Legislation – Data Protection Act 2018

New Search

Introduction

PART 1
Preliminary

1 Overview

2 Protection of personal data

3 Terms relating to the processing of personal data

PART 2
General processing

CHAPTER 1 Scope and definitions

4 Processing to which this Part applies

5 Article 57(3) of the UK GDPR (performance of Commissioner’s tasks…

CHAPTER 2 The UK GDPR

Meaning of certain terms used in the UK GDPR

6 Meaning of “controller”

7 Meaning of “public authority” and “public body”

Lawfulness of processing

8 Lawfulness of processing: public interest etc

9 Child’s consent in relation to information society services

Relevant international law

9A Processing in reliance on relevant international law

Special categories of personal data

10 Special categories of personal data and criminal convictions etc data

11 Special categories of personal data etc: supplementary

Rights of the data subject

12 Limits on fees that may be charged by controllers

13 Obligations of credit reference agencies

14 Automated decision-making authorised by law: safeguards

Exemptions etc

15 Exemptions etc

16 Power to make further exemptions etc by regulations

Certification

17 Accreditation of certification providers

17A Transfers based on adequacy regulations

17B Transfers based on adequacy regulations: review etc

17C Standard data protection clauses

18 Transfers of personal data to third countries etc : public interest

19 Processing for archiving, research and statistical purposes: safeguards

Minor definition

20 Meaning of “court”

CHAPTER 3 Exemptions for manual unstructured processing and for national security and defence purposes

Definitions

21 Definitions

22 Application of the GDPR to processing to which this Chapter applies

23 Power to make provision in consequence of regulations related to the GDPR

Exemptions etc

24 Manual unstructured data held by FOI public authorities

25 Manual unstructured data used in longstanding historical research

26 National security and defence exemption

27 National security: certificate

28 National security and defence: modifications to Articles 9 and 32 of the UK GDPR

PART 3
Law enforcement processing

CHAPTER 1 Scope and definitions

Scope

29 Processing to which this Part applies

Definitions

30 Meaning of “competent authority”

31 “The law enforcement purposes”

