under Article 22C(1)— (a) provision requiring the safeguards to include measures in addition to those described in Article 22C(2), (b) provision imposing requirements which supplement what Article 22C(2) requires the safeguards to consist of or include (including, for example, provision about how and when things described in Article 22C(2) must be done or be capable of being done), and (c) provision about measures which are not to be taken to satisfy one or more of points (a) to (d) of Article 22C(2). (4) Regulations under paragraph 3 may not amend Article 22C. (5) Regulations under this Article are subject to the affirmative resolution procedure.

(50A) (1) For the purposes of sections 50B and 50C— (a) a decision is based solely on automated processing if there is no meaningful human involvement in the taking of the decision, and (b) a decision is a significant decision, in relation to a data subject, if— (i) it produces an adverse legal effect for the data subject, or (ii) it has a similarly significant adverse effect for the data subject. (2) When considering whether there is meaningful human involvement in the taking of a decision, a person must consider, among other things, the extent to which the decision is reached by means of profiling. (50B) (1) A significant decision based entirely or partly on sensitive processing may not be taken based solely on automated processing, unless one of the following conditions is met. (2) The first condition is that the decision is based entirely on processing of personal data to which the data subject has given explicit consent. (3) The second condition is that the decision is required or authorised by law. (50C) (1) Subject to subsection (3), where a significant decision taken by or on behalf of a controller in relation to a data subject is— (a) based entirely or partly on personal data, and (b) based solely on automated processing, the controller must ensure that safeguards for the data subject’s rights, freedoms and legitimate interests are in place which comply with subsection (2) and any regulations under section 50D(4). (2) The safeguards must consist of or include measures which— (a) provide the data subject with information about decisions described in subsection (1) taken in relation to the data subject; (b) enable the data subject to make representations about such decisions; (c) enable the data subject to obtain human intervention on the part of the controller in relation to such decisions; (d) enable the data subject to contest such decisions. (3) Subsections (1) and (2) do not apply in relation to a significant decision if— (a) exemption from those provisions is required for a reason listed in subsection (4), (b) the controller reconsiders the decision as soon as reasonably practicable, and (c) there is meaningful human involvement in the reconsideration of the decision. (4) Those reasons are— (a) to avoid obstructing an official or legal inquiry, investigation or procedure; (b) to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties; (c) to protect public security; (d) to safeguard national security; (e) to protect the rights and freedoms of others. (5) When considering whether there is meaningful human involvement in the reconsideration of a decision, a person must consider, among other things, the extent to which the conclusion reached on reconsideration is reached by means of profiling. (50D) (1) The Secretary of State may by regulations provide that, for the purposes of sections 50A(1)(a) and 50C(3)(c), there is, or is not, to be taken to be meaningful human involvement in the taking or reconsideration of a decision in cases described in the regulations. (2) The Secretary of State may by regulations provide that, for the purposes of section 50A(1)(b)(ii), a description of decision is, or is not, to be taken to have a similarly significant adverse effect for the data subject. (3) Regulations under subsection (1) or (2) may amend section 50A. (4) The Secretary of State may by regulations make the following types of provision about the safeguards required under section 50C(1)— (a) provision requiring the safeguards to include measures in addition to those described in section 50C(2), (b) provision imposing requirements which supplement what section 50C(2) requires the safeguards to consist of or include (including, for example, provision about how and when things described in section 50C(2) must be done or be capable of being done), and (c) provision about measures which are not to be taken to satisfy one or more of paragraphs (a) to (d) of section 50C(2). (5) Regulations under this section are subject to the affirmative resolution procedure.

(4) For the purposes of this section and section 97, a decision is based on entirely automated processing if the decision-making process does not include an opportunity for a human being to accept, reject or influence the decision.

Obligations of controllers

Data protection by design: children’s higher protection matters

81

(1A) In the case of processing carried out in the course of providing information society services which are likely to be accessed by children, when assessing what are appropriate technical and organisational measures in accordance with paragraph 1, the controller must take into account the children’s higher protection matters. (1B) The children’s higher protection matters are— (a) how children can best be protected and supported when using the services, and (b) the fact that children— (i) merit specific protection with regard to their personal data because they may be less aware of the risks and consequences associated with processing of personal data and of their rights in relation to such processing, and (ii) have different needs at different ages and at different stages of development.

(4) Paragraphs 1A and 1B are not to be read as implying anything about the matters that may be relevant to the assessment of what are appropriate technical and organisational measures for the purposes of paragraph 1 in cases other than those described in paragraph 1A. (5) In this Article, “information society services” does not include preventive or counselling services.

Logging of law enforcement processing

Logging of law enforcement processing

82

In section 62 of the 2018 Act (logging of law enforcement processing)—

Codes of conduct

General processing and codes of conduct

83

In Article 41 of the UK GDPR (monitoring of approved codes of conduct)—

(4A) If the action taken by a body under paragraph 4 consists of suspending or excluding a controller or processor from the code, the body must inform the Commissioner, giving reasons for taking that action.

Law enforcement processing and codes of conduct

84

(e) makes provision about codes of conduct (see section 71A).

(4) Adherence to a code of conduct approved under section 71A may be used by a controller as a means of demonstrating compliance with the requirements of this Part.

(7A) Adherence to a code of conduct approved under section 71A may be used by a processor as a means of demonstrating sufficient guarantees as described in subsection (2).

(3) Adherence to a code of conduct approved under section 71A may be used by a controller or processor as a means of demonstrating compliance with subsection (1).

(71A) (1) The Commissioner must encourage expert public bodies to produce codes of conduct intended to contribute to compliance with this Part. (2) Under subsection (1), the Commissioner must, among other things, encourage the production of codes which take account of the specific features of the various processing sectors. (3) For the purposes of this section— (a) “public body” means a body or other person whose functions are, or include, functions of a public nature, and (b) a public body is “expert” if, in the Commissioner’s opinion, the body has the knowledge and experience needed to produce a code of conduct described in subsection (1). (4) A code of conduct described in subsection (1) may, for example, make provision with regard to— (a) lawful and fair processing; (b) the collection of personal data; (c) the information provided to the public and to data subjects; (d) the exercise of the rights of data subjects; (e) the measures and procedures referred to in sections 56, 57 and 62; (f) the notification of personal data breaches to the Commissioner and the communication of personal data breaches to data subjects; (g) the transfer of personal data to third countries or international organisations; (h) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing. (5) The Commissioner must encourage expert public bodies to submit codes of conduct described in subsection (1) to the Commissioner in draft. (6) Where an expert public body does so, the Commissioner must— (a) provide the body with an opinion on whether the code correctly reflects the requirements of this Part, (b) decide whether to approve the code, and (c) if the code is approved, register and publish the code. (7) Subsections (5) and (6) apply in relation to amendments of a code of conduct that is for the time being approved under this section as they apply in relation to a code.

International transfers of personal data

Transfers of personal data to third countries and international organisations

85

Safeguards for processing for research etc purposes

Safeguards for processing for research etc purposes

86

(Article 84A) (1) This Chapter makes provision about the processing of personal data— (a) for the purposes of scientific research or historical research, (b) for the purposes of archiving in the public interest, or (c) for statistical purposes. (2) Those purposes are referred to in this Chapter as “RAS purposes”. (Article 84B) (1) Personal data may only be processed for RAS purposes if— (a) the processing consists of the collection of the personal data (whether from the data subject or otherwise), (b) the processing is carried out in order to convert the personal data into information which can be processed in a manner which does not permit the identification of a data subject, or (c) without the processing, the RAS purposes cannot be fulfilled. (2) Processing of personal data for RAS purposes must be carried out subject to appropriate safeguards for the rights and freedoms of the data subject. (Article 84C) (1) This Article makes provision about when the requirement under Article 84B(2) for processing of personal data to be carried out subject to appropriate safeguards is satisfied. (2) The requirement is not satisfied if the processing is likely to cause substantial damage or substantial distress to a data subject to whom the personal data relates. (3) The requirement is not satisfied if the processing is carried out for the purposes of measures or decisions with respect to a particular data subject to whom the personal data relates, except where the purposes for which the processing is carried out include the purposes of approved medical research. (4) The requirement is only satisfied if the safeguards include technical and organisational measures for the purpose of ensuring respect for the principle of data minimisation (see Article 5(1)(c)), such as, for example, pseudonymisation. (5) In this Article— - “approved medical research” means medical research carried out by a person who has approval to carry out that research from—a research ethics committee recognised or established by the Health Research Authority under Chapter 2 of Part 3 of the Care Act 2014, ora body appointed by any of the following for the purpose of assessing the ethics of research involving individuals—the Secretary of State, the Scottish Ministers, the Welsh Ministers or a Northern Ireland department;a relevant NHS body;United Kingdom Research and Innovation or a body that is a Research Council for the purposes of the Science and Technology Act 1965;an institution that is a research institution for the purposes of Chapter 4A of Part 7 of the Income Tax (Earnings and Pensions) Act 2003 (see section 457 of that Act); - “relevant NHS body” means—an NHS trust or NHS foundation trust in England,an NHS trust or Local Health Board in Wales,a Health Board or Special Health Board constituted under section 2 of the National Health Service (Scotland) Act 1978,the Common Services Agency for the Scottish Health Service, orany of the health and social care bodies in Northern Ireland falling within paragraphs (b) to (e) of section 1(5) of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.)). (Article 84D) (1) The Secretary of State may by regulations make further provision about when the requirement for appropriate safeguards under Article 84B(2) is, or is not, satisfied. (2) Regulations under this Article may not amend or revoke Article 84C(2), (3) or (4) (but may change the meaning of “approved medical research” for the purposes of Article 84C). (3) Regulations under this Article are subject to the affirmative resolution procedure.

Section 86: consequential provision

87

(ba) Chapter 8A (safeguards for processing for research, archiving or statistical purposes);

,

National security

National security exemption

88

(ai) Article 77 (right to lodge a complaint with the Commissioner);

.

(78A) (1) A provision mentioned in subsection (2) does not apply to personal data processed for law enforcement purposes if exemption from the provision is required for the purposes of safeguarding national security. (2) The provisions are— (a) Chapter 2 of this Part (principles), except for the provisions listed in subsection (3); (b) Chapter 3 of this Part (rights of the data subject); (c) in Chapter 4 of this Part— (i) section 67 (notification of personal data breach to the Commissioner); (ii) section 68 (communication of personal data breach to the data subject); (d) Chapter 5 of this Part (transfers of personal data to third countries etc), except for the provisions listed in subsection (4); (e) in Part 5— (i) section 119 (inspection in accordance with international obligations); (ii) in Schedule 13 (other general functions of the Commissioner), paragraphs 1(1)(a) and (g) and 2; (f) in Part 6— (i) sections 142 to 154 and Schedule 15 (Commissioner’s notices and powers of entry and inspection); (ii) sections 170 to 173 (offences relating to personal data); (g) in Part 7, section 187 (representation of data subjects). (3) The provisions of Chapter 2 of this Part (principles) which are excepted from the list in subsection (2) are— (a) section 35(1) (the first data protection principle) so far as it requires processing of personal data to be lawful; (b) section 35(2) to (5) (lawfulness of processing and restrictions on sensitive processing); (c) section 42 (safeguards: sensitive processing); (d) Schedule 8 (conditions for sensitive processing). (4) The provisions of Chapter 5 of this Part (transfers of personal data to third countries etc) which are excepted from the list in subsection (2) are— (a) the following provisions of section 73— (i) subsection (1)(a) (conditions for transfer), so far as it relates to the condition in subsection (2) of that section, and subsection (2) (transfer must be necessary for a law enforcement purpose); (ii) subsections (1)(b), (5) and (6) (conditions for transfer of personal data originally made available by a member State); (b) section 78 (subsequent transfers).

(3A) Subject to subsection (5), a certificate signed by a Minister of the Crown certifying that exemption from all or any of the provisions listed in section 78A(2) is, or at any time was, required in relation to any personal data for the purposes of safeguarding national security is conclusive evidence of that fact.

,

(a) may identify the personal data to which it applies by means of a general description, and (b)

,

(ca) in Part 3 of this Act, section 78A, and

.

Intelligence services

Joint processing by intelligence services and competent authorities

89

(A1) This Part— (a) applies to processing of personal data by an intelligence service, and (b) applies to processing of personal data by a qualifying competent authority where the processing is the subject of a designation notice that is for the time being in force (see sections 82A to 82E).

,

(2A) In this Part— - “competent authority” has the same meaning as in Part 3; - “qualifying competent authority” means a competent authority specified or described in regulations made by the Secretary of State.

, and

(4) Regulations under this section are subject to the affirmative resolution procedure.

(82A) (1) For the purposes of this Part, the Secretary of State may give a notice designating processing of personal data by a qualifying competent authority (a “designation notice”) where— (a) an application for designation of the processing is made in accordance with this section, and (b) the Secretary of State considers that designation of the processing is required for the purposes of safeguarding national security. (2) The Secretary of State may only designate processing by a qualifying competent authority that is carried out by the authority as a joint controller with at least one intelligence service. (3) The Secretary of State may not designate processing by a qualifying competent authority that consists of the transfer of personal data to— (a) a country or territory outside the United Kingdom, or (b) an international organisation. (4) A designation notice must— (a) specify or describe the processing and qualifying competent authority that are designated, and (b) be given to the applicants for the designation (and see also section 82D). (5) An application for designation of processing of personal data by a qualifying competent authority must be made jointly by— (a) the qualifying competent authority, and (b) the intelligence service with which the processing is to be carried out. (6) An application may be made in respect of more than one qualifying competent authority and in respect of processing with more than one intelligence service. (7) The application must— (a) describe the processing, including the intended purposes and means of processing, and (b) explain why the applicants consider that designation is required for the purposes of safeguarding national security. (8) Before giving a designation notice, the Secretary of State must consult the Commissioner. (9) In this section, “joint controller”, in relation to processing of personal data, means a controller whose responsibilities for compliance with this Part in relation to the processing are determined in an arrangement under section 104. (82B) (1) A designation notice must state when it comes into force. (2) A designation notice ceases to be in force at the earliest of the following times— (a) at the end of the period of 5 years beginning when the notice comes into force; (b) (if relevant) at the end of a shorter period specified in the notice; (c) when the notice is withdrawn under section 82C. (3) The Secretary of State may give a further designation notice in respect of processing that is, or has been, the subject of a previous designation notice. (82C) (1) Subsections (2) to (4) apply where processing is the subject of a designation notice for the time being in force. (2) A person who applied for the designation of the processing must notify the Secretary of State without undue delay if the person considers that the designation is no longer required for the purposes of safeguarding national security. (3) A person who applied for the designation of the processing must, on a request from the Secretary of State, provide— (a) a description of the processing that is being, or is intended to be, carried out in reliance on the notice, and (b) an explanation of why the person considers that designation of the processing continues to be required for the purposes of safeguarding national security. (4) The Secretary of State must at least annually— (a) review each designation notice that is for the time being in force, and (b) consider whether designation of the processing which is the subject of the notice continues to be required for the purposes of safeguarding national security. (5) The Secretary of State— (a) may withdraw a designation notice by giving a further notice (a “withdrawal notice”) to the persons who applied for the designation, and (b) must give a withdrawal notice if the Secretary of State considers that designation of some or all of the processing to which the notice applies is no longer required for the purposes of safeguarding national security (whether as a result of a review required under subsection (4) or otherwise). (6) A withdrawal notice must— (a) withdraw the designation notice completely, and (b) state when it comes into force. (7) In determining when a withdrawal notice required under subsection (5)(b) comes into force, the Secretary of State must consider— (a) the desirability of the processing ceasing to be designated as soon as possible, and (b) where relevant, the time needed to effect an orderly transition to new arrangements for the processing of personal data. (82D) (1) Where the Secretary of State gives a designation notice— (a) the Secretary of State must send a copy of the notice to the Commissioner, and (b) the Commissioner must publish a record of the notice. (2) The record must contain— (a) the Secretary of State’s name, (b) the date on which the notice was given, (c) the date on which the notice ceases to have effect (if not previously withdrawn), and (d) subject to subsection (3), the rest of the text of the notice. (3) The Commissioner must not publish the text, or a part of the text, of the notice if— (a) the Secretary of State has determined that publishing the text or that part of the text— (i) would be against the interests of national security, (ii) would be contrary to the public interest, or (iii) might jeopardise the safety of any person, and (b) the Secretary of State has notified the Commissioner of that determination. (4) The Commissioner must keep the record of the notice available to the public while the notice is in force. (5) Where the Secretary of State gives a withdrawal notice, the Secretary of State must send a copy of the notice to the Commissioner. (82E) (1) A person directly affected by a designation notice may appeal to the Tribunal against the notice. (2) If, on an appeal under this section, the Tribunal finds that, applying the principles applied by a court on an application for judicial review, the Secretary of State did not have reasonable grounds for giving the notice, the Tribunal may— (a) allow the appeal, and (b) quash the notice.

Joint processing: consequential amendments

90

(1A) This Part does not apply to processing to which Part 4 applies by virtue of a designation notice (see section 82A).

(A1) For the purposes of this Part— (a) an intelligence service is the “controller” in relation to the processing of personal data if it satisfies subsection (1) alone or jointly with others, and (b) a qualifying competent authority is the “controller” in relation to the processing of personal data that is the subject of a designation notice that is for the time being in force if the authority satisfies subsection (1) jointly with others.

,

(2A) “Designation notice” has the meaning given in section 82A.

, and

(6B) “Withdrawal notice” has the meaning given in section 82C.

designation notice (in Part 4) section 84

;

qualifying competent authority (in Part 4) section 82

;

withdrawal notice (in Part 4) section 84

.

Information Commissioner’s role

Duties of the Commissioner in carrying out functions

91

(120A) It is the principal objective of the Commissioner, in carrying out functions under the data protection legislation— (a) to secure an appropriate level of protection for personal data, having regard to the interests of data subjects, controllers and others and matters of general public interest, and (b) to promote public trust and confidence in the processing of personal data. (120B) In carrying out functions under the data protection legislation, the Commissioner must have regard to such of the following as appear to the Commissioner to be relevant in the circumstances— (a) the desirability of promoting innovation; (b) the desirability of promoting competition; (c) the importance of the prevention, investigation, detection and prosecution of criminal offences; (d) the need to safeguard public security and national security; (e) the fact that children merit specific protection with regard to their personal data because they may be less aware of the risks and consequences associated with processing of personal data and of their rights in relation to such processing. (120C) (1) The Commissioner must prepare a strategy for carrying out the Commissioner’s functions under the data protection legislation in accordance with the Commissioner’s duties under— (a) sections 120A and 120B, (b) section 108 of the Deregulation Act 2015 (exercise of regulatory functions: economic growth), and (c) section 21 of the Legislative and Regulatory Reform Act 2006 (exercise of regulatory functions: principles). (2) The Commissioner must— (a) review the strategy from time to time, and (b) revise the strategy as appropriate. (3) The Commissioner must publish the strategy and any revised strategy. (120D) (1) The Commissioner must, at such times as the Commissioner considers appropriate, consult the persons mentioned in subsection (2) about how the manner in which the Commissioner exercises functions under the data protection legislation may affect economic growth, innovation and competition. (2) The persons are— (a) such persons exercising regulatory functions as the Commissioner considers appropriate; (b) such other persons as the Commissioner considers appropriate. (3) In this section, “regulatory function” has the meaning given by section 111 of the Deregulation Act 2015.

(1A) In connection with the Commissioner’s functions under the data protection legislation, the report must contain (among other things)— (a) a review of what the Commissioner has done during the reporting period to comply with the duties under— (i) sections 120A and 120B, (ii) section 108 of the Deregulation Act 2015, and (iii) section 21 of the Legislative and Regulatory Reform Act 2006, including a review of the operation of the strategy prepared and published under section 120C; (b) a review of what the Commissioner has done during the reporting period to comply with the duty under section 120D. (1B) In subsection (1A), “the reporting period” means the period to which the report relates.

Codes of practice for the processing of personal data

92

(124A) (1) The Commissioner must prepare appropriate codes of practice giving guidance as to good practice in the processing of personal data if required to do so by regulations made by the Secretary of State. (2) Regulations under this section— (a) must describe the personal data or processing to which the code of practice is to relate, and (b) may describe the persons or classes of person to whom it is to relate. (3) Where a code under this section is in force, the Commissioner may prepare amendments of the code or a replacement code. (4) Before preparing a code or amendments under this section, the Commissioner must consult the Secretary of State and such of the following as the Commissioner considers appropriate— (a) trade associations; (b) data subjects; (c) persons who appear to the Commissioner to represent the interests of data subjects. (5) A code under this section may include transitional provision or savings. (6) Regulations under this section are subject to the negative resolution procedure. (7) In this section— - “good practice in the processing of personal data” means such practice in the processing of personal data as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, including compliance with the requirements of the data protection legislation; - “trade association” includes a body representing controllers or processors.

(5) If the Commissioner is prevented by subsection (3) from issuing a code that is not a replacement code, the Commissioner must prepare another version of the code.

, and

Codes of practice: panels and impact assessments

93

In the 2018 Act, after section 124A (inserted by section 92 of this Act) insert—

(124B) (1) This section applies where a code is prepared under section 121, 122, 123, 124 or 124A, subject to subsection (11). (2) The Commissioner must establish a panel of individuals to consider the code. (3) The panel must consist of— (a) individuals the Commissioner considers have expertise in the subject matter of the code, and (b) individuals the Commissioner considers— (i) are likely to be affected by the code, or (ii) represent persons likely to be affected by the code. (4) Before the panel begins to consider the code, the Commissioner must— (a) publish the code in draft, and (b) publish a statement that— (i) states that a panel has been established to consider the code, (ii) identifies the members of the panel, (iii) explains the process by which they were selected, and (iv) explains the reasons for their selection. (5) Where at any time it appears to the Commissioner that a member of the panel is not willing or able to serve as a member of the panel, the Commissioner may select another individual to be a member of the panel. (6) Where the Commissioner selects an individual to be a member of the panel under subsection (5), the Commissioner must publish a statement that— (a) identifies the member of the panel, (b) explains the process by which the member was selected, and (c) explains the reasons for the member’s selection. (7) The Commissioner must make arrangements— (a) for the members of the panel to consider the code with one another (whether in person or otherwise), and (b) for the panel to prepare and submit to the Commissioner a report on the code within such reasonable period as is determined by the Commissioner. (8) If the panel submits to the Commissioner a report on the code within the period determined by the Commissioner, the Commissioner must as soon as reasonably practicable— (a) make any alterations to the code that the Commissioner considers appropriate in the light of the report, and (b) publish— (i) the code in draft, (ii) the report or a summary of it, and (iii) in a case where a recommendation in the report to alter the code has not been accepted by the Commissioner, an explanation of why it has not been accepted. (9) The Commissioner may pay remuneration and expenses to the members of the panel. (10) This section applies in relation to amendments prepared under section 121, 122, 123, 124 or 124A as it applies in relation to codes prepared under those sections, subject to subsection (11). (11) The Secretary of State may by regulations provide that this section does not apply, or applies with modifications, in the case of— (a) a code prepared under section 124A, or (b) an amendment of such a code, that is specified or described in the regulations. (12) Regulations under this section are subject to the negative resolution procedure. (124C) (1) Where a code is prepared under section 121, 122, 123, 124 or 124A, the Commissioner must carry out and publish an assessment of— (a) who would be likely to be affected by the code, and (b) the effect the code would be likely to have on them. (2) This section applies in relation to amendments prepared under section 121, 122, 123, 124 or 124A as it applies in relation to codes prepared under those sections.

Manifestly unfounded or excessive requests to the Commissioner

94

(A1) This section makes provision about cases in which a request made to the Commissioner, to which the Commissioner is required or authorised to respond under the data protection legislation, is manifestly unfounded or excessive.

,

(1A) In subsection (1)— (a) the reference in paragraph (a) to charging a reasonable fee is, in a case in which section 134 is relevant, a reference to doing so under that section, and (b) paragraph (b) is not to be read as implying anything about whether the Commissioner may refuse to act on requests that are neither manifestly unfounded nor excessive.

,

(5) Article 57(3) of the UK GDPR (performance of Commissioner’s tasks generally to be free of charge for data subject) has effect subject to this section.

Analysis of performance

95

In the 2018 Act, after section 139 insert—

(139A) (1) The Commissioner must prepare and publish an analysis of the Commissioner’s performance using key performance indicators. (2) The analysis must be prepared and published at least annually. (3) In this section, “key performance indicators” means factors by reference to which the Commissioner’s performance can be measured most effectively.

.

