Legislation – Data Protection Act 2018
Changes to legislation:
Data Protection Act 2018, PART 3 is up to date with all changes known to be in force on or before 07 April 2026. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations.
Changes to Legislation
Revised legislation carried on this site may not be fully up to date. Changes and effects are recorded by our editorial team in lists which can be found in the ‘Changes to Legislation’ area. Where those effects have yet to be applied to the text of the legislation by the editorial team they are also listed alongside the legislation in the affected provisions. Use the ‘more’ link to open the changes and effects relevant to the provision you are viewing.
Changes and effects yet to be applied to Part 3:
- s. 26(2)(f)(ai) omitted by 2025 c. 18 Sch. 10 para. 9
- s. 44(1)(da) inserted by 2025 c. 18 Sch. 10 para. 10(2)(a)
- s. 44(5)(ca) inserted by 2025 c. 18 Sch. 10 para. 10(3)(a)
- s. 45(2)(ea) inserted by 2025 c. 18 Sch. 10 para. 11(2)(a)
- s. 45(5)(ca) inserted by 2025 c. 18 Sch. 10 para. 11(3)(a)
- s. 45A(2)(ca) inserted by 2025 c. 18 Sch. 10 para. 12
- s. 48(1)(b)(iia) inserted by 2025 c. 18 Sch. 10 para. 13(2)(a)
- s. 48(4)(ba) inserted by 2025 c. 18 Sch. 10 para. 13(3)(a)
- s. 149(5A) inserted by 2025 c. 18 Sch. 10 para. 16(3)
- s. 157(4A) inserted by 2025 c. 18 Sch. 10 para. 18
- s. 187(2)(za) inserted by 2025 c. 18 Sch. 10 para. 21(3)(a)
- Sch. 3 para. 8(1)(y) added by 2022 c. 18 (N.I.) Sch. 3 para. 78(3)
Changes and effects yet to be applied to the whole Act associated Parts and Chapters:
Whole provisions yet to be inserted into this Act (including any effects on those provisions):
- s. 26(2)(f)(ai) omitted by 2025 c. 18 Sch. 10 para. 9
- s. 44(1)(da) inserted by 2025 c. 18 Sch. 10 para. 10(2)(a)
- s. 44(5)(ca) inserted by 2025 c. 18 Sch. 10 para. 10(3)(a)
- s. 45(2)(ea) inserted by 2025 c. 18 Sch. 10 para. 11(2)(a)
- s. 45(5)(ca) inserted by 2025 c. 18 Sch. 10 para. 11(3)(a)
- s. 45A(2)(ca) inserted by 2025 c. 18 Sch. 10 para. 12
- s. 48(1)(b)(iia) inserted by 2025 c. 18 Sch. 10 para. 13(2)(a)
- s. 48(4)(ba) inserted by 2025 c. 18 Sch. 10 para. 13(3)(a)
- s. 149(5A) inserted by 2025 c. 18 Sch. 10 para. 16(3)
- s. 157(4A) inserted by 2025 c. 18 Sch. 10 para. 18
- s. 187(2)(za) inserted by 2025 c. 18 Sch. 10 para. 21(3)(a)
- Sch. 3 para. 8(1)(y) added by 2022 c. 18 (N.I.) Sch. 3 para. 78(3)
PART 3Law enforcement processing
CHAPTER 1Scope and definitions
Scope
29Processing to which this Part applies
(1)
This Part applies to—
(a)
the processing by a competent authority of personal data wholly or partly by automated means, and
(b)
the processing by a competent authority otherwise than by automated means of personal data which forms part of a filing system or is intended to form part of a filing system.
F1(1A)
This Part does not apply to processing to which Part 4 applies by virtue of a designation notice (see section 82A).
(2)
Any reference in this Part to the processing of personal data is to processing to which this Part applies.
(3)
For the meaning of “competent authority”, see section 30.
Definitions
30Meaning of “competent authority”
(1)
In this Part, “competent authority” means—
(a)
a person specified or described in Schedule 7, and
(b)
any other person if and to the extent that the person has statutory functions for any of the law enforcement purposes.
(2)
But an intelligence service is not a competent authority within the meaning of this Part.
(3)
The Secretary of State may by regulations amend Schedule 7—
(a)
so as to add or remove a person or description of person;
(b)
so as to reflect any change in the name of a person specified in the Schedule.
(4)
Regulations under subsection (3) which make provision of the kind described in subsection (3)(a) may also make consequential amendments of section 73(4)(b).
(5)
Regulations under subsection (3) which make provision of the kind described in subsection (3)(a), or which make provision of that kind and of the kind described in subsection (3)(b), are subject to the affirmative resolution procedure.
(6)
Regulations under subsection (3) which make provision only of the kind described in subsection (3)(b) are subject to the negative resolution procedure.
(7)
In this section—
“intelligence service” means—
(a)
the Security Service;
(b)
the Secret Intelligence Service;
(c)
the Government Communications Headquarters;
“statutory function” means a function under or by virtue of an enactment.
31“The law enforcement purposes”
For the purposes of this Part, “the law enforcement purposes” are the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
32Meaning of “controller” and “processor”
(1)
In this Part, “controller” means the competent authority which, alone or jointly with others—
(a)
determines the purposes and means of the processing of personal data, or
(b)
is the controller by virtue of subsection (2).
(2)
Where personal data is processed only—
(a)
for purposes for which it is required by an enactment to be processed, and
(b)
by means by which it is required by an enactment to be processed,
the competent authority on which the obligation to process the data is imposed by the enactment (or, if different, one of the enactments) is the controller.
(3)
In this Part, “processor” means any person who processes personal data on behalf of the controller (other than a person who is an employee of the controller).
33Other definitions
(1)
This section defines certain other expressions used in this Part.
(2)
“Employee”, in relation to any person, includes an individual who holds a position (whether paid or unpaid) under the direction and control of that person.
(3)
“Personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
(4)
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
(5)
“Recipient”, in relation to any personal data, means any person to whom the data is disclosed, whether a third party or not, but it does not include a public authority to whom disclosure is or may be made in the framework of a particular inquiry in accordance with the law.
(6)
“Restriction of processing” means the marking of stored personal data with the aim of limiting its processing for the future.
F2(6A)
“Sensitive processing” has the meaning given in section 35(8).
(7)
“Third country” means a country or territory F3outside the United Kingdom.
(8)
Sections 3 and 205 include definitions of other expressions used in this Part.
CHAPTER 2Principles
34Overview and general duty of controller
(1)
This Chapter sets out the six data protection principles as follows—
(a)
section 35(1) sets out the first data protection principle (requirement that processing be lawful and fair);
(b)
section 36(1) sets out the second data protection principle (requirement that purposes of processing be specified, explicit and legitimate);
(c)
section 37 sets out the third data protection principle (requirement that personal data be adequate, relevant and not excessive);
(d)
section 38(1) sets out the fourth data protection principle (requirement that personal data be accurate and kept up to date);
(e)
section 39(1) sets out the fifth data protection principle (requirement that personal data be kept for no longer than is necessary);
(f)
section 40 sets out the sixth data protection principle (requirement that personal data be processed in a secure manner).
(2)
In addition—
(a)
each of sections 35, 36, 38 and 39 makes provision to supplement the principle to which it relates, and
(b)
sections 41 and 42 make provision about the safeguards that apply in relation to certain types of processing.
(3)
The controller in relation to personal data is responsible for, and must be able to demonstrate, compliance with this Chapter.
35The first data protection principle
(1)
The first data protection principle is that the processing of personal data for any of the law enforcement purposes must be lawful and fair.
(2)
The processing of personal data for any of the law enforcement purposes is lawful only if and to the extent that it is based on law and either—
(a)
the data subject has given consent to the processing for that purpose, or
(b)
the processing is necessary for the performance of a task carried out for that purpose by a competent authority.
(3)
In addition, where the processing for any of the law enforcement purposes is sensitive processing, the processing is permitted only in the two cases set out in subsections (4) and (5).
(4)
The first case is where—
(a)
the data subject has given consent to the processing for the law enforcement purpose as mentioned in subsection (2)(a), and
(b)
at the time when the processing is carried out, the controller has an appropriate policy document in place (see section 42).
(5)
The second case is where—
(a)
the processing is strictly necessary for the law enforcement purpose,
(b)
the processing meets at least one of the conditions in Schedule 8, and
(c)
at the time when the processing is carried out, the controller has an appropriate policy document in place (see section 42).
(6)
The Secretary of State may by regulations amend Schedule 8—
(a)
by adding conditions;
(b)
by F4varying or omitting conditions added by regulations under paragraph (a).
(7)
Regulations under subsection (6) are subject to the affirmative resolution procedure.
(8)
In this F5Part, “sensitive processing” means—
(a)
the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;
(b)
the processing of genetic data, or of biometric data, for the purpose of uniquely identifying an individual;
(c)
the processing of data concerning health;
(d)
the processing of data concerning an individual’s sex life or sexual orientation.