32 Meaning of “controller” and “processor”

33 Other definitions

CHAPTER 2 Principles

34 Overview and general duty of controller

35 The first data protection principle

36 The second data protection principle

37 The third data protection principle

38 The fourth data protection principle

39 The fifth data protection principle

40 The sixth data protection principle

41 Safeguards: archiving

42 Safeguards: sensitive processing

42A Further provision about sensitive processing

CHAPTER 3 Rights of the data subject

Overview and scope

43 Overview and scope

Data subject’s rights to information

44 … Controller’s general duties

45 Right of access by the data subject

45A Exemption from sections 44 and 45: legal professional privilege

Data subject’s rights to rectification or erasure etc

46 Right to rectification

47 Right to erasure or restriction of processing

48 Rights under section 46 or 47: supplementary

Automated individual decision-making

49 Right not to be subject to automated decision-making

50 Automated decision-making authorised by law: safeguards

50A Automated processing and significant decisions

50B Restrictions on automated decision-making based on sensitive processing

50C Safeguards for automated decision-making

50D Further provision about automated decision-making

Supplementary

51 Exercise of rights through the Commissioner

52 Form of provision of information etc

53 Manifestly unfounded or excessive requests by the data subject

54 Meaning of “applicable time period”

CHAPTER 4 Controller and processor

Overview and scope

55 Overview and scope

General obligations

56 General obligations of the controller

57 Data protection by design and default

58 Joint controllers

59 Processors

60 Processing under the authority of the controller or processor

61 Records of processing activities

62 Logging

63 Co-operation with the Commissioner

64 Data protection impact assessment

65 Prior consultation with the Commissioner

Obligations relating to security

66 Security of processing

Obligations relating to personal data breaches

67 Notification of a personal data breach to the Commissioner

68 Communication of a personal data breach to the data subject

Data protection officers

69 Designation of a data protection officer

70 Position of data protection officer

71 Tasks of data protection officer

Codes of conduct

71A Codes of conduct

CHAPTER 5 Transfers of personal data to third countries etc

Overview and interpretation

72 Overview and interpretation

General principles for transfers

73 General principles for transfers of personal data

74 Transfers on the basis of an adequacy decision

74A Transfers based on adequacy regulations

74AA Transfers approved by regulations

74AB The data protection test

74B Transfers approved by regulations: monitoring

75 Transfers subject to appropriate safeguards

76 Transfers based on special circumstances

Additional conditions

77 Additional conditions for transfers in reliance on section 73(4)(b)

Subsequent transfers

78 Subsequent transfers

CHAPTER 6 Supplementary

78A National security exemption

79 National security: certificate

80 Special processing restrictions

81 Reporting of infringements

PART 4
Intelligence services processing

CHAPTER 1 Scope and definitions

Scope

82 Processing to which this Part applies

82A Designation of processing by a qualifying competent authority

82B Duration of designation notice

82C Review and withdrawal of designation notice

82D Records of designation notices

82E Appeal against designation notice

Definitions

83 Meaning of “controller” and “processor”

84 Other definitions

CHAPTER 2 Principles

Overview

85 Overview

The data protection principles

86 The first data protection principle

87 The second data protection principle

88 The third data protection principle

89 The fourth data protection principle

90 The fifth data protection principle

91 The sixth data protection principle

91A Further provision about sensitive processing

CHAPTER 3 Rights of the data subject

Overview

92 Overview

Rights

93 Right to information

94 Right of access

95 Right of access: supplementary

96 Right not to be subject to automated decision-making

97 Right to intervene in automated decision-making

98 Right to information about decision-making

99 Right to object to processing

100 Rights to rectification and erasure

CHAPTER 4 Controller and processor

Overview

101 Overview

General obligations

102 General obligations of the controller

103 Data protection by design

104 Joint controllers

105 Processors

106 Processing under the authority of the controller or processor

Obligations relating to security

107 Security of processing

Obligations relating to personal data breaches

108 Communication of a personal data breach

CHAPTER 5 Transfers of personal data outside the United Kingdom

109 Transfers of personal data outside the United Kingdom

CHAPTER 6 Exemptions

110 National security

111 National security: certificate

112 Other exemptions

113 Power to make further exemptions

PART 5
The Information Commissioner

114 The Information Commissioner

114A The Information Commission

115 General functions under the UK GDPR and safeguards

116 Other general functions

117 Competence in relation to courts etc

118 Co-operation between parties to the Data Protection Convention

119 Inspection of personal data in accordance with international obligations

119A Standard clauses for transfers to third countries etc

120 Further international role

120A Principal objective

120B Duties in relation to functions under the data protection legislation

120C Strategy

120D Duty to consult other regulators

121 Data-sharing code

122 Direct marketing code

123 Age-appropriate design code

124 Data protection and journalism code

124A Other codes of practice

124B Panels to consider codes of practice

124C Impact assessments for codes of practice

125 Approval of codes prepared under sections 121 to 124A

126 Publication and review of codes issued under section 125(4)

127 Effect of codes issued under section 125(4)

128 Other codes of practice

129 Consensual audits

130 Records of national security certificates

131 Disclosure of information to the Commissioner