Notices from the Commissioner

96

(141A) (1) This section applies in relation to a notice authorised or required by this Act to be given to a person by the Commissioner. (2) The notice may be given to the person by— (a) delivering it by hand to a relevant individual, (b) leaving it at the person’s proper address, (c) sending it by post to the person at that address, or (d) sending it by email to the person’s email address. (3) A “relevant individual” means— (a) in the case of a notice to an individual, that individual; (b) in the case of a notice to a body corporate (other than a partnership), an officer of that body; (c) in the case of a notice to a partnership, a partner in the partnership or a person who has the control or management of the partnership business; (d) in the case of a notice to an unincorporated body (other than a partnership), a member of its governing body. (4) For the purposes of subsection (2)(b) and (c), and section 7 of the Interpretation Act 1978 (services of documents by post) in its application to those provisions, a person’s proper address is— (a) in a case where the person has specified an address as one at which the person, or someone acting on the person’s behalf, will accept service of notices or other documents, that address; (b) in any other case, the address determined in accordance with subsection (5). (5) The address is— (a) in a case where the person is a body corporate with a registered office in the United Kingdom, that office; (b) in a case where paragraph (a) does not apply and the person is a body corporate, partnership or unincorporated body with a principal office in the United Kingdom, that office; (c) in any other case, an address in the United Kingdom at which the Commissioner believes, on reasonable grounds, that the notice will come to the attention of the person. (6) A person’s email address is— (a) an email address published for the time being by that person as an address for contacting that person, or (b) if there is no such published address, an email address by means of which the Commissioner believes, on reasonable grounds, that the notice will come to the attention of that person. (7) A notice sent by email is treated as given 48 hours after it was sent, unless the contrary is proved. (8) In this section, “officer”, in relation to a body corporate, means a director, manager, secretary or other similar officer of the body. (9) This section does not limit other lawful means of giving a notice.

Enforcement

Power of the Commissioner to require documents

97

Power of the Commissioner to require a report

98

(j) make arrangements for an approved person to prepare a report on a specified matter; (k) provide to the Commissioner a report prepared in pursuance of such arrangements.

,

(3A) An assessment notice that requires a controller or processor to make arrangements for an approved person to prepare a report may require the arrangements to include specified terms as to— (a) the preparation of the report; (b) the contents of the report; (c) the form in which the report is to be provided; (d) the date by which the report is to be completed.

,

(11A) Where the Commissioner gives an assessment notice that requires the controller or processor to make arrangements for an approved person to prepare a report, the controller or processor is liable for the payment of the approved person’s remuneration and expenses under the arrangements.

, and

  • approved person”, in relation to a report, means a person approved to prepare the report in accordance with section 146A;

.

(146A) (1) This section applies where an assessment notice requires a controller or processor to make arrangements for an approved person to prepare a report. (2) The controller or processor must, within such period as is specified in the assessment notice, nominate to the Commissioner a person to prepare the report. (3) If the Commissioner is satisfied that the nominated person is a suitable person to prepare the report, the Commissioner must by written notice to the controller or processor approve the nominated person to prepare the report. (4) If the Commissioner is not satisfied that the nominated person is a suitable person to prepare the report, the Commissioner must by written notice to the controller or processor— (a) inform the controller or processor that the Commissioner has decided not to approve the nominated person to prepare the report, (b) inform the controller or processor of the reasons for that decision, and (c) approve a person who the Commissioner is satisfied is a suitable person to prepare the report to do so. (5) If the controller or processor does not nominate a person within the period specified in the assessment notice, the Commissioner must by written notice to the controller or processor approve a person who the Commissioner is satisfied is a suitable person to prepare the report to do so. (6) It is the duty of the controller or processor to give the person approved to prepare the report all such assistance as the person may reasonably require to prepare the report.

, or (c) has failed to comply with a duty imposed on the person by section 146A(6).

(aa) provision specifying factors to be considered in determining whether to give an assessment notice to a person that imposes a requirement of a sort mentioned in section 146(2)(j); (ab) provision about the factors the Commissioner may take into account when determining the suitability of a person to prepare a report of a sort mentioned in section 146(2)(j);

.

Assessment notices: removal of OFSTED restriction

99

In section 147 of the 2018 Act (assessment notices: restrictions), in subsection (6), omit paragraph (b) and the “or” before it.

Interview notices

100

(148A) (1) This section applies where the Commissioner suspects that a controller or processor— (a) has failed or is failing as described in section 149(2), or (b) has committed or is committing an offence under this Act. (2) For the purpose of investigating the suspected failure or offence, the Commissioner may, by written notice (an “interview notice”), require an individual within subsection (3) to— (a) attend at a place specified in the notice, and (b) answer questions with respect to any matter relevant to the investigation. (3) An individual is within this subsection if the individual— (a) is the controller or processor, (b) is or was at any time employed by, or otherwise working for, the controller or processor, or (c) is or was at any time concerned in the management or control of the controller or processor. (4) An interview notice must specify the time at which the individual must attend at the specified place and answer questions (but see the restrictions in subsections (6) and (7)). (5) An interview notice must— (a) indicate the nature of the suspected failure or offence that is the subject of the investigation, (b) provide information about the consequences of failure to comply with the notice, and (c) provide information about the rights under sections 162 and 164 (appeals etc). (6) An interview notice may not require an individual to attend at the specified place and answer questions before the end of the period within which an appeal can be brought against the notice. (7) If an appeal is brought against an interview notice, the individual to whom the notice is given need not attend at the specified place and answer questions pending the determination or withdrawal of the appeal. (8) If an interview notice— (a) states that, in the Commissioner’s opinion, it is necessary for the individual to attend at the specified place and answer questions urgently, and (b) gives the Commissioner’s reasons for reaching that opinion, subsections (6) and (7) do not apply but the notice must not require the individual to attend at the specified place and answer questions before the end of the period of 24 hours beginning when the notice is given. (9) The Commissioner may cancel or vary an interview notice by written notice to the individual to whom it was given. (148B) (1) An interview notice does not require an individual to answer questions to the extent that requiring the person to do so would involve an infringement of the privileges of either House of Parliament. (2) An interview notice does not require an individual to answer questions in respect of a communication which is made— (a) between a professional legal adviser and the adviser’s client, and (b) in connection with the giving of legal advice to the client with respect to obligations, liabilities or rights under the data protection legislation. (3) An interview notice does not require an individual to answer questions in respect of a communication which is made— (a) between a professional legal adviser and the adviser’s client or between such an adviser or client and another person, (b) in connection with or in contemplation of proceedings under or arising out of the data protection legislation, and (c) for the purposes of such proceedings. (4) In subsections (2) and (3), references to the client of a professional legal adviser include references to a person acting on behalf of the client. (5) An interview notice does not require an individual to answer questions if doing so would, by revealing evidence of the commission of an offence, expose the individual to proceedings for that offence. (6) The reference to an offence in subsection (5) does not include an offence under— (a) this Act; (b) section 5 of the Perjury Act 1911 (false statements made otherwise than on oath); (c) section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995 (false statements made otherwise than on oath); (d) Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714 (N.I. 19)) (false statutory declarations and other false unsworn statements). (7) A statement made by an individual in response to an interview notice may not be used in evidence against that individual on a prosecution for an offence under this Act (other than an offence under section 148C) unless in the proceedings— (a) in giving evidence the individual provides information inconsistent with the statement, and (b) evidence relating to the statement is adduced, or a question relating to it is asked, by that individual or on that individual’s behalf. (8) The Commissioner may not give an interview notice with respect to the processing of personal data for the special purposes. (9) The Commissioner may not give an interview notice to an individual for the purpose of investigating a suspected failure or offence if the controller or processor suspected of the failure or offence is a body specified in section 23(3) of the Freedom of Information Act 2000 (bodies dealing with security matters). (148C) It is an offence for an individual, in response to an interview notice— (a) to make a statement which the individual knows to be false in a material respect, or (b) recklessly to make a statement which is false in a material respect.

(ba) interview notices,

, and

(5A) In relation to interview notices, the guidance must include— (a) provision specifying factors to be considered in determining whether to give an interview notice to an individual; (b) provision about the circumstances in which the Commissioner would consider it appropriate to give an interview notice to an individual in reliance on section 148A(8) (urgent cases); (c) provision about the circumstances in which the Commissioner would consider it appropriate to vary the place or time specified in an interview notice at the request of the individual to whom the notice is given; (d) provision about the nature of interviews carried out in accordance with an interview notice; (e) provision about how the Commissioner will determine how to proceed if an individual does not comply with an interview notice.

(ba) an interview notice;

.

(ba) in relation to an interview notice, a statement under section 148A(8)(a),

.

interview notice (in Part 6) section 181

.

(3A) (1) Sub-paragraph (2) applies where the Commissioner gives an interview notice to an individual during a relevant period. (2) If the interview notice— (a) states that, in the Commissioner’s opinion, it is necessary for the individual to comply with a requirement in the notice for the purposes of the relevant review, and (b) gives the Commissioner’s reasons for reaching that opinion, subsections (6) and (7) of section 148A do not apply but the notice must not require the individual to comply with the requirement before the end of the period of 24 hours beginning when the notice is given. (3) During a relevant period, section 148B has effect as if for subsection (8) there were substituted— (8) The Commissioner may not give an individual an interview notice with respect to the processing of personal data for the special purposes unless a determination under section 174 with respect to the data or the processing has taken effect.

, and

Penalty notices

101

(A1) This paragraph applies where the Commissioner gives a notice of intent to a person. (A2) Within the period of 6 months beginning when the notice is given, or as soon as reasonably practicable thereafter, the Commission must give to the person— (a) a penalty notice, or (b) written notice that the Commissioner has decided not to give a penalty notice to the person.

,

(e) provision about the circumstances in which the Commissioner would consider it necessary to comply with the duty in paragraph 4(A2) of Schedule 16 after the period of 6 months mentioned in that paragraph.

Annual report on regulatory action

102

(2A) The report under this section may include the annual report under section 161A.

(161A) (1) The Commissioner must produce and publish an annual report containing the information described in subsections (2) to (5). (2) The report must include the following information about UK GDPR investigations— (a) the number of investigations begun, continued or completed by the Commissioner during the reporting period, (b) the different types of act and omission that were the subject matter of the investigations, (c) the enforcement powers exercised by the Commissioner in the reporting period in connection with the investigations, (d) the duration of investigations that ended in the reporting period, and (e) the different types of outcome in investigations that ended in that period. (3) The report must include information about the enforcement powers exercised by the Commissioner in the reporting period in connection with— (a) processing of personal data by a competent authority for any of the law enforcement purposes, and (b) processing of personal data to which Part 4 applies. (4) The information included in the report in accordance with subsections (2) and (3) must include information about— (a) the number of penalty notices given in the reporting period that were given more than 6 months after the notice of intent was given under paragraph 2 of Schedule 16, and (b) the reasons why that happened. (5) The report must include a review of how the Commissioner had regard to the guidance published under section 160 when exercising the Commissioner’s enforcement powers as described in subsections (2)(c) and (3). (6) In this section— - “enforcement powers” means the powers under—Article 58(1)(c) and (d) and (2)(a) and (b) of the UK GDPR,sections 142 to 159 of this Act,paragraph 2(a), (b) and (c) of Schedule 13 to this Act, andSchedules 15 and 16 to this Act; - “the law enforcement purposes” has the meaning given in section 31 of this Act; - “the reporting period” means the period to which the report relates; - “UK GDPR investigation” means an investigation required under Article 57(1)(h) of the UK GDPR (investigations on the application of the UK GDPR).

Complaints by data subjects

103

(164A) (1) A data subject may make a complaint to the controller if the data subject considers that, in connection with personal data relating to the data subject, there is an infringement of the UK GDPR or Part 3 of this Act. (2) A controller must facilitate the making of complaints under this section by taking steps such as providing a complaint form which can be completed electronically and by other means. (3) If a controller receives a complaint under this section, the controller must acknowledge receipt of the complaint within the period of 30 days beginning when the complaint is received. (4) If a controller receives a complaint under this section, the controller must without undue delay— (a) take appropriate steps to respond to the complaint, and (b) inform the complainant of the outcome of the complaint. (5) The reference in subsection (4)(a) to taking appropriate steps to respond to the complaint includes— (a) making enquiries into the subject matter of the complaint, to the extent appropriate, and (b) informing the complainant about progress on the complaint. (164B) (1) The Secretary of State may by regulations require a controller to notify the Commissioner of the number of complaints made to the controller under section 164A in periods specified or described in the regulations. (2) Regulations under this section may provide that a controller is required to make a notification to the Commissioner in respect of a period only in circumstances specified in the regulations. (3) Regulations under this section may include— (a) provision about a matter listed in subsection (4), or (b) provision conferring power on the Commissioner to determine those matters. (4) The matters are— (a) the form and manner in which a notification must be made, (b) the time at which, or period within which, a notification must be made, and (c) how the number of complaints made to a controller during a period is to be calculated. (5) Regulations under this section are subject to the negative resolution procedure.

Court procedure in connection with subject access requests

104

.

(180A) (1) This section applies where a court is required to determine whether a data subject is entitled to information by virtue of a right under— (a) Article 15 of the UK GDPR (right of access by the data subject); (b) Article 20 of the UK GDPR (right to data portability); (c) section 45 of this Act (law enforcement processing: right of access by the data subject); (d) section 94 of this Act (intelligence services processing: right of access by the data subject). (2) The court may require the controller to make available for inspection by the court so much of the information as is available to the controller. (3) But, unless and until the question in subsection (1) has been determined in the data subject’s favour, the court may not require the information to be disclosed to the data subject or the data subject’s representatives, whether by discovery (or, in Scotland, recovery) or otherwise. (4) Where the question in subsection (1) relates to a right under a provision listed in subsection (1)(a), (c) or (d), this section does not confer power on the court to require the controller to carry out a search for information that is more extensive than the reasonable and proportionate search required by that provision.

Consequential amendments to the EITSET Regulations

105

(ga) section 146A (assessment notices: approval of person to prepare report etc);

, and

(ia) section 148A (interview notices); (ib) section 148B (interview notices: restrictions); (ic) section 148C (false statements made in response to interview notices);

.

(b) subsection (2) has effect as if— (i) for “controller or processor” there were substituted “trust service provider”; (ii) paragraphs (h) and (i) were omitted;

,

(6A) Section 146A has effect as if for “controller or processor” (in each place) there were substituted “trust service provider”.

(7A) Section 148A has effect as if— (a) in subsection (1)— (i) for “controller or processor” there were substituted “trust service provider”; (ii) in paragraph (a), for “as described in section 149(2)” there were substituted “to comply with the eIDAS requirements”; (iii) in paragraph (b), for “this Act” there were substituted “section 144, 148 or 148C or paragraph 15 of Schedule 15”; (b) in subsection (3), for “controller or processor” (in each place) there were substituted “trust service provider”. (7B) (1) Section 148B has effect as if subsections (8) and (9) were omitted. (2) In that section— (a) subsections (2)(b) and (3)(b) have effect as if for “the data protection legislation” there were substituted “the eIDAS Regulation or the EITSET Regulations”; (b) subsection (6)(a) has effect as if for “this Act” there were substituted “section 144, 148 or 148C or paragraph 15 of Schedule 15”; (c) subsection (7) has effect as if for “this Act (other than an offence under section 148C)” there were substituted “section 144 or 148 or paragraph 15 of Schedule 15”.

Protection of prohibitions, restrictions and data subject’s rights

Protection of prohibitions, restrictions and data subject’s rights

106

(183A) (1) A relevant enactment or rule of law which imposes a duty, or confers a power, to process personal data does not override a requirement under the main data protection legislation relating to the processing of personal data. (2) Subsection (1) does not apply— (a) to a relevant enactment forming part of the main data protection legislation, or (b) to the extent that an enactment makes express provision to the contrary referring to this section or to the main data protection legislation (or a provision of that legislation). (3) Subsection (1) does not prevent a duty or power to process personal data from being taken into account for the purpose of determining whether it is possible to rely on an exception to a requirement under the main data protection legislation that is available where there is such a duty or power. (4) In this section— - “the main data protection legislation” means the data protection legislation other than provision of or made under—Chapter 6 or 8 of the UK GDPR, orParts 5 to 7 of this Act; - “relevant enactment” means an enactment so far as passed or made on or after the day on which section 106(2) of the Data (Use and Access) Act 2025 comes into force; - “requirement” includes a prohibition or restriction. (5) The reference in subsection (1) to an enactment or rule of law which imposes a duty, or confers a power, to process personal data is a reference to an enactment or rule of law which, directly or indirectly, requires or authorises the processing of personal data, including (for example)— (a) by authorising one person to require another person to process personal data, or (b) by removing restrictions on processing personal data, and the references in subsection (3) to a duty or power are to be read accordingly.

(183B) (1) This section is about the relationship between— (a) a pre-commencement enactment which imposes a duty, or confers a power, to process personal data, and (b) a provision of the main data protection legislation containing a requirement relating to the processing of personal data. (2) The relationship is not changed by section 5(A1) of the European Union (Withdrawal) Act 2018 (removal of the principle of supremacy of EU law) (or the repeal of section 5(1) to (3) of that Act). (3) Where the provision described in subsection (1)(b) is a provision of, or made under, the UK GDPR, section 5(A2) of the European Union (Withdrawal) Act 2018 (assimilated direct legislation subject to domestic enactments) does not apply to the relationship. (4) Nothing is to be implied about a relationship described in subsection (1) merely due to the fact that express provision with similar effect to section 183A(1) (or applying that provision) is made in connection with one such relationship but not another. (5) In this section— (a) “the main data protection legislation” and “requirement” have the same meaning as in section 183A, and (b) “pre-commencement enactment” means an enactment so far as passed or made before the day on which section 106(2) of the Data (Use and Access) Act 2025 comes into force. (6) Section 183A(5) applies for the purposes of subsection (1)(a) of this section as it applies for the purposes of section 183A(1).

(2A) Subsection (1) does not apply— (a) to an enactment contained in, or made under, a provision listed in subsection (2), (b) to an enactment contained in, or made under, a provision listed in subsection (3), (c) to the extent that an enactment makes express provision to the contrary referring to this section or to a provision listed in subsection (2), or (d) to the extent that subsection (1) is disapplied by section 186A(3).

, and

(186A) (1) This section is about the relationship between— (a) a pre-commencement enactment which prohibits or restricts the disclosure of information or authorises the withholding of information, and (b) a provision of the UK GDPR or this Act listed in section 186(2). (2) The relationship is not changed by section 5(A1) of the European Union (Withdrawal) Act 2018 (removal of the principle of supremacy of EU law) (or the repeal of section 5(1) to (3) of that Act). (3) Subsection (1) of section 186 does not apply to the relationship so far as there is a contrary intention, whether express or implied (taking account of, among other things, subsection (2) of this section). (4) Nothing is to be implied about a relationship described in subsection (1) merely due to the fact that express provision stating that section 186(1) applies (or with similar effect) is made in connection with one such relationship but not another. (5) In this section, “pre-commencement enactment” means an enactment so far as passed or made before the day on which section 106(4) of the Data (Use and Access) Act 2025 comes into force, other than an enactment contained in, or made under, a provision listed in section 186(2) or (3).

Miscellaneous

Regulations under the UK GDPR

107

(Article 91A) (1) This Article makes provision about regulations made by the Secretary of State under this Regulation (“UK GDPR regulations”). (2) Before making UK GDPR regulations, the Secretary of State must consult— (a) the Commissioner, and (b) such other persons as the Secretary of State considers appropriate. (3) Paragraph 2 does not apply to regulations made under Article 49 or 49A where the Secretary of State has made an urgency statement in respect of them. (4) UK GDPR regulations may— (a) make different provision for different purposes; (b) include consequential, supplementary, incidental, transitional, transitory or saving provision. (5) UK GDPR regulations are to be made by statutory instrument. (6) For the purposes of this Regulation, where regulations are subject to “the negative resolution procedure”, the statutory instrument containing the regulations is subject to annulment in pursuance of a resolution of either House of Parliament. (7) For the purposes of this Regulation, where regulations are subject to “the affirmative resolution procedure”, the regulations may not be made unless a draft of the statutory instrument containing them has been laid before Parliament and approved by a resolution of each House of Parliament. (8) For the purposes of this Regulation, where regulations are subject to “the made affirmative resolution procedure”— (a) the statutory instrument containing the regulations must be laid before Parliament after being made, together with the urgency statement in respect of them, and (b) the regulations cease to have effect at the end of the period of 120 days beginning with the day on which the instrument is made, unless within that period the instrument is approved by a resolution of each House of Parliament. (9) In calculating the period of 120 days, no account is to be taken of any whole days that fall within a period during which— (a) Parliament is dissolved or prorogued, or (b) both Houses of Parliament are adjourned for more than 4 days. (10) Where regulations cease to have effect as a result of paragraph 8, that does not— (a) affect anything previously done under the regulations, or (b) prevent the making of new regulations. (11) Any provision that may be included in UK GDPR regulations subject to the negative resolution procedure may be made by regulations made under this Regulation or another enactment that are subject to the affirmative resolution procedure or the made affirmative resolution procedure. (12) A requirement under this Article to consult may be satisfied by consultation before, as well as by consultation after, the provision conferring the power to make regulations comes into force. (13) In this Article, “urgency statement”, in relation to regulations, means a reasoned statement that the Secretary of State considers it desirable for the regulations to come into force without delay.

Further minor provision about data protection

108

Schedule 11 contains further minor provision about data protection.

Chapter 2 — Privacy and electronic communications

The PEC Regulations

109

In this Chapter, “the PEC Regulations” means the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426).

Interpretation of the PEC Regulations

110
  • direct marketing” means the communication (by whatever means) of advertising or marketing material which is directed to particular individuals;

.

(1A) In the application of these Regulations in relation to— (a) information that is sent but not received, (b) a communication that is transmitted but not received, (c) an electronic mail that is sent but not received, or (d) an unsuccessful attempt to make a call, a reference to the recipient of the information, communication, electronic mail or call is to be read as a reference to the intended recipient.

(5) References in these Regulations to a period expressed in hours, days, weeks, months or years are to be interpreted in accordance with Article 3 of the Periods of Time Regulation, except that Article 3(4) of that Regulation does not apply to the interpretation of a reference to a period in regulation 16A. (6) In paragraph (5), “the Periods of Time Regulation” means Regulation (EEC, Euratom) No. 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits.

Duty to notify the Commissioner of personal data breach: time periods

111

(3A) Where notification under paragraph (2) is not made within 72 hours, it must be accompanied by reasons for the delay.

This paragraph is to be interpreted in accordance with Article 3 of Regulation (EEC, Euratom) No. 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits.

, and

(3) To the extent that the information set out in Annex 1 is not available to be included in the notification, it may be provided in phases without undue further delay.

Storing information in the terminal equipment of a subscriber or user

112

(6) (1) Subject to Schedule A1, a person must not store information, or gain access to information stored, in the terminal equipment of a subscriber or user. (2) In paragraph (1) and Schedule A1— (a) a reference (however expressed) to storing information, or gaining access to information stored, in the terminal equipment of a subscriber or user includes a reference to instigating the storage or access, and (b) except as otherwise provided, a reference (however expressed) to gaining access to information stored in the terminal equipment of a subscriber or user includes a reference to collecting or monitoring information automatically emitted by the terminal equipment.

(6A) (1) The Secretary of State may by regulations made by statutory instrument— (a) amend these Regulations— (i) by adding an exception to the prohibition in regulation 6(1), or (ii) by omitting or varying an exception to that prohibition, and (b) make consequential, supplementary, incidental, transitional, transitory or saving provision, including provision amending these Regulations. (2) Regulations under paragraph (1) may make different provision for different purposes. (3) Before making regulations under paragraph (1), the Secretary of State must consult— (a) the Information Commissioner, and (b) such other persons as the Secretary of State considers appropriate. (4) A statutory instrument containing regulations under paragraph (1) may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament.

Emergency alerts: interpretation of time periods

113

In regulation 16A of the PEC Regulations (emergency alerts), in paragraph (6), for the words from “7 days” to “paragraph (3)(b)” substitute “the period of 7 days beginning with the day on which the time period specified by the relevant public authority pursuant to paragraph (3)(b) expires”.

Use of electronic mail for direct marketing by charities

114

(3A) A charity may send or instigate the sending of electronic mail for the purposes of direct marketing where— (a) the sole purpose of the direct marketing is to further one or more of the charity’s charitable purposes; (b) the charity obtained the contact details of the recipient of the electronic mail in the course of the recipient— (i) expressing an interest in one or more of the purposes that were the charity’s charitable purposes at that time; or (ii) offering or providing support to further one or more of those purposes; and (c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of their contact details for the purposes of direct marketing by the charity, at the time that the details were initially collected, and, where the recipient did not initially refuse the use of the details, at the time of each subsequent communication.

(5) In this regulation, “charity” means— (a) a charity as defined in section 1(1) of the Charities Act 2011, (b) a charity as defined in section 1(1) of the Charities Act (Northern Ireland) 2008 (c. 12 (N.I.)), including an institution treated as such a charity for the purposes of that Act by virtue of the Charities Act 2008 (Transitional Provision) Order (Northern Ireland) 2013 (S.R. (N.I.) 2013 No. 211), and (c) a body entered in the Scottish Charity Register, other than a body which no longer meets the charity test in section 7 of the Charities and Trustee Investment (Scotland) Act 2005 (asp 10), and, in relation to such a charity, institution or body, “charitable purpose” has the meaning given in the relevant Act.

Commissioner’s enforcement powers

115

(12) In Northern Ireland, the penalty is recoverable— (a) if a county court so orders, as if it were payable under an order of that court; (b) if the High Court so orders, as if it were payable under an order of that court. (13) The Secretary of State may by regulations made by statutory instrument amend this regulation so as to substitute a different amount for the amount for the time being specified in paragraph (2) or (5). (14) Regulations under paragraph (13) may make transitional provision. (15) Before making regulations under paragraph (13), the Secretary of State must consult— (a) the Information Commissioner, and (b) such other persons as the Secretary of State considers appropriate. (16) A statutory instrument containing regulations under this regulation may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament.

