Legislation – Data Protection Act 2018

New Search

Introduction

PART 1
Preliminary

1 Overview

2 Protection of personal data

3 Terms relating to the processing of personal data

PART 2
General processing

CHAPTER 1 Scope and definitions

4 Processing to which this Part applies

5 Definitions

CHAPTER 2 The GDPR

Meaning of certain terms used in the GDPR

6 Meaning of “controller”

7 Meaning of “public authority” and “public body”

Lawfulness of processing

8 Lawfulness of processing: public interest etc

9 Child’s consent in relation to information society services

Special categories of personal data

10 Special categories of personal data and criminal convictions etc data

11 Special categories of personal data etc: supplementary

Rights of the data subject

12 Limits on fees that may be charged by controllers

13 Obligations of credit reference agencies

14 Automated decision-making authorised by law: safeguards

Restrictions on data subject’s rights

15 Exemptions etc

16 Power to make further exemptions etc by regulations

Accreditation of certification providers

17 Accreditation of certification providers

Transfers of personal data to third countries etc

18 Transfers of personal data to third countries etc

Specific processing situations

19 Processing for archiving, research and statistical purposes: safeguards

Minor definition

20 Meaning of “court”

CHAPTER 3 Other general processing

Scope

21 Processing to which this Chapter applies

Application of the GDPR

22 Application of the GDPR to processing to which this Chapter applies

23 Power to make provision in consequence of regulations related to the GDPR

Exemptions etc

24 Manual unstructured data held by FOI public authorities

25 Manual unstructured data used in longstanding historical research

26 National security and defence exemption

27 National security: certificate

28 National security and defence: modifications to Articles 9 and 32 of the applied GDPR

PART 3
Law enforcement processing

CHAPTER 1 Scope and definitions

Scope

29 Processing to which this Part applies

Definitions

30 Meaning of “competent authority”

31 “The law enforcement purposes”