36The second data protection principle
(1)
The second data protection principle is that—
(a)
the law enforcement purpose for which personal data is collected F6(whether from the data subject or otherwise) must be specified, explicit and legitimate, and
(2)
Paragraph (b) of the second data protection principle is subject to subsections (3) and (4).
(3)
Personal data collected for a law enforcement purpose may be processed for any other law enforcement purpose (whether by the controller that collected the data or by another controller) provided that—
(a)
the controller is authorised by law to process the data for the other purpose, and
(b)
the processing is necessary and proportionate to that other purpose.
(4)
Personal data collected for any of the law enforcement purposes may not be processed for a purpose that is not a law enforcement purpose unless the processing is authorised by law.
37The third data protection principle
The third data protection principle is that personal data processed for any of the law enforcement purposes must be adequate, relevant and not excessive in relation to the purpose for which it is processed.
38The fourth data protection principle
(1)
The fourth data protection principle is that—
(a)
personal data processed for any of the law enforcement purposes must be accurate and, where necessary, kept up to date, and
(b)
every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the law enforcement purpose for which it is processed, is erased or rectified without delay.
(2)
In processing personal data for any of the law enforcement purposes, personal data based on facts must, so far as possible, be distinguished from personal data based on personal assessments.
(3)
In processing personal data for any of the law enforcement purposes, a clear distinction must, where relevant and as far as possible, be made between personal data relating to different categories of data subject, such as—
(a)
persons suspected of having committed or being about to commit a criminal offence;
(b)
persons convicted of a criminal offence;
(c)
persons who are or may be victims of a criminal offence;
(d)
witnesses or other persons with information about offences.
(4)
All reasonable steps must be taken to ensure that personal data which is inaccurate, incomplete or no longer up to date is not transmitted or made available for any of the law enforcement purposes.
(5)
For that purpose—
(a)
the quality of personal data must be verified before it is transmitted or made available,
(b)
in all transmissions of personal data, the necessary information enabling the recipient to assess the degree of accuracy, completeness and reliability of the data and the extent to which it is up to date must be included, and
(c)
if, after personal data has been transmitted, it emerges that the data was incorrect or that the transmission was unlawful, the recipient must be notified without delay.
39The fifth data protection principle
(1)
The fifth data protection principle is that personal data processed for any of the law enforcement purposes must be kept for no longer than is necessary for the purpose for which it is processed.
(2)
Appropriate time limits must be established for the periodic review of the need for the continued storage of personal data for any of the law enforcement purposes.
40The sixth data protection principle
The sixth data protection principle is that personal data processed for any of the law enforcement purposes must be so processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (and, in this principle, “appropriate security” includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage).
41Safeguards: archiving
(1)
This section applies in relation to the processing of personal data for a law enforcement purpose where the processing is F9carried out—
(a)
for archiving purposes in the public interest,
(b)
for scientific or historical research purposes, or
(c)
for statistical purposes.
(2)
The processing is not permitted if—
(a)
it is carried out for the purposes of, or in connection with, measures or decisions with respect to a particular data subject, or
(b)
it is likely to cause substantial damage or substantial distress to a data subject.
42Safeguards: sensitive processing
(1)
This section applies for the purposes of section 35(4) and (5) (which require a controller to have an appropriate policy document in place when carrying out sensitive processing in reliance on the consent of the data subject or, as the case may be, in reliance on a condition specified in Schedule 8).
(2)
The controller has an appropriate policy document in place in relation to the sensitive processing if the controller has produced a document which—
(a)
explains the controller’s procedures for securing compliance with the data protection principles (see section 34(1)) in connection with sensitive processing in reliance on the consent of the data subject or (as the case may be) in reliance on the condition in question, and
(b)
explains the controller’s policies as regards the retention and erasure of personal data processed in reliance on the consent of the data subject or (as the case may be) in reliance on the condition in question, giving an indication of how long such personal data is likely to be retained.
(3)
Where personal data is processed on the basis that an appropriate policy document is in place, the controller must during the relevant period—
(a)
retain the appropriate policy document,
(b)
review and (if appropriate) update it from time to time, and
(c)
make it available to the Commissioner, on request, without charge.
(4)
The record maintained by the controller under section 61(1) and, where the sensitive processing is carried out by a processor on behalf of the controller, the record maintained by the processor under section 61(3) must include the following information—
(a)
whether the sensitive processing is carried out in reliance on the consent of the data subject or, if not, which condition in Schedule 8 is relied on,
(b)
how the processing satisfies section 35 (lawfulness of processing), and
(c)
whether the personal data is retained and erased in accordance with the policies described in subsection (2)(b) and, if it is not, the reasons for not following those policies.
(5)
In this section, “relevant period”, in relation to sensitive processing in reliance on the consent of the data subject or in reliance on a condition specified in Schedule 8, means a period which—
(a)
begins when the controller starts to carry out the sensitive processing in reliance on the data subject’s consent or (as the case may be) in reliance on that condition, and
(b)
ends at the end of the period of 6 months beginning when the controller ceases to carry out the processing.
F1042AFurther provision about sensitive processing
(1)
The Secretary of State may by regulations—
(a)
make provision so that an additional description of processing of personal data is sensitive processing for the purposes of this Part,
(b)
make provision so that added processing is not sensitive processing for the purposes of this Part,
(c)
make provision so that a protected condition in Schedule 8 may or may not be relied on in connection with added processing, and
(d)
make provision varying such a condition as it relates to added processing.
(2)
In subsection (1)—
“added processing” means a description of processing which is sensitive processing by virtue of provision made under subsection (1)(a);
“protected condition in Schedule 8” means a condition in that Schedule other than one that was added to the Schedule by regulations under section 35(6).
(3)
Regulations under this section may amend this Part and sections 205 and 206.
(4)
Regulations under this section are subject to the affirmative resolution procedure.
CHAPTER 3Rights of the data subject
Overview and scope
43Overview and scope
(1)
This Chapter—
(a)
imposes general duties on the controller to make information available (see F11sections 44 and 45A);
(b)
confers a right of access by the data subject (see F12sections 45 and 45A);
(c)
confers rights on the data subject with respect to the rectification of personal data and the erasure of personal data or the restriction of its processing (see sections 46 to 48);
(d)
regulates automated decision-making (see F13sections 50A to 50D);
(e)
makes supplementary provision (see sections 51 to 54).
(2)
This Chapter applies only in relation to the processing of personal data for a law enforcement purpose.
(3)
But sections 44 to 48 do not apply in relation to the processing of relevant personal data in the course of a criminal investigation or criminal proceedings, including proceedings for the purpose of executing a criminal penalty.
(4)
In subsection (3), “relevant personal data” means personal data contained in a judicial decision or in other documents relating to the investigation or proceedings which are created by or on behalf of a court or other judicial authority.
(5)
In this Chapter, “the controller”, in relation to a data subject, means the controller in relation to personal data relating to the data subject.
F14Data subject’s rights to information
44F15… Controller’s general duties
(1)
The controller must make available to data subjects the following information (whether by making the information generally available to the public or in any other way)—
(a)
the identity and the contact details of the controller;
(b)
where applicable, the contact details of the data protection officer (see sections 69 to 71);
(c)
the purposes for which the controller processes personal data;
(d)
the existence of the rights of data subjects to request from the controller—
(i)
access to personal data (see section 45),
(ii)
rectification of personal data (see section 46), and
(iii)
erasure of personal data or the restriction of its processing (see section 47);
(e)
the existence of the right to lodge a complaint with the Commissioner and the contact details of the Commissioner.
(2)
The controller must also, in specific cases for the purpose of enabling the exercise of a data subject’s rights under this Part, give the data subject the following—
(a)
information about the legal basis for the processing;
(b)
information about the period for which the personal data will be stored or, where that is not possible, about the criteria used to determine that period;
(c)
where applicable, information about the categories of recipients of the personal data (including recipients in third countries or international organisations);
(d)
such further information as is necessary to enable the exercise of the data subject’s rights under this Part.
(3)
An example of where further information may be necessary as mentioned in subsection (2)(d) is where the personal data being processed was collected without the knowledge of the data subject.
(4)
The controller may restrict, wholly or partly, the provision of information to the data subject under subsection (2) to the extent that and for so long as the restriction is, having regard to the fundamental rights and legitimate interests of the data subject, a necessary and proportionate measure to—
(a)
avoid obstructing an official or legal inquiry, investigation or procedure;
(b)
avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
(c)
protect public security;
F16(d)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
(e)
protect the rights and freedoms of others.
(5)
Where the provision of information to a data subject under subsection (2) is restricted F17under subsection (4), wholly or partly, the controller must inform the data subject in writing without undue delay—
(a)
that the provision of information has been restricted,
(b)
of the reasons for the restriction,
(c)
of the data subject’s right to make a request to the Commissioner under section 51,
(d)
of the data subject’s right to lodge a complaint with the Commissioner, and
(e)
of the data subject’s right to apply to a court under section 167.
(6)
Subsection (5)(a) and (b) do not apply to the extent that complying with them would undermine the purpose of the restriction.
(7)
The controller must—
(a)
record the reasons for a decision to restrict (whether wholly or partly) the provision of information to a data subject under subsection (2) F18in reliance on subsection (4), and
(b)
if requested to do so by the Commissioner, make the record available to the Commissioner.