132 Confidentiality of information

133 Guidance about privileged communications

134 Fees for services

135 Manifestly unfounded or excessive requests by data subjects etc

136 Guidance about fees

137 Charges payable to the Commissioner by controllers

138 Regulations under section 137: supplementary

139 Reporting to Parliament

139A Analysis of performance

140 Publication by the Commissioner

141 Notices from the Commissioner

PART 6
Enforcement

142 Information notices

143 Information notices: restrictions

144 False statements made in response to information notices

145 Information orders

146 Assessment notices

146A Assessment notices: approval of person to prepare report etc

147 Assessment notices: restrictions

148 Destroying or falsifying information and documents etc

148A Interview notices

148B Interview notices: restrictions

148C False statements made in response to interview notices

149 Enforcement notices

150 Enforcement notices: supplementary

151 Enforcement notices: rectification and erasure of personal data etc

152 Enforcement notices: restrictions

153 Enforcement notices: cancellation and variation

154 Powers of entry and inspection

155 Penalty notices

156 Penalty notices: restrictions

157 Maximum amount of penalty

158 Fixed penalties for non-compliance with charges regulations

159 Amount of penalties: supplementary

160 Guidance about regulatory action

161 Approval of first guidance about regulatory action

161A Annual report on regulatory action

162 Rights of appeal

163 Determination of appeals

164 Applications in respect of urgent notices

164A Complaints by data subjects to controllers

164B Controllers to notify the Commissioner of the number of complaints

165 Complaints by data subjects

166 Orders to progress complaints

167 Compliance orders

168 Compensation for contravention of the UK GDPR

169 Compensation for contravention of other data protection legislation

170 Unlawful obtaining etc of personal data

171 Re-identification of de-identified personal data

172 Re-identification: effectiveness testing conditions

173 Alteration etc of personal data to prevent disclosure to data subject

174 The special purposes

175 Provision of assistance in special purposes proceedings

176 Staying special purposes proceedings

177 Guidance about how to seek redress against media organisations

178 Review of processing of personal data for the purposes of journalism

179 Effectiveness of the media’s dispute resolution procedures

180 Jurisdiction

180A Procedure in connection with subject access requests

181 Interpretation of Part 6

PART 7
Supplementary and final provision

182 Regulations and consultation

183 Power to reflect changes to the Data Protection Convention

183A Protection of prohibitions and restrictions etc on processing: relevant enactments

183B Protection of prohibitions and restrictions etc on processing: other enactments

184 Prohibition of requirement to produce relevant records

185 Avoidance of certain contractual terms relating to health records

186 Protection of data subject’s rights

186A Protection of data subject’s rights: further provision

187 Representation of data subjects with their authority

188 Representation of data subjects with their authority: collective proceedings

189 Duty to review provision for representation of data subjects

190 Post-review powers to make provision about representation of data subjects

191 Framework for Data Processing by Government

192 Approval of the Framework

193 Publication and review of the Framework

194 Effect of the Framework

195 Reserve forces: data-sharing by HMRC

196 Penalties for offences

197 Prosecution

198 Liability of directors etc

199 Recordable offences

200 Guidance about PACE codes of practice

201 Disclosure of information to the Tribunal

202 Proceedings in the First-tier Tribunal: contempt

203 Tribunal Procedure Rules

204 Meaning of “health professional” and “social work professional”

205 General interpretation

206 Index of defined expressions

207 Territorial application of this Act

208 Children in Scotland

209 Application to the Crown

210 Application to Parliament

211 Minor and consequential provision

212 Commencement

213 Transitional provision

214 Extent

215 Short title

SCHEDULES

Schedule A1 Processing in reliance on relevant international law

SCHEDULE 1 Special categories of personal data and criminal convictions etc data

SCHEDULE 2 Exemptions etc from the UK GDPR

SCHEDULE 3 Exemptions etc from the UK GDPR: health, social work, education and child abuse data

SCHEDULE 4 Exemptions etc from the UK GDPR: disclosure prohibited or restricted by an enactment

SCHEDULE 5 Accreditation of certification providers: reviews and appeals

SCHEDULE 6 The applied GDPR and the applied Chapter 2

SCHEDULE 7 Competent authorities

SCHEDULE 8 Conditions for sensitive processing under Part 3

SCHEDULE 9 Conditions for processing under Part 4

SCHEDULE 10 Conditions for sensitive processing under Part 4

SCHEDULE 11 Other exemptions under Part 4

SCHEDULE 12 The Information Commissioner

Schedule 12A The Information Commission

SCHEDULE 13 Other general functions of the Commissioner

SCHEDULE 14 Co-operation and mutual assistance

SCHEDULE 15 Powers of entry and inspection

SCHEDULE 16 Penalties

SCHEDULE 17 Review of processing of personal data for the purposes of journalism

SCHEDULE 18 Relevant records

SCHEDULE 19 Minor and consequential amendments

SCHEDULE 20 Transitional provision etc

SCHEDULE 21 Further transitional provision etc

Changes to legislation:

Data Protection Act 2018, SCHEDULE 3 is up to date with all changes known to be in force on or before 01 April 2026. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations. Help about Changes to Legislation

Close

Changes to Legislation

Changes and effects yet to be applied by the editorial team are only applicable when viewing the latest version or prospective version of legislation. They are therefore not accessible when viewing legislation as at a specific point in time. To view the ‘Changes to Legislation’ information for this provision return to the latest version view using the options provided in the ‘What Version’ box above.

