Legislation – Data Protection Act 2018


Introduction

PART 1
Preliminary

1 Overview

2 Protection of personal data

3 Terms relating to the processing of personal data

PART 2
General processing

CHAPTER 1 Scope and definitions

4 Processing to which this Part applies

5 Article 57(3) of the UK GDPR (performance of Commissioner’s tasks…

CHAPTER 2 The UK GDPR

Meaning of certain terms used in the UK GDPR

6 Meaning of “controller”

7 Meaning of “public authority” and “public body”

Lawfulness of processing

8 Lawfulness of processing: public interest etc

9 Child’s consent in relation to information society services

Relevant international law

9A Processing in reliance on relevant international law

Special categories of personal data

10 Special categories of personal data and criminal convictions etc data

11 Special categories of personal data etc: supplementary

Rights of the data subject

12 Limits on fees that may be charged by controllers

13 Obligations of credit reference agencies

14 Automated decision-making authorised by law: safeguards

Exemptions etc

15 Exemptions etc

16 Power to make further exemptions etc by regulations

Certification

17 Accreditation of certification providers

17A Transfers based on adequacy regulations

17B Transfers based on adequacy regulations: review etc

17C Standard data protection clauses

18 Transfers of personal data to third countries etc : public interest

19 Processing for archiving, research and statistical purposes: safeguards

Minor definition

20 Meaning of “court”

CHAPTER 3 Exemptions for manual unstructured processing and for national security and defence purposes

Definitions

21 Definitions

22 Application of the GDPR to processing to which this Chapter applies

23 Power to make provision in consequence of regulations related to the GDPR

Exemptions etc

24 Manual unstructured data held by FOI public authorities

25 Manual unstructured data used in longstanding historical research

26 National security and defence exemption

27 National security: certificate

28 National security and defence: modifications to Articles 9 and 32 of the UK GDPR

PART 3
Law enforcement processing

CHAPTER 1 Scope and definitions

Scope

29 Processing to which this Part applies

Definitions

30 Meaning of “competent authority”

31 “The law enforcement purposes”