32 Meaning of “controller” and “processor”

33 Other definitions

CHAPTER 2 Principles

34 Overview and general duty of controller

35 The first data protection principle

36 The second data protection principle

37 The third data protection principle

38 The fourth data protection principle

39 The fifth data protection principle

40 The sixth data protection principle

41 Safeguards: archiving

42 Safeguards: sensitive processing

CHAPTER 3 Rights of the data subject

Overview and scope

43 Overview and scope

Information: controller’s general duties

44 Information: controller’s general duties

Data subject’s right of access

45 Right of access by the data subject

Data subject’s rights to rectification or erasure etc

46 Right to rectification

47 Right to erasure or restriction of processing

48 Rights under section 46 or 47: supplementary

Automated individual decision-making

49 Right not to be subject to automated decision-making

50 Automated decision-making authorised by law: safeguards

Supplementary

51 Exercise of rights through the Commissioner

52 Form of provision of information etc

53 Manifestly unfounded or excessive requests by the data subject

54 Meaning of “applicable time period”

CHAPTER 4 Controller and processor

Overview and scope

55 Overview and scope

General obligations

56 General obligations of the controller

57 Data protection by design and default

58 Joint controllers

59 Processors

60 Processing under the authority of the controller or processor

61 Records of processing activities

62 Logging

63 Co-operation with the Commissioner

64 Data protection impact assessment

65 Prior consultation with the Commissioner

Obligations relating to security

66 Security of processing

Obligations relating to personal data breaches

67 Notification of a personal data breach to the Commissioner

68 Communication of a personal data breach to the data subject

Data protection officers

69 Designation of a data protection officer

70 Position of data protection officer

71 Tasks of data protection officer

CHAPTER 5 Transfers of personal data to third countries etc

Overview and interpretation

72 Overview and interpretation

General principles for transfers

73 General principles for transfers of personal data

74 Transfers on the basis of an adequacy decision

75 Transfers on the basis of appropriate safeguards

76 Transfers on the basis of special circumstances

Transfers to particular recipients

77 Transfers of personal data to persons other than relevant authorities

Subsequent transfers

78 Subsequent transfers

CHAPTER 6 Supplementary

79 National security: certificate

80 Special processing restrictions

81 Reporting of infringements

PART 4
Intelligence services processing

CHAPTER 1 Scope and definitions

Scope

82 Processing to which this Part applies

Definitions

83 Meaning of “controller” and “processor”

84 Other definitions

CHAPTER 2 Principles

Overview

85 Overview

The data protection principles

86 The first data protection principle

87 The second data protection principle

88 The third data protection principle

89 The fourth data protection principle

90 The fifth data protection principle

91 The sixth data protection principle

CHAPTER 3 Rights of the data subject

Overview

92 Overview

Rights

93 Right to information

94 Right of access

95 Right of access: supplementary

96 Right not to be subject to automated decision-making

97 Right to intervene in automated decision-making

98 Right to information about decision-making

99 Right to object to processing

100 Rights to rectification and erasure

CHAPTER 4 Controller and processor

Overview

101 Overview

General obligations

102 General obligations of the controller

103 Data protection by design

104 Joint controllers

105 Processors

106 Processing under the authority of the controller or processor

Obligations relating to security

107 Security of processing

Obligations relating to personal data breaches

108 Communication of a personal data breach

CHAPTER 5 Transfers of personal data outside the United Kingdom

109 Transfers of personal data outside the United Kingdom

CHAPTER 6 Exemptions

110 National security

111 National security: certificate

112 Other exemptions

113 Power to make further exemptions

PART 5
The Information Commissioner

114 The Information Commissioner

115 General functions under the GDPR and safeguards

116 Other general functions

117 Competence in relation to courts etc

118 Co-operation and mutual assistance

119 Inspection of personal data in accordance with international obligations

120 Further international role

121 Data-sharing code

122 Direct marketing code

123 Age-appropriate design code

124 Data protection and journalism code

125 Approval of codes prepared under sections 121 to 124

126 Publication and review of codes issued under section 125(4)

127 Effect of codes issued under section 125(4)

128 Other codes of practice

129 Consensual audits

130 Records of national security certificates

131 Disclosure of information to the Commissioner

132 Confidentiality of information

133 Guidance about privileged communications

134 Fees for services

135 Manifestly unfounded or excessive requests by data subjects etc

136 Guidance about fees

137 Charges payable to the Commissioner by controllers

138 Regulations under section 137: supplementary

139 Reporting to Parliament

140 Publication by the Commissioner

141 Notices from the Commissioner

PART 6
Enforcement

142 Information notices

143 Information notices: restrictions

144 False statements made in response to information notices

145 Information orders

146 Assessment notices

147 Assessment notices: restrictions

148 Destroying or falsifying information and documents etc

149 Enforcement notices

150 Enforcement notices: supplementary

151 Enforcement notices: rectification and erasure of personal data etc

152 Enforcement notices: restrictions

153 Enforcement notices: cancellation and variation

154 Powers of entry and inspection

155 Penalty notices

156 Penalty notices: restrictions

157 Maximum amount of penalty

158 Fixed penalties for non-compliance with charges regulations

159 Amount of penalties: supplementary

160 Guidance about regulatory action

161 Approval of first guidance about regulatory action

162 Rights of appeal

163 Determination of appeals

164 Applications in respect of urgent notices

165 Complaints by data subjects

166 Orders to progress complaints

167 Compliance orders

168 Compensation for contravention of the GDPR

169 Compensation for contravention of other data protection legislation

170 Unlawful obtaining etc of personal data

171 Re-identification of de-identified personal data

172 Re-identification: effectiveness testing conditions

173 Alteration etc of personal data to prevent disclosure to data subject

174 The special purposes

175 Provision of assistance in special purposes proceedings

176 Staying special purposes proceedings

177 Guidance about how to seek redress against media organisations

178 Review of processing of personal data for the purposes of journalism

179 Effectiveness of the media’s dispute resolution procedures

180 Jurisdiction

181 Interpretation of Part 6

PART 7
Supplementary and final provision

182 Regulations and consultation

183 Power to reflect changes to the Data Protection Convention

184 Prohibition of requirement to produce relevant records

185 Avoidance of certain contractual terms relating to health records

186 Data subject’s rights and other prohibitions and restrictions

187 Representation of data subjects with their authority

188 Representation of data subjects with their authority: collective proceedings

189 Duty to review provision for representation of data subjects

190 Post-review powers to make provision about representation of data subjects

191 Framework for Data Processing by Government

192 Approval of the Framework

193 Publication and review of the Framework

194 Effect of the Framework

195 Reserve forces: data-sharing by HMRC

196 Penalties for offences

197 Prosecution

198 Liability of directors etc

199 Recordable offences

200 Guidance about PACE codes of practice

201 Disclosure of information to the Tribunal

202 Proceedings in the First-tier Tribunal: contempt

203 Tribunal Procedure Rules

204 Meaning of “health professional” and “social work professional”

205 General interpretation

206 Index of defined expressions

207 Territorial application of this Act

208 Children in Scotland

209 Application to the Crown

210 Application to Parliament

211 Minor and consequential provision

212 Commencement

213 Transitional provision

214 Extent

215 Short title

SCHEDULES

SCHEDULE 1 Special categories of personal data and criminal convictions etc data

SCHEDULE 2 Exemptions etc from the GDPR

SCHEDULE 3 Exemptions etc from the GDPR: health, social work, education and child abuse data

