Legislation – Data Protection Act 2018

New Search

Introduction

PART 1
Preliminary

1 Overview

2 Protection of personal data

3 Terms relating to the processing of personal data

PART 2
General processing

CHAPTER 1 Scope and definitions

4 Processing to which this Part applies

5 Definitions

CHAPTER 2 The UK GDPR

Meaning of certain terms used in the UK GDPR

6 Meaning of “controller”

7 Meaning of “public authority” and “public body”

Lawfulness of processing

8 Lawfulness of processing: public interest etc

9 Child’s consent in relation to information society services

Relevant international law

9A Processing in reliance on relevant international law

Special categories of personal data

10 Special categories of personal data and criminal convictions etc data

11 Special categories of personal data etc: supplementary

Rights of the data subject

12 Limits on fees that may be charged by controllers

13 Obligations of credit reference agencies

14 Automated decision-making authorised by law: safeguards

Exemptions etc

15 Exemptions etc

16 Power to make further exemptions etc by regulations

Certification

17 Accreditation of certification providers

Transfers of personal data to third countries etc

17A Transfers based on adequacy regulations

17B Transfers based on adequacy regulations: review etc

17C Standard data protection clauses

18 Transfers of personal data to third countries etc : public interest

Specific processing situations

19 Processing for archiving, research and statistical purposes: safeguards

Minor definition

20 Meaning of “court”

CHAPTER 3 Exemptions for manual unstructured processing and for national security and defence purposes

Definitions

21 Definitions

22 Application of the GDPR to processing to which this Chapter applies

23 Power to make provision in consequence of regulations related to the GDPR

Exemptions etc

24 Manual unstructured data held by FOI public authorities

25 Manual unstructured data used in longstanding historical research

26 National security and defence exemption

27 National security: certificate

28 National security and defence: modifications to Articles 9 and 32 of the UK GDPR

PART 3
Law enforcement processing

CHAPTER 1 Scope and definitions

Scope

29 Processing to which this Part applies

Definitions

30 Meaning of “competent authority”

31 “The law enforcement purposes”