(31) (1) Schedule 1 provides for certain provisions of Parts 5 to 7 of the Data Protection Act 2018 to apply with modifications for the purposes of enforcing these Regulations. (2) In regulations 32 and 33, “enforcement functions” means the functions of the Information Commissioner under those provisions, as applied by that Schedule.

Codes of conduct

116

(32A) (1) The Commissioner must encourage representative bodies to produce codes of conduct intended to contribute to compliance with these Regulations. (2) Under paragraph (1), the Commissioner must encourage representative bodies to produce codes which take account of, among other things, the specific features of different sectors. (3) A code of conduct described in paragraph (1) may, for example, make provision with regard to— (a) rights and obligations under these Regulations; (b) out-of-court proceedings and other dispute resolution procedures for resolving disputes arising in connection with these Regulations. (4) The Commissioner must encourage representative bodies to submit codes of conduct described in paragraph (1) to the Commissioner in draft. (5) Where a representative body does so, the Commissioner must— (a) provide the representative body with an opinion on whether the code correctly reflects the requirements of these Regulations, (b) decide whether to approve the code, and (c) if the code is approved, register and publish the code. (6) The Commissioner may only approve a code if, among other things— (a) the code contains a mechanism for monitoring whether persons who undertake to apply the code comply with its provisions, and (b) in relation to persons other than public bodies, the mechanism involves monitoring by a body which is accredited for that purpose by the Commissioner under regulation 32B. (7) In relation to amendments of a code of conduct that is for the time being approved under this regulation— (a) paragraphs (4) and (5) apply as they apply in relation to a code, and (b) the requirements in paragraph (6) must be satisfied by the code as amended. (8) A code of conduct described in paragraph (1) may be contained in the same document as a code of conduct described in Article 40 of the UK GDPR (and a provision contained in such a document may be a provision of both codes). (9) In this regulation— - “public body” has the meaning given in section 7 of the Data Protection Act 2018 (for the purposes of the UK GDPR); - “representative body” means an association or other body representing categories of—communications providers, orother persons engaged in activities regulated by these Regulations; - “the UK GDPR” has the meaning given in section 3(10) of the Data Protection Act 2018. (32B) (1) The Commissioner may, in accordance with this regulation, accredit a body for the purpose of monitoring whether persons other than public bodies comply with a code of conduct described in regulation 32A(1). (2) The Commissioner may accredit a body only where the Commissioner is satisfied that the body has— (a) demonstrated its independence, (b) demonstrated that it has an appropriate level of expertise in relation to the subject matter of the code, (c) established procedures which allow it— (i) to assess a person’s eligibility to apply the code, (ii) to monitor compliance with the code, and (iii) to review the operation of the code periodically, (d) established procedures and structures to handle complaints about infringements of the code or about the manner in which the code has been, or is being, implemented by a person, (e) made arrangements to publish information about the procedures and structures described in sub-paragraph (d), and (f) demonstrated that it does not have a conflict of interest. (3) The Commissioner must prepare and publish guidance about how the Commissioner proposes to take decisions about accreditation under this regulation. (4) A body accredited under this regulation in relation to a code must take appropriate action where a person infringes the code. (5) If the action taken by a body under paragraph (4) consists of suspending or excluding a person from the code, the body must inform the Commissioner, giving reasons for taking that action. (6) The Commissioner must revoke the accreditation of a body under this regulation if the Commissioner considers that the body— (a) no longer meets the requirements for accreditation, or (b) has failed, or is failing, to comply with paragraph (4) or (5). (7) In this regulation, “public body” has the same meaning as in regulation 32A. (32C) Adherence to a code of conduct approved under regulation 32A may be used by a person as a means of demonstrating compliance with these Regulations.

where the request is made in connection with— (a) the Commissioner’s enforcement functions, or (b) the Commissioner’s functions under regulation 32A or 32B (codes of conduct).

Part 6 — The Information Commission

The Information Commission

117

(114A) (1) A body corporate called the Information Commission is established. (2) Schedule 12A makes further provision about the Commission.

(8A) “The Commission” means the Information Commission (see section 114A).

(la) paragraph 22(6) of Schedule 12A;

.

the Commission section 3

.

Abolition of the office of Information Commissioner

118

Transfer of functions to the Information Commission

119

Transfer of property etc to the Information Commission

120

Part 7 — Other provision about use of, or access to, data

Information standards for health and social care

Information standards for health and adult social care in England

121

Schedule 15 makes provision about information standards for health and adult social care in England (under Part 9 of the Health and Social Care Act 2012) and information technology.

Smart meter communication services

Grant of smart meter communication licences

122

Schedule 16 makes provision in connection with the grant of smart meter communication licences.

Information to improve public service delivery

Disclosure of information to improve public service delivery to undertakings

123

, or (b) the assisting of undertakings in connection with any trade, business or charitable purpose.

(13) In this section “undertaking” means— (a) any person, other than a public authority, carrying on a trade or business, whether or not with a view to profit, or (b) any body, or the trustees of a trust, established for charitable purposes only. (14) In this section, in so far as it forms part of the law of Scotland or Northern Ireland, “charitable purpose” has the same meaning as it has in the law of England and Wales (see section 2 of the Charities Act 2011).

Retention of information by providers of internet services

Retention of information by providers of internet services in connection with death of child

124

(8A) The power to give a notice conferred by subsection (1) does not include power to require processing of personal data that would contravene the data protection legislation (but in determining whether processing of personal data would do so, the duty imposed by the notice is to be taken into account).

(A1) Subsection (C1) applies if a senior coroner (in England and Wales), a procurator fiscal (in Scotland) or a coroner (in Northern Ireland) (“the investigating authority”)— (a) notifies OFCOM that they are conducting an investigation in connection with the death of a child, and (b) provides OFCOM with the details in subsection (B1). (B1) The details are— (a) the name of the child who has died, (b) the child’s date of birth, (c) any email addresses used by the child (so far as the investigating authority knows), and (d) if any regulated service has been brought to the attention of the investigating authority as being of interest in connection with the child’s death, the name of the service. (C1) Where this subsection applies, OFCOM— (a) must give a notice to the provider of a service within subsection (E1) requiring the provider to ensure the retention of information relating to the use of the service by the child who has died, and (b) may give a notice to any other relevant person requiring the person to ensure the retention of information relating to the use of a service within subsection (E1) by that child. (D1) The references in subsection (C1) to ensuring the retention of information relating to the child’s use of a service include taking all reasonable steps, without delay, to prevent the deletion of such information by the routine operation of systems or processes. (E1) A service is within this subsection if it is— (a) a regulated service of a kind described in regulations made by the Secretary of State, or (b) a regulated service notified to OFCOM by the investigating authority as described in subsection (B1)(d). (F1) A notice under subsection (C1) may require information described in that subsection to be retained only if it is information— (a) of a kind which OFCOM have power to require under a notice under subsection (1) (see, in particular, subsection (2)(a) to (d)), or (b) which a person might need to retain to enable the person to provide information in response to a notice under subsection (1) (if such a notice were given). (G1) OFCOM must share with the investigating authority any information they receive in response to requirements mentioned in section 102(5A)(d) that are included in a notice under subsection (C1).

;

(5A) The powers to give a notice conferred by this section do not include power to require processing of personal data that would contravene the data protection legislation (but in determining whether processing of personal data would do so, the duty imposed by the notice is to be taken into account).

(ca) specify when the information must be provided (which may be on or by a specified date, within a specified period, or at specified intervals), and

;

(5A) An information notice under section 101(C1) must— (a) specify or describe the information to be retained, (b) specify why OFCOM require the information to be retained, (c) require the information to be retained for the period of one year beginning with the date of the notice, (d) require the person to whom the notice is given— (i) if the child to whom the notice relates used the service in question, to notify OFCOM by a specified date of steps taken to ensure the retention of information; (ii) if the child did not use the service, or the person does not hold any information of the kind required, to notify OFCOM of that fact by a specified date, and (e) contain information about the consequences of not complying with the notice. (5B) If OFCOM give an information notice to a person under section 101(C1), they may, in response to information received from the investigating authority, extend the period for which the person is required to retain information by a maximum period of six months. (5C) The power conferred by subsection (5B) is exercisable— (a) by giving the person a notice varying the notice under section 101(C1) and stating the further period for which information must be retained and the reason for the extension; (b) any number of times.

;

(9A) OFCOM must cancel an information notice under section 101(C1) by notice to the person to whom it was given if advised by the investigating authority that the information in question no longer needs to be retained.

;

  • the investigating authority” has the same meaning as in section 101;

.

(6A) A person who is given an information notice under section 101(C1) commits an offence if— (a) the person deletes or alters, or causes or permits the deletion or alteration of, any information required by the notice to be retained, and (b) the person’s intention was to prevent the information being available, or (as the case may be) to prevent it being available in unaltered form, for the purposes of any official investigation into the death of the child to whom the notice relates. (6B) For the purposes of subsection (6A) information has been deleted if it is irrecoverable (however that occurred).

(6A) An individual named as a senior manager of an entity commits an offence if— (a) the entity commits an offence under section 109(6A) (deletion etc of information), and (b) the individual has failed to take all reasonable steps to prevent that offence being committed.

;

(ca) regulations under section 101(E1)(a),

.

  • the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3(9) of that Act);

;

the data protection legislation section 236

.

Information for research about online safety matters

Information for research about online safety matters

125

(154A) (1) The Secretary of State may by regulations require providers of regulated services to provide information for purposes related to the carrying out of independent research into online safety matters. (2) Regulations under this section may (for example) provide for— (a) the making of applications by persons seeking information; (b) the procedure to be followed in the making and determination of applications; (c) the grounds on which applications are to be determined; (d) the imposition of requirements described in subsection (1) to be effected by means of notices given to providers of regulated services (“researcher access notices”); (e) the contents of researcher access notices; (f) the procedure to be followed in the giving of researcher access notices; (g) the form in which, and the means by which, information is to be provided; (h) the safeguards to be applied in respect of the handling of information; (i) the charging of fees payable by applicants for information under the regulations and by providers of regulated services; (j) the enforcement of requirements imposed by the regulations; (k) appeals in respect of decisions taken under the regulations. (3) Provision about enforcement under subsection (2)(j) may include provision— (a) about investigations (including the making of reports); (b) conferring powers of entry, inspection and audit; (c) imposing monetary penalties; (d) creating offences, but such provision may not impose a penalty for an offence that is greater than a penalty of any of the descriptions mentioned in section 113. (4) Regulations under this section— (a) may authorise or require anything that is to be done under, or for the purposes of, the regulations to be done by an appropriate person; (b) may confer a discretion on an appropriate person for the purposes of provision under paragraph (a); (c) may apply (with or without modifications) other provisions of this Act. (5) Regulations under this section may apply generally or only in relation to specified descriptions of— (a) regulated services; (b) persons carrying out independent research; (c) research into online safety matters or the purposes of such research; (d) information, and provision made by virtue of section 224(1) in connection with this section may, in particular, make different provision for different descriptions of services, researchers, research or information. (6) Regulations under this section may not require— (a) processing of personal data that would contravene the data protection legislation (but in determining whether processing of personal data would do so, the duty imposed under the regulations to provide information is to be taken into account); (b) provision of information in respect of which a claim to legal professional privilege, or (in Scotland) to confidentiality of communications, could be maintained in legal proceedings. (7) Before making regulations under this section the Secretary of State must consult— (a) OFCOM, (b) the Information Commissioner, (c) persons who appear to the Secretary of State to represent providers of regulated services, (d) persons who appear to the Secretary of State to represent the interests of persons carrying out independent research into online safety matters, and (e) such other persons as the Secretary of State considers appropriate. (8) For the purposes of this section— (a) “independent research” is research carried out other than on behalf of a provider of a regulated service; (b) references to an “appropriate person” are references to— (i) OFCOM, or (ii) such other person as the Secretary of State considers appropriate to carry out functions under regulations made under this section (and the regulations may include provision establishing a body for this purpose).

(8) A statutory instrument containing (whether alone or with other provision) the first regulations under the following provisions may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament— (a) section 154A(1); (b) paragraph 1(1) of Schedule 11. (9) Any other statutory instrument containing regulations under a provision mentioned in subsection (8) is subject to annulment in pursuance of a resolution of either House of Parliament.

Retention of biometric data

Retention of biometric data and recordable offences

126
  • recordable-equivalent offence” means an offence under the law of a country or territory outside England and Wales and Northern Ireland where the act constituting the offence would constitute a recordable offence if done in England and Wales or Northern Ireland (whether or not the act constituted such an offence when the person was convicted);

.

(5A) For the purposes of section 18A, a person is to be treated as having been convicted of an offence in a country or territory outside England and Wales and Northern Ireland if, in respect of such an offence, a court exercising jurisdiction under the law of that country or territory has made a finding equivalent to— (a) a finding that the person is not guilty by reason of insanity, or (b) a finding that the person is under a disability and did the act charged against the person in respect of the offence.

— (i)

, and

or (ii) in a country or territory outside England and Wales and Northern Ireland, of a recordable-equivalent offence,

.

(7A) In subsection (6), “qualifying-equivalent offence” means an offence under the law of a country or territory outside England and Wales and Northern Ireland where the act constituting the offence would constitute a qualifying offence if done in England and Wales or Northern Ireland (whether or not the act constituted such an offence when the person was convicted).

Retention of pseudonymised biometric data

127

(7) Section 18 material which is not a DNA sample may be retained indefinitely by a law enforcement authority if— (a) the authority obtains or acquires the material directly or indirectly from an overseas law enforcement authority, (b) the authority obtains or acquires the material in a form which includes information which identifies the person to whom the material relates, (c) as soon as reasonably practicable after obtaining or acquiring the material, the authority takes the steps necessary for it to hold the material in a pseudonymised form, and (d) having taken those steps, the law enforcement authority continues to hold the material in a pseudonymised form. (8) In a case where section 18 material is being retained by a law enforcement authority under subsection (7), if— (a) the law enforcement authority ceases to hold the material in a pseudonymised form, and (b) the material relates to a person who has no previous convictions or only one exempt conviction, the material may be retained by the law enforcement authority until the end of the retention period specified in subsection (9). (9) The retention period is the period of 3 years beginning with the date on which the law enforcement authority first ceases to hold the material in a pseudonymised form.

(d) an overseas law enforcement authority;

, and

  • overseas law enforcement authority” means a person formed or existing under the law of a country or territory outside the United Kingdom so far as exercising functions which—correspond to those of a police force, orotherwise involve the investigation or prosecution of offences;

.

Retention of biometric data from INTERPOL

128

(18AA) (1) This section applies to section 18 material which is not a DNA sample where the law enforcement authority obtained or acquired the material as part of a request for assistance, or a notification of a threat, sent to the United Kingdom via INTERPOL’s systems. (2) The law enforcement authority may retain the material until the National Central Bureau informs the authority that the request or notification has been cancelled or withdrawn. (3) If the law enforcement authority is the National Central Bureau, it may retain the material until it becomes aware that the request or notification has been cancelled or withdrawn. (4) In this section— - “INTERPOL” means the organisation called the International Criminal Police Organization - INTERPOL; - “the National Central Bureau” means the body appointed for the time being in accordance with INTERPOL’s constitution to serve as the United Kingdom’s National Central Bureau. (5) The reference in subsection (1) to material obtained or acquired as part of a request or notification includes material obtained or acquired as part of a communication, sent to the United Kingdom via INTERPOL’s systems, correcting, updating or otherwise supplementing the request or notification. (18AB) (1) The Secretary of State may by regulations amend section 18AA to make such changes as the Secretary of State considers appropriate in consequence of— (a) changes to the name of the organisation which, when section 18AA was enacted, was called the International Criminal Police Organization - INTERPOL (“the organisation”), (b) changes to arrangements made by the organisation which involve fingerprints or DNA profiles being provided to members of the organisation (whether changes to existing arrangements or changes putting in place new arrangements), or (c) changes to the organisation’s arrangements for liaison between the organisation and its members or between its members. (2) Regulations under this section are subject to affirmative resolution procedure.

Trust services

The eIDAS Regulation

129

In sections 130 to 134, “the eIDAS Regulation” means Regulation (EU) No. 910/2014 of the European Parliament and the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market.

Recognition of EU conformity assessment bodies

130

In Chapter 3 of the eIDAS Regulation (trust services), after Article 24A insert—

(Article 24B) For the purposes of Articles 20(1), 21 and 24(1)(d), a body is to be treated as if it were a conformity assessment body in relation to a description of trust services provider (and trust service) if it is a conformity assessment body in relation to that description of provider (and service) for the purposes of the equivalent EU law.

Removal of recognition of EU standards etc

131

Recognition of overseas trust products

132

(Article 45A) (1) The Secretary of State may by regulations provide that, for the purposes of Articles 25(2), 35(2), 41(2) and 43(2), an overseas trust product of a specified description is to be treated as qualified. (2) In this Article— - “overseas”, in relation to a trust product, means provided by a person established in a country or territory outside the United Kingdom; - “specified” means specified by regulations under this Article; - “trust product” means an electronic signature, an electronic seal, an electronic time stamp or an electronic registered delivery service. (3) The Secretary of State may not make regulations under this Article specifying a description of overseas trust product unless satisfied that the reliability of such a product is at least equivalent to the reliability of a comparable trust product that is qualified. (4) When making regulations under this Article in relation to a description of overseas trust product, the Secretary of State must have regard to (among other things) the law in the other country or territory relevant to that description of product and related trust services. (Article 45B) (1) The Secretary of State may by regulations provide that an overseas electronic signature of a specified description is to be treated— (a) for the purposes of Article 27(1), as an advanced electronic signature that complies with the Implementing Decision; (b) for the purposes of Article 27(2), as an advanced electronic signature based on a qualified certificate for electronic signature, or a qualified signature, that complies with the Implementing Decision. (2) The Secretary of State may by regulations provide that an overseas electronic seal of a specified description is to be treated— (a) for the purposes of Article 37(1), as an advanced electronic seal that complies with the Implementing Decision; (b) for the purposes of Article 37(2), as an advanced electronic seal based on a qualified certificate for electronic seal, or a qualified seal, that complies with the Implementing Decision. (3) In this Article— - “the Implementing Decision” means Commission Implementing Decision (EU) 2015/1506 laying down specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies; - “overseas”, in relation to an electronic signature or electronic seal, means provided by a person established in a country or territory outside the United Kingdom; - “specified” means specified by regulations made under this Article. (4) The Secretary of State may not make regulations under point (a) or (b) of paragraph 1 or point (a) or (b) of paragraph 2 specifying a description of overseas electronic signature or overseas electronic seal unless satisfied that the reliability of such a signature or seal is at least equivalent to the reliability of a signature or seal described in that point. (5) When making regulations under this Article in relation to a description of overseas electronic signature or overseas electronic seal, the Secretary of State must have regard to (among other things) the law in the other country or territory relevant to that description of signature or seal and related trust services. (Article 45C) (1) Before making regulations under Article 45A or 45B, the Secretary of State must consult the supervisory body. (2) Regulations under Article 45A or 45B— (a) may describe something by (among other things) describing something that meets a condition specified in the regulations or is provided by a person who meets such a condition, and (b) may include a condition referring to (among other things) the law of the other country or territory or a standard or other document, including the law, standard or other document as amended from time to time. (3) Regulations under Article 45A or 45B may— (a) make different provision for different purposes, including for the purposes of different provisions of this Regulation, and (b) include transitional or transitory provision or savings. (4) Regulations under Article 45A or 45B are to be made by statutory instrument. (5) A statutory instrument containing regulations under Article 45A or 45B is subject to annulment in pursuance of either House of Parliament.

Co-operation between supervisory authority and overseas authorities

133

(3) In this Article— - “designated” means designated by regulations made by the Secretary of State that are in force; - “overseas authority” means a person, or description of person, with functions relating to the regulation or supervision of trust services outside the United Kingdom. (4) Before making regulations under this Article, the Secretary of State must consult the supervisory body. (5) Regulations under this Article may include transitional or transitory provision or savings. (6) Regulations under this Article are to be made by statutory instrument. (7) A statutory instrument containing regulations under this Article is subject to annulment in pursuance of either House of Parliament.

Time periods: the eIDAS Regulation and the EITSET Regulations

134

(Article 3A) References in this Regulation to a period expressed in hours, days, months or years are to be interpreted in accordance with Article 3 of Regulation (EEC, Euratom) No. 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits.

(3) References in these regulations to a period expressed in days or years are to be interpreted in accordance with Article 3 of Regulation (EEC, Euratom) No. 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits.

Copyright works and artificial intelligence systems

Economic impact assessment

135

including the impact on copyright owners, developers and users who are individuals, micro businesses, small businesses or medium-sized businesses.

Report on the use of copyright works in the development of AI systems

136

including enforcement by a regulator.

including the likely effect on copyright owners, developers and users who are individuals, micro businesses, small businesses or medium-sized businesses.

Progress statement

137

Purported intimate images

Creating, or requesting the creation of, purported intimate image of adult

138

(66E) (1) A person (A) commits an offence if— (a) A intentionally creates a purported intimate image of another person (B), (b) B does not consent to the creation of the purported intimate image, and (c) A does not reasonably believe that B consents. (2) “Purported intimate image” of a person means an image which— (a) appears to be, or to include, a photograph or film of the person (but is not, or is not only, a photograph or film of the person), (b) appears to be of an adult, and (c) appears to show the person in an intimate state. (3) Subsections (5) to (9) of section 66D (person in an intimate state) apply for the purposes of this section as if references in those subsections to a photograph or film were references to an image. (4) References in this section to creating a purported intimate image of a person do not include doing so by modifying a photograph or film of the person where what is created by the modification is an image which— (a) appears to show the person, but (b) does not appear to show— (i) something within section 66D(5)(a) to (e) (read with subsections (6) and (7) of that section) which is not shown in the photograph or film, or (ii) a person who is not shown in the photograph or film. (5) It is a defence for a person charged with an offence under this section to prove that the person had a reasonable excuse for creating the purported intimate image. (6) A person who commits an offence under this section is liable on summary conviction to imprisonment for a term not exceeding the maximum term for summary offences or a fine (or both). (7) The Secretary of State must— (a) review the operation of subsection (5), (b) publish the outcome of the review in a report before the end of the period of two years beginning with the day on which this section comes into force, and (c) lay the report before Parliament. (66F) (1) A person (A) commits an offence if— (a) A intentionally requests the creation of a purported intimate image of another person (B) (either in general or specific terms), (b) B does not consent to A requesting the creation of the purported intimate image, and (c) A does not reasonably believe that B consents. (2) A person (A) commits an offence if— (a) A intentionally requests that, if a purported intimate image of another person (B) is created, it includes or excludes something in particular (whether relating to B’s appearance, the intimate state in which B is shown or anything else), (b) B does not consent to A requesting the inclusion or exclusion of that thing, and (c) A does not reasonably believe that B consents. (3) References in this section to making a request (however expressed) include doing an act which could reasonably be taken to be a request (such as, for example, indicating agreement in response to an offer or complying with conditions of an offer). (4) References in this section to making a request (however expressed) are references to— (a) making a request directed to a particular person or persons, or (b) making a request so that it is available to one or more persons (or people generally), without directing it to a particular person or persons. (5) References in this section to consent to a person requesting something are— (a) in a case described in subsection (4)(a), references to consent to a request being made that is directed to the particular person or persons, and (b) in a case described in subsection (4)(b), references to consent to a request being made so that it is available to the person or persons (or people generally), as appropriate. (6) An offence under this section is committed— (a) regardless of whether the purported intimate image is created, (b) regardless of whether the purported intimate image, or the particular thing to be included in or excluded from such an image, is also requested by another person, and (c) regardless of where in the world the person or persons mentioned in subsection (4)(a)and (b) is or are located. (7) It is a defence for a person charged with an offence under this section to prove that the person had a reasonable excuse for making the request. (8) A person who commits an offence under this section is liable on summary conviction to imprisonment for a term not exceeding the maximum term for summary offences or a fine (or both). (9) In this section, references to a purported intimate image, to creating such an image and to a person shown in an intimate state have the same meaning as in section 66E. (10) The Secretary of State must— (a) review the operation of subsection (7), (b) publish the outcome of the review in a report before the end of the period of two years beginning with the day on which this section comes into force, and (c) lay the report before Parliament. (66G) (1) This section applies for the purposes of sections 66E and 66F. (2) “Consent” to an act includes general consent covering the particular act as well as specific consent to that particular act (and see also section 66F(5)). (3) Whether a belief is “reasonable” is to be determined having regard to all the circumstances, including any steps A has taken to ascertain whether B consents. (4) “Photograph” includes the negative as well as the positive version. (5) “Film” means a moving image. (6) A reference to an “image”, “photograph” or “film” includes data stored by any means which is capable of conversion into an image, photograph or film. (7) An image of a person appears to be an image of an adult if— (a) the impression conveyed by the image is that the person shown is aged 18 or over, or (b) the predominant impression conveyed by the image is that the person shown is aged 18 or over (even if some of the physical characteristics shown are those of a person under 18). (8) The “maximum term for summary offences” means— (a) if the offence is committed before the time when section 281(5) of the Criminal Justice Act 2003 comes into force, six months; (b) if the offence is committed after that time, 51 weeks. (66H) (1) Notwithstanding section 127(1) of the Magistrates’ Courts Act 1980, a magistrates’ court may try an information or written charge relating to an offence under section 66E or 66F if the information is laid or the charge is issued— (a) before the end of the period of 3 years beginning with the day on which the offence was committed, and (b) before the end of the period of 6 months beginning with the day on which evidence which the prosecutor thinks is sufficient to justify a prosecution comes to the prosecutor’s knowledge. (2) A certificate signed by or on behalf of a prosecutor stating the date on which evidence described in subsection (1)(b) came to the prosecutor’s knowledge is conclusive evidence of that fact.