32 Meaning of “controller” and “processor”

33 Other definitions

CHAPTER 2 Principles

34 Overview and general duty of controller

35 The first data protection principle

36 The second data protection principle

37 The third data protection principle

38 The fourth data protection principle

39 The fifth data protection principle

40 The sixth data protection principle

41 Safeguards: archiving

42 Safeguards: sensitive processing

42A Further provision about sensitive processing

CHAPTER 3 Rights of the data subject

Overview and scope

43 Overview and scope

Data subject’s rights to information

44 … Controller’s general duties

45 Right of access by the data subject

45A Exemption from sections 44 and 45: legal professional privilege

Data subject’s rights to rectification or erasure etc

46 Right to rectification

47 Right to erasure or restriction of processing

48 Rights under section 46 or 47: supplementary

Automated individual decision-making

49 Right not to be subject to automated decision-making

50 Automated decision-making authorised by law: safeguards

50A Automated processing and significant decisions

50B Restrictions on automated decision-making based on sensitive processing

50C Safeguards for automated decision-making

50D Further provision about automated decision-making

Supplementary

51 Exercise of rights through the Commissioner

52 Form of provision of information etc

53 Manifestly unfounded or excessive requests by the data subject

54 Meaning of “applicable time period”

CHAPTER 4 Controller and processor

Overview and scope

55 Overview and scope

General obligations

56 General obligations of the controller

57 Data protection by design and default

58 Joint controllers

59 Processors

60 Processing under the authority of the controller or processor

61 Records of processing activities

62 Logging

63 Co-operation with the Commissioner

64 Data protection impact assessment

65 Prior consultation with the Commissioner

Obligations relating to security

66 Security of processing

Obligations relating to personal data breaches

67 Notification of a personal data breach to the Commissioner

68 Communication of a personal data breach to the data subject

Data protection officers

69 Designation of a data protection officer

70 Position of data protection officer

71 Tasks of data protection officer

Codes of conduct

71A Codes of conduct

CHAPTER 5 Transfers of personal data to third countries etc

Overview and interpretation

72 Overview and interpretation

General principles for transfers

73 General principles for transfers of personal data

74 Transfers on the basis of an adequacy decision

74A Transfers based on adequacy regulations

74AA Transfers approved by regulations

74AB The data protection test

74B Transfers approved by regulations: monitoring

75 Transfers subject to appropriate safeguards

76 Transfers based on special circumstances

Additional conditions

77 Additional conditions for transfers in reliance on section 73(4)(b)

Subsequent transfers

78 Subsequent transfers

CHAPTER 6 Supplementary

78A National security exemption

79 National security: certificate

80 Special processing restrictions

81 Reporting of infringements

PART 4
Intelligence services processing

CHAPTER 1 Scope and definitions

Scope

82 Processing to which this Part applies

82A Designation of processing by a qualifying competent authority

82B Duration of designation notice

82C Review and withdrawal of designation notice

82D Records of designation notices

82E Appeal against designation notice

Definitions

83 Meaning of “controller” and “processor”

84 Other definitions

CHAPTER 2 Principles

Overview

85 Overview

The data protection principles

86 The first data protection principle

87 The second data protection principle

88 The third data protection principle

89 The fourth data protection principle

90 The fifth data protection principle

91 The sixth data protection principle

91A Further provision about sensitive processing

CHAPTER 3 Rights of the data subject

Overview

92 Overview

Rights

93 Right to information

94 Right of access

95 Right of access: supplementary

96 Right not to be subject to automated decision-making

97 Right to intervene in automated decision-making

98 Right to information about decision-making

99 Right to object to processing

100 Rights to rectification and erasure

CHAPTER 4 Controller and processor

Overview

101 Overview

General obligations

102 General obligations of the controller

103 Data protection by design

104 Joint controllers

105 Processors

106 Processing under the authority of the controller or processor

Obligations relating to security

107 Security of processing

Obligations relating to personal data breaches

108 Communication of a personal data breach

CHAPTER 5 Transfers of personal data outside the United Kingdom

109 Transfers of personal data outside the United Kingdom

CHAPTER 6 Exemptions

110 National security

111 National security: certificate

112 Other exemptions

113 Power to make further exemptions

PART 5
The Information Commissioner

114 The Information Commissioner

114A The Information Commission

115 General functions under the UK GDPR and safeguards

116 Other general functions

117 Competence in relation to courts etc

118 Co-operation between parties to the Data Protection Convention

119 Inspection of personal data in accordance with international obligations

119A Standard clauses for transfers to third countries etc

120 Further international role

120A Principal objective

120B Duties in relation to functions under the data protection legislation

120C Strategy

120D Duty to consult other regulators

121 Data-sharing code

122 Direct marketing code

123 Age-appropriate design code

124 Data protection and journalism code

124A Other codes of practice

124B Panels to consider codes of practice

124C Impact assessments for codes of practice

125 Approval of codes prepared under sections 121 to 124A

126 Publication and review of codes issued under section 125(4)

127 Effect of codes issued under section 125(4)

128 Other codes of practice

129 Consensual audits

130 Records of national security certificates

131 Disclosure of information to the Commissioner

132 Confidentiality of information

133 Guidance about privileged communications

134 Fees for services

135 Manifestly unfounded or excessive requests by data subjects etc

136 Guidance about fees

137 Charges payable to the Commissioner by controllers

138 Regulations under section 137: supplementary

139 Reporting to Parliament

139A Analysis of performance

140 Publication by the Commissioner

141 Notices from the Commissioner

PART 6
Enforcement

142 Information notices

143 Information notices: restrictions

144 False statements made in response to information notices

145 Information orders

146 Assessment notices

146A Assessment notices: approval of person to prepare report etc

147 Assessment notices: restrictions

148 Destroying or falsifying information and documents etc

148A Interview notices

148B Interview notices: restrictions

148C False statements made in response to interview notices

149 Enforcement notices

150 Enforcement notices: supplementary

151 Enforcement notices: rectification and erasure of personal data etc

152 Enforcement notices: restrictions

153 Enforcement notices: cancellation and variation

154 Powers of entry and inspection

155 Penalty notices

156 Penalty notices: restrictions

157 Maximum amount of penalty

158 Fixed penalties for non-compliance with charges regulations

159 Amount of penalties: supplementary

160 Guidance about regulatory action

161 Approval of first guidance about regulatory action

161A Annual report on regulatory action

162 Rights of appeal

163 Determination of appeals

164 Applications in respect of urgent notices

164A Complaints by data subjects to controllers

164B Controllers to notify the Commissioner of the number of complaints

165 Complaints by data subjects

166 Orders to progress complaints

167 Compliance orders

168 Compensation for contravention of the UK GDPR

169 Compensation for contravention of other data protection legislation

170 Unlawful obtaining etc of personal data

171 Re-identification of de-identified personal data

172 Re-identification: effectiveness testing conditions

173 Alteration etc of personal data to prevent disclosure to data subject

174 The special purposes

175 Provision of assistance in special purposes proceedings

176 Staying special purposes proceedings

177 Guidance about how to seek redress against media organisations

178 Review of processing of personal data for the purposes of journalism

179 Effectiveness of the media’s dispute resolution procedures

180 Jurisdiction

180A Procedure in connection with subject access requests

181 Interpretation of Part 6

PART 7
Supplementary and final provision

182 Regulations and consultation

183 Power to reflect changes to the Data Protection Convention

183A Protection of prohibitions and restrictions etc on processing: relevant enactments

183B Protection of prohibitions and restrictions etc on processing: other enactments

184 Prohibition of requirement to produce relevant records

185 Avoidance of certain contractual terms relating to health records

186 Protection of data subject’s rights

186A Protection of data subject’s rights: further provision

187 Representation of data subjects with their authority

188 Representation of data subjects with their authority: collective proceedings

189 Duty to review provision for representation of data subjects

190 Post-review powers to make provision about representation of data subjects

191 Framework for Data Processing by Government

192 Approval of the Framework

193 Publication and review of the Framework

194 Effect of the Framework

195 Reserve forces: data-sharing by HMRC

196 Penalties for offences

197 Prosecution

198 Liability of directors etc

199 Recordable offences

200 Guidance about PACE codes of practice

201 Disclosure of information to the Tribunal

202 Proceedings in the First-tier Tribunal: contempt

203 Tribunal Procedure Rules

204 Meaning of “health professional” and “social work professional”

205 General interpretation

206 Index of defined expressions

207 Territorial application of this Act

208 Children in Scotland

209 Application to the Crown

210 Application to Parliament

211 Minor and consequential provision

212 Commencement

213 Transitional provision

214 Extent

215 Short title

SCHEDULES

Schedule A1 Processing in reliance on relevant international law

SCHEDULE 1 Special categories of personal data and criminal convictions etc data

SCHEDULE 2 Exemptions etc from the UK GDPR

SCHEDULE 3 Exemptions etc from the UK GDPR: health, social work, education and child abuse data