32 Meaning of “controller” and “processor”

33 Other definitions

CHAPTER 2 Principles

34 Overview and general duty of controller

35 The first data protection principle

36 The second data protection principle

37 The third data protection principle

38 The fourth data protection principle

39 The fifth data protection principle

40 The sixth data protection principle

41 Safeguards: archiving

42 Safeguards: sensitive processing

42A Further provision about sensitive processing

CHAPTER 3 Rights of the data subject

Overview and scope

43 Overview and scope

Data subject’s rights to information

44 … Controller’s general duties

45 Right of access by the data subject

45A Exemption from sections 44 and 45: legal professional privilege

Data subject’s rights to rectification or erasure etc

46 Right to rectification

47 Right to erasure or restriction of processing

48 Rights under section 46 or 47: supplementary

Automated individual decision-making

49 Right not to be subject to automated decision-making

50 Automated decision-making authorised by law: safeguards

50A Automated processing and significant decisions

50B Restrictions on automated decision-making based on sensitive processing

50C Safeguards for automated decision-making

50D Further provision about automated decision-making

Supplementary

51 Exercise of rights through the Commissioner

52 Form of provision of information etc

53 Manifestly unfounded or excessive requests by the data subject

54 Meaning of “applicable time period”

CHAPTER 4 Controller and processor

Overview and scope

55 Overview and scope

General obligations

56 General obligations of the controller

57 Data protection by design and default

58 Joint controllers

59 Processors

60 Processing under the authority of the controller or processor

61 Records of processing activities

62 Logging

63 Co-operation with the Commissioner

64 Data protection impact assessment

65 Prior consultation with the Commissioner

Obligations relating to security

66 Security of processing

Obligations relating to personal data breaches

67 Notification of a personal data breach to the Commissioner

68 Communication of a personal data breach to the data subject

Data protection officers

69 Designation of a data protection officer

70 Position of data protection officer

71 Tasks of data protection officer

Codes of conduct

71A Codes of conduct

CHAPTER 5 Transfers of personal data to third countries etc

Overview and interpretation

72 Overview and interpretation

General principles for transfers

73 General principles for transfers of personal data

74 Transfers on the basis of an adequacy decision

74A Transfers based on adequacy regulations

74AA Transfers approved by regulations

74AB The data protection test

74B Transfers based on adequacy regulations: review etc

75 Transfers on the basis of appropriate safeguards

76 Transfers on the basis of special circumstances

Transfers to particular recipients

77 Transfers of personal data to persons other than relevant authorities

Subsequent transfers

78 Subsequent transfers

CHAPTER 6 Supplementary

78A National security exemption

79 National security: certificate

80 Special processing restrictions

81 Reporting of infringements

PART 4
Intelligence services processing

CHAPTER 1 Scope and definitions

Scope

82 Processing to which this Part applies

82A Designation of processing by a qualifying competent authority

82B Duration of designation notice

82C Review and withdrawal of designation notice

82D Records of designation notices

82E Appeal against designation notice

Definitions

83 Meaning of “controller” and “processor”

84 Other definitions

CHAPTER 2 Principles

Overview

85 Overview

The data protection principles

86 The first data protection principle

87 The second data protection principle

88 The third data protection principle

89 The fourth data protection principle

90 The fifth data protection principle

91 The sixth data protection principle

91A Further provision about sensitive processing

CHAPTER 3 Rights of the data subject

Overview

92 Overview

Rights

93 Right to information

94 Right of access

95 Right of access: supplementary

96 Right not to be subject to automated decision-making

97 Right to intervene in automated decision-making

98 Right to information about decision-making

99 Right to object to processing

100 Rights to rectification and erasure

CHAPTER 4 Controller and processor

Overview

101 Overview

General obligations

102 General obligations of the controller

103 Data protection by design

104 Joint controllers

105 Processors

106 Processing under the authority of the controller or processor

Obligations relating to security

107 Security of processing

Obligations relating to personal data breaches

108 Communication of a personal data breach

CHAPTER 5 Transfers of personal data outside the United Kingdom

109 Transfers of personal data outside the United Kingdom

CHAPTER 6 Exemptions

110 National security

111 National security: certificate

112 Other exemptions

113 Power to make further exemptions

PART 5
The Information Commissioner

114 The Information Commissioner

114A The Information Commission

115 General functions under the UK GDPR and safeguards

116 Other general functions

117 Competence in relation to courts etc

118 Co-operation between parties to the Data Protection Convention

119 Inspection of personal data in accordance with international obligations

119A Standard clauses for transfers to third countries etc

120 Further international role

120A Principal objective

120B Duties in relation to functions under the data protection legislation

120C Strategy

120D Duty to consult other regulators

121 Data-sharing code

122 Direct marketing code

123 Age-appropriate design code

124 Data protection and journalism code

124A Other codes of practice

124B Panels to consider codes of practice

124C Impact assessments for codes of practice

125 Approval of codes prepared under sections 121 to 124A

126 Publication and review of codes issued under section 125(4)

127 Effect of codes issued under section 125(4)

128 Other codes of practice

129 Consensual audits

130 Records of national security certificates

131 Disclosure of information to the Commissioner

132 Confidentiality of information

133 Guidance about privileged communications

134 Fees for services

135 Manifestly unfounded or excessive requests by data subjects etc

136 Guidance about fees

137 Charges payable to the Commissioner by controllers