F19…
45Right of access by the data subject
(1)
A data subject is entitled to obtain from the controller—
(a)
confirmation as to whether or not personal data concerning him or her is being processed, and
(b)
where that is the case, access to the personal data and the information set out in subsection (2).
(2)
That information is—
(a)
the purposes of and legal basis for the processing;
(b)
the categories of personal data concerned;
(c)
the recipients or categories of recipients to whom the personal data has been disclosed (including recipients or categories of recipients in third countries or international organisations);
(d)
the period for which it is envisaged that the personal data will be stored or, where that is not possible, the criteria used to determine that period;
(e)
the existence of the data subject’s rights to request from the controller—
(i)
rectification of personal data (see section 46), and
(ii)
erasure of personal data or the restriction of its processing (see section 47);
(f)
the existence of the data subject’s right to lodge a complaint with the Commissioner and the contact details of the Commissioner;
(g)
communication of the personal data undergoing processing and of any available information as to its origin.
F20(2A)
Under subsection (1), the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information described in that subsection.
(3)
Where a data subject makes a request under subsection (1), the information to which the data subject is entitled must be provided in writing —
(a)
without undue delay, and
(b)
in any event, before the end of the applicable time period (as to which see section 54).
(4)
The controller may restrict, wholly or partly, the rights conferred by subsection (1) to the extent that and for so long as the restriction is, having regard to the fundamental rights and legitimate interests of the data subject, a necessary and proportionate measure to—
(a)
avoid obstructing an official or legal inquiry, investigation or procedure;
(b)
avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
(c)
protect public security;
F21(d)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
(e)
protect the rights and freedoms of others.
(5)
Where the rights of a data subject under subsection (1) are restricted F22under subsection (4), wholly or partly, the controller must inform the data subject in writing without undue delay F23and in any event before the end of the applicable time period (as to which see section 54)—
(a)
that the rights of the data subject have been restricted,
(b)
of the reasons for the restriction,
(c)
of the data subject’s right to make a request to the Commissioner under section 51,
(d)
of the data subject’s right to lodge a complaint with the Commissioner, and
(e)
of the data subject’s right to apply to a court under section 167.
(6)
Subsection (5)(a) and (b) do not apply to the extent that the provision of the information would undermine the purpose of the restriction.
(7)
The controller must—
(a)
record the reasons for a decision to restrict (whether wholly or partly) the rights of a data subject under subsection (1) F24in reliance on subsection (4), and
(b)
if requested to do so by the Commissioner, make the record available to the Commissioner.
F2545AExemption from sections 44 and 45: legal professional privilege
(1)
Sections 44(2) and 45(1) do not require the controller to give the data subject—
(a)
information in respect of which a claim to legal professional privilege or, in Scotland, confidentiality of communications could be maintained in legal proceedings, or
(b)
information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser.
(2)
A controller relying on the exemption in subsection (1) must inform the data subject in writing without undue delay of—
(a)
the decision to rely on the exemption,
(b)
the reason for the decision,
(c)
the data subject’s right to make a request to the Commissioner under section 51,
(d)
the data subject’s right to lodge a complaint with the Commissioner under section 165, and
(e)
the data subject’s right to apply to a court under section 167.
(3)
Subsection (2)(a) and (b) do not apply to the extent that complying with them would—
(a)
undermine a claim described in subsection (1)(a), or
(b)
conflict with a duty described in subsection (1)(b).
(4)
The controller must—
(a)
record the reason for a decision to rely on the exemption in subsection (1), and
(b)
if requested to do so by the Commissioner, make the record available to the Commissioner.
(5)
The reference in subsection (1) to sections 44(2) and 45(1) includes sections 35 to 40 so far as their provisions correspond to the rights and obligations provided for in sections 44(2) and 45(1).
Data subject’s rights to rectification or erasure etc
46Right to rectification
(1)
The controller must, if so requested by a data subject, rectify without undue delay inaccurate personal data relating to the data subject.
(2)
Where personal data is inaccurate because it is incomplete, the controller must, if so requested by a data subject, complete it.
(3)
The duty under subsection (2) may, in appropriate cases, be fulfilled by the provision of a supplementary statement.
(4)
Where the controller would be required to rectify personal data under this section but the personal data must be maintained for the purposes of evidence, the controller must (instead of rectifying the personal data) restrict its processing.
47Right to erasure or restriction of processing
(1)
The controller must erase personal data without undue delay where—
(a)
the processing of the personal data would infringe section 35, 36(1) to (3), 37, 38(1), 39(1), 40, 41 or 42, or
(b)
the controller has a legal obligation to erase the data.
(2)
Where the controller would be required to erase personal data under subsection (1) but the personal data must be maintained for the purposes of evidence, the controller must (instead of erasing the personal data) restrict its processing.
(3)
Where a data subject contests the accuracy of personal data (whether in making a request under this section or section 46 or in any other way), but it is not possible to ascertain whether it is accurate or not, the controller must restrict its processing.
(4)
A data subject may request the controller to erase personal data or to restrict its processing (but the duties of the controller under this section apply whether or not such a request is made).
48Rights under section 46 or 47: supplementary
(1)
Where a data subject requests the rectification or erasure of personal data or the restriction of its processing, the controller must inform the data subject in writing—
(a)
whether the request has been granted, and
(b)
if it has been refused—
(i)
of the reasons for the refusal,
(ii)
of the data subject’s right to make a request to the Commissioner under section 51,
(iii)
of the data subject’s right to lodge a complaint with the Commissioner, and
(iv)
of the data subject’s right to apply to a court under section 167.
(2)
The controller must comply with the duty under subsection (1)—
(a)
without undue delay, and
(b)
in any event, before the end of the applicable time period (see section 54).
(3)
The controller may restrict, wholly or partly, the provision of information to the data subject under subsection (1)(b)(i) to the extent that and for so long as the restriction is, having regard to the fundamental rights and legitimate interests of the data subject, a necessary and proportionate measure to—
(a)
avoid obstructing an official or legal inquiry, investigation or procedure;
(b)
avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
(c)
protect public security;
F26(d)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
(e)
protect the rights and freedoms of others.
(4)
Where the rights of a data subject under subsection F27(1)(b)(i) are restricted F28under subsection (3), wholly or partly, the controller must inform the data subject in writing without undue delay—
(a)
that the rights of the data subject have been restricted,
(b)
of the reasons for the restriction,
(c)
of the data subject’s right to lodge a complaint with the Commissioner, and
(d)
of the data subject’s right to apply to a court under section 167.
(5)
Subsection (4)(a) and (b) do not apply to the extent that the provision of the information would undermine the purpose of the restriction.
(6)
The controller must—
(a)
record the reasons for a decision to restrict (whether wholly or partly) the provision of information to a data subject under subsection (1)(b)(i) F29in reliance on subsection (3), and
(b)
if requested to do so by the Commissioner, make the record available to the Commissioner.
(7)
Where the controller rectifies personal data, it must notify the competent authority (if any) from which the inaccurate personal data originated.
F30(8)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
(9)
Where the controller rectifies, erases or restricts the processing of personal data which has been disclosed by the controller—
(a)
the controller must notify the recipients, and
(b)
the recipients must similarly rectify, erase or restrict the processing of the personal data (so far as they retain responsibility for it).
(10)
Where processing is restricted in accordance with section 47(3), the controller must inform the data subject before lifting the restriction.
Automated individual decision-making
F3149Right not to be subject to automated decision-making
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F3150Automated decision-making authorised by law: safeguards
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F3150AAutomated processing and significant decisions
(1)
For the purposes of sections 50B and 50C—
(a)
a decision is based solely on automated processing if there is no meaningful human involvement in the taking of the decision, and
(b)
a decision is a significant decision, in relation to a data subject, if—
(i)
it produces an adverse legal effect for the data subject, or
(ii)
it has a similarly significant adverse effect for the data subject.
(2)
When considering whether there is meaningful human involvement in the taking of a decision, a person must consider, among other things, the extent to which the decision is reached by means of profiling.
50BRestrictions on automated decision-making based on sensitive processing
(1)
A significant decision based entirely or partly on sensitive processing may not be taken based solely on automated processing, unless one of the following conditions is met.
(2)
The first condition is that the decision is based entirely on processing of personal data to which the data subject has given explicit consent.
(3)
The second condition is that the decision is required or authorised by law.
50CSafeguards for automated decision-making
(1)
Subject to subsection (3), where a significant decision taken by or on behalf of a controller in relation to a data subject is—
(a)
based entirely or partly on personal data, and
(b)
based solely on automated processing,
the controller must ensure that safeguards for the data subject’s rights, freedoms and legitimate interests are in place which comply with subsection (2) and any regulations under section 50D(4).
(2)
The safeguards must consist of or include measures which—
(a)
provide the data subject with information about decisions described in subsection (1) taken in relation to the data subject;
(b)
enable the data subject to make representations about such decisions;
(c)
enable the data subject to obtain human intervention on the part of the controller in relation to such decisions;
(d)
enable the data subject to contest such decisions.