SCHEDULE 4 Exemptions etc from the UK GDPR: disclosure prohibited or restricted by an enactment

SCHEDULE 5 Accreditation of certification providers: reviews and appeals

SCHEDULE 6 The applied GDPR and the applied Chapter 2

SCHEDULE 7 Competent authorities

SCHEDULE 8 Conditions for sensitive processing under Part 3

SCHEDULE 9 Conditions for processing under Part 4

SCHEDULE 10 Conditions for sensitive processing under Part 4

SCHEDULE 11 Other exemptions under Part 4

SCHEDULE 12 The Information Commissioner

Schedule 12A The Information Commission

SCHEDULE 13 Other general functions of the Commissioner

SCHEDULE 14 Co-operation and mutual assistance

SCHEDULE 15 Powers of entry and inspection

SCHEDULE 16 Penalties

SCHEDULE 17 Review of processing of personal data for the purposes of journalism

SCHEDULE 18 Relevant records

SCHEDULE 19 Minor and consequential amendments

SCHEDULE 20 Transitional provision etc

SCHEDULE 21 Further transitional provision etc

Changes to legislation:

Data Protection Act 2018, SCHEDULE 2 is up to date with all changes known to be in force on or before 04 April 2026. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations.


SCHEDULES

SCHEDULE 2 Exemptions etc from the UK GDPR

Section 15

PART 1 Adaptations and restrictions as described in Articles 6(3) and 23(1)

UK GDPR provisions to be adapted or restricted: “the listed GDPR provisions”

1

In this Part of this Schedule, “the listed GDPR provisions” means—

(a)

the following provisions of the UK GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the UK GDPR)—

(i)

Article 13(1) to (3) (personal data collected from data subject: information to be provided);

(ii)

Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);

(iii)

Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(iv)

Article 16 (right to rectification);

(v)

Article 17(1) and (2) (right to erasure);

(vi)

Article 18(1) (restriction of processing);

(vii)

Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);

(viii)

Article 20(1) and (2) (right to data portability);

(ix)

Article 21(1) (objections to processing);

(x)

Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (i) to (ix); and

(b)

the following provisions of the UK GDPR (the application of which may be adapted by virtue of Article 6(3) of the UK GDPR)—

(i)

Article 5(1)(a) (lawful, fair and transparent processing), other than the lawfulness requirements set out in Article 6;

(ii)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Crime and taxation: general

2

(1)

The listed GDPR provisions and Article 34(1) and (4) of the UK GDPR (communication of personal data breach to the data subject) do not apply to personal data processed for any of the following purposes—

(a)

the prevention, investigation or detection of crime,

(b)

the apprehension or prosecution of offenders, or

(c)

the assessment or collection of a tax or duty or an imposition of a similar nature,

to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) to (c).

(2)

Sub-paragraph (3) applies where—

(a)

personal data is processed by a person (“Controller 1”) for any of the purposes mentioned in sub-paragraph (1)(a) to (c), and

(b)

another person (“Controller 2”) obtains the data from Controller 1 for the purpose of discharging statutory functions and processes it for the purpose of discharging statutory functions.

(3)

Controller 2 is exempt from the obligations in the following provisions of the UK GDPR—

(a)

Article 13(1) to (3) (personal data collected from data subject: information to be provided),

(b)

Article 14(1) to (4) (personal data collected other than from data subject: information to be provided),

(c)

Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers), and

(d)

Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in paragraphs (a) to (c),

to the same extent that Controller 1 is exempt from those obligations by virtue of sub-paragraph (1).

Crime and taxation: risk assessment systems

3

(1)

The UK GDPR provisions listed in sub-paragraph (3) do not apply to personal data which consists of a classification applied to the data subject as part of a risk assessment system falling within sub-paragraph (2) to the extent that the application of those provisions would prevent the system from operating effectively.

(2)

A risk assessment system falls within this sub-paragraph if—

(a)

it is operated by a government department, a local authority or another authority administering housing benefit, and

(b)

it is operated for the purposes of—

(i)

the assessment or collection of a tax or duty or an imposition of a similar nature, or

(ii)

the prevention, investigation or detection of crime or apprehension or prosecution of offenders, where the offence concerned involves the unlawful use of public money or an unlawful claim for payment out of public money.

(3)

The UK GDPR provisions referred to in sub-paragraph (1) are the following provisions of the UK GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the UK GDPR)—

(a)

Article 13(1) to (3) (personal data collected from data subject: information to be provided);

(b)

Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);

(c)

Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(d)

Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in paragraphs (a) to (c).

Immigration

4

(1)

The relevant UK GDPR provisions do not apply to personal data processed by the Secretary of State for any of the following purposes—

(a)

the maintenance of effective immigration control, or

(b)

the investigation or detection of activities that would undermine the maintenance of effective immigration control,

to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) and (b).

(1A)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(1B)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(1C)

Paragraphs 4A and 4B make provision about … safeguards in connection with the exemption in sub-paragraph (1).

(2)

In sub-paragraph (1) and paragraph 4A, the “relevant UK GDPR provisions” are the following provisions of the UK GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the UK GDPR)—

(a)

Article 13(1) to (3) (personal data collected from data subject: information to be provided);

(b)

Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);

(c)

Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(d)

Article 17(1) and (2) (right to erasure);

(e)

Article 18(1) (restriction of processing);

(f)

Article 21(1) (objections to processing);

(g)

Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (f).