138 Regulations under section 137: supplementary

139 Reporting to Parliament

139A Analysis of performance

140 Publication by the Commissioner

141 Notices from the Commissioner

PART 6
Enforcement

142 Information notices

143 Information notices: restrictions

144 False statements made in response to information notices

145 Information orders

146 Assessment notices

147 Assessment notices: restrictions

148 Destroying or falsifying information and documents etc

149 Enforcement notices

150 Enforcement notices: supplementary

151 Enforcement notices: rectification and erasure of personal data etc

152 Enforcement notices: restrictions

153 Enforcement notices: cancellation and variation

154 Powers of entry and inspection

155 Penalty notices

156 Penalty notices: restrictions

157 Maximum amount of penalty

158 Fixed penalties for non-compliance with charges regulations

159 Amount of penalties: supplementary

160 Guidance about regulatory action

161 Approval of first guidance about regulatory action

161A Annual report on regulatory action

162 Rights of appeal

163 Determination of appeals

164 Applications in respect of urgent notices

164A Complaints by data subjects to controllers

164B Controllers to notify the Commissioner of the number of complaints

165 Complaints by data subjects

166 Orders to progress complaints

167 Compliance orders

168 Compensation for contravention of the UK GDPR

169 Compensation for contravention of other data protection legislation

170 Unlawful obtaining etc of personal data

171 Re-identification of de-identified personal data

172 Re-identification: effectiveness testing conditions

173 Alteration etc of personal data to prevent disclosure to data subject

174 The special purposes

175 Provision of assistance in special purposes proceedings

176 Staying special purposes proceedings

177 Guidance about how to seek redress against media organisations

178 Review of processing of personal data for the purposes of journalism

179 Effectiveness of the media’s dispute resolution procedures

180 Jurisdiction

180A Procedure in connection with subject access requests

181 Interpretation of Part 6

PART 7
Supplementary and final provision

182 Regulations and consultation

183 Power to reflect changes to the Data Protection Convention

183A Protection of prohibitions and restrictions etc on processing: relevant enactments

183B Protection of prohibitions and restrictions etc on processing: other enactments

184 Prohibition of requirement to produce relevant records

185 Avoidance of certain contractual terms relating to health records

186 Protection of data subject’s rights

186A Protection of data subject’s rights: further provision

187 Representation of data subjects with their authority

188 Representation of data subjects with their authority: collective proceedings

189 Duty to review provision for representation of data subjects

190 Post-review powers to make provision about representation of data subjects

191 Framework for Data Processing by Government

192 Approval of the Framework

193 Publication and review of the Framework

194 Effect of the Framework

195 Reserve forces: data-sharing by HMRC

196 Penalties for offences

197 Prosecution

198 Liability of directors etc

199 Recordable offences

200 Guidance about PACE codes of practice

201 Disclosure of information to the Tribunal

202 Proceedings in the First-tier Tribunal: contempt

203 Tribunal Procedure Rules

204 Meaning of “health professional” and “social work professional”

205 General interpretation

206 Index of defined expressions

207 Territorial application of this Act

208 Children in Scotland

209 Application to the Crown

210 Application to Parliament

211 Minor and consequential provision

212 Commencement

213 Transitional provision

214 Extent

215 Short title

SCHEDULES

Schedule A1 Processing in reliance on relevant international law

SCHEDULE 1 Special categories of personal data and criminal convictions etc data

SCHEDULE 2 Exemptions etc from the UK GDPR

SCHEDULE 3 Exemptions etc from the UK GDPR: health, social work, education and child abuse data

SCHEDULE 4 Exemptions etc from the UK GDPR: disclosure prohibited or restricted by an enactment

SCHEDULE 5 Accreditation of certification providers: reviews and appeals

SCHEDULE 6 The applied GDPR and the applied Chapter 2

SCHEDULE 7 Competent authorities

SCHEDULE 8 Conditions for sensitive processing under Part 3

SCHEDULE 9 Conditions for processing under Part 4

SCHEDULE 10 Conditions for sensitive processing under Part 4

SCHEDULE 11 Other exemptions under Part 4

SCHEDULE 12 The Information Commissioner

Schedule 12A The Information Commission

SCHEDULE 13 Other general functions of the Commissioner

SCHEDULE 14 Co-operation and mutual assistance

SCHEDULE 15 Powers of entry and inspection

SCHEDULE 16 Penalties

SCHEDULE 17 Review of processing of personal data for the purposes of journalism

SCHEDULE 18 Relevant records

SCHEDULE 19 Minor and consequential amendments

SCHEDULE 20 Transitional provision etc

SCHEDULE 21 Further transitional provision etc

Changes to legislation:

Data Protection Act 2018, CHAPTER 4 is up to date with all changes known to be in force on or before 11 April 2026. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations. Help about Changes to Legislation

Close

Changes to Legislation

Changes and effects yet to be applied by the editorial team are only applicable when viewing the latest version or prospective version of legislation. They are therefore not accessible when viewing legislation as at a specific point in time. To view the ‘Changes to Legislation’ information for this provision return to the latest version view using the options provided in the ‘What Version’ box above.

PART 3Law enforcement processing

CHAPTER 4Controller and processor

Overview and scope

55Overview and scope

(1)

This Chapter—

(a)

sets out the general obligations of controllers and processors (see sections 56 to 65);

(b)

sets out specific obligations of controllers and processors with respect to security (see section 66);

(c)

sets out specific obligations of controllers and processors with respect to personal data breaches (see sections 67 and 68);

(d)

makes provision for the designation, position and tasks of data protection officers (see sections 69 to 71);

F1(e)

makes provision about codes of conduct (see section 71A).

(2)

This Chapter applies only in relation to the processing of personal data for a law enforcement purpose.