SCHEDULE 4 Exemptions etc from the GDPR: disclosure prohibited or restricted by an enactment

SCHEDULE 5 Accreditation of certification providers: reviews and appeals

SCHEDULE 6 The applied GDPR and the applied Chapter 2

SCHEDULE 7 Competent authorities

SCHEDULE 8 Conditions for sensitive processing under Part 3

SCHEDULE 9 Conditions for processing under Part 4

SCHEDULE 10 Conditions for sensitive processing under Part 4

SCHEDULE 11 Other exemptions under Part 4

SCHEDULE 12 The Information Commissioner

SCHEDULE 13 Other general functions of the Commissioner

SCHEDULE 14 Co-operation and mutual assistance

SCHEDULE 15 Powers of entry and inspection

SCHEDULE 16 Penalties

SCHEDULE 17 Review of processing of personal data for the purposes of journalism

SCHEDULE 18 Relevant records

SCHEDULE 19 Minor and consequential amendments

SCHEDULE 20 Transitional provision etc

PART 3Law enforcement processing

CHAPTER 2Principles

34Overview and general duty of controller

(1)

This Chapter sets out the six data protection principles as follows—

(a)

section 35(1) sets out the first data protection principle (requirement that processing be lawful and fair);

(b)

section 36(1) sets out the second data protection principle (requirement that purposes of processing be specified, explicit and legitimate);

(c)

section 37 sets out the third data protection principle (requirement that personal data be adequate, relevant and not excessive);

(d)

section 38(1) sets out the fourth data protection principle (requirement that personal data be accurate and kept up to date);

(e)

section 39(1) sets out the fifth data protection principle (requirement that personal data be kept for no longer than is necessary);

(f)

section 40 sets out the sixth data protection principle (requirement that personal data be processed in a secure manner).

(2)

In addition—

(a)

each of sections 35, 36, 38 and 39 makes provision to supplement the principle to which it relates, and

(b)

sections 41 and 42 make provision about the safeguards that apply in relation to certain types of processing.

(3)

The controller in relation to personal data is responsible for, and must be able to demonstrate, compliance with this Chapter.

35The first data protection principle

(1)

The first data protection principle is that the processing of personal data for any of the law enforcement purposes must be lawful and fair.

(2)

The processing of personal data for any of the law enforcement purposes is lawful only if and to the extent that it is based on law and either—

(a)

the data subject has given consent to the processing for that purpose, or

(b)

the processing is necessary for the performance of a task carried out for that purpose by a competent authority.

(3)

In addition, where the processing for any of the law enforcement purposes is sensitive processing, the processing is permitted only in the two cases set out in subsections (4) and (5).

(4)

The first case is where—

(a)

the data subject has given consent to the processing for the law enforcement purpose as mentioned in subsection (2)(a), and

(b)

at the time when the processing is carried out, the controller has an appropriate policy document in place (see section 42).

(5)

The second case is where—

(a)

the processing is strictly necessary for the law enforcement purpose,

(b)

the processing meets at least one of the conditions in Schedule 8, and

(c)

at the time when the processing is carried out, the controller has an appropriate policy document in place (see section 42).

(6)

The Secretary of State may by regulations amend Schedule 8—

(a)

by adding conditions;

(b)

by omitting conditions added by regulations under paragraph (a).

(7)

Regulations under subsection (6) are subject to the affirmative resolution procedure.

(8)

In this section, “sensitive processing” means—

(a)

the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;

(b)

the processing of genetic data, or of biometric data, for the purpose of uniquely identifying an individual;

(c)

the processing of data concerning health;

(d)

the processing of data concerning an individual’s sex life or sexual orientation.

36The second data protection principle

(1)

The second data protection principle is that—

(a)

the law enforcement purpose for which personal data is collected on any occasion must be specified, explicit and legitimate, and

(b)

personal data so collected must not be processed in a manner that is incompatible with the purpose for which it was collected.

(2)

Paragraph (b) of the second data protection principle is subject to subsections (3) and (4).

(3)

Personal data collected for a law enforcement purpose may be processed for any other law enforcement purpose (whether by the controller that collected the data or by another controller) provided that—

(a)

the controller is authorised by law to process the data for the other purpose, and

(b)

the processing is necessary and proportionate to that other purpose.