(That is, the listed GDPR provisions other than Article 16 (right to rectification), Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing) and Article 20(1) and (2) (right to data portability) and, subject to sub-paragraph (2)(g) of this paragraph, the provisions of Article 5 listed in paragraph 1(b).)

(3)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(4)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Immigration: safeguards: immigration exemption decisions

4A.

(1)

A decision under paragraph 4(1) as to whether, and the extent to which, the application of the relevant UK GDPR provisions would be likely to prejudice any of the matters mentioned in paragraph 4(1)(a) and (b) (referred to in this paragraph as “an immigration exemption decision”) must be made in accordance with this paragraph.

(2)

An immigration exemption decision must be made—

(a)

on a case by case basis,

(b)

separately in respect of each of the relevant UK GDPR provisions mentioned in paragraph 4(2)(a) to (f) which relates to the data subject, and

(c)

afresh on each occasion on which the Secretary of State considers disapplying or restricting the application of any of the relevant UK GDPR provisions mentioned in paragraph 4(2)(a) to (f) in relation to the data subject.

(3)

When making an immigration exemption decision, the Secretary of State must take into account all the circumstances of the case, including at least the following—

(a)

any potential vulnerability of the data subject that is relevant to the decision,

(b)

all the rights and freedoms of the data subject including the data subject’s Convention rights, and

(c)

any relevant duties or obligations of the United Kingdom, the Secretary of State or any other person, including—

(i)

the United Kingdom’s obligations under the Refugee Convention and the Trafficking Convention,

(ii)

any duty under section 55 of the Borders, Citizenship and Immigration Act 2009 (duty regarding the welfare of children), and

(iii)

the need to ensure compliance with the UK GDPR.

(4)

A decision that the application of a particular relevant UK GDPR provision mentioned in paragraph 4(2)(a) to (f) (or that provision in combination with the provision mentioned in paragraph 4(2)(g), so far as it applies) would be likely to prejudice any of the matters mentioned in paragraph 4(1)(a) and (b) may be made only if—

(a)

the application of that provision or those provisions would give rise to a substantial risk of prejudice to any of the matters mentioned in paragraph 4(1)(a) and (b),

(b)

that risk outweighs the risk of prejudice to the interests of the data subject concerned that would arise if the exemption in paragraph 4(1) were to apply in relation to that provision or those provisions, and

(c)

the application of the exemption in relation to that provision or those provisions is necessary and proportionate to the risks in the particular case.

(5)

In this paragraph—

“Convention rights” has the same meaning as in the Human Rights Act 1998 (see section 1(1) of that Act);

“the Refugee Convention” means the Convention relating to the Status of Refugees, done at Geneva on 28 July 1951, and its Protocol;

“the Trafficking Convention” means the Council of Europe Convention on Action against Trafficking in Human Beings, done at Warsaw on 16 May 2005.

Immigration: safeguard: record of decision that exemption applies

4B.

(1)

Where the Secretary of State makes a decision mentioned in paragraph 4A(4), the Secretary of State must keep a record of it and the reasons for it.

(2)

Where sub-paragraph (1) applies, the Secretary of State must also inform the data subject of the decision unless, in the particular circumstances of the case, the Secretary of State considers that doing so may be prejudicial to any of the matters mentioned in paragraph 4(1)(a) and (b).

PART 2 Restrictions as described in Article 23(1): restrictions of rules in Articles 13 to 21 and 34

UK GDPR provisions to be restricted: “the listed GDPR provisions”

6

In this Part of this Schedule, “the listed GDPR provisions” means the following provisions of the UK GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the UK GDPR)—

(a)

Article 13(1) to (3) (personal data collected from data subject: information to be provided);

(b)

Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);

(c)

Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(d)

Article 16 (right to rectification);

(e)

Article 17(1) and (2) (right to erasure);

(f)

Article 18(1) (restriction of processing);

(g)

Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);

(h)

Article 20(1) and (2) (right to data portability);

(i)

Article 21(1) (objections to processing);

(j)

Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (i).

Functions designed to protect the public etc

7

The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function that—

(a)

is designed as described in column 1 of the Table, and

(b)

meets the condition relating to the function specified in column 2 of the Table,

to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.

TABLE (column 1: Description of function design; column 2: Condition)

1. Description of function design: The function is designed to protect members of the public against—

(a) financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness or incompetence of, persons concerned in the provision of banking, insurance, investment or other financial services or in the management of bodies corporate, or

(b) financial loss due to the conduct of discharged or undischarged bankrupts.

Condition: The function is—

(a) conferred on a person by an enactment,

(b) a function of the Crown, a Minister of the Crown or a government department, or

(c) of a public nature, and is exercised in the public interest.

2. Description of function design: The function is designed to protect members of the public against—

(a) dishonesty, malpractice or other seriously improper conduct, or

(b) unfitness or incompetence.

Condition: The function is—

(a) conferred on a person by an enactment,

(b) a function of the Crown, a Minister of the Crown or a government department, or

(c) of a public nature, and is exercised in the public interest.

3. Description of function design: The function is designed—

(a) to protect charities or community interest companies against misconduct or mismanagement (whether by trustees, directors or other persons) in their administration,

(b) to protect the property of charities or community interest companies from loss or misapplication, or

(c) to recover the property of charities or community interest companies.