(3)

Where a controller is required by any provision of this Chapter to implement appropriate technical and organisational measures, the controller must (in deciding what measures are appropriate) take into account—

(a)

the latest developments in technology,

(b)

the cost of implementation,

(c)

the nature, scope, context and purposes of processing, and

(d)

the risks for the rights and freedoms of individuals arising from the processing.

General obligations

56General obligations of the controller

(1)

Each controller must implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that the processing of personal data complies with the requirements of this Part.

(2)

Where proportionate in relation to the processing, the measures implemented to comply with the duty under subsection (1) must include appropriate data protection policies.

(3)

The technical and organisational measures implemented under subsection (1) must be reviewed and updated where necessary.

F2(4)

Adherence to a code of conduct approved under section 71A may be used by a controller as a means of demonstrating compliance with the requirements of this Part.

57Data protection by design and default

(1)

Each controller must implement appropriate technical and organisational measures which are designed—

(a)

to implement the data protection principles in an effective manner, and

(b)

to integrate into the processing itself the safeguards necessary for that purpose.

(2)

The duty under subsection (1) applies both at the time of the determination of the means of processing the data and at the time of the processing itself.

(3)

Each controller must implement appropriate technical and organisational measures for ensuring that, by default, only personal data which is necessary for each specific purpose of the processing is processed.

(4)

The duty under subsection (3) applies to—

(a)

the amount of personal data collected,

(b)

the extent of its processing,

(c)

the period of its storage, and

(d)

its accessibility.

(5)

In particular, the measures implemented to comply with the duty under subsection (3) must ensure that, by default, personal data is not made accessible to an indefinite number of people without an individual’s intervention.

58Joint controllers

(1)

Where two or more competent authorities jointly determine the purposes and means of processing personal data, they are joint controllers for the purposes of this Part.

(2)

Joint controllers must, in a transparent manner, determine their respective responsibilities for compliance with this Part by means of an arrangement between them, except to the extent that those responsibilities are determined under or by virtue of an enactment.

(3)

The arrangement must designate the controller which is to be the contact point for data subjects.

59Processors

(1)

This section applies to the use by a controller of a processor to carry out processing of personal data on behalf of the controller.

(2)

The controller may use only a processor who provides guarantees to implement appropriate technical and organisational measures that are sufficient to secure that the processing will—

(a)

meet the requirements of this Part, and

(b)

ensure the protection of the rights of the data subject.

(3)

The processor used by the controller may not engage another processor (“a sub-processor”) without the prior written authorisation of the controller, which may be specific or general.

(4)

Where the controller gives a general written authorisation to a processor, the processor must inform the controller if the processor proposes to add to the number of sub-processors engaged by it or to replace any of them (so that the controller has the opportunity to object to the proposal).

(5)

The processing by the processor must be governed by a contract in writing between the controller and the processor setting out the following—

(a)

the subject-matter and duration of the processing;

(b)

the nature and purpose of the processing;

(c)

the type of personal data and categories of data subjects involved;

(d)

the obligations and rights of the controller and processor.

(6)

The contract must, in particular, provide that the processor must—

(a)

act only on instructions from the controller,

(b)

ensure that the persons authorised to process personal data are subject to an appropriate duty of confidentiality,

(c)

assist the controller by any appropriate means to ensure compliance with the rights of the data subject under this Part,

(d)

at the end of the provision of services by the processor to the controller—

(i)

either delete or return to the controller (at the choice of the controller) the personal data to which the services relate, and

(ii)

delete copies of the personal data unless subject to a legal obligation to store the copies,

(e)

make available to the controller all information necessary to demonstrate compliance with this section, and

(f)

comply with the requirements of this section for engaging sub-processors.

(7)

The terms included in the contract in accordance with subsection (6)(a) must provide that the processor may transfer personal data to a third country or international organisation only if instructed by the controller to make the particular transfer.

F3(7A)

Adherence to a code of conduct approved under section 71A may be used by a processor as a means of demonstrating sufficient guarantees as described in subsection (2).

(8)

If a processor determines, in breach of this Part, the purposes and means of processing, the processor is to be treated for the purposes of this Part as a controller in respect of that processing.

60Processing under the authority of the controller or processor

A processor, and any person acting under the authority of a controller or processor, who has access to personal data may not process the data except—

(a)

on instructions from the controller, or

(b)

to comply with a legal obligation.