(177DA) (1) This section applies where a person commits an offence under section 42 as respects which the corresponding offence under the law of England and Wales is an offence under section 66E of the Sexual Offences Act 2003 (creating purported intimate image of adult). (2) The purported intimate image to which the offence relates, and anything containing it, is to be regarded for the purposes of section 177C(3) (and section 94A(3)(b)(ii)) as used for the purposes of committing the offence (including where it is committed by aiding, abetting, counselling or procuring).

(38ZA) An offence under section 66F of the Sexual Offences Act 2003 (requesting the creation of purported intimate image of adult).

(154A) (1) Subsection (2) applies where a person commits an offence under section 66E of the Sexual Offences Act 2003 (creating purported intimate image of adult). (2) The purported intimate image to which the offence relates, and anything containing it, is to be regarded for the purposes of section 153 (and section 157(3)(b)) as used for the purposes of committing the offence (including where it is committed by aiding, abetting, counselling or procuring). (3) Subsection (4) applies where a person commits an offence under section 66F of the Sexual Offences Act 2003 (requesting the creation of purported intimate image of adult). (4) A purported intimate image which is connected with the offence, and anything containing it, is to be regarded for the purposes of section 153 (and section 157(3)(b)) as used for the purposes of committing the offence (including where it is committed by aiding, abetting, counselling or procuring). (5) A purported intimate image is connected with an offence under section 66F of the Sexual Offences Act 2003 if — (a) it appears to be of a person who was the subject of the request to which the offence relates (whether or not it is what was requested), and (b) it was in the offender’s possession, or under the offender’s control, as a result of that request.

Part 8 — Final provisions

Power to make consequential amendments

139

Regulations

140

Extent

141

Commencement

142

Transitional, transitory and saving provision

143

Short title

144

This Act may be cited as the Data (Use and Access) Act 2025.

Schedule 1

In the New Roads and Street Works Act 1991, after Schedule 5 insert—

Schedule 2

In the Street Works (Northern Ireland) Order 1995 (S.I. 1995/3210 (N.I. 19)), after Schedule 2 insert—

Schedule 3

Part 1 — Amendments of the Births and Deaths Registration Act 1953

1

The Births and Deaths Registration Act 1953 is amended as follows.

2

(6) In subsection (5) “the relevant register of births”, in relation to the re-registration of the birth of a child, means the register of births in which the entry relating to the child was previously made.

3

(2A) In this section the “relevant registration officer” for a register means— (a) the registrar of births and deaths for the sub-district for which the register is or has been kept, or (b) the superintendent registrar for the district containing that sub-district.

4

In Part 3 (general), the italic heading before section 25 becomes “Registers, etc”.

5

(5) In this section the “appropriate registration officer”, in relation to a register, means— (a) in the case of a register of live-births or of deaths in hard copy form, the superintendent registrar having custody of the register; (b) in the case of a register of live-births or of deaths not in hard copy form— (i) the registrar of births and deaths for the sub-district for which the register is or has been kept, or (ii) the superintendent registrar for the district containing that sub-district; (c) in the case of a register of still-births, the Registrar General.

6

In section 29A (alternative procedure for certain corrections), in subsection (4)—

  • Appropriate registration officer” has the same meaning as in section 29 of this Act.
7

(1ZA) The Registrar General shall cause the following indexes to be made and kept in the General Register Office— (a) an index of the entries in the registers kept under section 1 of this Act; (b) an index of the entries in the registers kept under section 15 of this Act.

8

In section 31 (searches of indexes kept by superintendent registrars), for subsection (1) substitute—

(1) The superintendent registrar for each district shall cause the following indexes to be made— (a) an index of the entries in the registers of live-births kept for the sub-districts within that district; (b) an index of the entries in the registers of deaths kept for the sub-districts within that district. (1A) The indexes must be kept with the other records of the register office for the district.

9

For section 32 (searches in registers kept by registrars) substitute—

(32) (1) Any person is entitled to obtain from a registrar for a sub-district, at any time when the registrar’s office is required to be open for the transaction of public business, a copy certified by the registrar of any entry in any register of births or register of deaths kept for that sub-district. (2) But subsection (1) does not apply in relation to any register of still-births except as the registrar may, with the consent of the Registrar General, in any particular case allow.

10

(1A) In subsection (1) the “appropriate registration officer” means— (a) in the case of a live-birth, the Registrar General, a superintendent registrar or a registrar; (b) in the case of a still-birth— (i) the Registrar General, or (ii) a registrar acting at the time of the registration of the still-birth or with the consent of the Registrar General.

11

In section 33A (short certificate of death), in subsection (2), for the words from “the records and registers” to “may be” substitute “the register in which the entry relating to the death is made, or, in the case of the Registrar General, from the records in the Registrar General’s custody”.

12

In section 34 (entry in register as evidence of birth or death), in subsection (5), before “on which” insert “in or”.

13

(aa) to carry out, on request, a search to find out whether any of the registers kept under this Act contains a particular entry;

;

14

In section 35 (offences relating to registers), in paragraph (b), after “deaths” insert “kept in hard copy form”.

15

In section 40 (sending and providing notices, information or other documents), omit “, return”.

16

In section 41 (interpretation), after subsection (3) insert—

(4) For the purposes of this Act a register is in hard copy form if it consists of a paper copy or similar form capable of being read with the naked eye.

Part 2 — Amendments of other legislation

Registration Service Act 1953

17

The Registration Service Act 1953 is amended as follows.

18

In section 10 (district register offices), in subsection (1), omit the words from “, and shall provide” to the end.

19

In section 12 (provision of register boxes), omit “registrar of births and deaths and”.

20

In section 13 (local schemes of organisation), in subsection (2), after paragraph (b) insert—

(ba) determining the equipment or facilities to be provided at those offices and stations by the council for the non-metropolitan county or metropolitan district;

.

Public Records Act 1958

21

In Schedule 1 to the Public Records Act 1958 (definition of public records), in paragraph 2(2)(b), after “adoptions,” insert “or to any other records held by the Registrar General of information entered in any register of births or deaths kept under any such enactment,”.

Social Security Administration Act 1992

22

In section 124 of the Social Security Administration Act 1992 (provisions relating to age, death and marriage), after subsection (5) insert—

(6) The reference in subsection (1) above to a register in the custody of a registrar or superintendent registrar includes, in relation to registers of births or deaths kept under the Births and Deaths Registration Act 1953, a reference to any such register kept for the registrar’s sub-district or (as the case may be) for a sub-district within the superintendent registrar’s district; and references in subsection (3) above to the custodian of the register are to be read accordingly.

Education Act 1996

23
  • register” means a register of births or register of deaths kept under that Act,

;

  • the relevant registrar” for a register means— in the case of a register in hard copy form (within the meaning of the Births and Deaths Registration Act 1953), the superintendent registrar having custody of the register; in the case of a register not in hard copy form (within the meaning of that Act)— the registrar of births and deaths for the sub-district for which the register is or has been kept, or the superintendent registrar for the district containing that sub-district.

Adoption and Children Act 2002

24

In section 78 of the Adoption and Children Act 2002 (Adopted Children Register: searches and copies), in subsection (4)—

Gender Recognition Act 2004

25

The Gender Recognition Act 2004 is amended as follows.

26

, or (c) an entry in a register kept under section 1 of the Births and Deaths Registration Act 1953,

.

(3) “The appropriate Registrar General” means— (a) in relation to a UK birth register entry of which a certified copy is kept by a Registrar General or which is in a register so kept, whichever Registrar General keeps that certified copy or that register; (b) in relation to a UK birth register entry in a register kept under section 1 of the Births and Deaths Registration Act 1953, the Registrar General for England and Wales. (3A) For the purposes of this section each of the following is a Registrar General— (a) the Registrar General for England and Wales; (b) the Registrar General for Scotland; (c) the Registrar General for Northern Ireland.

27

In Part 1 of Schedule 3 (registration: England and Wales), in paragraphs 5(3) and 8(2), for “or (b)” substitute “, (b) or (c)”.

Presumption of Death Act 2013

28

In Schedule 1 to the Presumption of Death Act 2013 (Register of Presumed Deaths), in paragraph 7 (interpretation)—

— (a)

;

, or (b) the index kept in the General Register Office of such entries.

Schedule 4

In the UK GDPR, at the end insert—

Schedule 5

In the UK GDPR, after Annex 1 (inserted by Schedule 4 to this Act) insert—

Schedule 6

The UK GDPR

1

The UK GDPR is amended as follows.

2
3

In Article 13(2)(f) (information about automated decision-making to be provided where personal data is collected from the data subject), for “referred to in Article 22(1) and (4)” substitute “which is subject to the requirement to provide safeguards under Article 22C”.

4

In Article 14(2)(g) (information about automated decision-making to be provided where personal data is not obtained from the data subject), for “referred to in Article 22(1) and (4)” substitute “which is subject to the requirement to provide safeguards under Article 22C”.

5

In Article 15(1)(h) (right of access by the data subject), for “referred to in Article 22(1) and (4)” substitute “which is subject to the requirement to provide safeguards under Article 22C”.

6

In the heading of Section 4 of Chapter 3, omit “and automated decision-making”.

7

In Article 23(1) (restrictions), for “provided for in Articles 12 to 22”, in both places it occurs, substitute “arising under or by virtue of Articles 12 to 22D”.

8

In Article 47(2)(e) (binding corporate rules), for the words from “the right not” to “Article 22” substitute “the right to protection in accordance with, and with regulations made under, Articles 22A to 22D in connection with decisions based solely on automated processing (including decisions reached by means of profiling)”.

9

In Article 83(5) (general conditions for imposing administrative fines)—

(ba) Article 22B or 22C (restrictions on, and safeguards for, automated decision-making);

.

The 2018 Act

10

The 2018 Act is amended as follows.

11

Omit section 14 (automated decision-making authorised by law: safeguards).

12

In section 43(1)(d) (overview and scope of provisions in Part 3 about rights of the data subject), for “sections 49 and 50” substitute “sections 50A to 50D”.

13
14
15

In section 149(2)(b) (enforcement notices)—

16

In section 157(2)(a) (maximum amount of penalty), for “49,” substitute “50B, 50C,”.

Schedule 7

Introduction

1

Chapter 5 of the UK GDPR (transfers of personal data to third countries or international organisations) is amended as follows.

General principles for transfers

2

(Article 44A) (1) A controller or processor may transfer personal data to a third country or an international organisation only if— (a) the condition in paragraph 2 is met, and (b) the transfer is carried out in compliance with the other provisions of this Regulation. (2) The condition is met if the transfer— (a) is approved by regulations under Article 45A that are in force at the time of the transfer, (b) is made subject to appropriate safeguards (see Article 46), or (c) is made in reliance on a derogation for specific situations (see Article 49). (3) A transfer may not be made in reliance on paragraph 2(b) or (c) if, or to the extent that, it would breach a restriction in regulations under Article 49A.

Transfers approved by regulations

3

Omit Article 45 (transfers on the basis of an adequacy decision).

4

After that Article insert—

(Article 45A) (1) For the purposes of Article 44A, the Secretary of State may by regulations approve transfers of personal data to— (a) a third country, or (b) an international organisation. (2) The Secretary of State may only make regulations under this Article approving transfers to a third country or international organisation if the Secretary of State considers that the data protection test is met in relation to the transfers (see Article 45B). (3) In making regulations under this Article, the Secretary of State may have regard to any matter which the Secretary of State considers relevant, including the desirability of facilitating transfers of personal data to and from the United Kingdom. (4) Regulations under this Article may, among other things— (a) make provision in relation to a third country or international organisation specified in the regulations or a description of country or organisation; (b) approve all transfers of personal data to a third country or international organisation or only transfers specified or described in the regulations; (c) identify a transfer of personal data by any means, including by reference to— (i) a sector or geographic area within a third country, (ii) the controller or processor, (iii) the recipient of the personal data, (iv) the personal data transferred, (v) the means by which the transfer is made, or (vi) relevant legislation, schemes, lists or other arrangements or documents, as they have effect from time to time; (d) confer a discretion on a person. (5) Regulations under this Article are subject to the negative resolution procedure. (Article 45B) (1) For the purposes of Article 45A, the data protection test is met in relation to transfers of personal data to a third country or international organisation if the standard of the protection provided for data subjects with regard to general processing of personal data in the country or by the organisation is not materially lower than the standard of the protection provided for data subjects by or under— (a) this Regulation, (b) Part 2 of the 2018 Act, and (c) Parts 5 to 7 of that Act, so far as relevant to general processing. (2) In considering whether the data protection test is met in relation to transfers of personal data to a third country or international organisation, the Secretary of State must consider, among other things— (a) respect for the rule of law and for human rights in the country or by the organisation, (b) the existence, and powers, of an authority responsible for enforcing the protection of data subjects with regard to the processing of personal data in the country or by the organisation, (c) arrangements for judicial or non-judicial redress for data subjects in connection with such processing, (d) rules about the transfer of personal data from the country or by the organisation to other countries or international organisations, (e) relevant international obligations of the country or organisation, and (f) the constitution, traditions and culture of the country or organisation. (3) In paragraphs 1 and 2— (a) the references to the protection provided for data subjects are to that protection taken as a whole, (b) the references to general processing are to processing to which this Regulation applies or equivalent types of processing in the third country or by the international organisation (as appropriate), and (c) the references to processing of personal data in the third country or by the international organisation are references only to the processing of personal data transferred to the country or organisation by means of processing to which this Regulation applies as described in Article 3. (4) When the data protection test is applied only to certain transfers to a third country or international organisation that are specified or described, or to be specified or described, in regulations (in accordance with Article 45A(4)(b))— (a) the references in paragraphs 1 to 3 to personal data are to be read as references only to personal data likely to be the subject of such transfers, and (b) the reference in paragraph 2(d) to transfer to other countries or international organisations is to be read as including transfer within the third country or international organisation.

Transfers approved by regulations: monitoring

5

After Article 45B (inserted by paragraph 4) insert—

(Article 45C) (1) The Secretary of State must, on an ongoing basis, monitor developments in third countries and international organisations that could affect decisions to make regulations under Article 45A or to amend or revoke such regulations. (2) Where the Secretary of State becomes aware that the data protection test is no longer met in relation to transfers approved, or of a description approved, in regulations under Article 45A, the Secretary of State must, to the extent necessary, amend or revoke the regulations. (3) Where regulations under Article 45A are amended or revoked in accordance with paragraph 2, the Secretary of State must enter into consultations with the third country or international organisation concerned with a view to improving the protection provided to data subjects with regard to the processing of personal data in the country or by the organisation. (4) The Secretary of State must publish— (a) a list of the third countries and international organisations, and the descriptions of such countries and organisations, which are for the time being approved by regulations under Article 45A as places or persons to which personal data may be transferred, and (b) a list of the third countries and international organisations, and the descriptions of such countries and organisations, which have been but are no longer approved by such regulations. (5) In the case of regulations under Article 45A which approve only certain transfers to a third country or international organisation specified or described in the regulations (in accordance with Article 45A(4)(b)), the lists published under paragraph 4 must specify or describe the relevant transfers.

Transfers subject to appropriate safeguards

6

(1A) A transfer of personal data to a third country or an international organisation by a controller or processor is made subject to appropriate safeguards only— (a) in a case in which— (i) safeguards are provided in connection with the transfer as described in paragraph 2 or 3 or regulations made under Article 47A(4), and (ii) the controller or processor, acting reasonably and proportionately, considers that the data protection test is met in relation to the transfer or that type of transfer (see paragraph 6), or (b) in a case in which— (i) safeguards are provided in accordance with paragraph 2(a) by an instrument that is intended to be relied on in connection with the transfer or that type of transfer, and (ii) each public body that is a party to the instrument, acting reasonably and proportionately, considers that the data protection test is met in relation to the transfers, or types of transfer, intended to be made in reliance on the instrument (see paragraph 6).

(6) For the purposes of this Article, the data protection test is met in relation to a transfer, or a type of transfer, of personal data if, after the transfer, the standard of the protection provided for the data subject with regard to that personal data by the safeguards required under paragraph 1A, and (where relevant) by other means, would not be materially lower than the standard of the protection provided for the data subject with regard to the personal data by or under— (a) this Regulation, (b) Part 2 of the 2018 Act, and (c) Parts 5 to 7 of that Act, so far as relevant to processing to which this Regulation applies. (7) For the purposes of paragraph 1A(a)(ii) and (b)(ii), what is reasonable and proportionate is to be determined by reference to all the circumstances, or likely circumstances, of the transfer or type of transfer, including the nature and volume of the personal data transferred. (8) In this Article— (a) references to the protection provided for the data subject are to that protection taken as a whole; (b) “relevant person” means a public body or another person exercising functions of a public nature.

7

In the heading of Article 47 (binding corporate rules) at the beginning insert “Transfers subject to appropriate safeguards:”.

8

After Article 47 insert—

(Article 47A) (1) The Secretary of State may by regulations specify standard data protection clauses which the Secretary of State considers are capable of securing that the data protection test set out in Article 46 is met in relation to transfers of personal data generally or in relation to a type of transfer specified in the regulations. (2) The Secretary of State must keep under review the standard data protection clauses specified in regulations under paragraph 1 that are for the time being in force. (3) Regulations under paragraph 1 are subject to the negative resolution procedure. (4) The Secretary of State may by regulations make provision about further safeguards that may be relied on for the purposes of Article 46(1A)(a). (5) The Secretary of State may only make regulations under paragraph 4 if the Secretary of State considers that the further safeguards are capable of securing that the data protection test set out in Article 46 is met in relation to transfers of personal data generally or in relation to a type of transfer specified in the regulations. (6) Regulations under paragraph 4 may, among other things— (a) make provision by adopting safeguards prepared or published by another person; (b) make provision about ways of providing safeguards which require authorisation from the Commissioner. (7) Regulations under paragraph 4 which amend Article 46 may do so only in the following ways— (a) by adding ways of providing safeguards, or (b) by varying or omitting ways of providing safeguards which were added by regulations under this Article. (8) Regulations under paragraph 4 are subject to the affirmative resolution procedure.

Derogations for specific situations

9

(4A) The Secretary of State may by regulations specify for the purposes of point (d) of paragraph 1— (a) circumstances in which a transfer of personal data to a third country or international organisation is to be taken to be necessary for important reasons of public interest, and (b) circumstances in which a transfer of personal data to a third country or international organisation which is not required by an enactment is not to be taken to be necessary for important reasons of public interest.

(7) Regulations under this Article— (a) are subject to the made affirmative resolution procedure where the Secretary of State has made an urgency statement in respect of them; (b) otherwise, are subject to the affirmative resolution procedure. (8) For the purposes of this Article, an urgency statement is a reasoned statement that the Secretary of State considers it desirable for the regulations to come into force without delay.

Public interest restrictions

10

After Article 49 insert—

(Article 49A) (1) The Secretary of State may by regulations restrict the transfer of a category of personal data to a third country or international organisation where— (a) the transfer is not approved by regulations under Article 45A for the time being in force, and (b) the Secretary of State considers the restriction to be necessary for important reasons of public interest. (2) Regulations under this Article— (a) are subject to the made affirmative resolution procedure where the Secretary of State has made an urgency statement in respect of them; (b) otherwise, are subject to the affirmative resolution procedure. (3) For the purposes of this Article, an urgency statement is a reasoned statement that the Secretary of State considers it desirable for the regulations to come into force without delay.

Schedule 8

Introduction

1

Chapter 5 of Part 3 of the 2018 Act (transfers of personal data to third countries etc) is amended as follows.

Overview and interpretation

2

In section 72 (overview and interpretation), in subsection (1)(b)—

General principles for transfer

3

(A1) This section applies in relation to a transfer of personal data to a third country or international organisation for a law enforcement purpose.

, and— (c) the transfer is carried out in accordance with the other provisions of this Part.

(3) Condition 2 is that the transfer— (a) is approved by regulations under section 74AA that are in force at the time of the transfer, (b) is made subject to appropriate safeguards (see section 75), or (c) is based on special circumstances (see section 76).

(aa) the intended recipient is a person in a third country who— (i) is not a person described in paragraph (a), but (ii) is a processor whose processing, on behalf of the controller, of the personal data transferred is governed by, or authorised in accordance with, a contract with the controller that complies with section 59,

, and

Transfers approved by regulations

4

(74AA) (1) For the purposes of section 73, the Secretary of State may by regulations approve transfers of personal data to— (a) a third country, or (b) an international organisation. (2) The Secretary of State may only make regulations under this section approving transfers to a third country or international organisation if the Secretary of State considers that the data protection test is met in relation to the transfers (see section 74AB). (3) In making regulations under this section, the Secretary of State may have regard to any matter which the Secretary of State considers relevant, including the desirability of facilitating transfers of personal data to and from the United Kingdom. (4) Regulations under this section may, among other things— (a) make provision by reference to a third country or international organisation specified in the regulations or a description of country or organisation; (b) approve all transfers of personal data to a third country or international organisation or only transfers specified or described in the regulations; (c) identify a transfer of personal data by any means, including by reference to— (i) a sector or geographic area within a third country, (ii) the controller or processor, (iii) the recipient of the personal data, (iv) the personal data transferred, (v) the means by which the transfer is made, or (vi) relevant legislation, schemes, lists or other arrangements or documents, as they have effect from time to time; (d) confer a discretion on a person. (5) Regulations under this section are subject to the negative resolution procedure. (74AB) (1) For the purposes of section 74AA, the data protection test is met in relation to transfers to a third country or international organisation if the standard of the protection provided for data subjects with regard to law enforcement processing of personal data in the country or by the organisation is not materially lower than the standard of the protection provided for data subjects by or under— (a) this Part, and (b) Parts 5 to 7, so far as relevant to law enforcement processing. (2) In considering whether the data protection test is met in relation to transfers of personal data to a third country or international organisation, the Secretary of State must consider, among other things— (a) respect for the rule of law and for human rights in the country or by the organisation, (b) the existence, and powers, of an authority responsible for enforcing the protection of data subjects with regard to the processing of personal data in the country or by the organisation, (c) arrangements for judicial or non-judicial redress for data subjects in connection with such processing, (d) rules about the transfer of personal data from the country or by the organisation to other countries or international organisations, (e) relevant international obligations of the country or organisation, and (f) the constitution, traditions and culture of the country or organisation. (3) In subsections (1) and (2)— (a) the references to the protection provided for data subjects are to that protection taken as a whole, (b) the references to law enforcement processing are to processing by a competent authority for any of the law enforcement purposes or equivalent types of processing in the third country or by the international organisation (as appropriate), and (c) the references to processing of personal data in the third country or by the international organisation are references only to the processing of personal data transferred to the country or organisation by means of processing to which this Act applies as described in section 207(2). (4) When the data protection test is applied only to certain transfers to a third country or international organisation that are specified or described, or to be specified or described, in regulations (in accordance with section 74AA(4)(b))— (a) the references in subsections (1) to (3) to personal data are to be read as references only to personal data likely to be the subject of such transfers, and (b) the reference in subsection (2)(d) to transfer to other countries or international organisations is to be read as including transfer within the third country or international organisation.

Transfers approved by regulations: monitoring

5

Transfers subject to appropriate safeguards

6

(1A) A transfer of personal data to a third country or an international organisation is made subject to appropriate safeguards only if— (a) an appropriate legal instrument binds the intended recipient of the data (see subsection (4)), or (b) the controller, acting reasonably and proportionately, considers that the data protection test is met in relation to the transfer or that type of transfer (see subsection (5)).

(4) For the purposes of this section, a legal instrument is “appropriate”, in relation to a transfer of personal data, if— (a) the instrument is intended to be relied on in connection with the transfer or that type of transfer, (b) at least one competent authority is a party to the instrument, and (c) each competent authority that is a party to the instrument, acting reasonably and proportionately, considers that the data protection test is met in relation to the transfers, or types of transfer, intended to be made in reliance on the instrument (see subsection (5)). (5) For the purposes of this section, the data protection test is met in relation to a transfer, or a type of transfer, of personal data if, after the transfer, the standard of the protection provided for the data subject with regard to that personal data, whether by a binding legal instrument or by other means, would not be materially lower than the standard of the protection provided for the data subject with regard to the personal data by or under— (a) this Part, and (b) Parts 5 to 7, so far as they relate to processing by a competent authority for any of the law enforcement purposes. (6) For the purposes of subsections (1A)(b) and (4)(c), what is reasonable and proportionate is to be determined by reference to all the circumstances, or likely circumstances, of the transfer or type of transfer, including the nature and volume of the personal data transferred. (7) In this section, references to the protection provided for the data subject are to that protection taken as a whole.