(3)
Subsections (1) and (2) do not apply in relation to a significant decision if—
(a)
exemption from those provisions is required for a reason listed in subsection (4),
(b)
the controller reconsiders the decision as soon as reasonably practicable, and
(c)
there is meaningful human involvement in the reconsideration of the decision.
(4)
Those reasons are—
(a)
to avoid obstructing an official or legal inquiry, investigation or procedure;
(b)
to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
(c)
to protect public security;
(d)
to safeguard national security;
(e)
to protect the rights and freedoms of others.
(5)
When considering whether there is meaningful human involvement in the reconsideration of a decision, a person must consider, among other things, the extent to which the conclusion reached on reconsideration is reached by means of profiling.
50DFurther provision about automated decision-making
(1)
The Secretary of State may by regulations provide that, for the purposes of sections 50A(1)(a) and 50C(3)(c), there is, or is not, to be taken to be meaningful human involvement in the taking or reconsideration of a decision in cases described in the regulations.
(2)
The Secretary of State may by regulations provide that, for the purposes of section 50A(1)(b)(ii), a description of decision is, or is not, to be taken to have a similarly significant adverse effect for the data subject.
(3)
Regulations under subsection (1) or (2) may amend section 50A.
(4)
The Secretary of State may by regulations make the following types of provision about the safeguards required under section 50C(1)—
(a)
provision requiring the safeguards to include measures in addition to those described in section 50C(2),
(b)
provision imposing requirements which supplement what section 50C(2) requires the safeguards to consist of or include (including, for example, provision about how and when things described in section 50C(2) must be done or be capable of being done), and
(c)
provision about measures which are not to be taken to satisfy one or more of paragraphs (a) to (d) of section 50C(2).
(5)
Regulations under this section are subject to the affirmative resolution procedure.
Supplementary
51Exercise of rights through the Commissioner
(1)
This section applies where a controller—
(a)
restricts under section 44(4) the information provided to the data subject under section 44(2) (duty of the controller to give the data subject additional information),
(b)
restricts under section 45(4) the data subject’s rights under section 45(1) (right of access),
F32(ba)
relies on the exemption from sections 44(2) and 45(1) in section 45A (legal professional privilege), or
(c)
refuses a request by the data subject for rectification under section 46 or for erasure or restriction of processing under section 47.
(2)
The data subject may—
(a)
where subsection (1)(a) or (b) applies, request the Commissioner to check that the restriction imposed by the controller was lawful;
F33(aa)
where subsection (1)(ba) applies, request the Commissioner to check that the controller was entitled to rely on the exemption;
(b)
where subsection (1)(c) applies, request the Commissioner to check that the refusal of the data subject’s request was lawful.
(3)
The Commissioner must take such steps as appear to the Commissioner to be appropriate to respond to a request under subsection (2) (which may include the exercise of any of the powers conferred by sections 142 and 146).
(4)
After taking those steps, the Commissioner must inform the data subject—
(a)
where subsection (1)(a) or (b) applies, whether the Commissioner is satisfied that the restriction imposed by the controller was lawful;
F34(aa)
where subsection (1)(ba) applies, whether the Commissioner is satisfied that the controller was entitled to rely on the exemption;
(b)
where subsection (1)(c) applies, whether the Commissioner is satisfied that the controller’s refusal of the data subject’s request was lawful.
(5)
The Commissioner must also inform the data subject of the data subject’s right to apply to a court under section 167.
(6)
Where the Commissioner is not satisfied as mentioned in subsection (4)(a) F35, (aa) or (b), the Commissioner may also inform the data subject of any further steps that the Commissioner is considering taking under Part 6 .
52Form of provision of information etc
(1)
The controller must take reasonable steps to ensure that any information that is required by F36or under this Chapter to be provided to the data subject is provided in a concise, intelligible and easily accessible form, using clear and plain language.
(2)
Subject to subsection (3), the information may be provided in any form, including electronic form.
(3)
Where information is provided in response to a request F37made by the data subject under or by virtue of any of sections 45, 46, 47, 50C or 50D, the controller must provide the information in the same form as the request where it is practicable to do so.
(4)
Where the controller has reasonable doubts about the identity of an individual making a request F38under or by virtue of any of sections 45, 46, 47, 50C or 50D, the controller may—
(a)
request the provision of additional information to enable the controller to confirm the identity, and
(b)
delay dealing with the request until the identity is confirmed.
(5)
Subject to section 53, any information that is required by F39or under this Chapter to be provided to the data subject must be provided free of charge.
(6)
The controller must facilitate the exercise of the rights of the data subject F40arising under or by virtue of sections 45 to 50D.
53Manifestly unfounded or excessive requests by the data subject
(1)
Where a request F41made by a data subject under or by virtue of any of sections 45, 46, 47, 50C or 50D is manifestly unfounded or excessive, the controller may—
(a)
charge a reasonable fee for dealing with the request, or
(b)
refuse to act on the request.
(2)
An example of a request that may be excessive is one that merely repeats the substance of previous requests.
(3)
In any proceedings where there is an issue as to whether a request F42described in subsection (1) is manifestly unfounded or excessive, it is for the controller to show that it is.
(4)
The Secretary of State may by regulations specify limits on the fees that a controller may charge in accordance with subsection (1)(a).
F43(4A)
The Secretary of State may by regulations—
(a)
require controllers of a description specified in the regulations to produce and publish guidance about the fees that they charge in accordance with subsection (1)(a), and
(b)
specify what the guidance must include.
(5)
Regulations under F44this section are subject to the negative resolution procedure.
F45(6)
If, in reliance on subsection (1)(b), the controller does not take action on the request, the controller must inform the data subject of—
(a)
the reasons for not doing so, and
(b)
the data subject’s right to lodge a complaint with the Commissioner.
(7)
The controller must comply with subsection (6)—
(a)
without undue delay, and
(b)
in any event, before the end of the applicable time period (as to which see section 54).
54Meaning of “applicable time period”
(1)
(2)
(3)
“The relevant time” means the latest of the following—
(a)
when the controller receives the request in question;
(b)
when the controller receives the information (if any) requested in connection with a request under section 52(4);
(c)
when the fee (if any) charged in connection with the request under section 53 is paid.
F50(3A)
The controller may, by giving notice to the data subject, extend the applicable time period by two further months where that is necessary by reason of—
(a)
the complexity of requests made by the data subject, or
(b)
the number of such requests.
(3B)
A notice under subsection (3A) must—
(a)
be given before the end of the period of one month beginning with the relevant time, and
(b)
state the reasons for the delay.
(3C)
Where the controller reasonably requires further information in order to identify the information or processing activities to which a request under section 45(1) relates—
(a)
the controller may ask the data subject to provide the further information, and
(b)
the period beginning with the day on which the controller makes the request and ending with the day on which the controller receives the information does not count towards—
(i)
the applicable time period, or
(ii)
the period described in subsection (3B)(a).
(3D)
An example of a case in which a controller may reasonably require further information is where the controller processes a large amount of information concerning the data subject.
F51(4)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F51(5)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F51(6)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
CHAPTER 4Controller and processor
Overview and scope
55Overview and scope
(1)
This Chapter—
(a)
sets out the general obligations of controllers and processors (see sections 56 to 65);
(b)
sets out specific obligations of controllers and processors with respect to security (see section 66);
(c)
sets out specific obligations of controllers and processors with respect to personal data breaches (see sections 67 and 68);
(d)
makes provision for the designation, position and tasks of data protection officers (see sections 69 to 71);
F52(e)
makes provision about codes of conduct (see section 71A).
(2)
This Chapter applies only in relation to the processing of personal data for a law enforcement purpose.
(3)
Where a controller is required by any provision of this Chapter to implement appropriate technical and organisational measures, the controller must (in deciding what measures are appropriate) take into account—
(a)
the latest developments in technology,
(b)
the cost of implementation,
(c)
the nature, scope, context and purposes of processing, and
(d)
the risks for the rights and freedoms of individuals arising from the processing.
General obligations
56General obligations of the controller
(1)
Each controller must implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that the processing of personal data complies with the requirements of this Part.
(2)
Where proportionate in relation to the processing, the measures implemented to comply with the duty under subsection (1) must include appropriate data protection policies.
(3)
The technical and organisational measures implemented under subsection (1) must be reviewed and updated where necessary.
F53(4)
Adherence to a code of conduct approved under section 71A may be used by a controller as a means of demonstrating compliance with the requirements of this Part.
57Data protection by design and default
(1)
Each controller must implement appropriate technical and organisational measures which are designed—
(a)
to implement the data protection principles in an effective manner, and
(b)
to integrate into the processing itself the safeguards necessary for that purpose.
(2)
The duty under subsection (1) applies both at the time of the determination of the means of processing the data and at the time of the processing itself.
(3)
Each controller must implement appropriate technical and organisational measures for ensuring that, by default, only personal data which is necessary for each specific purpose of the processing is processed.
(4)
The duty under subsection (3) applies to—
(a)
the amount of personal data collected,
(b)
the extent of its processing,
(c)
the period of its storage, and
(d)
its accessibility.