61Records of processing activities

(1)

Each controller must maintain a record of all categories of processing activities for which the controller is responsible.

(2)

The controller’s record must contain the following information—

(a)

the name and contact details of the controller;

(b)

where applicable, the name and contact details of the joint controller;

(c)

where applicable, the name and contact details of the data protection officer;

(d)

the purposes of the processing;

(e)

the categories of recipients to whom personal data has been or will be disclosed (including recipients in third countries or international organisations);

(f)

a description of the categories of—

(i)

data subject, and

(ii)

personal data;

(g)

where applicable, details of the use of profiling;

(h)

where applicable, the categories of transfers of personal data to a third country or an international organisation;

(i)

an indication of the legal basis for the processing operations, including transfers, for which the personal data is intended;

(j)

where possible, the envisaged time limits for erasure of the different categories of personal data;

(k)

where possible, a general description of the technical and organisational security measures referred to in section 66.

(3)

Each processor must maintain a record of all categories of processing activities carried out on behalf of a controller.

(4)

The processor’s record must contain the following information—

(a)

the name and contact details of the processor and of any other processors engaged by the processor in accordance with section 59(3);

(b)

the name and contact details of the controller on behalf of which the processor is acting;

(c)

where applicable, the name and contact details of the data protection officer;

(d)

the categories of processing carried out on behalf of the controller;

(e)

where applicable, details of transfers of personal data to a third country or an international organisation where explicitly instructed to do so by the controller, including the identification of that third country or international organisation;

(f)

where possible, a general description of the technical and organisational security measures referred to in section 66.

(5)

The controller and the processor must make the records kept under this section available to the Commissioner on request.

62Logging

(1)

A controller (or, where personal data is processed on behalf of the controller by a processor, the processor) must keep logs for at least the following processing operations in automated processing systems—

(a)

collection;

(b)

alteration;

(c)

consultation;

(d)

disclosure (including transfers);

(e)

combination;

(f)

erasure.

(2)

The logs of consultation must make it possible to establish—

(a)

the justification for, and date and time of, the consultation, and

(b)

so far as possible, the identity of the person who consulted the data.

(3)

The logs of disclosure must make it possible to establish—

(a)

the justification for, and date and time of, the disclosure, and

(b)

so far as possible—

(i)

the identity of the person who disclosed the data, and

(ii)

the identity of the recipients of the data.

(4)

The logs kept under subsection (1) may be used only for one or more of the following purposes—

(a)

to verify the lawfulness of processing;

(b)

to assist with self-monitoring by the controller or (as the case may be) the processor, including the conduct of internal disciplinary proceedings;

(c)

to ensure the integrity and security of personal data;

(d)

the purposes of criminal proceedings.

(5)

The controller or (as the case may be) the processor must make the logs available to the Commissioner on request.

63Co-operation with the Commissioner

Each controller and each processor must co-operate, on request, with the Commissioner in the performance of the Commissioner’s tasks.

64Data protection impact assessment

(1)

Where a type of processing is likely to result in a high risk to the rights and freedoms of individuals, the controller must, prior to the processing, carry out a data protection impact assessment.

(2)

A data protection impact assessment is an assessment of the impact of the envisaged processing operations on the protection of personal data.

(3)

A data protection impact assessment must include the following—

(a)

a general description of the envisaged processing operations;

(b)

an assessment of the risks to the rights and freedoms of data subjects;

(c)

the measures envisaged to address those risks;

(d)

safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Part, taking into account the rights and legitimate interests of the data subjects and other persons concerned.

(4)

In deciding whether a type of processing is likely to result in a high risk to the rights and freedoms of individuals, the controller must take into account the nature, scope, context and purposes of the processing.

65Prior consultation with the Commissioner

(1)

This section applies where a controller intends to create a filing system and process personal data forming part of it.

(2)

The controller must consult the Commissioner prior to the processing if a data protection impact assessment prepared under section 64 indicates that the processing of the data would result in a high risk to the rights and freedoms of individuals (in the absence of measures to mitigate the risk).

(3)

Where the controller is required to consult the Commissioner under subsection (2), the controller must give the Commissioner—

(a)

the data protection impact assessment prepared under section 64, and

(b)

any other information requested by the Commissioner to enable the Commissioner to make an assessment of the compliance of the processing with the requirements of this Part.

(4)

Where the Commissioner is of the opinion that the intended processing referred to in subsection (1) would infringe any provision of this Part, the Commissioner must provide written advice to the controller and, where the controller is using a processor, to the processor.