Condition: The function is—

(a) conferred on a person by an enactment,

(b) a function of the Crown, a Minister of the Crown or a government department, or

(c) of a public nature, and is exercised in the public interest.

4. Description of function design: The function is designed—

(a) to secure the health, safety and welfare of persons at work, or

(b) to protect persons other than those at work against risk to health or safety arising out of or in connection with the action of persons at work.

Condition: The function is—

(a) conferred on a person by an enactment,

(b) a function of the Crown, a Minister of the Crown or a government department, or

(c) of a public nature, and is exercised in the public interest.

5. Description of function design: The function is designed to protect members of the public against—

(a) maladministration by public bodies,

(b) failures in services provided by public bodies, or

(c) a failure of a public body to provide a service which it is a function of the body to provide.

Condition: The function is conferred by any enactment on—

(a) the Parliamentary Commissioner for Administration,

(b) the Commissioner for Local Administration in England,

(c) the Health Service Commissioner for England,

(d) the Public Services Ombudsman for Wales,

(e) the Northern Ireland Public Services Ombudsman,

(f) the Prison Ombudsman for Northern Ireland, or

(g) the Scottish Public Services Ombudsman.

6. Description of function design: The function is designed—

(a) to protect members of the public against conduct which may adversely affect their interests by persons carrying on a business,

(b) to regulate agreements or conduct which have as their object or effect the prevention, restriction or distortion of competition in connection with any commercial activity, or

(c) to regulate conduct on the part of one or more undertakings which amounts to the abuse of a dominant position in a market.

Condition: The function is conferred on the Competition and Markets Authority by an enactment.

Audit functions

8

(1)

The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function listed in sub-paragraph (2) to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.

(2)

The functions are any function that is conferred by an enactment on—

(a)

the Comptroller and Auditor General;

(b)

the Auditor General for Scotland;

(c)

the Auditor General for Wales;

(d)

the Comptroller and Auditor General for Northern Ireland.

Functions of the Bank of England

9

(1)

The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a relevant function of the Bank of England to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.

(2)

“Relevant function of the Bank of England” means—

(a)

a function discharged by the Bank acting in its capacity as a monetary authority (as defined in section 244(2)(c) and (2A) of the Banking Act 2009);

(b)

a public function of the Bank within the meaning of section 349 of the Financial Services and Markets Act 2000;

(c)

a function conferred on the Prudential Regulation Authority by or under the Financial Services and Markets Act 2000 or by another enactment.

Regulatory functions of certain other persons

11

The listed GDPR provisions do not apply to personal data processed for the purposes of discharging a function that—

(a)

is a function of a person described in column 1 of the Table, and

(b)

is conferred on that person as described in column 2 of the Table,

to the extent that the application of those provisions would be likely to prejudice the proper discharge of the function.

TABLE

Person on whom function is conferred

How function is conferred

1. The Commissioner.

By or under—

(a)

the data protection legislation;

(b)

the Freedom of Information Act 2000;

(c)

section 244 of the Investigatory Powers Act 2016;

(d)

the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426);

(e)

the Environmental Information Regulations 2004 (S.I. 2004/3391);

(f)

the INSPIRE Regulations 2009 (S.I. 2009/3157);

(g)

Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC;

(h)

the Re-use of Public Sector Information Regulations 2015 (S.I. 2015/1415);

(i)

the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696).

2. The Scottish Information Commissioner.

By or under—

(a)

the Freedom of Information (Scotland) Act 2002 (asp 13);

(b)

the Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520);

(c)

the INSPIRE (Scotland) Regulations 2009 (S.S.I. 2009/440).

3. The Pensions Ombudsman.

By or under Part 10 of the Pension Schemes Act 1993 or any corresponding legislation having equivalent effect in Northern Ireland.

4. The Board of the Pension Protection Fund.

By or under sections 206 to 208 of the Pensions Act 2004 or any corresponding legislation having equivalent effect in Northern Ireland.

5. The Ombudsman for the Board of the Pension Protection Fund.

By or under any of sections 209 to 218 or 286(1) of the Pensions Act 2004 or any corresponding legislation having equivalent effect in Northern Ireland.

6. The Pensions Regulator.

By an enactment.

7. The Financial Conduct Authority.

By or under the Financial Services and Markets Act 2000 or by another enactment.

8. The Financial Ombudsman.

By or under Part 16 of the Financial Services and Markets Act 2000.

9. The investigator of complaints against the financial regulators.

By or under Part 6 of the Financial Services Act 2012.

. . .

. . .

11. The monitoring officer of a relevant authority.

By or under the Local Government and Housing Act 1989.

12. The monitoring officer of a relevant Welsh authority.

By or under the Local Government Act 2000.

13. The Public Services Ombudsman for Wales.

By or under the Local Government Act 2000.

14. The Charity Commission.

By or under—

(a)

the Charities Act 1992;

(b)

the Charities Act 2006;

(c)

the Charities Act 2011.

12

In the Table in paragraph 11—

. . .

the “Financial Ombudsman” means the scheme operator within the meaning of Part 16 of the Financial Services and Markets Act 2000 (see section 225 of that Act);

the “investigator of complaints against the financial regulators” means the person appointed under section 84(1)(b) of the Financial Services Act 2012;

“relevant authority” has the same meaning as in section 5 of the Local Government and Housing Act 1989, and “monitoring officer”, in relation to such an authority, means a person designated as such under that section;

“relevant Welsh authority” has the same meaning as “relevant authority” in section 49(6) of the Local Government Act 2000, and “monitoring officer”, in relation to such an authority, has the same meaning as in Part 3 of that Act.