(5)
In particular, the measures implemented to comply with the duty under subsection (3) must ensure that, by default, personal data is not made accessible to an indefinite number of people without an individual’s intervention.
58Joint controllers
(1)
Where two or more competent authorities jointly determine the purposes and means of processing personal data, they are joint controllers for the purposes of this Part.
(2)
Joint controllers must, in a transparent manner, determine their respective responsibilities for compliance with this Part by means of an arrangement between them, except to the extent that those responsibilities are determined under or by virtue of an enactment.
(3)
The arrangement must designate the controller which is to be the contact point for data subjects.
59Processors
(1)
This section applies to the use by a controller of a processor to carry out processing of personal data on behalf of the controller.
(2)
The controller may use only a processor who provides guarantees to implement appropriate technical and organisational measures that are sufficient to secure that the processing will—
(a)
meet the requirements of this Part, and
(b)
ensure the protection of the rights of the data subject.
(3)
The processor used by the controller may not engage another processor (“a sub-processor”) without the prior written authorisation of the controller, which may be specific or general.
(4)
Where the controller gives a general written authorisation to a processor, the processor must inform the controller if the processor proposes to add to the number of sub-processors engaged by it or to replace any of them (so that the controller has the opportunity to object to the proposal).
(5)
The processing by the processor must be governed by a contract in writing between the controller and the processor setting out the following—
(a)
the subject-matter and duration of the processing;
(b)
the nature and purpose of the processing;
(c)
the type of personal data and categories of data subjects involved;
(d)
the obligations and rights of the controller and processor.
(6)
The contract must, in particular, provide that the processor must—
(a)
act only on instructions from the controller,
(b)
ensure that the persons authorised to process personal data are subject to an appropriate duty of confidentiality,
(c)
assist the controller by any appropriate means to ensure compliance with the rights of the data subject under this Part,
(d)
at the end of the provision of services by the processor to the controller—
(i)
either delete or return to the controller (at the choice of the controller) the personal data to which the services relate, and
(ii)
delete copies of the personal data unless subject to a legal obligation to store the copies,
(e)
make available to the controller all information necessary to demonstrate compliance with this section, and
(f)
comply with the requirements of this section for engaging sub-processors.
(7)
The terms included in the contract in accordance with subsection (6)(a) must provide that the processor may transfer personal data to a third country or international organisation only if instructed by the controller to make the particular transfer.
F54(7A)
Adherence to a code of conduct approved under section 71A may be used by a processor as a means of demonstrating sufficient guarantees as described in subsection (2).
(8)
If a processor determines, in breach of this Part, the purposes and means of processing, the processor is to be treated for the purposes of this Part as a controller in respect of that processing.
60Processing under the authority of the controller or processor
A processor, and any person acting under the authority of a controller or processor, who has access to personal data may not process the data except—
(a)
on instructions from the controller, or
(b)
to comply with a legal obligation.
61Records of processing activities
(1)
Each controller must maintain a record of all categories of processing activities for which the controller is responsible.
(2)
The controller’s record must contain the following information—
(a)
the name and contact details of the controller;
(b)
where applicable, the name and contact details of the joint controller;
(c)
where applicable, the name and contact details of the data protection officer;
(d)
the purposes of the processing;
(e)
the categories of recipients to whom personal data has been or will be disclosed (including recipients in third countries or international organisations);
(f)
a description of the categories of—
(i)
data subject, and
(ii)
personal data;
(g)
where applicable, details of the use of profiling;
(h)
where applicable, the categories of transfers of personal data to a third country or an international organisation;
(i)
an indication of the legal basis for the processing operations, including transfers, for which the personal data is intended;
(j)
where possible, the envisaged time limits for erasure of the different categories of personal data;
(k)
where possible, a general description of the technical and organisational security measures referred to in section 66.
(3)
Each processor must maintain a record of all categories of processing activities carried out on behalf of a controller.
(4)
The processor’s record must contain the following information—
(a)
the name and contact details of the processor and of any other processors engaged by the processor in accordance with section 59(3);
(b)
the name and contact details of the controller on behalf of which the processor is acting;
(c)
where applicable, the name and contact details of the data protection officer;
(d)
the categories of processing carried out on behalf of the controller;
(e)
where applicable, details of transfers of personal data to a third country or an international organisation where explicitly instructed to do so by the controller, including the identification of that third country or international organisation;
(f)
where possible, a general description of the technical and organisational security measures referred to in section 66.
(5)
The controller and the processor must make the records kept under this section available to the Commissioner on request.
62Logging
(1)
A controller (or, where personal data is processed on behalf of the controller by a processor, the processor) must keep logs for at least the following processing operations in automated processing systems—
(a)
collection;
(b)
alteration;
(c)
consultation;
(d)
disclosure (including transfers);
(e)
combination;
(f)
erasure.
(2)
The logs of consultation must make it possible to establish—
(a)
the justification for, and date and time of, the consultation, and
(b)
so far as possible, the identity of the person who consulted the data.
(3)
The logs of disclosure must make it possible to establish—
(a)
the justification for, and date and time of, the disclosure, and
(b)
so far as possible—
(i)
the identity of the person who disclosed the data, and
(ii)
the identity of the recipients of the data.
(4)
The logs kept under subsection (1) may be used only for one or more of the following purposes—
(a)
to verify the lawfulness of processing;
(b)
to assist with self-monitoring by the controller or (as the case may be) the processor, including the conduct of internal disciplinary proceedings;
(c)
to ensure the integrity and security of personal data;
(d)
the purposes of criminal proceedings.
(5)
The controller or (as the case may be) the processor must make the logs available to the Commissioner on request.
63Co-operation with the Commissioner
Each controller and each processor must co-operate, on request, with the Commissioner in the performance of the Commissioner’s tasks.
64Data protection impact assessment
(1)
Where a type of processing is likely to result in a high risk to the rights and freedoms of individuals, the controller must, prior to the processing, carry out a data protection impact assessment.
(2)
A data protection impact assessment is an assessment of the impact of the envisaged processing operations on the protection of personal data.
(3)
A data protection impact assessment must include the following—
(a)
a general description of the envisaged processing operations;
(b)
an assessment of the risks to the rights and freedoms of data subjects;
(c)
the measures envisaged to address those risks;
(d)
safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Part, taking into account the rights and legitimate interests of the data subjects and other persons concerned.
(4)
In deciding whether a type of processing is likely to result in a high risk to the rights and freedoms of individuals, the controller must take into account the nature, scope, context and purposes of the processing.
65Prior consultation with the Commissioner
(1)
This section applies where a controller intends to create a filing system and process personal data forming part of it.
(2)
The controller must consult the Commissioner prior to the processing if a data protection impact assessment prepared under section 64 indicates that the processing of the data would result in a high risk to the rights and freedoms of individuals (in the absence of measures to mitigate the risk).
(3)
Where the controller is required to consult the Commissioner under subsection (2), the controller must give the Commissioner—
(a)
the data protection impact assessment prepared under section 64, and
(b)
any other information requested by the Commissioner to enable the Commissioner to make an assessment of the compliance of the processing with the requirements of this Part.
(4)
Where the Commissioner is of the opinion that the intended processing referred to in subsection (1) would infringe any provision of this Part, the Commissioner must provide written advice to the controller and, where the controller is using a processor, to the processor.
(5)
The written advice must be provided before the end of the period of 6 weeks beginning with receipt of the request for consultation by the controller or the processor.
(6)
The Commissioner may extend the period of 6 weeks by a further period of 1 month, taking into account the complexity of the intended processing.
(7)
If the Commissioner extends the period of 6 weeks, the Commissioner must—
(a)
inform the controller and, where applicable, the processor of any such extension before the end of the period of 1 month beginning with receipt of the request for consultation, and
(b)
provide reasons for the delay.
Obligations relating to security
66Security of processing
(1)
Each controller and each processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks arising from the processing of personal data.
(2)
In the case of automated processing, each controller and each processor must, following an evaluation of the risks, implement measures designed to—
(a)
prevent unauthorised processing or unauthorised interference with the systems used in connection with it,
(b)
ensure that it is possible to establish the precise details of any processing that takes place,
(c)
ensure that any systems used in connection with the processing function properly and may, in the case of interruption, be restored, and
(d)
ensure that stored personal data cannot be corrupted if a system used in connection with the processing malfunctions.
F55(3)
Adherence to a code of conduct approved under section 71A may be used by a controller or processor as a means of demonstrating compliance with subsection (1).
Obligations relating to personal data breaches
67Notification of a personal data breach to the Commissioner
(1)
If a controller becomes aware of a personal data breach in relation to personal data for which the controller is responsible, the controller must notify the breach to the Commissioner—
(a)
without undue delay, and
(b)
where feasible, not later than 72 hours after becoming aware of it.
(2)
Subsection (1) does not apply if the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals.
(3)
Where the notification to the Commissioner is not made within 72 hours, the notification must be accompanied by reasons for the delay.