Transfers based on special circumstances

7

(A1) A transfer of personal data to a third country or international organisation is based on special circumstances where— (a) it is made in the absence of approval by regulations under section 74AA and of compliance with section 75 (appropriate safeguards), and (b) it is necessary for a special purpose.

(2A) In accordance with the third data protection principle, the amount of personal data transferred in reliance on this section must not be excessive in relation to the special purpose relied on.

Transfers to particular recipients

8

For the italic heading before section 77 substitute “Additional conditions”.

9

Subsequent transfers

10

(A1) Subsections (1) to (6) apply where a transfer to which section 73 applies takes place otherwise than in reliance on section 73(4)(aa) (transfer to processor).

— (a)

,

“UK authoriser”), or (b) that— (i) the personal data is not to be so transferred without such authorisation except where subsection (1A) applies, and (ii) where a transfer is made without such authorisation, the UK authoriser must be informed without delay.

(1A) This subsection applies if— (a) the transfer is necessary for the prevention of an immediate and serious threat to the public security or national security of a third country or the United Kingdom, and (b) authorisation from the UK authoriser cannot be obtained in good time.

(7) Where a transfer takes place in reliance on section 73(4)(aa) (transfer to processor), the transferring controller must make it a condition of the transfer that the data is only to be further transferred to a third country or international organisation where— (a) the terms of any relevant contract entered into, or authorisation given, by the transferring controller in accordance with section 59 are complied with, and (b) the further transfer satisfies the requirements in section 73(1).

Schedule 9

Part 1 — Minor and consequential amendments

The UK GDPR

1

The UK GDPR is amended as follows.

2

In Article 13(1)(f) (information to be provided where personal data is collected from the data subject)—

3

In Article 14(1)(f) (information to be provided where personal data is not obtained from the data subject)—

4

In Article 15(2) (right of access by the data subject)—

5
6

In Article 42(2) (certification) omit “appropriate” in both places.

7

In Article 46(2)(d) (transfers subject to appropriate safeguards: standard data protection clauses), after “Commissioner” insert “for the purposes of this Article”.

8

In Article 57(1) (Commissioner’s tasks)—

(sa) provide authorisation required under regulations made under Article 47A;

.

9

In Article 58(3) (authorisation and advisory powers of the Commissioner), after point (j) insert—

(k) to provide authorisation required under regulations made under Article 47A

.

10

In Article 83(5)(c) (general conditions for imposing administrative fines), for “44” substitute “44A”.

The 2018 Act

11

The 2018 Act is amended as follows.

12

Omit section 17A (transfers based on adequacy regulations) and the italic heading before it.

13

Omit section 17B (transfers based on adequacy regulations: review etc).

14

Omit section 17C (standard data protection clauses).

15

Omit section 18 (transfers of personal data to third countries etc: public interest).

16

In section 24(2) (manual unstructured data held by FOI public authorities)—

17

In section 26(2) (national security and defence exemption), omit paragraph (fa).

18

In section 75 (transfers on the basis of appropriate safeguards), after subsection (7) (inserted by Schedule 8 to this Act) insert—

(8) For provision about standard data protection clauses which the Commissioner considers are capable of securing that the data protection test in this section is met, see section 119A.

19

In section 78A (law enforcement processing: national security exemption) (inserted by section 88 of this Act), in subsection (2)(e), after sub-paragraph (i) insert—

(ia) section 119A (standard clauses for transfers to third countries);

.

20

(aa) may make provision generally or in relation to types of transfer described in the document,

.

21

In section 149(2)(e) (enforcement notices), for “44 to 49” substitute “44A to 49A”.

22

(14) For the purposes of this section, an urgency statement is a reasoned statement that the Secretary of State considers it desirable for regulations to come into force without delay.

23

In section 205(2)(e) (references to periods of time) omit “and (9)”.

24

In paragraph 26(9)(d) of Schedule 2 (exemptions etc for journalistic, academic, artistic and literary purposes), for “44” substitute “44A”.

25

(2) Those provisions are Articles 13(1)(f), 14(1)(f), 45C, 49(1) and 49A(1) of the UK GDPR.

, and

(3) In its application to transfers treated as approved by virtue of paragraph 1, Article 45C(5) of the UK GDPR (transfers approved by regulations: monitoring) has effect as if the reference to Article 45A(4)(b) were omitted.

(aa) changing references to provision made by regulations under section 17A into references to provision made by regulations made under Article 45A of the UK GDPR;

.

(2) In its application to transfers treated as approved by virtue of paragraph 10, section 74B(7) (transfers approved by regulations: monitoring) has effect as if the reference to section 74AA(4)(b) were omitted.

Part 2 — Transitional provision

The UK GDPR: transfers approved by regulations

26

The UK GDPR: transfers subject to appropriate safeguards

27

The UK GDPR: transfers subject to appropriate safeguards provided by standard data protection clauses

28
29

The UK GDPR: transfers necessary for important reasons of public interest

30

The UK GDPR: restrictions on transfers of personal data to third countries and international organisations

31

Part 3 of the 2018 Act (law enforcement processing): transfers approved by regulations

32

Part 3 of the 2018 Act (law enforcement processing): transfers subject to appropriate safeguards

33

Schedule 10

The UK GDPR

1

The UK GDPR is amended as follows.

2

In Article 12(4) (transparent information, communication and modalities for the exercise of the rights of the data subject), for “lodging a complaint with the Commissioner” substitute “making a complaint to the controller under section 164A of the 2018 Act, making a complaint to the Commissioner under section 165 of that Act”.

3

(ca) the right to make a complaint to the controller under section 164A of the 2018 Act;

.

4

(da) the right to make a complaint to the controller (see section 164A of the 2018 Act);

.

5

(ea) the right to make a complaint to the controller under section 164A of the 2018 Act;

.

6

In Article 47 (binding corporate rules), in paragraph 2(e), for “lodge a complaint with the Commissioner and” substitute “make a complaint to the controller under section 164A of the 2018 Act, the right to make a complaint to the Commissioner under section 165 of the 2018 Act, the right to lodge a complaint”.

7

The 2018 Act

8

The 2018 Act is amended as follows.

9

In section 26(2)(f) (national security and defence exemption), omit sub-paragraph (ai) (inserted by section 88 of this Act).

10

(da) the existence of the right to make a complaint to the controller (see section 164A);

, and

(ca) of the data subject’s right to make a complaint to the controller under section 164A,

, and

11

(ea) the existence of the data subject’s right to make a complaint to the controller (see section 164A);

, and

(ca) of the data subject’s right to make a complaint to the controller under section 164A,

, and

12

In section 45A (exemption from sections 44 and 45: legal professional privilege) (inserted by section 79 of this Act), in subsection (2), after paragraph (c) insert—

(ca) the data subject’s right to make a complaint to the controller under section 164A,

.

13

(iia) of the data subject’s right to make a complaint to the controller under section 164A,

, and

(ba) of the data subject’s right to make a complaint to the controller under section 164A,

, and

14

In section 93(1)(e) (right to information), after “Commissioner”, in the first place it occurs, insert “under section 165”.

15

In section 94(2)(f) (right of access), after “Commissioner”, in the first place it occurs, insert “under section 165”.

16

(5A) The fifth type of failure is where a controller has failed, or is failing, to comply with section 164A or with regulations under section 164B.

17

In section 155 (penalty notices), in subsection (1)(a), for “or (5)” substitute “, (5) or (5A)”.

18

In section 157 (maximum amount of penalty), after subsection (4) insert—

(4A) In relation to an infringement of section 164A or of regulations under section 164B, the maximum amount of the penalty that may be imposed by a penalty notice is the standard maximum amount.

19

In section 165 (complaints by data subjects), in the heading, at the end insert “to the Commissioner”.

20
21

(za) the right under section 164A (complaints to the controller);

, and

Schedule 11

The UK GDPR

1

The UK GDPR is amended as follows.

2

(15A) - “direct marketing” means the communication (by whatever means) of advertising or marketing material which is directed to particular individuals;

.

(29) - “enactment” has the same meaning as in the 2018 Act (see section 205 of that Act); (30) - “tribunal” means any tribunal in which legal proceedings may be brought.

3

After Article 4 insert—

(Article 4A) (1) References in this Regulation to a period expressed in hours, days, weeks, months or years are to be interpreted in accordance with Article 3 of the Periods of Time Regulation, except in Article 91A(8) and (9). (2) In this Article, “the Periods of Time Regulation” means Regulation (EEC, Euratom) No. 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits.

4

In Article 9 (processing of special categories of personal data)—

5

In Article 12(5) (information etc to be provided free of charge), at the beginning insert “Subject to Article 15(3),”.

6

In Article 23(1)(h) (restrictions), for “(a)” substitute “(c)”.

7

In Article 24(3) (responsibility of the controller), for “an element by which to demonstrate” substitute “a means of demonstrating”.

8

In Article 25(3) (data protection by design and by default), for “an element to demonstrate” substitute “a means of demonstrating”.

9

In Article 28(5) (processors), for “an element by which to demonstrate” substitute “a means of demonstrating”.

10

In Article 32(3) (security of processing), for “an element by which to demonstrate” substitute “a means of demonstrating”.

11

In Article 37(1)(a), after “courts” insert “and tribunals”.

12

Omit Article 59 (activity reports).

The 2018 Act

13

The 2018 Act is amended as follows.

14

In section 3(9) (definition of “the data protection legislation”)—

15

Omit section 20 (meaning of “court” in Part 2).

16

In section 94 (data subject’s right of access under Part 4), in subsection (10), for “subsection (6)” substitute “subsections (3), (5) and (6)”.

17

In section 119A(11) (standard clauses for transfers to third countries etc), after “any” insert “whole days that fall within a”.

18

In section 124(5) (data protection and journalism code), in the definition of “good practice in the processing of personal data for the purposes of journalism”—

and includes compliance with the requirements of the data protection legislation;

.

19
20

In section 139 (reporting to Parliament), omit subsection (2).

21

In section 161(6) (approval of first guidance about regulatory action), after “any” insert “whole days that fall within a”.

22

In section 170(2)(a) (unlawful obtaining etc of personal data), after “preventing” insert “, investigating”.

23
24

In section 181 (interpretation of Part 6) omit the definition of “representative”.

25

In section 184(4) (prohibition of requirement to produce relevant records), after “prevention” insert “, investigation”.

26

In section 192(6) (approval of the Framework), after “any” insert “whole days that fall within a”.

27

In section 206 (index of defined expressions), in the Table, omit the entry for “representative (in Part 6)”.

28

(iia) the processing of personal data carried out in preparation for disclosure described in sub-paragraph (i) or (ii),

.

29
30

In paragraph 8(1)(b) of Schedule 8 (conditions for sensitive processing under Part 3: preventing fraud), after sub-paragraph (ii) (but before the “or” at the end of that sub-paragraph) insert—

(iia) the processing of personal data carried out in preparation for disclosure described in sub-paragraph (i) or (ii),

.

31

In paragraph 2(a) of Schedule 11 (other exemptions under Part 4: crime), after “prevention” insert “, investigation”.

Victims and Prisoners Act 2024

32

The following provisions (inserted by section 31 of the Victims and Prisoners Act 2024) extend to Scotland and Northern Ireland (as well as to England and Wales)—

Schedule 12

In the PEC Regulations, before Schedule 1 insert—

Schedule 13

This is the Schedule to be substituted for Schedule 1 to the PEC Regulations—

Schedule 14

Schedule 12A to the Data Protection Act 2018

1

In the Data Protection Act 2018, after Schedule 12 insert—

Schedule 12A (1) (1) The Commission is not to be regarded— (a) as a servant or agent of the Crown, or (b) as enjoying any status, immunity or privilege of the Crown. (2) The Commission’s property is not to be regarded— (a) as property of the Crown, or (b) as property held on behalf of the Crown. (2) (1) The number of members of the Commission is to be determined by the Secretary of State. (2) That number must not be— (a) less than 3, or (b) more than 14. (3) The Secretary of State may by regulations substitute a different number for the number for the time being specified in sub-paragraph (2)(b). (4) Regulations under this paragraph are subject to the negative resolution procedure. (3) (1) The Commission is to consist of— (a) the non-executive members, and (b) the executive members. (2) The non-executive members are— (a) a chair appointed by His Majesty by Letters Patent on the recommendation of the Secretary of State, and (b) such other members as the Secretary of State may appoint. (3) The executive members are— (a) a chief executive appointed by the non-executive members or in accordance with paragraph 25, and (b) such other members, if any, as the non-executive members may appoint. (4) The Secretary of State must consult the chair of the Commission before appointing a non-executive member. (5) The non-executive members must consult the Secretary of State before appointing the chief executive. (6) The non-executive members must consult the chief executive about whether there should be any executive members within sub-paragraph (3)(b) and, if so, how many there should be. (7) The Secretary of State may by direction set a maximum and a minimum number of executive members. (8) The Commission may appoint one of the non-executive members as a deputy to the chair. (4) The Secretary of State must exercise the powers conferred on the Secretary of State by paragraphs 2 and 3 so as to secure that the number of non-executive members of the Commission is, so far as practicable, at all times greater than the number of executive members. (5) (1) The Secretary of State may not recommend a person for appointment as the chair of the Commission unless the person has been selected on merit on the basis of fair and open competition. (2) A person may not be appointed as a member of the Commission unless the person has been selected on merit on the basis of fair and open competition. (6) (1) Before— (a) recommending a person for appointment as the chair of the Commission, or (b) appointing a person as a non-executive member of the Commission, the Secretary of State must be satisfied that the person does not have a conflict of interest. (2) The Secretary of State must check from time to time that none of the non-executive members has a conflict of interest. (3) The Secretary of State may require a non-executive member to provide whatever information the Secretary of State considers necessary for the purpose of checking that the member does not have a conflict of interest. (4) A non-executive member who is required to provide information under sub-paragraph (3) must provide it within such period as may be specified by the Secretary of State. (5) In this Schedule, “conflict of interest”, in relation to a person, means a financial or other interest which is likely to affect prejudicially the discharge by the person of the person’s functions as a member of the Commission. (7) (1) The chair of the Commission holds and vacates office in accordance with the terms of the chair’s appointment, subject to the provisions of this paragraph. (2) The chair must be appointed for a term of not more than 7 years. (3) On the recommendation of the Secretary of State, His Majesty may by Letters Patent extend the term of the chair’s appointment but not so the term as extended is more than 7 years. (4) A person cannot be appointed as the chair more than once. (5) The chair may be relieved from office by His Majesty at the chair’s own request. (6) The chair may be removed from office by His Majesty on an Address from both Houses of Parliament. (7) No motion is to be made in either House of Parliament for such an Address unless the Secretary of State has presented a report to that House stating that the Secretary of State is satisfied that— (a) the chair is guilty of serious misconduct, (b) the chair has a conflict of interest (see paragraph 6(5)), (c) the chair has failed to comply with paragraph 6(4), or (d) the chair is unable, unfit or unwilling to carry out the chair’s functions. (8) (1) A deputy chair of the Commission may resign that office by giving written notice to the Commission. (2) A deputy chair of the Commission ceases to hold that office on ceasing to be a non-executive member of the Commission. (3) A deputy chair of the Commission may be removed from that office by the Commission. (9) (1) This paragraph applies to a non-executive member of the Commission appointed by the Secretary of State. (2) The member holds and vacates office in accordance with the terms of their appointment, subject to the provisions of this paragraph. (3) The member must be appointed for a term of not more than 7 years. (4) The Secretary of State may extend the term of the member’s appointment but not so that the term as extended is more than 7 years. (5) The Secretary of State may not appoint the member as a non-executive member of the Commission on a subsequent occasion. (6) The member may resign from office by giving written notice to the Secretary of State and the Commission. (7) The Secretary of State may remove the member from office by written notice if satisfied that— (a) the member is guilty of serious misconduct, (b) the member has a conflict of interest (see paragraph 6(5)), (c) the member has failed to comply with paragraph 6(4), or (d) the member is unable, unfit or unwilling to carry out the member’s functions. (8) At the time of removing the member from office the Secretary of State must make public the decision to do so. (9) The Secretary of State must— (a) give the member a statement of reasons for the removal, and (b) if asked to do so by the member, publish the statement. (10) (1) The Commission may pay to the non-executive members of the Commission such remuneration and allowances as the Secretary of State may determine. (2) The Commission may pay, or make provision for paying, to or in respect of the non-executive members of the Commission, such sums by way of pensions, allowances or gratuities (including pensions, allowances or gratuities paid by way of compensation in respect of loss of office) as the Secretary of State may determine. (3) The Commission may make a payment to a person of such amount as the Secretary of State may determine where— (a) the person ceases to be a non-executive member of the Commission otherwise than on the expiry of the person’s term of office, and (b) it appears to the Secretary of State that there are special circumstances which make it appropriate for the person to receive compensation. (11) (1) The executive members of the Commission are to be employees of the Commission. (2) The executive members are to be employed by the Commission on such terms and conditions, including those as to remuneration, as the non-executive members of the Commission may determine. (3) The Commission must— (a) pay to or in respect of the executive members of the Commission such pensions, allowances or gratuities (including pensions, allowances or gratuities paid by way of compensation in respect of loss of office) as the non-executive members of the Commission may determine, and (b) provide and maintain for them such pension schemes (whether contributory or not) as the non-executive members of the Commission may determine. (12) (1) The Commission may— (a) appoint other employees, and (b) make such other arrangements for the staffing of the Commission as it considers appropriate. (2) In appointing an employee, the Commission must have regard to the principle of selection on merit on the basis of fair and open competition. (3) Employees appointed by the Commission are to be appointed on such terms and conditions, including those as to remuneration, as the Commission may determine. (4) The Commission may— (a) pay to or in respect of those employees such pensions, allowances or gratuities (including pensions, allowances or gratuities paid by way of compensation in respect of loss of employment) as the Commission may determine, and (b) provide and maintain for them such pension schemes (whether contributory or not) as the Commission may determine. (13) (1) The Commission may establish committees. (2) A committee of the Commission may consist of or include persons who are neither members nor employees of the Commission. (3) But a committee of the Commission to which functions are delegated under paragraph 14(1)(c) must include at least one person who is either a member or an employee of the Commission. (4) Where a person who is neither a member nor an employee of the Commission is a member of a committee of the Commission, the Commission may pay to that person such remuneration and expenses as it may determine. (14) (1) The Commission may delegate any of its functions to— (a) a member of the Commission, (b) an employee of the Commission, or (c) a committee of the Commission. (2) A function is delegated under sub-paragraph (1) to the extent and on the terms that the Commission determines. (3) A committee of the Commission may delegate any function delegated to it to a member of the committee. (4) A function is delegated under sub-paragraph (3) to the extent and on the terms that the committee determines. (5) The power of a committee of the Commission to delegate a function, and to determine the extent and terms of the delegation, is subject to the Commission’s power to direct what a committee established by it may and may not do. (6) The delegation of a function by the Commission or a committee of the Commission under this paragraph does not prevent the Commission or the committee from exercising that function. (15) The Commission may require a committee of the Commission to give the Commission advice about matters relating to the discharge of the Commission’s functions. (16) (1) The Commission may make arrangements for regulating— (a) its own procedure, and (b) the procedure of a committee of the Commission. (2) The non-executive members of the Commission may by majority make arrangements for regulating the procedure for the carrying out of the separate functions which are conferred on them under this Schedule. (3) Arrangements under this paragraph may include arrangements as to quorum and the making of decisions by a majority. (4) The Commission must publish arrangements which it makes under this paragraph. (5) This paragraph is subject to paragraph 18. (17) The Commission must make arrangements for the keeping of proper records of— (a) its proceedings, (b) the proceedings of a committee of the Commission, (c) the proceedings at a meeting of the non-executive members of the Commission, (d) anything done by a member or employee of the Commission under paragraph 14(1), and (e) anything done by a member of a committee of the Commission under paragraph 14(3). (18) (1) This paragraph applies if— (a) a member of the Commission has a direct or indirect interest in a matter falling to be considered at a meeting of the Commission, (b) a non-executive member of the Commission has a direct or indirect interest in a matter falling to be considered at a meeting of the non-executive members, or (c) a member of a committee of the Commission has a direct or indirect interest in a matter falling to be considered at a meeting of the committee. (2) The member with the interest must declare it. (3) The declaration must be recorded in the minutes of the meeting. (4) The member with the interest may not take part in a discussion or decision at the meeting relating to the matter, unless— (a) in the case of a meeting of the Commission, the other members of the Commission who are present have resolved unanimously that the interest is to be disregarded, (b) in the case of a meeting of the non-executive members, the other non-executive members who are present have resolved unanimously that the interest is to be disregarded, or (c) in the case of a meeting of a committee, the other members of the committee who are present have, in the manner authorised by the Commission, resolved that the interest is to be disregarded. (5) In giving authorisation for the purposes of sub-paragraph (4)(c), the Commission must secure that a resolution for those purposes does not allow a member to take part in a discussion or decision at a meeting of a committee to which functions are delegated under paragraph 14(1)(c) unless the number of other members of the committee in favour of the resolution— (a) is not less than two thirds of those who are both present and entitled to vote on the resolution, and (b) is not less than its quorum. (6) For the purposes of this paragraph, a notification given at or sent to a meeting of the Commission that a person— (a) is a member of a company or firm, and (b) is to be regarded as interested in any matter involving that company or firm, is to be regarded as compliance with sub-paragraph (2) in relation to any such matter for the purposes of that meeting and subsequent meetings of the Commission, of the non-executive members or of a committee. (7) For the purposes of this paragraph, a notification given at or sent to a meeting of the non-executive members of the Commission or of a committee of the Commission that— (a) a person is a member of a company or firm, and (b) is to be regarded as interested in any matter involving that company or firm, is to be regarded as compliance with sub-paragraph (2) in relation to any such matter for the purposes of that meeting and subsequent meetings of the non-executive members or (as the case may be) of the committee. (8) A notification described in sub-paragraph (6) or (7) remains in force until it is withdrawn. (9) A person required to make a declaration for the purposes of this paragraph in relation to any meeting— (a) is not required to attend the meeting, but (b) is to be taken to have complied with the requirements of this paragraph if the person takes reasonable steps to secure that notice of the person’s interest is read out, and taken into consideration, at the meeting in question. (19) (1) The validity of proceedings of the Commission, of the non-executive members of the Commission or of a committee of the Commission is not affected by— (a) a vacancy in the membership of the Commission or of the committee, (b) a defect in the appointment of a member of the Commission, (c) a failure of the Secretary of State to comply with the requirements of paragraph 4, or (d) a failure to comply with arrangements under paragraph 16 or with a requirement under paragraph 18. (2) Nothing in sub-paragraph (1)(d) validates proceedings of a meeting which is inquorate unless it is inquorate by reason only of a matter within sub-paragraph (1)(b) or (c). (20) The Secretary of State may make payments to the Commission. (21) (1) All fees, charges, penalties and other sums received by the Commission in carrying out its functions are to be paid to the Secretary of State. (2) Sub-paragraph (1) does not apply where the Secretary of State otherwise directs. (3) Any sums received by the Secretary of State under this paragraph are to be paid into the Consolidated Fund. (22) (1) The Commission must keep proper accounts and proper records in relation to them. (2) The Commission must prepare a statement of accounts in respect of each financial year in the form specified by the Secretary of State. (3) The Commission must send a copy of each statement of accounts to the Secretary of State and the Comptroller and Auditor General before the end of August next following the financial year to which the statement relates. (4) The Comptroller and Auditor General must— (a) examine, certify and report on the statement of accounts, and (b) send a copy of the certified statement and the report to the Secretary of State. (5) The Secretary of State must lay before Parliament each document received under sub-paragraph (4)(b). (6) In this paragraph “financial year” means— (a) the period beginning with the date on which the Commission is established and ending with the 31 March following that date, and (b) each successive period of 12 months. (23) (1) The application of the Commission’s seal must be authenticated by the signature of— (a) the chair of the Commission, or (b) another person authorised for that purpose by the Commission. (2) A document purporting to be duly executed under the Commission’s seal or signed on its behalf— (a) is to be received in evidence, and (b) is to be taken to be executed or signed in that way, unless the contrary is shown. (3) This paragraph does not extend to Scotland. (24) The Commission may do anything it thinks appropriate for the purposes of, or in connection with, its functions. (25) (1) The first chief executive of the Commission is to be appointed by the chair of the Commission. (2) Before making the appointment the chair must consult the Secretary of State. (3) The appointment must be for a term of not more than 2 years. (4) The chair may extend the term of the appointment but not so the term as extended is more than 2 years. (5) For the term of appointment, the person appointed under sub-paragraph (1) is “the interim chief executive”. (6) Until the expiry of the term of appointment, the powers conferred on the non-executive members by paragraph 11(2) and (3) are exercisable in respect of the interim chief executive by the chair (instead of by the non-executive members). (7) In sub-paragraphs (5) and (6), the references to the term of appointment are to the term of appointment described in sub-paragraph (3), including any extension of the term under sub-paragraph (4). (26) In this Schedule— (a) references to pensions, allowances or gratuities include references to any similar benefits provided on death or retirement, and (b) references to the payment of pensions, allowances or gratuities to or in respect of a person include references to the making of payments towards the provision of pensions, allowances or gratuities to be paid to or in respect of a person.