Parliamentary privilege

13

The listed GDPR provisions and Article 34(1) and (4) of the UK GDPR (communication of personal data breach to the data subject) do not apply to personal data where this is required for the purpose of avoiding an infringement of the privileges of either House of Parliament.

Judicial appointments, judicial independence and judicial proceedings

14

(1)

The listed GDPR provisions do not apply to personal data processed for the purposes of assessing a person’s suitability for judicial office or the office of Queen’s Counsel.

(2)

The listed GDPR provisions do not apply to personal data processed by—

(a)

an individual acting in a judicial capacity, or

(b)

a court or tribunal acting in its judicial capacity.

(3)

As regards personal data not falling within sub-paragraph (1) or (2), the listed GDPR provisions do not apply to the extent that the application of those provisions would be likely to prejudice judicial independence or judicial proceedings.

Crown honours, dignities and appointments

15

(1)

The listed GDPR provisions do not apply to personal data processed for the purposes of the conferring by the Crown of any honour or dignity.

(2)

The listed GDPR provisions do not apply to personal data processed for the purposes of assessing a person’s suitability for any of the following offices—

(a)

archbishops and diocesan and suffragan bishops in the Church of England;

(b)

deans of cathedrals of the Church of England;

(c)

deans and canons of the two Royal Peculiars;

(d)

the First and Second Church Estates Commissioners;

(e)

lord-lieutenants;

(f)

Masters of Trinity College and Churchill College, Cambridge;

(g)

the Provost of Eton;

(h)

the Poet Laureate;

(i)

the Astronomer Royal.

(3)

The Secretary of State may by regulations amend the list in sub-paragraph (2) to—

(a)

remove an office, or

(b)

add an office to which appointments are made by Her Majesty.

(4)

Regulations under sub-paragraph (3) are subject to the affirmative resolution procedure.

Annotations:
Commencement Information

I15 Sch. 2 para. 15 in force at Royal Assent for specified purposes, see s. 212(2)(f)

PART 3 Restriction for the protection of rights of others

Protection of the rights of others: general

16

(1)

Article 15(1) to (3) of the UK GDPR (confirmation of processing, access to data and safeguards for third country transfers), and Article 5 of the UK GDPR so far as its provisions correspond to the rights and obligations provided for in Article 15(1) to (3), do not oblige a controller to disclose information to the data subject to the extent that doing so would involve disclosing information relating to another individual who can be identified from the information.

(2)

Sub-paragraph (1) does not remove the controller’s obligation where—

(a)

the other individual has consented to the disclosure of the information to the data subject, or

(b)

it is reasonable to disclose the information to the data subject without the consent of the other individual.

(3)

In determining whether it is reasonable to disclose the information without consent, the controller must have regard to all the relevant circumstances, including—

(a)

the type of information that would be disclosed,

(b)

any duty of confidentiality owed to the other individual,

(c)

any steps taken by the controller with a view to seeking the consent of the other individual,

(d)

whether the other individual is capable of giving consent, and

(e)

any express refusal of consent by the other individual.

(4)

For the purposes of this paragraph—

(a)

“information relating to another individual” includes information identifying the other individual as the source of information;

(b)

an individual can be identified from information to be provided to a data subject by a controller if the individual can be identified from—

(i)

that information, or

(ii)

that information and any other information that the controller reasonably believes the data subject is likely to possess or obtain.

Assumption of reasonableness for health workers, social workers and education workers

17

(1)

For the purposes of paragraph 16(2)(b), it is to be considered reasonable for a controller to disclose information to a data subject without the consent of the other individual where—

(a)

the health data test is met,

(b)

the social work data test is met, or

(c)

the education data test is met.

(2)

The health data test is met if—

(a)

the information in question is contained in a health record, and

(b)

the other individual is a health professional who has compiled or contributed to the health record or who, in his or her capacity as a health professional, has been involved in the diagnosis, care or treatment of the data subject.

(3)

The social work data test is met if—

(a)

the other individual is—

(i)

a children’s court officer,

(ii)

a person who is or has been employed by a person or body referred to in paragraph 8 of Schedule 3 in connection with functions exercised in relation to the information, or

(iii)

a person who has provided for reward a service that is similar to a service provided in the exercise of any relevant social services functions, and

(b)

the information relates to the other individual in an official capacity or the other individual supplied the information—

(i)

in an official capacity, or

(ii)

in a case within paragraph (a)(iii), in connection with providing the service mentioned in paragraph (a)(iii).

(4)

The education data test is met if—

(a)

the other individual is an education-related worker, or

(b)

the other individual is employed by an education authority (within the meaning of the Education (Scotland) Act 1980) in pursuance of its functions relating to education and—

(i)

the information relates to the other individual in his or her capacity as such an employee, or

(ii)

the other individual supplied the information in his or her capacity as such an employee.

(5)

In this paragraph—

“children’s court officer” means a person referred to in paragraph 8(1)(q), (r), (s), (t) or (u) of Schedule 3;

“education-related worker” means a person referred to in paragraph 14(4)(a) or (b) or 16(4)(a), (b) or (c) of Schedule 3 (educational records);

“relevant social services functions” means functions specified in paragraph 8(1)(a), (b), (c) or (d) of Schedule 3.