(5)

The written advice must be provided before the end of the period of 6 weeks beginning with receipt of the request for consultation by the controller or the processor.

(6)

The Commissioner may extend the period of 6 weeks by a further period of 1 month, taking into account the complexity of the intended processing.

(7)

If the Commissioner extends the period of 6 weeks, the Commissioner must—

(a)

inform the controller and, where applicable, the processor of any such extension before the end of the period of 1 month beginning with receipt of the request for consultation, and

(b)

provide reasons for the delay.

Obligations relating to security

66Security of processing

(1)

Each controller and each processor must implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks arising from the processing of personal data.

(2)

In the case of automated processing, each controller and each processor must, following an evaluation of the risks, implement measures designed to—

(a)

prevent unauthorised processing or unauthorised interference with the systems used in connection with it,

(b)

ensure that it is possible to establish the precise details of any processing that takes place,

(c)

ensure that any systems used in connection with the processing function properly and may, in the case of interruption, be restored, and

(d)

ensure that stored personal data cannot be corrupted if a system used in connection with the processing malfunctions.

F4(3)

Adherence to a code of conduct approved under section 71A may be used by a controller or processor as a means of demonstrating compliance with subsection (1).

Obligations relating to personal data breaches

67Notification of a personal data breach to the Commissioner

(1)

If a controller becomes aware of a personal data breach in relation to personal data for which the controller is responsible, the controller must notify the breach to the Commissioner—

(a)

without undue delay, and

(b)

where feasible, not later than 72 hours after becoming aware of it.

(2)

Subsection (1) does not apply if the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals.

(3)

Where the notification to the Commissioner is not made within 72 hours, the notification must be accompanied by reasons for the delay.

(4)

Subject to subsection (5), the notification must include—

(a)

a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

(b)

the name and contact details of the data protection officer or other contact point from whom more information can be obtained;

(c)

a description of the likely consequences of the personal data breach;

(d)

a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

(5)

Where and to the extent that it is not possible to provide all the information mentioned in subsection (4) at the same time, the information may be provided in phases without undue further delay.

(6)

The controller must record the following information in relation to a personal data breach—

(a)

the facts relating to the breach,

(b)

its effects, and

(c)

the remedial action taken.

(7)

The information mentioned in subsection (6) must be recorded in such a way as to enable the Commissioner to verify compliance with this section.

F5(8)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(9)

If a processor becomes aware of a personal data breach (in relation to personal data processed by the processor), the processor must notify the controller without undue delay.

68Communication of a personal data breach to the data subject

(1)

Where a personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must inform the data subject of the breach without undue delay.

(2)

The information given to the data subject must include the following—

(a)

a description of the nature of the breach;

(b)

the name and contact details of the data protection officer or other contact point from whom more information can be obtained;

(c)

a description of the likely consequences of the personal data breach;

(d)

a description of the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

(3)

The duty under subsection (1) does not apply where—

(a)

the controller has implemented appropriate technological and organisational protection measures which were applied to the personal data affected by the breach,

(b)

the controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects referred to in subsection (1) is no longer likely to materialise, or

(c)

it would involve a disproportionate effort.

(4)

An example of a case which may fall within subsection (3)(a) is where measures that render personal data unintelligible to any person not authorised to access the data have been applied, such as encryption.

(5)

In a case falling within subsection (3)(c) (but not within subsection (3)(a) or (b)), the information mentioned in subsection (2) must be made available to the data subject in another equally effective way, for example, by means of a public communication.

(6)

Where the controller has not informed the data subject of the breach the Commissioner, on being notified under section 67 and after considering the likelihood of the breach resulting in a high risk, may—

(a)

require the controller to notify the data subject of the breach, or

(b)

decide that the controller is not required to do so because any of paragraphs (a) to (c) of subsection (3) applies.

(7)

The controller may restrict, wholly or partly, the provision of information to the data subject under subsection (1) to the extent that and for so long as the restriction is, having regard to the fundamental rights and legitimate interests of the data subject, a necessary and proportionate measure to—

(a)

avoid obstructing an official or legal inquiry, investigation or procedure;

(b)

avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;

(c)

protect public security;

F6(d)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(e)

protect the rights and freedoms of others.

(8)

Subsection (6) does not apply where the controller’s decision not to inform the data subject of the breach was made in reliance on subsection (7).