Transitional provision: first chair

2

Transitional provision: consultation about non-executive members

3

Transitional provision: consultation about interim chief executive

4

Schedule 15

1

Chapter 1 of Part 9 of the Health and Social Care Act 2012 (health and adult social care services: information standards) is amended as follows.

2

Before section 250 insert—

.

3

(e) a relevant IT provider.

  • information technology” includes— computers, other devices whose uses include the processing of information by electronic means (“IT devices”), parts, accessories and other equipment made or adapted for use in connection with computers or IT devices, software and code made or adapted for use in connection with computers or IT devices, and networks and other infrastructure (whether physical or virtual) used in connection with other information technology;
  • IT service” means an information technology service, including any service (whether physical or virtual) which consists of, or is provided in connection with, the development, making available, operation or maintenance of information technology;

,

  • relevant IT provider” means a person involved in marketing, supplying, providing or otherwise making available— information technology, an IT service, or a service which consists of processing information using information technology, whether for payment or free of charge, but only so far as the technology or service is used, or intended to be used, in connection with the provision in, or in relation to, England of health care or of adult social care.
4

After section 250 insert—

(250A) (1) An information standard relating to information technology or IT services may, among other things, make provision about— (a) the design, quality, capabilities or other characteristics of such technology or services; (b) contracts or other arrangements under which such technology or services are marketed, supplied, provided or otherwise made available. (2) An information standard may include technical provision about information technology or IT services, including provision about— (a) functionality; (b) connectivity; (c) interoperability; (d) portability; (e) storage of, and access to, information; (f) security of information. (3) An information standard may make provision by reference to open standards or proprietary standards.

5

(3) The power under section 250(1) may be exercised by— (a) adopting an information standard prepared or published by another person, including as it has effect from time to time, or (b) making provision by reference to an international agreement or another document, including as it has effect from time to time.

6

After section 251 insert—

.

7

For the heading of section 251ZA (information standards: compliance) substitute “Monitoring compliance”.

8

After that section insert—

(251ZB) (1) If the Secretary of State has reasonable grounds to suspect that a relevant IT provider is not complying with an information standard which applies to the provider, the Secretary of State may give the provider a written notice which— (a) identifies the standard in question, (b) sets out the Secretary of State’s grounds for suspecting that the provider is not complying with the standard, (c) asks the provider to comply with the standard within a period specified in the notice, (d) asks the provider, within a period specified in the notice, to provide evidence to the Secretary of State’s satisfaction that the provider is complying with the standard, and (e) if the Secretary of State considers it appropriate, sets out the steps that the Secretary of State considers the provider must take, within a period specified in the notice, in order to comply with the standard. (2) A period specified for the purposes of subsection (1)(c), (d) or (e) must be a period of at least 28 days beginning with the day on which the notice is given. (3) The Secretary of State may, by giving the relevant IT provider a further written notice, vary or revoke a notice given under subsection (1). (251ZC) (1) If the Secretary of State has reasonable grounds to suspect that a relevant IT provider is not complying with an information standard which applies to the provider, the Secretary of State may publish a statement to that effect. (2) The statement may include the text of a notice given to the provider under section 251ZB. (3) Before publishing a statement under this section, the Secretary of State must give the relevant IT provider— (a) a copy of the terms of the proposed statement, and (b) an opportunity to make representations about the decision to publish a statement and the terms of the statement. (4) If, after considering any representations, the Secretary of State decides to publish the statement, the Secretary of State must inform the relevant IT provider before publishing it. (5) This section does not authorise the processing of information if the processing would contravene the data protection legislation (but in determining whether it would do so, take into account the power conferred by this section). (6) In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act). (251ZD) (1) The Secretary of State may— (a) direct a public body to exercise some or all of the functions listed in subsection (3), and (b) give the public body directions about the exercise of those functions, including directions about the processing of information that the body obtains in exercising those functions. (2) The Secretary of State may make arrangements for a person prescribed by regulations under this subsection to exercise some or all of the functions listed in subsection (3). (3) Those functions are— (a) the Secretary of State’s functions under section 251ZA, so far as they relate to relevant IT providers, and (b) the Secretary of State’s functions under section 251ZB. (4) Arrangements under subsection (2) may— (a) provide for the Secretary of State to make payments to the person, and (b) make provision as to the circumstances in which such payments are to be repaid to the Secretary of State. (5) Section 304(9) applies in relation to the power to make arrangements under subsection (2) as it applies to a power of the Secretary of State to give directions under this Act. (251ZE) (1) Regulations may make provision for the establishment and operation of a scheme for the accreditation of information technology and IT services so far as used, or intended to be used, in connection with the provision in, or in relation to, England of health care or of adult social care. (2) The regulations may provide for the scheme to be established and operated by a person specified in the regulations (“the operator”). (3) The regulations may, among other things, confer power on the operator— (a) to establish the procedure for accreditation under the scheme, (b) to set the criteria for accreditation under the scheme (“the accreditation criteria”), (c) to keep an accreditation under the scheme under review, and (d) to charge a reasonable fee in respect of an application for accreditation. (4) The regulations may, among other things, make provision requiring the operator— (a) to set some or all of the accreditation criteria by reference to information standards, (b) to publish details of the scheme, including the accreditation criteria, (c) to provide for the review of a decision to refuse an application for accreditation, and (d) to provide advice to applicants for accreditation with a view to ensuring that the accreditation criteria are met.

Schedule 16

Part 1 — Amendments of the Energy Act 2008

1

The Energy Act 2008 is amended as follows.

2

In the italic heading before section 88, after “meters” insert “: modification of licence conditions etc by Secretary of State”.

3

After section 91 insert—

(91A) (1) The Gas and Electricity Markets Authority may by regulations make provision about the procedure to be followed in relation to the grant of a smart meter communication licence. (2) Regulations under subsection (1) may provide that the procedure is to consist of either (but not both) of the following— (a) a determination by the Authority, on a competitive basis, of the person to whom a licence is to be granted; (b) the selection by the Authority, on a non-competitive basis, of the person to whom a licence is to be granted. (3) Regulations under subsection (1) may make provision by reference to a determination by the Authority or to the opinion of the Authority as to any matter. (4) The approval of the Secretary of State is required for the making of regulations under subsection (1). (5) In this section and in sections 91B to 91D— - “the Authority” means the Gas and Electricity Markets Authority; - “smart meter communication licence” means a licence under section 7AB of the Gas Act 1986 or a licence under section 6(1)(f) of the Electricity Act 1989. (91B) (1) Regulations under section 91A(1)— (a) must make provision so as to ensure that a smart meter communication licence must not be granted to a person unless the Authority is satisfied that the person would not, if granted the licence, have a financial or other interest likely to prejudice the discharge of their functions as the licence holder; (b) may make provision about the granting of a licence to a person formed by the Authority. (2) Any sums received by the Authority under regulations under section 91A(1) are to be paid into the Consolidated Fund. (3) Regulations made in reliance on section 91A(2)(a) may— (a) provide for the publication of a proposal to grant a smart meter communication licence; (b) provide for the inclusion in such a proposal of an invitation to apply for such a licence; (c) impose conditions in relation to the making of an application for a licence; (d) impose restrictions in relation to persons who may apply for a licence; (e) impose requirements as to the period within which applications must be made; (f) make provision for regulating the manner in which applications are to be considered or determined; (g) confer on the Authority functions in connection with tender exercises. (4) Regulations in reliance on section 91A(2)(a) may also include provision— (a) enabling the Authority to require payments to be made, in the form and manner prescribed, in respect of costs incurred or likely to be incurred by the Authority for the purposes of a tender exercise; (b) about the effect on a person’s participation in a tender exercise of a failure to comply with a requirement imposed by virtue of paragraph (a); (c) about the circumstances in which the tender exercise is to stop as a result of such a failure. (5) In this section— - “prescribed” means prescribed in or determined under regulations under section 91A(1); - “tender exercise” means the procedure set out in regulations made in reliance on section 91A(2)(a) for determining to whom a particular smart meter communication licence is to be granted. (91C) (1) The Authority may modify— (a) a condition of a particular relevant licence; (b) the standard conditions incorporated in relevant licences of a particular type; (c) a document maintained in accordance with the conditions of a relevant licence, or an agreement that gives effect to a document so maintained. (2) The Authority may exercise the power in subsection (1) only if the Authority considers it necessary or expedient to do so for the purposes of, or in preparation for, the grant of a smart meter communication licence. (3) The power conferred by subsection (1)— (a) may be exercised to make different provision for different purposes or different areas; (b) may be exercised generally, only in relation to specified cases or subject to exceptions (including provision for a case to be excepted only so long as specified conditions are satisfied); (c) includes a power to make incidental, supplementary, consequential or transitional modifications. (4) Provision included in a licence in reliance on subsection (1)— (a) need not relate to the activities authorised by the licence; (b) in the case of a licence for the purposes of section 5 of the Gas Act 1986, may do any of the things authorised by section 7B(5) of that Act (which apply to the Authority’s power with respect to licence conditions under section 7B(4)(a)); (c) in the case of a licence for the purposes of section 4 of the Electricity Act 1989, may do any of the things authorised by section 7(2) to (4) of that Act (which apply to the Authority’s power with respect to licence conditions under section 7(1)(a)). (5) A modification under subsection (1) of part of a standard condition of a licence does not prevent any other part of the condition from continuing to be regarded as a standard condition for the purposes of Part 1 of the Gas Act 1986 or Part 1 of the Electricity Act 1989. (6) Where the Authority makes modifications under subsection (1) of the standard conditions of a licence of any type, the Authority must— (a) make (as nearly as may be) the same modifications of those standard conditions for the purposes of their incorporation in licences of that type granted after that time, and (b) publish the modifications. (7) In this section— - “relevant licence” means a licence for the purposes of section 5 of the Gas Act 1986 or section 4 of the Electricity Act 1989 (prohibitions on unlicensed activities); - “specified” means specified in the modification. (91D) (1) Before making a modification under section 91C, the Authority must consult— (a) the holder of any licence being modified, (b) the Secretary of State, and (c) such other persons as the Authority considers appropriate. (2) Subsection (1) may be satisfied by consultation undertaken before the passing of the Data (Use and Access) Act 2025. (3) If, after carrying out the consultation, the Authority decides to make the modification, it must publish a notice about the decision which— (a) states that the Authority has decided to make the modification; (b) sets out the modification and its effect; (c) specifies the date from which the modification has effect; (d) states how the Authority has taken account of any representations made during the consultation; (e) states the reason for any differences between the modification consulted on and the proposed modification. (4) The notice must be published in such manner as the Authority considers appropriate for bringing it to the attention of those likely to be affected by the making of the modification.

4

In section 104 (subordinate legislation)—

, and (c) regulations made by the Gas and Electricity Markets Authority under section 91A.

Part 2 — Amendments of other legislation

Gas Act 1986

5

Electricity Act 1989

6

Electricity and Gas (Competitive Tenders for Smart Meter Communication Licences) Regulations 2012

7

The Electricity and Gas (Competitive Tenders for Smart Meter Communication Licences) Regulations 2012 (S.I. 2012/2414) are revoked.

Customer data and business data

Power to make provision in connection with customer data

Customer data: supplementary

Power to make provision in connection with business data

Business data: supplementary

Decision-makers

Interface bodies

Enforcement of regulations under this Part

Restrictions on powers of investigation etc

Financial penalties

Fees

Levy

Financial assistance

The FCA and financial services interfaces

The FCA and financial services interfaces: supplementary

The FCA and financial services interfaces: penalties and levies

The FCA and co-ordination with other regulators

Liability in damages

Duty to review regulations

Restrictions on processing and data protection

Regulations under this Part: supplementary

Regulations under this Part: Parliamentary procedure and consultation

Related subordinate legislation

Repeal of provisions relating to supply of customer data

Index of defined terms for this Part

Introductory

DVS trust framework

Supplementary codes

Withdrawal of a supplementary code

Review of DVS trust framework and supplementary codes

DVS register

Registration in the DVS register

Power to refuse registration in the DVS register

Registration of additional services

Supplementary notes

Addition of services to supplementary notes

Applications for registration, supplementary notes, etc

Fees for applications for registration, supplementary notes, etc

Duty to remove person from the DVS register

Power to remove person from the DVS register

Duty to remove services from the DVS register

Duty to remove supplementary notes from the DVS register

Duty to remove services from supplementary notes

Power of public authority to disclose information to registered person

Information disclosed by the Revenue and Customs

Information disclosed by the Welsh Revenue Authority

Information disclosed by Revenue Scotland

Code of practice about the disclosure of information

Trust mark for use by registered persons

Power of Secretary of State to require information

Arrangements for third party to exercise functions

Report on the operation of this Part

Index of defined terms for this Part

Powers relating to verification of identity or status

National Underground Asset Register: England and Wales

Information in relation to apparatus: England and Wales

National Underground Asset Register: Northern Ireland

Information in relation to apparatus: Northern Ireland

Pre-commencement consultation

Form in which registers of births and deaths are to be kept

Provision of equipment and facilities by local authorities

Requirements to sign register

Treatment of existing registers and records

Minor and consequential amendments

The 2018 Act and the UK GDPR

Meaning of research and statistical purposes

Consent to processing for the purposes of scientific research

Consent to law enforcement processing

Lawfulness of processing

The purpose limitation

Processing in reliance on relevant international law

Elected representatives responding to requests

Processing of special categories of personal data

Fees and reasons for responses to data subjects’ requests about law enforcement processing

Time limits for responding to data subjects’ requests

Information to be provided to data subjects

Searches in response to data subjects’ requests

Data subjects’ rights to information: legal professional privilege exemption

Automated decision-making

Data protection by design: children’s higher protection matters

Logging of law enforcement processing

General processing and codes of conduct

Law enforcement processing and codes of conduct

Transfers of personal data to third countries and international organisations

Safeguards for processing for research etc purposes

Section 86: consequential provision

National security exemption

Joint processing by intelligence services and competent authorities

Joint processing: consequential amendments

Duties of the Commissioner in carrying out functions

Codes of practice for the processing of personal data

Codes of practice: panels and impact assessments

Manifestly unfounded or excessive requests to the Commissioner

Analysis of performance

Notices from the Commissioner

Power of the Commissioner to require documents

Power of the Commissioner to require a report

Assessment notices: removal of OFSTED restriction

Interview notices

Penalty notices

Annual report on regulatory action

Complaints by data subjects

Court procedure in connection with subject access requests

Consequential amendments to the EITSET Regulations

Protection of prohibitions, restrictions and data subject’s rights

Regulations under the UK GDPR

Further minor provision about data protection

The PEC Regulations

Interpretation of the PEC Regulations

Duty to notify the Commissioner of personal data breach: time periods

Storing information in the terminal equipment of a subscriber or user

Emergency alerts: interpretation of time periods

Use of electronic mail for direct marketing by charities

Commissioner’s enforcement powers

Codes of conduct

The Information Commission

Abolition of the office of Information Commissioner

Transfer of functions to the Information Commission

Transfer of property etc to the Information Commission

Information standards for health and adult social care in England

Grant of smart meter communication licences

Disclosure of information to improve public service delivery to undertakings

Retention of information by providers of internet services in connection with death of child

Information for research about online safety matters

Retention of biometric data and recordable offences

Retention of pseudonymised biometric data

Retention of biometric data from INTERPOL

The eIDAS Regulation

Recognition of EU conformity assessment bodies

Removal of recognition of EU standards etc

Recognition of overseas trust products

Co-operation between supervisory authority and overseas authorities

Time periods: the eIDAS Regulation and the EITSET Regulations

Economic impact assessment

Report on the use of copyright works in the development of AI systems

Progress statement

Creating, or requesting the creation of, purported intimate image of adult

Power to make consequential amendments

Regulations

Extent

Commencement

Transitional, transitory and saving provision

Short title

In the New Roads and Street Works Act 1991, after Schedule 5 insert—

In the Street Works (Northern Ireland) Order 1995 (S.I. 1995/3210 (N.I. 19)), after Schedule 2 insert—

Registration Service Act 1953

Public Records Act 1958

Social Security Administration Act 1992

Education Act 1996

Adoption and Children Act 2002

Gender Recognition Act 2004

Presumption of Death Act 2013

In the UK GDPR, at the end insert—

In the UK GDPR, after Annex 1 (inserted by Schedule 4 to this Act) insert—

The UK GDPR

The 2018 Act

Introduction

Introduction

Overview and interpretation

General principles for transfer

Transfers approved by regulations

Transfers approved by regulations: monitoring

Transfers subject to appropriate safeguards

Transfers based on special circumstances

Transfers to particular recipients

Subsequent transfers

The UK GDPR

The 2018 Act

The UK GDPR: transfers approved by regulations

The UK GDPR: transfers subject to appropriate safeguards

The UK GDPR: transfers subject to appropriate safeguards provided by standard data protection clauses

The UK GDPR: transfers necessary for important reasons of public interest

The UK GDPR: restrictions on transfers of personal data to third countries and international organisations

Part 3 of the 2018 Act (law enforcement processing): transfers approved by regulations

Part 3 of the 2018 Act (law enforcement processing): transfers subject to appropriate safeguards

The UK GDPR

The 2018 Act

The UK GDPR

The 2018 Act

Victims and Prisoners Act 2024

In the PEC Regulations, before Schedule 1 insert—

This is the Schedule to be substituted for Schedule 1 to the PEC Regulations—

Schedule 12A to the Data Protection Act 2018

Transitional provision: first chair

Transitional provision: consultation about non-executive members

Transitional provision: consultation about interim chief executive

Gas Act 1986

Electricity Act 1989

Electricity and Gas (Competitive Tenders for Smart Meter Communication Licences) Regulations 2012

Editorial notes

[^key-00c54ffaec8bc8f6c098028e19081000]: Sch. 15 para. 3 not in force at Royal Assent, see s. 142(1)

[^key-015594f0a81a5209c8305f8ab05a21e4]: S. 3 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(a)

[^key-01dda67d9f6f2ef9ff115617a130104e]: S. 25 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(a)

[^key-024d5fbcb53dd74c669c532a9a90962d]: S. 90 in force at 17.11.2025 by S.I. 2025/996, reg. 2(2)(b)

[^key-02e4e1bb2b0ac48c09b34e9f873981a2]: Sch. 10 para. 5 not in force at Royal Assent, see s. 142(1)

[^key-0444dc61138bbcf220832d4c6ad823a0]: S. 71 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-05b05c8aab6682238b91af72d380acb0]: Sch. 11 para. 4 in force at 20.8.2025 by S.I. 2025/904, reg. 2(y)

[^key-05ec704a7f759d3ee97e6fc2444efaae]: Sch. 16 para. 3 in force at Royal Assent, see s. 142(2)(c)

[^key-05eea05ba082e43cd291e120cf2271be]: S. 64 not in force at Royal Assent, see s. 142(1)

[^key-05fd9478bc95c93dade7506423c36bff]: Sch. 11 para. 6 not in force at Royal Assent, see s. 142(1)

[^key-064a4bf4949c34c2f8bd8f09a64128d9]: Sch. 9 para. 11 not in force at Royal Assent, see s. 142(1)

[^key-082947224b2ca5b123f4915514103ed2]: Sch. 10 para. 19 not in force at Royal Assent, see s. 142(1)

[^key-085167e69d5197fe69499fae9ab4ff71]: Sch. 3 para. 24 not in force at Royal Assent, see s. 142(1)

[^key-089c8c40b1361f3b8caed2e9de2c08db]: Sch. 10 para. 4 not in force at Royal Assent, see s. 142(1)

[^key-0910d7d97bbd7fe1e2de670bf2c97d3b]: Sch. 10 para. 2 not in force at Royal Assent, see s. 142(1)

[^key-0a0f9931d8efae3988e858006b097241]: Sch. 11 para. 30 not in force at Royal Assent, see s. 142(1)

[^key-0b03a32f547d5a299588e25b53c328af]: S. 130 not in force at Royal Assent, see s. 142(1)

[^key-0d5c818ab23862c074af26e3961be5ca]: Sch. 15 para. 7 not in force at Royal Assent, see s. 142(1)

[^key-0d932d9c531fa9ce9138d6786a4eebcb]: Sch. 9 para. 18 not in force at Royal Assent, see s. 142(1)

[^key-0e5c282e37707675a3697024bb7dec22]: S. 36 not in force at Royal Assent, see s. 142(1)

[^key-0e813a3a3fc7318315ebf8773148bb5e]: S. 134 in force at 20.8.2025 by S.I. 2025/904, reg. 2(u)

[^key-0eb9bdaf8ecde16917dd561439ae37b1]: Sch. 9 para. 1 not in force at Royal Assent, see s. 142(1)

[^key-0f3851f71c942e010be7d3bfbe793687]: S. 128 in force at Royal Assent, see s. 142(2)(f)

[^key-0fade0d522f32b275f3a4c9177cf7087]: Sch. 11 para. 16 not in force at Royal Assent, see s. 142(1)

[^key-0fc52fc8fa1d20f96fc461300ec626b1]: S. 125 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-103676c6528c0968de8a453afb5e3284]: S. 89 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-1081d9bbc2776794fae2e9ee8d1ff3c6]: Sch. 3 para. 7 not in force at Royal Assent, see s. 142(1)

[^key-108a345b610e519b1f5495313cf60b5b]: S. 65 not in force at Royal Assent, see s. 142(1)

[^key-108a569f013e7f58376b162faa224170]: S. 62 not in force at Royal Assent, see s. 142(1)

[^key-11d6c1ddc793147d5402bc311cd29392]: Sch. 7 para. 10 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-11f4ab50da9d0311d5a9a09163bb914d]: S. 53 not in force at Royal Assent, see s. 142(1)

[^key-11feb22eab651ada68d53541af29a224]: Sch. 8 para. 3 not in force at Royal Assent, see s. 142(1)

[^key-1201015e9f9a1f7f7f583ec314497e13]: Sch. 3 para. 11 not in force at Royal Assent, see s. 142(1)

[^key-123c7c544b324095cf12bdb32cee72da]: Sch. 9 para. 28 not in force at Royal Assent, see s. 142(1)

[^key-12c1c4af498ef817e44b8e0af62f7e09]: S. 4 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-1420d1a38bb4aecc8d5fb5c60e801625]: Sch. 9 para. 2 not in force at Royal Assent, see s. 142(1)

[^key-1607233150e027bb3ef90809584d23a5]: Sch. 7 para. 9 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-18697cc514d493bf5e666c97f3fb1ec3]: Sch. 14 para. 3 not in force at Royal Assent, see s. 142(1)

[^key-1907227f39a3de88a7d7a579e809a127]: Sch. 10 para. 15 not in force at Royal Assent, see s. 142(1)

[^key-19774ed2ea592a5fdeb73c455e64f3ce]: Sch. 3 para. 23 not in force at Royal Assent, see s. 142(1)

[^key-198519e4db8a5d5db463d5cf1016fab2]: S. 55 in force at 1.12.2025 in so far as not already in force by S.I. 2025/1213, reg. 2

[^key-19eedac5989e030312e6dd22c77a756c]: S. 124 in force at 30.9.2025 in so far as not already in force by S.I. 2025/982, reg. 2

[^key-1a20ac2d78c55a7513828de9a448698e]: S. 107 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(l)

[^key-1a58cdccad4bd3cbf2f8e449eb60a343]: Sch. 15 para. 1 not in force at Royal Assent, see s. 142(1)

[^key-1b3cdc00c33d6991ed7e74156d44008c]: S. 73 not in force at Royal Assent, see s. 142(1)

[^key-1b99d275e57f36f2cd5b93814ebace01]: Sch. 7 para. 3 not in force at Royal Assent, see s. 142(1)

[^key-1c1f1228b0721842169abb6d57e4c466]: Sch. 10 para. 6 not in force at Royal Assent, see s. 142(1)

[^key-1cf8f4682f0c7fa795b8ffcdc046a283]: Sch. 11 para. 27 not in force at Royal Assent, see s. 142(1)

[^key-1d24e3244bd6a85a9774cf7b71dd9504]: S. 33 in force at 1.12.2025 by S.I. 2025/1213, reg. 2

[^key-1e854d113049f86aaf68cc82ca5b64c4]: S. 80 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-1eba37711afdc7d46b046cf15ed09da8]: Sch. 11 para. 23 not in force at Royal Assent, see s. 142(1)

[^key-1ee8ded1c593c65baddd82ec18b63db9]: Sch. 8 para. 2 not in force at Royal Assent, see s. 142(1)

[^key-211c3e3d4d218a4916fcd9a7e66e38a1]: S. 57 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-222fc9a984603a5d0751ab9fd81ddbc9]: S. 125 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(s)

[^key-22a862d7082d091ebdf7b5dcdaf63b04]: S. 107 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-22c6c15c72dd8e45ace8b0575ee5316e]: S. 23 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(a)

[^key-2300034b3dd9308c143e850990179790]: Sch. 11 para. 20 not in force at Royal Assent, see s. 142(1)

[^key-232301fea4cf4f0001f4f47556fee6e8]: S. 95 not in force at Royal Assent, see s. 142(1)

[^key-23c7b3f661512b2d06802fff4baf8057]: Sch. 6 para. 12 not in force at Royal Assent, see s. 142(1)