PART 4 Restrictions as described in Article 23(1): restrictions of rules in Articles 13 to 15

UK GDPR provisions to be restricted: “the listed GDPR provisions”

18

In this Part of this Schedule, “the listed GDPR provisions” means the following provisions of the UK GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the UK GDPR)—

(a)

Article 13(1) to (3) (personal data collected from data subject: information to be provided);

(b)

Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);

(c)

Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(d)

Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (c).

Self incrimination

20

(1)

A person need not comply with the listed GDPR provisions to the extent that compliance would, by revealing evidence of the commission of an offence, expose the person to proceedings for that offence.

(2)

The reference to an offence in sub-paragraph (1) does not include an offence under—

(a)

this Act,

(b)

section 5 of the Perjury Act 1911 (false statements made otherwise than on oath),

(c)

section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995 (false statements made otherwise than on oath), or

(d)

Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714 (N.I. 19)) (false statutory declarations and other false unsworn statements).

(3)

Information disclosed by any person in compliance with Article 15 of the UK GDPR is not admissible against the person in proceedings for an offence under this Act.

Corporate finance

21

(1)

The listed GDPR provisions do not apply to personal data processed for the purposes of or in connection with a corporate finance service provided by a relevant person to the extent that either Condition A or Condition B is met.

(2)

Condition A is that the application of the listed GDPR provisions would be likely to affect the price of an instrument.

(3)

Condition B is that—

(a)

the relevant person reasonably believes that the application of the listed GDPR provisions to the personal data in question could affect a decision of a person—

(i)

whether to deal in, subscribe for or issue an instrument, or

(ii)

whether to act in a way likely to have an effect on a business activity (such as an effect on the industrial strategy of a person, the capital structure of an undertaking or the legal or beneficial ownership of a business or asset), and

(b)

the application of the listed GDPR provisions to that personal data would have a prejudicial effect on the orderly functioning of financial markets or the efficient allocation of capital within the economy.

(4)

In this paragraph—

“corporate finance service” means a service consisting in—

(a)

underwriting in respect of issues of, or the placing of issues of, any instrument,

(b)

services relating to such underwriting, or

(c)

advice to undertakings on capital structure, industrial strategy and related matters and advice and service relating to mergers and the purchase of undertakings;

“instrument” means an instrument listed in section C of Annex 1 to Directive 2004/39/EC of the European Parliament and of the Council of 21 April 2004 on markets in financial instruments, and references to an instrument include an instrument not yet in existence but which is to be or may be created;

“price” includes value;

“relevant person” means—

(a)

a person who, by reason of a permission under Part 4A of the Financial Services and Markets Act 2000, is able to carry on a corporate finance service without contravening the general prohibition;

(b)

an EEA firm of the kind mentioned in paragraph 5(a) or (b) of Schedule 3 to that Act which has qualified for authorisation under paragraph 12 of that Schedule, and may lawfully carry on a corporate finance service;

(c)

a person who is exempt from the general prohibition in respect of any corporate finance service—

(i)

as a result of an exemption order made under section 38(1) of that Act, or

(ii)

by reason of section 39(1) of that Act (appointed representatives);

(d)

a person, not falling within paragraph (a), (b) or (c), who may lawfully carry on a corporate finance service without contravening the general prohibition;

(e)

a person who, in the course of employment, provides to their employer a service falling within paragraph (b) or (c) of the definition of “corporate finance service”;

(f)

a partner who provides to other partners in the partnership a service falling within either of those paragraphs.

(5)

In the definition of “relevant person” in sub-paragraph (4), references to “the general prohibition” are to the general prohibition within the meaning of section 19 of the Financial Services and Markets Act 2000.

Management forecasts

22

The listed GDPR provisions do not apply to personal data processed for the purposes of management forecasting or management planning in relation to a business or other activity to the extent that the application of those provisions would be likely to prejudice the conduct of the business or activity concerned.

Negotiations

23

The listed GDPR provisions do not apply to personal data that consists of records of the intentions of the controller in relation to any negotiations with the data subject to the extent that the application of those provisions would be likely to prejudice those negotiations.

Confidential references

24

The listed GDPR provisions do not apply to personal data consisting of a reference given (or to be given) in confidence for the purposes of—

(a)

the education, training or employment (or prospective education, training or employment) of the data subject,

(b)

the placement (or prospective placement) of the data subject as a volunteer,

(c)

the appointment (or prospective appointment) of the data subject to any office, or

(d)

the provision (or prospective provision) by the data subject of any service.

Exam scripts and exam marks

25

(1)

The listed GDPR provisions do not apply to personal data consisting of information recorded by candidates during an exam.

(2)

Where personal data consists of marks or other information processed by a controller—

(a)

for the purposes of determining the results of an exam, or

(b)

in consequence of the determination of the results of an exam,

the duty in Article 12(3) or (4) of the UK GDPR for the controller to provide information requested by the data subject within a certain time period, as it applies to Article 15 of the UK GDPR (confirmation of processing, access to data and safeguards for third country transfers), is modified as set out in sub-paragraph (3).

(3)

Where a question arises as to whether the controller is obliged by Article 15 of the UK GDPR to disclose personal data, and the question arises before the day on which the exam results are announced, the controller must provide the information mentioned in Article 12(3) or (4)—

(a)

before the end of the period of 5 months beginning when the question arises, or

(b)

if earlier, before the end of the period of 40 days beginning with the announcement of the results.