(9)

The duties in section 52(1) and (2) apply in relation to information that the controller is required to provide to the data subject under this section as they apply in relation to information that the controller is required to provide to the data subject under Chapter 3 .

Data protection officers

69Designation of a data protection officer

(1)

The controller must designate a data protection officer, unless the controller is a court, or other judicial authority, acting in its judicial capacity.

(2)

When designating a data protection officer, the controller must have regard to the professional qualities of the proposed officer, in particular—

(a)

the proposed officer’s expert knowledge of data protection law and practice, and

(b)

the ability of the proposed officer to perform the tasks mentioned in section 71.

(3)

The same person may be designated as a data protection officer by several controllers, taking account of their organisational structure and size.

(4)

The controller must publish the contact details of the data protection officer and communicate these to the Commissioner.

70Position of data protection officer

(1)

The controller must ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.

(2)

The controller must provide the data protection officer with the necessary resources and access to personal data and processing operations to enable the data protection officer to—

(a)

perform the tasks mentioned in section 71, and

(b)

maintain his or her expert knowledge of data protection law and practice.

(3)

The controller—

(a)

must ensure that the data protection officer does not receive any instructions regarding the performance of the tasks mentioned in section 71;

(b)

must ensure that the data protection officer does not perform a task or fulfil a duty other than those mentioned in this Part where such task or duty would result in a conflict of interests;

(c)

must not dismiss or penalise the data protection officer for performing the tasks mentioned in section 71.

(4)

A data subject may contact the data protection officer with regard to all issues relating to—

(a)

the processing of that data subject’s personal data, or

(b)

the exercise of that data subject’s rights under this Part.

(5)

The data protection officer, in the performance of this role, must report to the highest management level of the controller.

71Tasks of data protection officer

(1)

The controller must entrust the data protection officer with at least the following tasks—

(a)

informing and advising the controller, any processor engaged by the controller, and any employee of the controller who carries out processing of personal data, of that person’s obligations under this Part,

(b)

providing advice on the carrying out of a data protection impact assessment under section 64 and monitoring compliance with that section,

(c)

co-operating with the Commissioner,

(d)

acting as the contact point for the Commissioner on issues relating to processing, including in relation to the consultation mentioned in section 65, and consulting with the Commissioner, where appropriate, in relation to any other matter,

(e)

monitoring compliance with policies of the controller in relation to the protection of personal data, and

(f)

monitoring compliance by the controller with this Part.

(2)

In relation to the policies mentioned in subsection (1)(e), the data protection officer’s tasks include—

(a)

assigning responsibilities under those policies,

(b)

raising awareness of those policies,

(c)

training staff involved in processing operations, and

(d)

conducting audits required under those policies.

(3)

In performing the tasks set out in subsections (1) and (2), the data protection officer must have regard to the risks associated with processing operations, taking into account the nature, scope, context and purposes of processing.

F7Codes of conduct

71ACodes of conduct

(1)

The Commissioner must encourage expert public bodies to produce codes of conduct intended to contribute to compliance with this Part.

(2)

Under subsection (1), the Commissioner must, among other things, encourage the production of codes which take account of the specific features of the various processing sectors.

(3)

For the purposes of this section—

(a)

public body” means a body or other person whose functions are, or include, functions of a public nature, and

(b)

a public body is “expert” if, in the Commissioner’s opinion, the body has the knowledge and experience needed to produce a code of conduct described in subsection (1).

(4)

A code of conduct described in subsection (1) may, for example, make provision with regard to—

(a)

lawful and fair processing;

(b)

the collection of personal data;

(c)

the information provided to the public and to data subjects;

(d)

the exercise of the rights of data subjects;

(e)

the measures and procedures referred to in sections 56, 57 and 62;

(f)

the notification of personal data breaches to the Commissioner and the communication of personal data breaches to data subjects;

(g)

the transfer of personal data to third countries or international organisations;

(h)

out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing.

(5)

The Commissioner must encourage expert public bodies to submit codes of conduct described in subsection (1) to the Commissioner in draft.

(6)

Where an expert public body does so, the Commissioner must—

(a)

provide the body with an opinion on whether the code correctly reflects the requirements of this Part,

(b)

decide whether to approve the code, and

(c)

if the code is approved, register and publish the code.

(7)

Subsections (5) and (6) apply in relation to amendments of a code of conduct that is for the time being approved under this section as they apply in relation to a code.