(4)
Subject to subsection (5), the notification must include—
(a)
a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(b)
the name and contact details of the data protection officer or other contact point from whom more information can be obtained;
(c)
a description of the likely consequences of the personal data breach;
(d)
a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
(5)
Where and to the extent that it is not possible to provide all the information mentioned in subsection (4) at the same time, the information may be provided in phases without undue further delay.
(6)
The controller must record the following information in relation to a personal data breach—
(a)
the facts relating to the breach,
(b)
its effects, and
(c)
the remedial action taken.
(7)
The information mentioned in subsection (6) must be recorded in such a way as to enable the Commissioner to verify compliance with this section.
F56(8)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
(9)
If a processor becomes aware of a personal data breach (in relation to personal data processed by the processor), the processor must notify the controller without undue delay.
68Communication of a personal data breach to the data subject
(1)
Where a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must inform the data subject of the breach without undue delay.
(2)
The information given to the data subject must include the following—
(a)
a description of the nature of the breach;
(b)
the name and contact details of the data protection officer or other contact point from whom more information can be obtained;
(c)
a description of the likely consequences of the personal data breach;
(d)
a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
(3)
The duty under subsection (1) does not apply where—
(a)
the controller has implemented appropriate technological and organisational protection measures which were applied to the personal data affected by the breach,
(b)
the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in subsection (1) is no longer likely to materialise, or
(c)
it would involve a disproportionate effort.
(4)
An example of a case which may fall within subsection (3)(a) is where measures that render personal data unintelligible to any person not authorised to access the data have been applied, such as encryption.
(5)
In a case falling within subsection (3)(c) (but not within subsection (3)(a) or (b)), the information mentioned in subsection (2) must be made available to the data subject in another equally effective way, for example, by means of a public communication.
(6)
Where the controller has not informed the data subject of the breach the Commissioner, on being notified under section 67 and after considering the likelihood of the breach resulting in a high risk, may—
(a)
require the controller to notify the data subject of the breach, or
(b)
decide that the controller is not required to do so because any of paragraphs (a) to (c) of subsection (3) applies.
(7)
The controller may restrict, wholly or partly, the provision of information to the data subject under subsection (1) to the extent that and for so long as the restriction is, having regard to the fundamental rights and legitimate interests of the data subject, a necessary and proportionate measure to—
(a)
avoid obstructing an official or legal inquiry, investigation or procedure;
(b)
avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
(c)
protect public security;
F57(d)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
(e)
protect the rights and freedoms of others.
(8)
Subsection (6) does not apply where the controller’s decision not to inform the data subject of the breach was made in reliance on subsection (7).
(9)
The duties in section 52(1) and (2) apply in relation to information that the controller is required to provide to the data subject under this section as they apply in relation to information that the controller is required to provide to the data subject under Chapter 3 .
Data protection officers
69Designation of a data protection officer
(1)
The controller must designate a data protection officer, unless the controller is a court, or other judicial authority, acting in its judicial capacity.
(2)
When designating a data protection officer, the controller must have regard to the professional qualities of the proposed officer, in particular—
(a)
the proposed officer’s expert knowledge of data protection law and practice, and
(b)
the ability of the proposed officer to perform the tasks mentioned in section 71.
(3)
The same person may be designated as a data protection officer by several controllers, taking account of their organisational structure and size.
(4)
The controller must publish the contact details of the data protection officer and communicate these to the Commissioner.
70Position of data protection officer
(1)
The controller must ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
(2)
The controller must provide the data protection officer with the necessary resources and access to personal data and processing operations to enable the data protection officer to—
(a)
perform the tasks mentioned in section 71, and
(b)
maintain his or her expert knowledge of data protection law and practice.
(3)
The controller—
(a)
must ensure that the data protection officer does not receive any instructions regarding the performance of the tasks mentioned in section 71;
(b)
must ensure that the data protection officer does not perform a task or fulfil a duty other than those mentioned in this Part where such task or duty would result in a conflict of interests;
(c)
must not dismiss or penalise the data protection officer for performing the tasks mentioned in section 71.
(4)
A data subject may contact the data protection officer with regard to all issues relating to—
(a)
the processing of that data subject’s personal data, or
(b)
the exercise of that data subject’s rights under this Part.
(5)
The data protection officer, in the performance of this role, must report to the highest management level of the controller.
71Tasks of data protection officer
(1)
The controller must entrust the data protection officer with at least the following tasks—
(a)
informing and advising the controller, any processor engaged by the controller, and any employee of the controller who carries out processing of personal data, of that person’s obligations under this Part,
(b)
providing advice on the carrying out of a data protection impact assessment under section 64 and monitoring compliance with that section,
(c)
co-operating with the Commissioner,
(d)
acting as the contact point for the Commissioner on issues relating to processing, including in relation to the consultation mentioned in section 65, and consulting with the Commissioner, where appropriate, in relation to any other matter,
(e)
monitoring compliance with policies of the controller in relation to the protection of personal data, and
(f)
monitoring compliance by the controller with this Part.
(2)
In relation to the policies mentioned in subsection (1)(e), the data protection officer’s tasks include—
(a)
assigning responsibilities under those policies,
(b)
raising awareness of those policies,
(c)
training staff involved in processing operations, and
(d)
conducting audits required under those policies.
(3)
In performing the tasks set out in subsections (1) and (2), the data protection officer must have regard to the risks associated with processing operations, taking into account the nature, scope, context and purposes of processing.
F58Codes of conduct
71ACodes of conduct
(1)
The Commissioner must encourage expert public bodies to produce codes of conduct intended to contribute to compliance with this Part.
(2)
Under subsection (1), the Commissioner must, among other things, encourage the production of codes which take account of the specific features of the various processing sectors.
(3)
For the purposes of this section—
(a)
“public body” means a body or other person whose functions are, or include, functions of a public nature, and
(b)
a public body is “expert” if, in the Commissioner’s opinion, the body has the knowledge and experience needed to produce a code of conduct described in subsection (1).
(4)
A code of conduct described in subsection (1) may, for example, make provision with regard to—
(a)
lawful and fair processing;
(b)
the collection of personal data;
(c)
the information provided to the public and to data subjects;
(d)
the exercise of the rights of data subjects;
(e)
the measures and procedures referred to in sections 56, 57 and 62;
(f)
the notification of personal data breaches to the Commissioner and the communication of personal data breaches to data subjects;
(g)
the transfer of personal data to third countries or international organisations;
(h)
out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing.
(5)
The Commissioner must encourage expert public bodies to submit codes of conduct described in subsection (1) to the Commissioner in draft.
(6)
Where an expert public body does so, the Commissioner must—
(a)
provide the body with an opinion on whether the code correctly reflects the requirements of this Part,
(b)
decide whether to approve the code, and
(c)
if the code is approved, register and publish the code.
(7)
Subsections (5) and (6) apply in relation to amendments of a code of conduct that is for the time being approved under this section as they apply in relation to a code.
CHAPTER 5Transfers of personal data to third countries etc
Overview and interpretation
72Overview and interpretation
(1)
This Chapter deals with the transfer of personal data to third countries or international organisations, as follows—
(a)
sections 73 to 76 set out the general conditions that apply;
(b)
(c)
section 78 makes special provision about subsequent transfers of personal data.
(2)
In this Chapter, “relevant authority”, in relation to a third country, means any person based in a third country that has (in that country) functions comparable to those of a competent authority.
General principles for transfers
73General principles for transfers of personal data
F61A1
This section applies in relation to a transfer of personal data to a third country or international organisation for a law enforcement purpose.
(1)
F62The controller in relation to the transfer must secure that the transfer takes place only if—
(a)
the three conditions set out in subsections (2) to (4) are met, F63…
(b)
in a case where the personal data was originally transmitted or otherwise made available to the controller or another competent authority by a member State F64…, that member State, or any person based in that member State which is a competent authority for the purposes of the Law Enforcement Directive, has authorised the transfer in accordance with the law of the member State F65, and—
(c)
the transfer is carried out in accordance with the other provisions of this Part.
(2)
Condition 1 is that the transfer is necessary for any of the law enforcement purposes.
F66(3)
Condition 2 is that the transfer—
(a)
is approved by regulations under section 74AA that are in force at the time of the transfer,
(b)
is made subject to appropriate safeguards (see section 75), or
(c)
is based on special circumstances (see section 76).
(4)
Condition 3 is that—
(a)
the intended recipient is a relevant authority in a third country or an international organisation that is a relevant international organisation,
F67(aa)
the intended recipient is a person in a third country who—
(i)
is not a person described in paragraph (a), but
(ii)
is a processor whose processing, on behalf of the controller, of the personal data transferred is governed by, or authorised in accordance with, a contract with the controller that complies with section 59, or
(b)
in a case where the controller is a competent authority specified in any of paragraphs 5 to 17, 21, 24 to 28, 34 to 51, 54 and 56 of Schedule 7—
(i)
the intended recipient is a person in a third country F68who is not a person described in paragraph (a) or (aa), and
(ii)
the additional conditions in section 77 are met.
(5)
Authorisation is not required as mentioned in subsection (1)(b) if—
(a)
the transfer is necessary for the prevention of an immediate and serious threat F69to the public security, national security or essential interests of a third country or the United Kingdom, and
(b)
the authorisation cannot be obtained in good time.