(4)

In this paragraph, “exam” means an academic, professional or other examination used for determining the knowledge, intelligence, skill or ability of a candidate and may include an exam consisting of an assessment of the candidate’s performance while undertaking work or any other activity.

(5)

For the purposes of this paragraph, the results of an exam are treated as announced when they are first published or, if not published, first communicated to the candidate.

PART 5 Exemptions etc … for reasons of freedom of expression and information

Journalistic, academic, artistic and literary purposes

26

(1)

In this paragraph, “the special purposes” means one or more of the following—

(a)

the purposes of journalism;

(b)

academic purposes;

(c)

artistic purposes;

(d)

literary purposes.

(2)

Sub-paragraph (3) applies to the processing of personal data carried out for the special purposes if—

(a)

the processing is being carried out with a view to the publication by a person of journalistic, academic, artistic or literary material, and

(b)

the controller reasonably believes that the publication of the material would be in the public interest.

(3)

The listed GDPR provisions do not apply to the extent that the controller reasonably believes that the application of those provisions would be incompatible with the special purposes.

(4)

In determining whether publication would be in the public interest the controller must take into account the special importance of the public interest in the freedom of expression and information.

(5)

In determining whether it is reasonable to believe that publication would be in the public interest, the controller must have regard to any of the codes of practice or guidelines listed in sub-paragraph (6) that is relevant to the publication in question.

(6)

The codes of practice and guidelines are—

(a)

BBC Editorial Guidelines;

(b)

Ofcom Broadcasting Code;

(c)

Editors’ Code of Practice.

(7)

The Secretary of State may by regulations amend the list in sub-paragraph (6).

(8)

Regulations under sub-paragraph (7) are subject to the affirmative resolution procedure.

(9)

For the purposes of this paragraph, the listed GDPR provisions are the following provisions of the UK GDPR (which may be exempted or derogated from by virtue of Article 85(2) of the UK GDPR)—

(a)

in Chapter II of the UK GDPR (principles)—

(i)

Article 5(1)(a) to (e) (principles relating to processing);

(ii)

Article 6 (lawfulness);

(iii)

Article 7 (conditions for consent);

(iv)

Article 8(1) and (2) (child’s consent);

(v)

Article 9 (processing of special categories of data);

(vi)

Article 10 (data relating to criminal convictions etc);

(vii)

Article 11(2) (processing not requiring identification);

(b)

in Chapter III of the UK GDPR (rights of the data subject)—

(i)

Article 13(1) to (3) (personal data collected from data subject: information to be provided);

(ii)

Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);

(iii)

Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(iv)

Article 16 (right to rectification);

(v)

Article 17(1) and (2) (right to erasure);

(vi)

Article 18(1)(a), (b) and (d) (restriction of processing);

(vii)

Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);

(viii)

Article 20(1) and (2) (right to data portability);

(ix)

Article 21(1) (objections to processing);

(c)

in Chapter IV of the UK GDPR (controller and processor)—

(i)

Article 34(1) and (4) (communication of personal data breach to the data subject);

(ii)

Article 36 (requirement for controller to consult Commissioner prior to high risk processing);

(d)

in Chapter V of the UK GDPR (transfers of data to third countries etc), Article 44A (general principles for transfers);

(e)

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

PART 6 Derogations etc … for research, statistics and archiving

Research and statistics

27

(1)

The listed GDPR provisions do not apply to personal data processed for—

(a)

scientific or historical research purposes, or

(b)

statistical purposes,

to the extent that the application of those provisions would prevent or seriously impair the achievement of the purposes in question.

This is subject to sub-paragraphs (3) and (4).

(2)

For the purposes of this paragraph, the listed GDPR provisions are the following provisions of the UK GDPR—

(a)

Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(b)

Article 16 (right to rectification);

(c)

Article 18(1) (restriction of processing);

(d)

Article 21(1) (objections to processing).

(3)

The exemption in sub-paragraph (1) is available only where—

(a)

the personal data is processed in accordance with Article 84B of the UK GDPR, and

(b)

as regards the disapplication of Article 15(1) to (3), the results of the research or any resulting statistics are not made available in a form which identifies a data subject.

(4)

Where processing for a purpose described in sub-paragraph (1) serves at the same time another purpose, the exemption in sub-paragraph (1) is available only where the personal data is processed for a purpose referred to in that sub-paragraph.

Archiving in the public interest

28

(1)

The listed GDPR provisions do not apply to personal data processed for archiving purposes in the public interest to the extent that the application of those provisions would prevent or seriously impair the achievement of those purposes.

This is subject to sub-paragraphs (3) and (4).

(2)

For the purposes of this paragraph, the listed GDPR provisions are the following provisions of the UK GDPR—

(a)

Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(b)

Article 16 (right to rectification);

(c)

Article 18(1) (restriction of processing);

(d)

Article 19 (notification obligation regarding rectification or erasure of personal data or restriction of processing);

(e)

Article 20(1) (right to data portability);

(f)

Article 21(1) (objections to processing).

(3)

The exemption in sub-paragraph (1) is available only where the personal data is processed in accordance with Article 84B of the UK GDPR.

(4)

Where processing for a purpose described in sub-paragraph (1) serves at the same time another purpose, the exemption in sub-paragraph (1) is available only where the personal data is processed for a purpose referred to in that sub-paragraph.