SCHEDULES

SCHEDULE 3Exemptions etc from the F1UK GDPR: health, social work, education and child abuse data

Section 15

PART 1F2UK GDPR provisions to be restricted

1

In this Schedule “the listed GDPR provisions” means the following provisions of the F3UK GDPR (the rights and obligations in which may be restricted by virtue of Article 23(1) of the F3UK GDPR)—

(a)

Article 13(1) to (3) (personal data collected from data subject: information to be provided);

(b)

Article 14(1) to (4) (personal data collected other than from data subject: information to be provided);

(c)

Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers);

(d)

Article 16 (right to rectification);

(e)

Article 17(1) and (2) (right to erasure);

(f)

Article 18(1) (restriction of processing);

(g)

Article 20(1) and (2) (right to data portability);

(h)

Article 21(1) (objections to processing);

(i)

Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in sub-paragraphs (a) to (h).

PART 2Health data

Definitions

2

(1)

In this Part of this Schedule—

the appropriate health professional”, in relation to a question as to whether the serious harm test is met with respect to data concerning health, means—

(a)

the health professional who is currently or was most recently responsible for the diagnosis, care or treatment of the data subject in connection with the matters to which the data relates,

(b)

where there is more than one such health professional, the health professional who is the most suitable to provide an opinion on the question, or

(c)

a health professional who has the necessary experience and qualifications to provide an opinion on the question, where—

  1. (i)

    there is no health professional available falling within paragraph (a) or (b), or

  2. (ii)

    the controller is the Secretary of State and data is processed in connection with the exercise of the functions conferred on the Secretary of State by or under the Child Support Act 1991 and the Child Support Act 1995, or the Secretary of State’s functions in relation to social security or war pensions, or

  3. (iii)

    the controller is the Department for Communities in Northern Ireland and data is processed in connection with the exercise of the functions conferred on the Department by or under the Child Support (Northern Ireland) Order 1991 (S.I. 1991/2628 (N.I. 23)) and the Child Support (Northern Ireland) Order 1995 (S.I. 1995/2702 (N.I. 13));

war pension” has the same meaning as in section 25 of the Social Security Act 1989 (establishment and functions of war pensions committees).

(2)

For the purposes of this Part of this Schedule, the “serious harm test” is met with respect to data concerning health if the application of Article 15 of the F4UK GDPR to the data would be likely to cause serious harm to the physical or mental health of the data subject or another individual.

Exemption from the listed GDPR provisions: data processed by a court

3

(1)

The listed GDPR provisions do not apply to data concerning health if—

(a)

it is processed by a court,

(b)

it consists of information supplied in a report or other evidence given to the court in the course of proceedings to which rules listed in subparagraph (2) apply, and

(c)

in accordance with those rules, the data may be withheld by the court in whole or in part from the data subject.

(2)

Those rules are—

(a)

the Magistrates’ Courts (Children and Young Persons) Rules (Northern Ireland) 1969 (S.R. (N.I.) 1969 No. 221);

(b)

the Magistrates’ Courts (Children and Young Persons) Rules 1992 (S.I. 1992/2071 (L. 17));

(c)

the Family Proceedings Rules (Northern Ireland) 1996 (S.R. (N.I.) 1996 No. 322);

(d)

the Magistrates’ Courts (Children (Northern Ireland) Order 1995) Rules (Northern Ireland) 1996 (S.R. (N. I.) 1996 No. 323);

(e)

the Act of Sederunt (Child Care and Maintenance Rules) 1997 (S.I. 1997/291 (S. 19));

(f)

the Sheriff Court Adoption Rules 2009;

(g)

the Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17));

(h)

the Children’s Hearings (Scotland) Act 2011 (Rules of Procedure in Children’s Hearings) Rules 2013 (S.S.I. 2013/194).