(6)
Where a transfer is made without the authorisation mentioned in subsection (1)(b), the authority in the member State which would have been responsible for deciding whether to authorise the transfer must be informed without delay.
(7)
In this section, “relevant international organisation” means an international organisation that carries out functions for any of the law enforcement purposes.
F7074Transfers on the basis of an adequacy decision
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F7174ATransfers based on adequacy regulations
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F7274AATransfers approved by regulations
(1)
For the purposes of section 73, the Secretary of State may by regulations approve transfers of personal data to—
(a)
a third country, or
(b)
an international organisation.
(2)
The Secretary of State may only make regulations under this section approving transfers to a third country or international organisation if the Secretary of State considers that the data protection test is met in relation to the transfers (see section 74AB).
(3)
In making regulations under this section, the Secretary of State may have regard to any matter which the Secretary of State considers relevant, including the desirability of facilitating transfers of personal data to and from the United Kingdom.
(4)
Regulations under this section may, among other things—
(a)
make provision by reference to a third country or international organisation specified in the regulations or a description of country or organisation;
(b)
approve all transfers of personal data to a third country or international organisation or only transfers specified or described in the regulations;
(c)
identify a transfer of personal data by any means, including by reference to—
(i)
a sector or geographic area within a third country,
(ii)
the controller or processor,
(iii)
the recipient of the personal data,
(iv)
the personal data transferred,
(v)
the means by which the transfer is made, or
(vi)
relevant legislation, schemes, lists or other arrangements or documents, as they have effect from time to time;
(d)
confer a discretion on a person.
(5)
Regulations under this section are subject to the negative resolution procedure.
74ABThe data protection test
(1)
For the purposes of section 74AA, the data protection test is met in relation to transfers to a third country or international organisation if the standard of the protection provided for data subjects with regard to law enforcement processing of personal data in the country or by the organisation is not materially lower than the standard of the protection provided for data subjects by or under—
(a)
this Part, and
(b)
Parts 5 to 7, so far as relevant to law enforcement processing.
(2)
In considering whether the data protection test is met in relation to transfers of personal data to a third country or international organisation, the Secretary of State must consider, among other things—
(a)
respect for the rule of law and for human rights in the country or by the organisation,
(b)
the existence, and powers, of an authority responsible for enforcing the protection of data subjects with regard to the processing of personal data in the country or by the organisation,
(c)
arrangements for judicial or non-judicial redress for data subjects in connection with such processing,
(d)
rules about the transfer of personal data from the country or by the organisation to other countries or international organisations,
(e)
relevant international obligations of the country or organisation, and
(f)
the constitution, traditions and culture of the country or organisation.
(3)
In subsections (1) and (2)—
(a)
the references to the protection provided for data subjects are to that protection taken as a whole,
(b)
the references to law enforcement processing are to processing by a competent authority for any of the law enforcement purposes or equivalent types of processing in the third country or by the international organisation (as appropriate), and
(c)
the references to processing of personal data in the third country or by the international organisation are references only to the processing of personal data transferred to the country or organisation by means of processing to which this Act applies as described in section 207(2).
(4)
When the data protection test is applied only to certain transfers to a third country or international organisation that are specified or described, or to be specified or described, in regulations (in accordance with section 74AA(4)(b))—
(a)
the references in subsections (1) to (3) to personal data are to be read as references only to personal data likely to be the subject of such transfers, and
(b)
the reference in subsection (2)(d) to transfer to other countries or international organisations is to be read as including transfer within the third country or international organisation.
F7374BF74Transfers approved by regulations: monitoring
F75(1)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F75(2)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
(3)
The Secretary of State must, on an ongoing basis, monitor developments in third countries and international organisations that could affect decisions to make regulations F76giving approval under section 74AA or to amend or revoke such regulations.
(4)
F77Where the Secretary of State becomes aware that the data protection test is no longer met in relation to transfers approved, or of a description approved, in regulations under section 74AA, the Secretary of State must, to the extent necessary, amend or revoke the regulations.
(5)
Where regulations under F78section 74AA are amended or revoked in accordance with subsection (4), the Secretary of State must enter into consultations with the third country or international organisation concerned with a view to F79improving the protection provided to data subjects with regard to the processing of personal data in the country or by the organisation.
(6)
The Secretary of State must publish—
(a)
(7)
In the case of F86regulations under section 74AA which approve only certain transfers to a third country or international organisation that are specified or described in the regulations F87(in accordance with section 74AA(4)(b))—
F88(a)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
(b)
the lists published under subsection (6) must specify or describe the relevant transfers.
75Transfers F89subject to appropriate safeguards
F90(1)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F91(1A)
A transfer of personal data to a third country or an international organisation is made subject to appropriate safeguards only if—
(a)
an appropriate legal instrument binds the intended recipient of the data (see subsection (4)), or
(b)
the controller, acting reasonably and proportionately, considers that the data protection test is met in relation to the transfer or that type of transfer (see subsection (5)).
(2)
The controller must inform the Commissioner about the categories of data transfers that take place in reliance on F92subsection (1A)(b) but not in reliance on section 73(4)(aa) (transfer to processor).
(3)
Where a transfer of data takes place in reliance on F93this section but not in reliance on section 73(4)(aa) (transfer to processor)—
(a)
the transfer must be documented,
(b)
the documentation must be provided to the Commissioner on request, and
(c)
the documentation must include, in particular—
(i)
the date and time of the transfer,
(ii)
the name of and any other pertinent information about the recipient,
(iii)
the justification for the transfer, and
(iv)
a description of the personal data transferred.
F94(4)
For the purposes of this section, a legal instrument is “appropriate”, in relation to a transfer of personal data, if—
(a)
the instrument is intended to be relied on in connection with the transfer or that type of transfer,
(b)
at least one competent authority is a party to the instrument, and
(c)
each competent authority that is a party to the instrument, acting reasonably and proportionately, considers that the data protection test is met in relation to the transfers, or types of transfer, intended to be made in reliance on the instrument (see subsection (5)).
(5)
For the purposes of this section, the data protection test is met in relation to a transfer, or a type of transfer, of personal data if, after the transfer, the standard of the protection provided for the data subject with regard to that personal data, whether by a binding legal instrument or by other means, would not be materially lower than the standard of the protection provided for the data subject with regard to the personal data by or under—
(a)
this Part, and
(b)
Parts 5 to 7, so far as they relate to processing by a competent authority for any of the law enforcement purposes.
(6)
For the purposes of subsections (1A)(b) and (4)(c), what is reasonable and proportionate is to be determined by reference to all the circumstances, or likely circumstances, of the transfer or type of transfer, including the nature and volume of the personal data transferred.
(7)
In this section, references to the protection provided for the data subject are to that protection taken as a whole.
F95(8)
For provision about standard data protection clauses which the Commissioner considers are capable of securing that the data protection test in this section is met, see section 119A.
76Transfers F96based on special circumstances
F97A1
A transfer of personal data to a third country or international organisation is based on special circumstances where—
(a)
it is made in the absence of approval by regulations under section 74AA and of compliance with section 75 (appropriate safeguards), and
(b)
it is necessary for a special purpose.
(1)
F98A transfer of personal data is necessary for a special purpose if it is necessary—
(a)
to protect the vital interests of the data subject or another person,
(b)
to safeguard the legitimate interests of the data subject,
(c)
(d)
F102in particular circumstances, for any of the law enforcement purposes, or
(e)
F103in particular circumstances, for a legal purpose.
(2)
F104But a transfer of personal data is not necessary for a special purpose by virtue of subsection (1)(d) or (e) if the controller determines that fundamental rights and freedoms of the data subject override the public interest in the transfer.
F105(2A)
In accordance with the third data protection principle, the amount of personal data transferred in reliance on this section must not be excessive in relation to the special purpose relied on.
(3)
Where a transfer of data takes place in reliance on F106this section—
(a)
the transfer must be documented,
(b)
the documentation must be provided to the Commissioner on request, and
(c)
the documentation must include, in particular—
(i)
the date and time of the transfer,
(ii)
the name of and any other pertinent information about the recipient,
(iii)
the justification for the transfer, and
(iv)
a description of the personal data transferred.
(4)
For the purposes of this section, a transfer is necessary for a legal purpose if—
(a)
it is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings) relating to any of the law enforcement purposes,
(b)
it is necessary for the purpose of obtaining legal advice in relation to any of the law enforcement purposes, or
(c)
it is otherwise necessary for the purposes of establishing, exercising or defending legal rights in relation to any of the law enforcement purposes.
F107Additional conditions
77F108Additional conditions for transfers in reliance on section 73(4)(b)
(1)
The additional conditions referred to in section 73(4)(b)(ii) are the following four conditions.
(2)
Condition 1 is that the transfer is strictly necessary in a specific case for the performance of a task of the transferring controller as provided by law for any of the law enforcement purposes.
(3)
Condition 2 is that the transferring controller has determined that there are no fundamental rights and freedoms of the data subject concerned that override the public interest necessitating the transfer.