[^key-246cda4ec3b44f450865bd89a711d806]: S. 11 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(a)

[^key-258a25aed8cd16ad086c84606dacc2a1]: S. 46 not in force at Royal Assent, see s. 142(1)

[^key-25bf1ae21281dbe43a647f5b3c53bdf3]: S. 8 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(a)

[^key-275f68a1c470bfbc264195732d355a4e]: S. 90 not in force at Royal Assent, see s. 142(1)

[^key-291bce3e90c6cee94e3e0228863373e1]: Sch. 8 para. 1 not in force at Royal Assent, see s. 142(1)

[^key-2a04508281cdb816838dd31c53d81a8a]: S. 75 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-2a5770a71e2be27932c20c785cf3f79f]: S. 12 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-2c040a59de5e4de8d961c3e86c4ef35f]: Sch. 8 para. 4 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-2ca64090340b3f4d4ef52e3f19683f03]: S. 21 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(a)

[^key-2ca6cdee35588c135b69abcf93bb3452]: S. 106 not in force at Royal Assent, see s. 142(1)

[^key-2d786acc7080670b1fc8858b85df5981]: Sch. 6 para. 3 not in force at Royal Assent, see s. 142(1)

[^key-2f3d1dbf5e6f51aeefa7a32da1fe269e]: S. 39 in force at 1.12.2025 in so far as not already in force by S.I. 2025/1213, reg. 2

[^key-2f475952b2ccefd0ca3e200b74b9f7f6]: S. 132 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-2fca8d8636f5bb038b203b0bbd2a3d69]: S. 35 not in force at Royal Assent, see s. 142(1)

[^key-2fdd6a2429ed1935f95fbcca1bd18677]: S. 35 in force at 1.12.2025 by S.I. 2025/1213, reg. 2

[^key-311caecdd54debadc051ba0f64975243]: S. 94 not in force at Royal Assent, see s. 142(1)

[^key-312b22b0594396c34a6000396b348da6]: S. 93 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-31f797fc49479fc257494809ab4942ad]: S. 51 not in force at Royal Assent, see s. 142(1)

[^key-330a5ce128c912472db92bb5243df08b]: Sch. 11 para. 11 not in force at Royal Assent, see s. 142(1)

[^key-333b1f21cd1da57b4da6441a72a7cced]: Sch. 6 para. 2 not in force at Royal Assent, see s. 142(1)

[^key-33c0bdce00b9df19cc99a2ae0e2a4a65]: S. 38 in force at 1.12.2025 by S.I. 2025/1213, reg. 2

[^key-33dd396326df03a412d07869b3adb0fd]: S. 41 in force at 1.12.2025 by S.I. 2025/1213, reg. 2

[^key-34659b6933562c6f1afd2a6dfbf111cd]: Sch. 11 para. 27 in force at 20.8.2025 by S.I. 2025/904, reg. 2(y)

[^key-350063a8667012f8b1a321c080057b3b]: S. 1 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-350cc432c7fd97d9bb212c88bf0e5a5c]: S. 39 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-3519622e06b6a91519ee47bf7a3db720]: S. 101 not in force at Royal Assent, see s. 142(1)

[^key-351a270a57ffa9b28da1cbf03d42d268]: S. 79 in force at 5.9.2025 by S.I. 2025/996, reg. 2(1)(a) (with reg. 3)

[^key-36d7028bfc8e0aee76a1c1c9f42748ed]: S. 1 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(a)

[^key-373a6b4614e6a50cf5f332ad9c4e904c]: Sch. 16 para. 4 in force at Royal Assent, see s. 142(2)(c)

[^key-378f308b98bc8e7fd61985c05fa7bd65]: Sch. 9 para. 3 not in force at Royal Assent, see s. 142(1)

[^key-383ac868e7f31ffc785f8d7cf01e5e87]: Sch. 14 para. 4 in force at 20.8.2025 by S.I. 2025/904, reg. 2(z)

[^key-388f299aae8c9dcf19736d00ecb98738]: S. 33 not in force at Royal Assent, see s. 142(1)

[^key-3922361eb12fd4300f3951e3b1b12c96]: Sch. 16 para. 6 not in force at Royal Assent, see s. 142(4)

[^key-394ea6d7bd9ced7cb2d2bd88b23dc572]: Sch. 11 para. 12 not in force at Royal Assent, see s. 142(1)

[^key-3a442dbbfddc723461bab5fe3dd9f940]: S. 2 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-3b0523a32893cd9c2be6f93add591560]: Sch. 3 para. 4 not in force at Royal Assent, see s. 142(1)

[^key-3ba1e10cd0e39d751f5671fa23a12365]: Sch. 3 para. 22 not in force at Royal Assent, see s. 142(1)

[^key-3be20c61a816866af0a4e254062122cd]: Sch. 11 para. 7 in force at 20.8.2025 by S.I. 2025/904, reg. 2(y)

[^key-3c29638c99b7109c735d6b9d75a5ef9c]: S. 10 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(a)

[^key-3c52865447137639654245d6b6328cfc]: Sch. 11 para. 10 in force at 20.8.2025 by S.I. 2025/904, reg. 2(y)

[^key-3f58f5cddb5c9120c990c458e32a02a4]: S. 108 in force at 20.8.2025 by S.I. 2025/904, reg. 2(m)

[^key-408b42100e91223bda990e31981507a6]: Sch. 10 para. 13 not in force at Royal Assent, see s. 142(1)

[^key-41ce62137846b0ba3049b6503527e316]: Sch. 1 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-42708e1431dde7ee3eaa8d4a3e0c70b2]: S. 88 not in force at Royal Assent, see s. 142(1)

[^key-427960d74b39f13a4370c39050aa55e5]: S. 58 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-434161d7ce8fe25a00f163f6c38e40cf]: S. 49 not in force at Royal Assent, see s. 142(1)

[^key-43839d07039c07c5c50528ee8183286d]: S. 51 in force at 1.12.2025 by S.I. 2025/1213, reg. 2

[^key-43a10f7ea4db70cdf64b76aeadb030e9]: Sch. 9 para. 17 not in force at Royal Assent, see s. 142(1)

[^key-43f8dbdd40ef16f11578a8c6dd7b6b83]: S. 105 not in force at Royal Assent, see s. 142(1)

[^key-4436a2f4a86d2d9d4df6a00a6df79ca8]: Sch. 9 para. 21 not in force at Royal Assent, see s. 142(1)

[^key-44a6bcc91b3e72e1065b23e6880fcdff]: Sch. 9 para. 23 not in force at Royal Assent, see s. 142(1)

[^key-44b0c201dd231c438c2eb58291ed0ff8]: Sch. 11 para. 2 not in force at Royal Assent, see s. 142(1)

[^key-44bf92bafaab315e29054de481b54a1e]: S. 40 in force at 1.12.2025 by S.I. 2025/1213, reg. 2

[^key-46c0e2564faf92d9beee84a56fd23202]: S. 135 not in force at Royal Assent, see s. 142(1)

[^key-46c122ac7c708126f90c0d82332f0509]: S. 102 in force at 20.8.2025 by S.I. 2025/904, reg. 2(i)

[^key-47074f7a0c54f65376fac43ba762e2a8]: Sch. 10 para. 10 not in force at Royal Assent, see s. 142(1)

[^key-4716e100d03c91baef8130e24287b377]: Sch. 3 para. 27 not in force at Royal Assent, see s. 142(1)

[^key-47b1c00c2bdf6d6c40119fa45b9a22b5]: S. 18 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(a)

[^key-484a46a3e8d0767057a33ed689c0bb5e]: S. 40 not in force at Royal Assent, see s. 142(1)

[^key-49486096afa680f7dcebb8122a901630]: Sch. 16 para. 2 in force at Royal Assent, see s. 142(2)(c)

[^key-4950e6df2ecb4aaf62b2b2eb9d9466e8]: S. 72(7) in force at 20.8.2025 for specified purposes by S.I. 2025/904, reg. 2(b)

[^key-49737951b1e412ac2be2185cce81a54e]: Sch. 9 para. 22 not in force at Royal Assent, see s. 142(1)

[^key-497390032157a44f84493f272265bdc2]: Sch. 3 para. 20 not in force at Royal Assent, see s. 142(1)

[^key-49754cd90f60869bb12a4473a213606a]: Sch. 11 para. 19 not in force at Royal Assent, see s. 142(1)

[^key-49a5eaca435bbfe059b79b4905862c70]: S. 7 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(a)

[^key-4b35a2f1ed17509de49b05cf26b52936]: Sch. 6 para. 9 not in force at Royal Assent, see s. 142(1)

[^key-4b6312169f4e96fa02d546fd15a50dfd]: S. 67 not in force at Royal Assent, see s. 142(1)

[^key-4bc81ccea0baecb58eb8f3e8fc62ee64]: Sch. 11 para. 18 not in force at Royal Assent, see s. 142(1)

[^key-4d8294d8484220e8496acc513f73f090]: S. 87 not in force at Royal Assent, see s. 142(1)

[^key-4dddd4b13cfd8c96deea5be8471dc093]: Sch. 10 para. 3 not in force at Royal Assent, see s. 142(1)

[^key-4e03685f63f9e2b9ba2753d198dc82e2]: Sch. 14 para. 2 not in force at Royal Assent, see s. 142(1)

[^key-4e4ed9ce42cb315d1e0f626685011750]: S. 72(1)(2)(4)-(6)(8) in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(b)

[^key-4ec5b0b651d1a6d5412ce6117e7c9803]: Sch. 14 para. 2 in force at 20.8.2025 by S.I. 2025/904, reg. 2(z)

[^key-4f97425bfd974750c81f3ca2acb46c15]: Sch. 15 para. 2 not in force at Royal Assent, see s. 142(1)

[^key-4fbe1dcc212b65a6c404c5efe7c16f30]: Sch. 11 para. 15 not in force at Royal Assent, see s. 142(1)

[^key-50ffb1a3579043e19c552cf176811d3d]: S. 106 in force at 20.8.2025 by S.I. 2025/904, reg. 2(k)

[^key-51330fd81ab125f308bff51233d967f9]: Sch. 3 para. 12 not in force at Royal Assent, see s. 142(1)

[^key-5269ac813c9b98f1aaedf25736d517c7]: Sch. 11 para. 24 in force at 20.8.2025 by S.I. 2025/904, reg. 2(y)

[^key-52a39f65a485c66ad65bc267a9753564]: S. 20 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(a)

[^key-52cfbb4f5d228ec4214c1e7a33f64d80]: S. 104 not in force at Royal Assent, see s. 142(1)

[^key-5342f0bc0225116bad33830a5c1a0943]: Sch. 15 para. 4 not in force at Royal Assent, see s. 142(1)

[^key-5525a8f84c9b7ff622637f432b8b7a7c]: Sch. 9 para. 10 not in force at Royal Assent, see s. 142(1)

[^key-55cf36ee7ae340f2b04ee669a9444e83]: Sch. 11 para. 8 in force at 20.8.2025 by S.I. 2025/904, reg. 2(y)

[^key-5628f691fec87c25de6c892125dd7f71]: Sch. 11 para. 1 not in force at Royal Assent, see s. 142(1)

[^key-566db9be706a67145e66e1f3006bbcc5]: Sch. 10 para. 12 not in force at Royal Assent, see s. 142(1)

[^key-56d8eaf44d200b7015c41f8afe525b13]: S. 50 not in force at Royal Assent, see s. 142(1)

[^key-571f970f9b4cc3e65f185e57530d2dd9]: Sch. 9 para. 19 not in force at Royal Assent, see s. 142(1)

[^key-596e3893b93e544a88c70ecbea4127a4]: Sch. 11 para. 22 not in force at Royal Assent, see s. 142(1)

[^key-59b451ddfff7bb764175c4714f7392ab]: S. 17 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(a)

[^key-59cdd052f89a169b278598ce6c59aeda]: Sch. 2 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-59d8f2723813dfdb784ca5f39caeba42]: S. 111 in force at 20.8.2025 by S.I. 2025/904, reg. 2(p)

[^key-59dba4ac22ba76a938fd5387b5aa326a]: Sch. 9 para. 5 not in force at Royal Assent, see s. 142(1)

[^key-5be79df951f084492e2238339815b608]: S. 34 in force at 1.12.2025 by S.I. 2025/1213, reg. 2

[^key-5c2cb20121f91bc07db6c072dc770ebf]: S. 8 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-5c481f7a6695811594bb9d7d7b3325ce]: S. 111 not in force at Royal Assent, see s. 142(1)

[^key-5c82f1517d9de7812af9e63ed1595cdc]: S. 74 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(c)

[^key-5ca13550d56b1577fecf4fb39ec4357f]: S. 84 not in force at Royal Assent, see s. 142(1)

[^key-5ce5af7ca8047407064b765af5dff5de]: S. 100 not in force at Royal Assent, see s. 142(1)

[^key-5dafe7f6870e1de780eaef8142d3c790]: S. 15 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-5dddea88d7f859e282b859a08ea5d7c2]: S. 140 in force at Royal Assent, see s. 142(2)(g)

[^key-5eb6386997aa3d2ecac6c7d5627275d3]: Sch. 11 para. 18 in force at 20.8.2025 by S.I. 2025/904, reg. 2(y)

[^key-5ebf0a586fa40f89ed44224fba4dc44d]: Sch. 16 para. 1 in force at Royal Assent, see s. 142(2)(c)

[^key-5ec5e75fb0b1fa07e6a3be85a82c692e]: Sch. 3 para. 16 not in force at Royal Assent, see s. 142(1)

[^key-5f86d12ab0342c9d5a2de8f440aa2f57]: Sch. 14 para. 4 not in force at Royal Assent, see s. 142(1)

[^key-5fc8b63f543a16a1a333a0a3060fe41c]: S. 110(1)(2)(c)(4)(5) in force at 20.8.2025 by S.I. 2025/904, reg. 2(o)

[^key-5fd738ac6198a32094047bf2e8e7b01f]: S. 21 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-60042f872f4165db2875625c302eef17]: S. 25 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-602b3e031898016cf0230bfe445356ae]: S. 98 not in force at Royal Assent, see s. 142(1)

[^key-615654bf6d2314391aaeadafdfc325b3]: S. 92 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-61e200308c27eff83ee53224243ca452]: Sch. 15 para. 5 not in force at Royal Assent, see s. 142(1)

[^key-61ef260cfc63f04ee4a910f40000f309]: Sch. 3 para. 13 not in force at Royal Assent, see s. 142(1)

[^key-61fc32c2094c1847c3e0e416fa4def86]: Sch. 6 para. 13 not in force at Royal Assent, see s. 142(1)

[^key-62a2c04ff95d9e94c57ce2c45990a56d]: S. 13 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-6322d04917a0051d92186526c700e0ca]: S. 55 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-63a14e2be78bbe039cd85d79758f7ecd]: S. 69 in force at 19.8.2025, see s. 142(3)(a)

[^key-642ba73862519fd792dffa5b33f48759]: Sch. 11 para. 8 not in force at Royal Assent, see s. 142(1)

[^key-64b5bd143707a9f90255eac13a45d523]: S. 127 in force at Royal Assent, see s. 142(2)(e)

[^key-651106dba136385d1aa054d46ad81f61]: Sch. 9 para. 9 not in force at Royal Assent, see s. 142(1)

[^key-6540ef14f0f9a75603053edcbd8f831f]: S. 20 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-66dea301e99f1864956a7ea262d154c2]: Sch. 16 para. 7 not in force at Royal Assent, see s. 142(4)

[^key-68cb04392ae6b208883c169cb954886e]: Sch. 13 not in force at Royal Assent, see s. 142(1)

[^key-6946d31bf92a5127997bc034288e4dfa]: Sch. 11 para. 7 not in force at Royal Assent, see s. 142(1)

[^key-699f05fe19260748d445fa755895c980]: Sch. 11 para. 3 in force at 20.8.2025 by S.I. 2025/904, reg. 2(y)

[^key-69f96a1d7b833947c377630b897efdb4]: S. 141 in force at Royal Assent, see s. 142(2)(g)

[^key-6af15f01a7bbd7d1f40d424b31197a46]: S. 41 not in force at Royal Assent, see s. 142(1)

[^key-6c2d6e74818e44ae1869fe4f0e66ca86]: S. 78 in force at Royal Assent, see s. 142(2)(b)

[^key-6dcbdf915826cf40b1cc3f95c78a7fba]: Sch. 9 para. 13 not in force at Royal Assent, see s. 142(1)

[^key-6ddd11b09f706f898f7cb9f0467e1290]: Sch. 15 para. 6 not in force at Royal Assent, see s. 142(1)

[^key-6e3f641845bb01fc5e785efadc5093ca]: S. 52 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-6f4b26e281d2e2dae31e4c1909d529ac]: Sch. 6 para. 1 not in force at Royal Assent, see s. 142(1)

[^key-701ce0c189a7277517ce31a30fb430f6]: Sch. 7 para. 8 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-703bae07e66305e71a0beffee0f43f08]: S. 137 in force at 20.8.2025 by S.I. 2025/904, reg. 2(x)

[^key-706565a74df048b12c39eb42dda49cf6]: S. 85 not in force at Royal Assent, see s. 142(1)

[^key-7108dca8124834995ad99da6e44fc529]: S. 109 not in force at Royal Assent, see s. 142(1)

[^key-7118e8db7074b0a20cecd5b49f57f972]: S. 59 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-71cd9a9e8268adc1fdec392905c96730]: Sch. 11 para. 10 not in force at Royal Assent, see s. 142(1)

[^key-731b783651ac18b24c293073a57dea73]: Sch. 9 para. 30 not in force at Royal Assent, see s. 142(1)

[^key-733de8a99368dfe1b6fb07a72fee369f]: Sch. 8 para. 9 not in force at Royal Assent, see s. 142(1)

[^key-734d0c5df3afcc6d678e0b9ace503521]: S. 26 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-736c7e7f6d77d5624cf0c557027071d2]: Sch. 3 para. 19 not in force at Royal Assent, see s. 142(1)

[^key-73873a4f57f905481d30303c4e5d1328]: S. 31 not in force at Royal Assent, see s. 142(1)

[^key-744a9ea0b58b58e122acd58d7f380c33]: Sch. 11 para. 1 in force at 20.8.2025 by S.I. 2025/904, reg. 2(y)

[^key-75b0b0cc2ae8edfa81c5ffa5a794a79f]: S. 91 in force at 20.8.2025 by S.I. 2025/904, reg. 2(e)

[^key-766cbd2c48bfec4938c89b7949bdc6cf]: S. 120 not in force at Royal Assent, see s. 142(1)

[^key-767f5463af3a42e6acf625f6bb85065b]: Sch. 9 para. 32 not in force at Royal Assent, see s. 142(1)

[^key-76db00fdcee52f16a182e85f28ddce01]: S. 135 in force at 20.8.2025 by S.I. 2025/904, reg. 2(v)

[^key-77213ce281bead3a87ea5dc7a7bc62f5]: S. 68 not in force at Royal Assent, see s. 142(1)

[^key-77bfe746aaf1ced4a7adc3cf598f3b4e]: S. 14 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(a)

[^key-782e6008503a8b666452fe13d3888231]: S. 31 in force at 1.12.2025 by S.I. 2025/1213, reg. 2

[^key-78c1a789ad74a42b53a2ca650471a9ed]: Sch. 4 not in force at Royal Assent, see s. 142(1)

[^key-792e43a7ff6034d3fd2947b92fc14429]: S. 144 in force at Royal Assent, see s. 142(2)(g)

[^key-793d6f1d616b7c298cdb92ef6df6d8f6]: Sch. 9 para. 15 not in force at Royal Assent, see s. 142(1)

[^key-79506e562617066ecf18cf0a31346fda]: S. 119 not in force at Royal Assent, see s. 142(1)

[^key-79ab0ea69236754bfd588cee64f2b0e5]: S. 126 in force at Royal Assent, see s. 142(2)(d)

[^key-7a050a8d605e2fd77419bde1d6063309]: Sch. 16 para. 5 not in force at Royal Assent, see s. 142(4)

[^key-7a3c44b5d590fbda931f1180f0f40054]: S. 66 in force at Royal Assent, see s. 142(2)(a)

[^key-7adb831b56981c7749fe0892607de822]: Sch. 11 para. 9 not in force at Royal Assent, see s. 142(1)

[^key-7c86efd544c4a19bb9ce164962f4c486]: Sch. 3 para. 14 not in force at Royal Assent, see s. 142(1)

[^key-7d5ed75ad20a17725fe24048e424bc40]: Sch. 9 para. 25 not in force at Royal Assent, see s. 142(1)

[^key-7de774ca525637048099703b30532c4d]: Sch. 14 para. 1 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-7f1de8625e149b6d5017f0b05131c744]: S. 15 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(a)

[^key-811e1d5474274919ce3013f008e51284]: Sch. 11 para. 2 in force at 20.8.2025 by S.I. 2025/904, reg. 2(y)

[^key-82049da6e998e9b037cfbffd9811b984]: S. 19 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-826e0ca8826898788b99ad65531376d3]: Sch. 11 para. 24 not in force at Royal Assent, see s. 142(1)

[^key-832785b3f9f0adc9aff72687198477f1]: S. 47 not in force at Royal Assent, see s. 142(1)

[^key-839f9453acf5200f06271beb8dd8eba1]: S. 86 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-848e019bada2a78c7d3b51f57aa5378c]: Sch. 10 para. 9 not in force at Royal Assent, see s. 142(1)

[^key-85aab3f874e3f3e24330fa1f7a37c747]: Sch. 14 para. 3 in force at 20.8.2025 by S.I. 2025/904, reg. 2(z)

[^key-86db3a4d593b0b25477fe689d8867867]: S. 26 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(a)

[^key-890f511a40709e23ba8f71c7c4187654]: S. 24 in force at 20.8.2025 by S.I. 2025/904, reg. 2(a)

[^key-89cc2abf89dbf11552b637b9a50b7ac7]: S. 92 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(f)

[^key-8b304fdee5681d28af32d02d879869ea]: Sch. 11 para. 26 in force at 20.8.2025 by S.I. 2025/904, reg. 2(y)

[^key-8b39d2f3165d68e7c10c952c0aa44ea2]: Sch. 3 para. 28 not in force at Royal Assent, see s. 142(1)

[^key-8bb5a02e9ba0febabcb6cf72fa2aaf5c]: S. 12 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(a)

[^key-8bbc14a4ec617b1694507dad6b2149a3]: Sch. 11 para. 28 not in force at Royal Assent, see s. 142(1)

[^key-8beb2404e45f1a375c3ace9d6331b4db]: S. 131 not in force at Royal Assent, see s. 142(1)

[^key-8c6749d8821471fcda7de4e902275515]: Sch. 12 not in force at Royal Assent, see s. 142(1)

[^key-8ca923965f74153054fd48b16df157f2]: S. 76 not in force at Royal Assent, see s. 142(1)

[^key-8d5363ffb8e01f638df50490788b5588]: S. 29 in force at 1.12.2025 by S.I. 2025/1213, reg. 2

[^key-8ea8a604f9104d5cac22cfa7c89a57ef]: S. 139 in force at Royal Assent, see s. 142(2)(g)

[^key-8f1d990bcb38e340e681f0341085ea6f]: Sch. 9 para. 24 not in force at Royal Assent, see s. 142(1)

[^key-8f77b1b37f96d858dcf7d7db6f40d85d]: Sch. 11 para. 13 not in force at Royal Assent, see s. 142(1)

[^key-8f9860cc5be90e84d78d6c4b03910bef]: S. 117 not in force at Royal Assent, see s. 142(1)

[^key-8fb0415a00bdafc653bf2539ee96813e]: S. 19 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(a)

[^key-908c8b806bbb2da969886c101a170f95]: S. 84 in force at 20.8.2025 by S.I. 2025/904, reg. 2(d)

[^key-910bb7f14ad478ee967fb5e8933d4f89]: Sch. 9 para. 33 not in force at Royal Assent, see s. 142(1)

[^key-918bfe0aabd059440a5cb0ade2ca6a63]: S. 103 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-919a781c7af84c6c04206d1245bd0adf]: Sch. 11 para. 4 not in force at Royal Assent, see s. 142(1)

[^key-91c1830a9efadaa889e472c2dfdb056d]: S. 142 in force at Royal Assent, see s. 142(2)(g)

[^key-9394ef4c032653ea02d0f1022a10b447]: Sch. 11 para. 26 not in force at Royal Assent, see s. 142(1)

[^key-93e30511003faf2e0dfcace2ba790b51]: Sch. 3 para. 9 not in force at Royal Assent, see s. 142(1)

[^key-93ed441b513cfbf6fa4e0a2f0477a735]: S. 27 not in force at Royal Assent, see s. 142(1)

[^key-94233fd27925546de3333838bc6ebab6]: S. 104 in force at 20.8.2025 by S.I. 2025/904, reg. 2(j)

[^key-94eb112788fea8e77c439090267b3ec0]: S. 13 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(a)

[^key-95bd8242ac06e94577f394970de2f666]: S. 5 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-95dd2500406006f105959004eac1d5af]: Sch. 11 para. 12 in force at 20.8.2025 by S.I. 2025/904, reg. 2(y)