(4)

Personal data collected for any of the law enforcement purposes may not be processed for a purpose that is not a law enforcement purpose unless the processing is authorised by law.

37The third data protection principle

The third data protection principle is that personal data processed for any of the law enforcement purposes must be adequate, relevant and not excessive in relation to the purpose for which it is processed.

38The fourth data protection principle

(1)

The fourth data protection principle is that—

(a)

personal data processed for any of the law enforcement purposes must be accurate and, where necessary, kept up to date, and

(b)

every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the law enforcement purpose for which it is processed, is erased or rectified without delay.

(2)

In processing personal data for any of the law enforcement purposes, personal data based on facts must, so far as possible, be distinguished from personal data based on personal assessments.

(3)

In processing personal data for any of the law enforcement purposes, a clear distinction must, where relevant and as far as possible, be made between personal data relating to different categories of data subject, such as—

(a)

persons suspected of having committed or being about to commit a criminal offence;

(b)

persons convicted of a criminal offence;

(c)

persons who are or may be victims of a criminal offence;

(d)

witnesses or other persons with information about offences.

(4)

All reasonable steps must be taken to ensure that personal data which is inaccurate, incomplete or no longer up to date is not transmitted or made available for any of the law enforcement purposes.

(5)

For that purpose—

(a)

the quality of personal data must be verified before it is transmitted or made available,

(b)

in all transmissions of personal data, the necessary information enabling the recipient to assess the degree of accuracy, completeness and reliability of the data and the extent to which it is up to date must be included, and

(c)

if, after personal data has been transmitted, it emerges that the data was incorrect or that the transmission was unlawful, the recipient must be notified without delay.

39The fifth data protection principle

(1)

The fifth data protection principle is that personal data processed for any of the law enforcement purposes must be kept for no longer than is necessary for the purpose for which it is processed.

(2)

Appropriate time limits must be established for the periodic review of the need for the continued storage of personal data for any of the law enforcement purposes.

40The sixth data protection principle

The sixth data protection principle is that personal data processed for any of the law enforcement purposes must be so processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (and, in this principle, “appropriate security” includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage).

41Safeguards: archiving

(1)

This section applies in relation to the processing of personal data for a law enforcement purpose where the processing is necessary—

(a)

for archiving purposes in the public interest,

(b)

for scientific or historical research purposes, or

(c)

for statistical purposes.

(2)

The processing is not permitted if—

(a)

it is carried out for the purposes of, or in connection with, measures or decisions with respect to a particular data subject, or

(b)

it is likely to cause substantial damage or substantial distress to a data subject.

42Safeguards: sensitive processing

(1)

This section applies for the purposes of section 35(4) and (5) (which require a controller to have an appropriate policy document in place when carrying out sensitive processing in reliance on the consent of the data subject or, as the case may be, in reliance on a condition specified in Schedule 8).

(2)

The controller has an appropriate policy document in place in relation to the sensitive processing if the controller has produced a document which—

(a)

explains the controller’s procedures for securing compliance with the data protection principles (see section 34(1)) in connection with sensitive processing in reliance on the consent of the data subject or (as the case may be) in reliance on the condition in question, and

(b)

explains the controller’s policies as regards the retention and erasure of personal data processed in reliance on the consent of the data subject or (as the case may be) in reliance on the condition in question, giving an indication of how long such personal data is likely to be retained.

(3)

Where personal data is processed on the basis that an appropriate policy document is in place, the controller must during the relevant period—

(a)

retain the appropriate policy document,

(b)

review and (if appropriate) update it from time to time, and

(c)

make it available to the Commissioner, on request, without charge.

(4)

The record maintained by the controller under section 61(1) and, where the sensitive processing is carried out by a processor on behalf of the controller, the record maintained by the processor under section 61(3) must include the following information—

(a)

whether the sensitive processing is carried out in reliance on the consent of the data subject or, if not, which condition in Schedule 8 is relied on,

(b)

how the processing satisfies section 35 (lawfulness of processing), and

(c)

whether the personal data is retained and erased in accordance with the policies described in subsection (2)(b) and, if it is not, the reasons for not following those policies.

(5)

In this section, “relevant period”, in relation to sensitive processing in reliance on the consent of the data subject or in reliance on a condition specified in Schedule 8, means a period which—

(a)

begins when the controller starts to carry out the sensitive processing in reliance on the data subject’s consent or (as the case may be) in reliance on that condition, and

(b)

ends at the end of the period of 6 months beginning when the controller ceases to carry out the processing.