(4)
Condition 3 is that the transferring controller considers that the transfer of the personal data to a relevant authority in the third country would be ineffective or inappropriate (for example, where the transfer could not be made in sufficient time to enable its purpose to be fulfilled).
(5)
Condition 4 is that the transferring controller informs the intended recipient of the specific purpose or purposes for which the personal data may, so far as necessary, be processed.
(6)
Where personal data is transferred to a person in a third country F109in reliance on section 73(4)(b), the transferring controller must inform a relevant authority in that third country without undue delay of the transfer, unless this would be ineffective or inappropriate.
(7)
The transferring controller must—
(a)
document any transfer to a recipient in a third country F110that takes place in reliance on section 73(4)(b), and
(b)
inform the Commissioner about the transfer.
(8)
This section does not affect the operation of any international agreement in force between F111the United Kingdom and third countries in the field of judicial co-operation in criminal matters and police co-operation.
Subsequent transfers
78Subsequent transfers
F112A1
Subsections (1) to (6) apply where a transfer to which section 73 applies takes place otherwise than in reliance on section 73(4)(aa) (transfer to processor).
(1)
(a)
(b)
that—
(i)
the personal data is not to be so transferred without such authorisation except where subsection (1A) applies, and
(ii)
where a transfer is made without such authorisation, the UK authoriser must be informed without delay.
F117(1A)
This subsection applies if—
(a)
the transfer is necessary for the prevention of an immediate and serious threat to the public security or national security of a third country or the United Kingdom, and
(b)
authorisation from the UK authoriser cannot be obtained in good time.
(2)
(3)
In deciding whether to give the authorisation, the F120UK authoriser must take into account (among any other relevant factors)—
(a)
the seriousness of the circumstances leading to the request for authorisation,
(b)
the purpose for which the personal data was originally transferred, and
(c)
the standards for the protection of personal data that apply in the third country or international organisation to which the personal data would be transferred.
(4)
In a case where the personal data was originally transmitted or otherwise made available to the transferring controller or another competent authority by a member State F121…, F122the UK authoriser may not give an authorisation for the purposes of a condition described in subsection (1) unless that member State, or any person based in that member State which is a competent authority for the purposes of the Law Enforcement Directive, has authorised the transfer in accordance with the law of the member State.
(5)
Authorisation is not required as mentioned in subsection (4) if—
(a)
the transfer is necessary for the prevention of an immediate and serious threat F123to the public security, national security or essential interests of a third country or the United Kingdom, and
(b)
the authorisation cannot be obtained in good time.
(6)
Where a transfer is made F124in a case described in subsection (4) without the authorisation mentioned in F125that subsection (whether made with or without authorisation from the UK authoriser), the UK authoriser must, without delay, inform, the authority in the member State which would have been responsible for deciding whether to authorise the transfer F126….
F127(7)
Where a transfer takes place in reliance on section 73(4)(aa) (transfer to processor), the transferring controller must make it a condition of the transfer that the data is only to be further transferred to a third country or international organisation where—
(a)
the terms of any relevant contract entered into, or authorisation given, by the transferring controller in accordance with section 59 are complied with, and
(b)
the further transfer satisfies the requirements in section 73(1).
CHAPTER 6Supplementary
F12878ANational security exemption
(1)
A provision mentioned in subsection (2) does not apply to personal data processed for law enforcement purposes if exemption from the provision is required for the purposes of safeguarding national security.
(2)
The provisions are—
(a)
Chapter 2 of this Part (principles), except for the provisions listed in subsection (3);
(b)
Chapter 3 of this Part (rights of the data subject);
(c)
in Chapter 4 of this Part—
(i)
section 67 (notification of personal data breach to the Commissioner);
(ii)
section 68 (communication of personal data breach to the data subject);
(d)
Chapter 5 of this Part (transfers of personal data to third countries etc), except for the provisions listed in subsection (4);
(e)
in Part 5—
(i)
section 119 (inspection in accordance with international obligations);
F129(ia)
section 119A (standard clauses for transfers to third countries);
(ii)
in Schedule 13 (other general functions of the Commissioner), paragraphs 1(1)(a) and (g) and 2;
(f)
in Part 6—
(i)
sections 142 to 154 and Schedule 15 (Commissioner’s notices and powers of entry and inspection);
(ii)
sections 170 to 173 (offences relating to personal data);
(g)
in Part 7, section 187 (representation of data subjects).
(3)
The provisions of Chapter 2 of this Part (principles) which are excepted from the list in subsection (2) are—
(a)
section 35(1) (the first data protection principle) so far as it requires processing of personal data to be lawful;
(b)
section 35(2) to (5) (lawfulness of processing and restrictions on sensitive processing);
(c)
section 42 (safeguards: sensitive processing);
(d)
Schedule 8 (conditions for sensitive processing).
(4)
The provisions of Chapter 5 of this Part (transfers of personal data to third countries etc) which are excepted from the list in subsection (2) are—
(a)
the following provisions of section 73—
(i)
subsection (1)(a) (conditions for transfer), so far as it relates to the condition in subsection (2) of that section, and subsection (2) (transfer must be necessary for a law enforcement purpose);
(ii)
subsections (1)(b), (5) and (6) (conditions for transfer of personal data originally made available by a member State);
(b)
section 78 (subsequent transfers).
79National security: certificate
F130(1)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F130(2)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F130(3)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F131(3A)
Subject to subsection (5), a certificate signed by a Minister of the Crown certifying that exemption from all or any of the provisions listed in section 78A(2) is, or at any time was, required in relation to any personal data for the purposes of safeguarding national security is conclusive evidence of that fact.
(4)
A certificate issued under F132subsection (3A)—
(a)
may identify the personal data to which it applies by means of a general description, and
(b)
may be expressed to have prospective effect.
(5)
Any person directly affected by the issuing of a certificate under F133subsection (3A) may appeal to the Tribunal against the certificate.
(6)
If, on an appeal under subsection (5), the Tribunal finds that, applying the principles applied by a court on an application for judicial review, the Minister did not have reasonable grounds for issuing the certificate, the Tribunal may —
(a)
allow the appeal, and
(b)
quash the certificate.
(7)
Where in any proceedings under or by virtue of this Act, it is claimed by a controller that F134a certificate under subsection (3A) which identifies the personal data to which it applies by means of a general description applies to any personal data, any other party to the proceedings may appeal to the Tribunal on the ground that F135the certificate does not apply to the personal data in question.
(8)
(9)
On an appeal under subsection (7), the Tribunal may determine that the certificate does not so apply.
(10)
A document purporting to be a certificate under F138subsection (3A) is to be—
(a)
received in evidence, and
(b)
deemed to be such a certificate unless the contrary is proved.
(11)
A document which purports to be certified by or on behalf of a Minister of the Crown as a true copy of a certificate issued by that Minister under F139subsection (3A) is—
(a)
in any legal proceedings, evidence of that certificate, and
(b)
in any legal proceedings in Scotland, sufficient evidence of that certificate.
(12)
The power conferred by F140subsection (3A) on a Minister of the Crown is exercisable only by—
(a)
a Minister who is a member of the Cabinet, or
(b)
the Attorney General or the Advocate General for Scotland.
F141(13)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
80Special processing restrictions
(1)
Subsections (3) and (4) apply where, for a law enforcement purpose, a controller transmits or otherwise makes available personal data to F142a non-UK recipient.
(2)
In this section—
F143…
“F144non-UK recipient” means—
(a)
a recipient in a third country, or
(b)
an international organisation.
(3)
The controller must consider whether, if the personal data had instead been transmitted or otherwise made available within the United Kingdom to another competent authority, processing of the data by the other competent authority would have been subject to any restrictions by virtue of any enactment or rule of law.
(4)
Where that would be the case, the controller must inform F145the non-UK recipient that the data is transmitted or otherwise made available subject to compliance by that person with the same restrictions (which must be set out in the information given to that person).
F146(5)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F146(6)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
F146(7)
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
81Reporting of infringements
(1)
Each controller must implement effective mechanisms to encourage the reporting of an infringement of this Part.
(2)
The mechanisms implemented under subsection (1) must provide that an infringement may be reported to any of the following persons—
(a)
the controller;
(b)
the Commissioner.
(3)
The mechanisms implemented under subsection (1) must include—
(a)
raising awareness of the protections provided by Part 4A of the Employment Rights Act 1996 and Part 5A of the Employment Rights (Northern Ireland) Order 1996 (S.I. 1996/1919 (N.I. 16)), and
(b)
such other protections for a person who reports an infringement of this Part as the controller considers appropriate.
(4)
A person who reports an infringement of this Part does not breach—
(a)
an obligation of confidence owed by the person, or
(b)
any other restriction on the disclosure of information (however imposed).
(5)
Subsection (4) does not apply if or to the extent that the report includes a disclosure which is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016.
(6)
Until the repeal of Part 1 of the Regulation of Investigatory Powers Act 2000 by paragraphs 45 and 54 of Schedule 10 to the Investigatory Powers Act 2016 is fully in force, subsection (5) has effect as if it included a reference to that Part.