[^key-9624d4e866bc49f86e2669c5fb431436]: S. 138 not in force at Royal Assent, see s. 142(1)

[^key-9711544c02a84845651018cebef61d30]: Sch. 10 para. 20 not in force at Royal Assent, see s. 142(1)

[^key-972c43fdd8774f897b2126f4de29c36b]: Sch. 10 para. 1 not in force at Royal Assent, see s. 142(1)

[^key-975ac4a8e05ef5edb3af203784c880a7]: S. 54 not in force at Royal Assent, see s. 142(1)

[^key-97aa062c370c884acad87a643cc9d314]: Sch. 8 para. 6 not in force at Royal Assent, see s. 142(1)

[^key-97b15f4f926e9dd3fe1c4e4d132babb8]: S. 133 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-97e5e6f9c7cfb63dacae4c5916b66f16]: Sch. 11 para. 17 in force at 20.8.2025 by S.I. 2025/904, reg. 2(y)

[^key-9bd393302503f2e82388f7790cc70735]: Sch. 9 para. 29 not in force at Royal Assent, see s. 142(1)

[^key-9beb3d79b29d4b3bfc3bfd73ee551b76]: Sch. 10 para. 18 not in force at Royal Assent, see s. 142(1)

[^key-9bf709cf1b4d4790bb91c44d6a1f4b32]: S. 136 not in force at Royal Assent, see s. 142(1)

[^key-9c9aad11a210c684bb3f37730a0922bf]: S. 53 in force at 1.12.2025 by S.I. 2025/1213, reg. 2

[^key-9c9d5c35b3f4cd9d80044b80e83963d7]: S. 6 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(a)

[^key-9e8da22e95c12fba38f1da2061dc79e0]: Sch. 11 para. 5 not in force at Royal Assent, see s. 142(1)

[^key-9effbc5d3f2f06523f398d17e37980e3]: S. 5 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(a)

[^key-9faa29c0a8aee3f4a6260d73a42b69b8]: Sch. 7 para. 4 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-9fef2c58aee79f39835c0c57a8454fad]: S. 11 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-9ffcd79febe09ea51c642c46e98ada0b]: S. 108 not in force at Royal Assent, see s. 142(1)

[^key-a076feb997215ebc83c1d6bcb8271b3a]: S. 4 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(a)

[^key-a1139eaad68ca6fb8ead8ec8609b73b6]: Sch. 3 para. 17 not in force at Royal Assent, see s. 142(1)

[^key-a1b2da85ef358c3396eaf2dfb6790e8c]: Sch. 11 para. 9 in force at 20.8.2025 by S.I. 2025/904, reg. 2(y)

[^key-a30bb4ee61978375c1a4088294d6a225]: S. 97 in force at 19.8.2025, see s. 142(3)(d)

[^key-a3f9badef220a6dabff7bb6dc0603908]: Sch. 6 para. 6 not in force at Royal Assent, see s. 142(1)

[^key-a488dce014b5fcc4430c999b1fb52d6a]: Sch. 11 para. 19 in force at 20.8.2025 by S.I. 2025/904, reg. 2(y)

[^key-a4de78d4fd1998cb0c02daa3564a726d]: Sch. 3 para. 2 not in force at Royal Assent, see s. 142(1)

[^key-a4e7871e95a809cd365904f76c94d53e]: Sch. 11 para. 32 not in force at Royal Assent, see s. 142(1)

[^key-a5b50d45df48d277763eea3d2bc92c5f]: S. 110 not in force at Royal Assent, see s. 142(1)

[^key-a5f36ec61ee6692a3f3dfc0fce17340a]: S. 7 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-a6121b29b8412c6c67a2414b9fd9f18b]: Sch. 11 para. 6 in force at 20.8.2025 by S.I. 2025/904, reg. 2(y)

[^key-a6c122a5210cbf54fd4954e66da51e79]: S. 9 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-a6e80df4ef7ca719010a3ceb87c63f11]: Sch. 11 para. 14 in force at 20.8.2025 by S.I. 2025/904, reg. 2(y)

[^key-a6ff38d2541fdf0acf31db867e8dc059]: Sch. 9 para. 7 not in force at Royal Assent, see s. 142(1)

[^key-a8bbb1a980e699d687f248160b1bc9bd]: Sch. 11 para. 11 in force at 20.8.2025 by S.I. 2025/904, reg. 2(y)

[^key-aae8e862af384256b4a39b211dec96b9]: Sch. 10 para. 7 not in force at Royal Assent, see s. 142(1)

[^key-ab28217668eed69726862f8fe2ff7bbe]: S. 44 not in force at Royal Assent, see s. 142(1)

[^key-abbefb87495425149e6e0640d7373750]: S. 3 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-acc2a2f077fb5f33653443d2d3e66b46]: S. 16 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(a)

[^key-ad6b657682c873adff9aa8bda62ab87d]: S. 118 not in force at Royal Assent, see s. 142(1)

[^key-ad74651ac21e76f6e8588da1550cde30]: Sch. 9 para. 14 not in force at Royal Assent, see s. 142(1)

[^key-ae22a687652e408315c4b3c041889e8e]: S. 43 in force at 1.12.2025 by S.I. 2025/1213, reg. 2

[^key-ae2ef304d4e6cae9f977b0a39aa0e972]: Sch. 11 para. 13 in force at 20.8.2025 by S.I. 2025/904, reg. 2(y)

[^key-aecdd27e69ffac5f8ea0104b3cb27af4]: Sch. 9 para. 31 not in force at Royal Assent, see s. 142(1)

[^key-af6a299003f1a043f762b3beefa003d5]: Sch. 10 para. 8 not in force at Royal Assent, see s. 142(1)

[^key-af73c402fe18c9855a77d12b95cb97c5]: Sch. 3 para. 6 not in force at Royal Assent, see s. 142(1)

[^key-b003703ac7eac13299c77ba48ca91678]: S. 14 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-b051c3a4adadf16623fe68559ab21b14]: S. 95 in force at 20.8.2025 by S.I. 2025/904, reg. 2(h)

[^key-b0a23bc35044d8e199cb04392ff4da62]: S. 22 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-b0d10b077971bbec523a760dcf60b5f2]: S. 50 in force at 1.12.2025 by S.I. 2025/1213, reg. 2

[^key-b0e1058caf77662d75668567e572d93f]: S. 123 not in force at Royal Assent, see s. 142(1)

[^key-b28d7cfffa0f58dc6e89bf6763ce8516]: S. 32 in force at 1.12.2025 by S.I. 2025/1213, reg. 2

[^key-b38706657c75f06f1c32740d61977a2e]: Sch. 10 para. 16 not in force at Royal Assent, see s. 142(1)

[^key-b3d90bf339f5e1729368f6034891aba2]: Sch. 7 para. 5 not in force at Royal Assent, see s. 142(1)

[^key-b58696af2b838b8c39a051dc53065ac7]: S. 34 not in force at Royal Assent, see s. 142(1)

[^key-b5eac1ed1c811bcac219e5589c31e820]: S. 30 in force at 1.12.2025 by S.I. 2025/1213, reg. 2

[^key-b65addc598837b116f94c3e3261708aa]: S. 136 in force at 20.8.2025 by S.I. 2025/904, reg. 2(w)

[^key-b6c07c3c1de49ee6d91d6c1db8563f6f]: S. 81 not in force at Royal Assent, see s. 142(1)

[^key-b7de4349e24056c3cad5136733d64f82]: S. 9 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(a)

[^key-b85bb128b9a61712c79cc08972719db5]: S. 56 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-b8810e763e664c91612e5c77033abf74]: Sch. 3 para. 3 not in force at Royal Assent, see s. 142(1)

[^key-b888329e5edd109714f1056752401f03]: S. 42 in force at 1.12.2025 by S.I. 2025/1213, reg. 2

[^key-ba2b95a831f8c2d67c6ba1c32df61366]: S. 16 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-ba67d115fc93e409627456173ec62cc7]: Sch. 11 para. 21 not in force at Royal Assent, see s. 142(1)

[^key-ba9c2569f49724b451af695b52129d1f]: Sch. 5 not in force at Royal Assent, see s. 142(1)

[^key-bb4e0973d4e19867da49aef5fc11b2b7]: S. 83 not in force at Royal Assent, see s. 142(1)

[^key-bb55d8f68bb49d0729bb33411576be7d]: S. 10 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-bba9f432581e6d569c6d76e76b5703ca]: Sch. 10 para. 14 not in force at Royal Assent, see s. 142(1)

[^key-bbd59fde700edda9b3dc7c0150769889]: Sch. 9 para. 6 not in force at Royal Assent, see s. 142(1)

[^key-bbf39574f26fede1f6e07c1feae3f475]: Sch. 6 para. 16 not in force at Royal Assent, see s. 142(1)

[^key-bc52b69a904b4e948b6c502073be4ea8]: Sch. 11 para. 17 not in force at Royal Assent, see s. 142(1)

[^key-bcb07169e6dcb8c53cda97571309dde3]: Sch. 6 para. 7 not in force at Royal Assent, see s. 142(1)

[^key-bcfeadfb5407f9fd0926f754850162c0]: S. 17 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-bd615d460916e7e1f89b9f79b3acc66b]: S. 79 not in force at Royal Assent, see s. 142(1)

[^key-bda584b010b0415764ba1d53713baee1]: Sch. 9 para. 26 not in force at Royal Assent, see s. 142(1)

[^key-bdefd775c6b688fbeb9c080bf88591fb]: S. 137 not in force at Royal Assent, see s. 142(1)

[^key-be615653ba7dafcec4b433d08c27f3b8]: Sch. 8 para. 5 not in force at Royal Assent, see s. 142(1)

[^key-c039161ae886e5782accc1567bb07050]: S. 88 in force at 5.9.2025 by S.I. 2025/996, reg. 2(1)(b) (with reg. 4)

[^key-c0e88edeed8ccd82259e40721e65ae94]: S. 74 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-c18e800a9c8eec7b4686aed0d622a6b0]: Sch. 9 para. 20 not in force at Royal Assent, see s. 142(1)

[^key-c20e150c57b52cd34d3a969685f97fc5]: S. 48 not in force at Royal Assent, see s. 142(1)

[^key-c274c60ec5afca3561cf4abd89b570e4]: S. 124 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-c2f91697740ff98c36d02e301f8a2fa4]: Sch. 3 para. 8 not in force at Royal Assent, see s. 142(1)

[^key-c37b4bf96cc140a9b653bfdc51441fc6]: S. 38 not in force at Royal Assent, see s. 142(1)

[^key-c4a223254219c196725ee7a08394d686]: Sch. 3 para. 25 not in force at Royal Assent, see s. 142(1)

[^key-c588feeab7d15a631db5dc777dd5cfde]: Sch. 10 para. 11 not in force at Royal Assent, see s. 142(1)

[^key-c599bd2ba7b18cf8269ac24bd01ded08]: S. 114 not in force at Royal Assent, see s. 142(1)

[^key-c5a5d661fe71240dc6aacfba04b75736]: S. 28 in force at 1.12.2025 by S.I. 2025/1213, reg. 2

[^key-c5ee666a4b7cc513dcb904ddc3b6581f]: S. 22 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(a)

[^key-c666c7d9dd8f344a8eece1d795588b6b]: S. 63 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-c69a90a1f83602e74528e3caa364614e]: Sch. 8 para. 10 not in force at Royal Assent, see s. 142(1)

[^key-c956dbbe8519d7e2c7397a03fad0f2d3]: S. 60 not in force at Royal Assent, see s. 142(1)

[^key-c999b703d9547ce0f92162e27c84daef]: Sch. 3 para. 26 not in force at Royal Assent, see s. 142(1)

[^key-cafdf7fc4487094891469fc1b453bbeb]: S. 45 not in force at Royal Assent, see s. 142(1)

[^key-cc557a3e76a8791160a8651df913ce35]: Sch. 3 para. 1 not in force at Royal Assent, see s. 142(1)

[^key-ccd1996dcd3f026f4c09c6a1acd2c751]: Sch. 15 para. 8 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-cd5b98712700b116834fe06106bca67b]: Sch. 11 para. 15 in force at 20.8.2025 by S.I. 2025/904, reg. 2(y)

[^key-ce77dfe5af7230ae4c39b425afc51e70]: Sch. 6 para. 11 not in force at Royal Assent, see s. 142(1)

[^key-cfac575d7ad1a38e945c5834144446c0]: S. 96 in force at 19.8.2025, see s. 142(3)(c)

[^key-d0472b031253be5e747e390780af5a6d]: Sch. 14 para. 1 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(z) (with reg. 1(3))

[^key-d048ba5e52485b0d805eccf323ca670d]: S. 6 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-d2887f39acef71229374ec7439133c19]: Sch. 7 para. 7 not in force at Royal Assent, see s. 142(1)

[^key-d33762f92ec97a365cde99aa50a06efc]: S. 49 in force at 1.12.2025 by S.I. 2025/1213, reg. 2

[^key-d33c11d90ed44159c45c109d2ec82c99]: Sch. 11 para. 29 not in force at Royal Assent, see s. 142(1)

[^key-d49201c9560d2a005ad3b76b754a2a2b]: Sch. 10 para. 17 not in force at Royal Assent, see s. 142(1)

[^key-d502d3d02e65531eee981d296acac56c]: Sch. 9 para. 12 not in force at Royal Assent, see s. 142(1)

[^key-d549dd24aa2e28f32f0a1c8c580a2728]: Sch. 9 para. 16 not in force at Royal Assent, see s. 142(1)

[^key-d557bcf446f4d51be8349fb1e239ad26]: S. 89 in force at 17.11.2025 in so far as not already in force by S.I. 2025/996, reg. 2(2)(a)

[^key-d628ba7fd5d1b6f1aadde13bad602396]: Sch. 3 para. 15 not in force at Royal Assent, see s. 142(1)

[^key-d72696026f969e631220e93319301761]: S. 27 in force at 1.12.2025 by S.I. 2025/1213, reg. 2

[^key-d77830d20fc0f3acb2cec197a69b9529]: Sch. 11 para. 16 in force at 20.8.2025 by S.I. 2025/904, reg. 2(y)

[^key-d7e3f912c8be9331fabbca791eb45860]: S. 29 not in force at Royal Assent, see s. 142(1)

[^key-d7fd200770e326863d136566b5625227]: Sch. 7 para. 1 not in force at Royal Assent, see s. 142(1)

[^key-d82897211a02f3898c5a551b7d83849b]: Sch. 6 para. 5 not in force at Royal Assent, see s. 142(1)

[^key-d99009c352ebb1e564cc64df19d43ecd]: S. 37 in force at 1.12.2025 by S.I. 2025/1213, reg. 2

[^key-d99c711891ac79c0f262ca39e8faad7c]: S. 116 not in force at Royal Assent, see s. 142(1)

[^key-d9ac8f7c8ec9a9d6d13d28f839827012]: S. 28 not in force at Royal Assent, see s. 142(1)

[^key-d9ba62ed05a0c873e058cee1623c6f93]: S. 77 not in force at Royal Assent, see s. 142(1)

[^key-d9cb21345c8c42150f85e1c5fb8f27b3]: Sch. 11 para. 21 in force at 20.8.2025 by S.I. 2025/904, reg. 2(y)

[^key-da68c610e6f1cbe949e863d4ed27e836]: S. 44 in force at 1.12.2025 by S.I. 2025/1213, reg. 2

[^key-dba3c100309223f1fd7f42dd342257d7]: Sch. 9 para. 8 not in force at Royal Assent, see s. 142(1)

[^key-dc8e46ae69b592d1ae9e68fab6963f2f]: S. 113 not in force at Royal Assent, see s. 142(1)

[^key-ddd15adf14f01622c5de357ae06f0e7d]: S. 42 not in force at Royal Assent, see s. 142(1)

[^key-dede191a8dd3d0534798e66ccd1fda70]: S. 129 in force at 20.8.2025 by S.I. 2025/904, reg. 2(t)

[^key-deeb594fc607c48af098a56dd677939e]: S. 72 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-df52a6ce296fb944ed01cd52e04ceb29]: S. 99 not in force at Royal Assent, see s. 142(1)

[^key-dff5978ee04adebd0e01dbbecb6ce560]: S. 61 not in force at Royal Assent, see s. 142(1)

[^key-e002bd37b4d64fb1d4558028bc3760ae]: S. 122 in force at Royal Assent for specified purposes, see s. 142(2)(c)(4)

[^key-e0399ff90bb02e92371fcd197d80474c]: Sch. 6 para. 10 not in force at Royal Assent, see s. 142(1)

[^key-e11b738d7991afc0c48e49016ad6486b]: Sch. 11 para. 3 not in force at Royal Assent, see s. 142(1)

[^key-e2049cb4e58cd9fb89e77ac120c0d8c0]: S. 143 in force at Royal Assent, see s. 142(2)(g)

[^key-e25fbbce21f640e4020f23cc202ab893]: Sch. 9 para. 27 not in force at Royal Assent, see s. 142(1)

[^key-e27279a75e348384e6efdc12cf96297b]: Sch. 8 para. 8 not in force at Royal Assent, see s. 142(1)

[^key-e2999885c7eca055a84d3f1216b514cf]: Sch. 11 para. 25 not in force at Royal Assent, see s. 142(1)

[^key-e2b3a57130a83b2c398a11d2aa743894]: Sch. 11 para. 20 in force at 20.8.2025 by S.I. 2025/904, reg. 2(y)

[^key-e38128d7cb97ec00746732dc2d19d91e]: S. 134 not in force at Royal Assent, see s. 142(1)

[^key-e3f5766ff1a46cdc1769218a87c7bb16]: S. 23 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-e4643a180ecb8e45294ceb9bd2007309]: Sch. 7 para. 6 not in force at Royal Assent, see s. 142(1)

[^key-e550a48d4766a4cdba9afff5bb6f985e]: S. 121 not in force at Royal Assent, see s. 142(1)

[^key-e5ed64243db26d0c00330a58dc69ad11]: S. 36 in force at 1.12.2025 by S.I. 2025/1213, reg. 2

[^key-e5fa7fb1a45e0b9c4cf2df4e4e557879]: Sch. 6 para. 14 not in force at Royal Assent, see s. 142(1)

[^key-e6bb2f7fc877f51e2f69e0ac605b64c2]: S. 117 (except s. 117(4)(a)) in force at 20.8.2025 by S.I. 2025/904, reg. 2(r)

[^key-e76ea8904448bd695d16c31860973bf9]: S. 30 not in force at Royal Assent, see s. 142(1)

[^key-e849fc7258c5d4b5b981b4b8b7a08192]: Sch. 11 para. 5 in force at 20.8.2025 by S.I. 2025/904, reg. 2(y)

[^key-e91d0946f380ddc31c57287a48f7fedc]: S. 43 not in force at Royal Assent, see s. 142(1)

[^key-e92f344a9cfa21b69edb7a2f6896e1ae]: Sch. 11 para. 14 not in force at Royal Assent, see s. 142(1)

[^key-e93f01cc8e3c6ab6171afb206abca9cb]: Sch. 9 para. 4 not in force at Royal Assent, see s. 142(1)

[^key-eb3cad2e8114fe8c3d034bcf60ca664b]: S. 109 in force at 20.8.2025 by S.I. 2025/904, reg. 2(n)

[^key-eb4458c7fe9c3593e560878e45753fb9]: Sch. 10 para. 21 not in force at Royal Assent, see s. 142(1)

[^key-ed2757a89bb0016b4a3d9645f1877803]: S. 82 in force at 19.8.2025, see s. 142(3)(b)

[^key-ee163bff1d249a32337fb5720cec6079]: S. 129 not in force at Royal Assent, see s. 142(1)

[^key-ee698b5732f78cd36028c30cdfeb05b2]: Sch. 6 para. 8 not in force at Royal Assent, see s. 142(1)

[^key-ee6cafeb1e729c25382602f5c259aad2]: S. 70 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-f136ec595ef7448ebbca1ce355bea153]: Sch. 6 para. 4 not in force at Royal Assent, see s. 142(1)

[^key-f16b2bffb75bd5b3ee263db29b00a971]: Sch. 8 para. 7 not in force at Royal Assent, see s. 142(1)

[^key-f31c3e3ebbc3e08eac176238d8942812]: S. 32 not in force at Royal Assent, see s. 142(1)

[^key-f42f57e40ab6baf8dd505896a7032d90]: S. 52 in force at 1.12.2025 in so far as not already in force by S.I. 2025/1213, reg. 2

[^key-f4b5eae24dde6b9a79f700f32c6e1938]: S. 93 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(g)

[^key-f4c29bc9e99591ecc76ff9157200179b]: S. 54 in force at 1.12.2025 by S.I. 2025/1213, reg. 2

[^key-f5101ca8f8ccf071421df944e7456498]: Sch. 6 para. 15 not in force at Royal Assent, see s. 142(1)

[^key-f69f9200592507a0e095bcf440ff17bd]: Sch. 3 para. 10 not in force at Royal Assent, see s. 142(1)

[^key-f708fa9c9de8337def796a82b0669173]: S. 115 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-f890ab85c23b701077eb877d506ae913]: S. 102 not in force at Royal Assent, see s. 142(1)

[^key-f89207bb22f7c6deb8a6cd2138bf87e4]: S. 112 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-f893cb2ee13a72aabd6a76dd73f74348]: Sch. 3 para. 18 not in force at Royal Assent, see s. 142(1)

[^key-fa5fe942a395ad6b47a1bf4d2bd72bb2]: S. 91 not in force at Royal Assent, see s. 142(1)

[^key-fadb9dded1fd18a8254375b16d865a95]: S. 2 in force at 20.8.2025 in so far as not already in force by S.I. 2025/904, reg. 2(a)

[^key-fb4a78b8c4169afe3138e1e30c3cfda2]: Sch. 3 para. 5 not in force at Royal Assent, see s. 142(1)

[^key-fca16685b247fdd723d7f49b44dc636d]: Sch. 7 para. 2 not in force at Royal Assent, see s. 142(1)

[^key-fe77e31a2d8562fb4174049d8d668e8c]: S. 37 not in force at Royal Assent, see s. 142(1)

[^key-fe8ca8aa7bcdb47c92826502852b3c23]: S. 18 in force at Royal Assent for specified purposes, see s. 142(1)(2)(h)

[^key-ff08d42eca5f76bcaa7f93764ac0ff37]: Sch. 11 para. 31 not in force at Royal Assent, see s. 142(1)

[^key-ff9e1dbdd3b366baf4a350c58c249b40]: S. 113 in force at 20.8.2025 by S.I. 2025/904, reg. 2(q)

[^key-ffc7ce568d642b883bd208394bab1aa7]: Sch. 3 para. 21 not in force at Royal Assent, see s. 142(1)

[^M_I_376764c6-f382-4b38-ce03-9967f137a7b7]: S. 24 not in force at Royal Assent, see s. 142(1)

The 2018 Act

In the PEC Regulations, before Schedule 1 insert—

This is the Schedule to be substituted for Schedule 1 to the PEC Regulations—

Schedule 12A to the Data Protection Act 2018

Transitional provision: first chair

Transitional provision: consultation about non-executive members

Transitional provision: consultation about interim chief executive

Gas Act 1986

Electricity Act 1989

Electricity and Gas (Competitive Tenders for Smart Meter Communication Licences) Regulations 2012

Customer data and business data

Introductory

Powers relating to verification of identity or status

Information in relation to apparatus: England and Wales

Information in relation to apparatus: Northern Ireland

In the New Roads and Street Works Act 1991, after Schedule 5 insert—

In the Street Works (Northern Ireland) Order 1995 (S.I. 1995/3210 (N.I. 19)), after Schedule 2 insert—

Registration Service Act 1953

Public Records Act 1958

Social Security Administration Act 1992

Education Act 1996

Adoption and Children Act 2002

Gender Recognition Act 2004

Presumption of Death Act 2013

In the UK GDPR, at the end insert—

In the UK GDPR, after Annex 1 (inserted by Schedule 4 to this Act) insert—

The UK GDPR

The 2018 Act

Introduction

Introduction

Overview and interpretation

General principles for transfer

Transfers approved by regulations

Transfers approved by regulations: monitoring

Transfers subject to appropriate safeguards

Transfers based on special circumstances

Transfers to particular recipients

Subsequent transfers

The UK GDPR

The 2018 Act

The UK GDPR: transfers approved by regulations

The UK GDPR: transfers subject to appropriate safeguards

The UK GDPR: transfers subject to appropriate safeguards provided by standard data protection clauses

The UK GDPR: transfers necessary for important reasons of public interest

The UK GDPR: restrictions on transfers of personal data to third countries and international organisations

Part 3 of the 2018 Act (law enforcement processing): transfers approved by regulations

Part 3 of the 2018 Act (law enforcement processing): transfers subject to appropriate safeguards

The UK GDPR

The 2018 Act

The UK GDPR

In the PEC Regulations, before Schedule 1 insert—

This is the Schedule to be substituted for Schedule 1 to the PEC Regulations—

Schedule 12A to the Data Protection Act 2018

Transitional provision: first chair

Transitional provision: consultation about non-executive members

Transitional provision: consultation about interim chief executive

Gas Act 1986

Electricity Act 1989

Electricity and Gas (Competitive Tenders for Smart Meter Communication Licences) Regulations 2012