Exemption from the listed GDPR provisions: data subject’s expectations and wishes

4

(1)

This paragraph applies where a request for data concerning health is made in exercise of a power conferred by an enactment or rule of law and—

(a)

in relation to England and Wales or Northern Ireland, the data subject is an individual aged under 18 and the person making the request has parental responsibility for the data subject,

(b)

in relation to Scotland, the data subject is an individual aged under 16 and the person making the request has parental responsibilities for the data subject, or

(c)

the data subject is incapable of managing his or her own affairs and the person making the request has been appointed by a court to manage those affairs.

(2)

The listed GDPR provisions do not apply to data concerning health to the extent that complying with the request would disclose information—

(a)

which was provided by the data subject in the expectation that it would not be disclosed to the person making the request,

(b)

which was obtained as a result of any examination or investigation to which the data subject consented in the expectation that the information would not be so disclosed, or

(c)

which the data subject has expressly indicated should not be so disclosed.

(3)

The exemptions under sub-paragraph (2)(a) and (b) do not apply if the data subject has expressly indicated that he or she no longer has the expectation mentioned there.

Exemption from Article 15 of the F5UK GDPR: serious harm

5

(1)

Article 15(1) to (3) of the F6UK GDPR (confirmation of processing, access to data and safeguards for third country transfers) do not apply to data concerning health to the extent that the serious harm test is met with respect to the data.

(2)

A controller who is not a health professional may not rely on sub-paragraph (1) to withhold data concerning health unless the controller has obtained an opinion from the person who appears to the controller to be the appropriate health professional to the effect that the serious harm test is met with respect to the data.

(3)

An opinion does not count for the purposes of sub-paragraph (2) if—

(a)

it was obtained before the beginning of the relevant period, or

(b)

it was obtained during that period but it is reasonable in all the circumstances to re-consult the appropriate health professional.

(4)

In this paragraph, “the relevant period” means the period of 6 months ending with the day on which the opinion would be relied on.

Restriction of Article 15 of the F7UK GDPR: prior opinion of appropriate health professional

6

(1)

Article 15(1) to (3) of the F8UK GDPR (confirmation of processing, access to data and safeguards for third country transfers) do not permit the disclosure of data concerning health by a controller who is not a health professional unless the controller has obtained an opinion from the person who appears to the controller to be the appropriate health professional to the effect that the serious harm test is not met with respect to the data.

(2)

Sub-paragraph (1) does not apply to the extent that the controller is satisfied that the data concerning health has already been seen by, or is within the knowledge of, the data subject.

(3)

An opinion does not count for the purposes of sub-paragraph (1) if—

(a)

it was obtained before the beginning of the relevant period, or

(b)

it was obtained during that period but it is reasonable in all the circumstances to re-consult the appropriate health professional.

(4)

In this paragraph, “the relevant period” means the period of 6 months ending with the day on which the opinion would be relied on.

PART 3Social work data

Definitions

7

(1)

In this Part of this Schedule—

education data” has the meaning given by paragraph 17 of this Schedule;

Health and Social Care trust” means a Health and Social Care trust established under the Health and Personal Social Services (Northern Ireland) Order 1991 (S.I. 1991/194 (N.I. 1));

Principal Reporter” means the Principal Reporter appointed under the Children’s Hearings (Scotland) Act 2011 (asp 1), or an officer of the Scottish Children’s Reporter Administration to whom there is delegated under paragraph 10(1) of Schedule 3 to that Act any function of the Principal Reporter;

social work data” means personal data which—

(a)

is data to which paragraph 8 applies, but

(b)

is not education data or data concerning health.

(2)

For the purposes of this Part of this Schedule, the “serious harm test” is met with respect to social work data if the application of Article 15 of the F9UK GDPR to the data would be likely to prejudice carrying out social work, because it would be likely to cause serious harm to the physical or mental health of the data subject or another individual.

(3)

In sub-paragraph (2), “carrying out social work” is to be taken to include doing any of the following—

(a)

the exercise of any functions mentioned in paragraph 8(1)(a), (d), (f) to (j), (m), (p), (s), (t), (u), (v) or (w);

(b)

the provision of any service mentioned in paragraph 8(1)(b), (c) or (k);

(c)

the exercise of the functions of a body mentioned in paragraph 8(1)(e) or a person mentioned in paragraph 8(1)(q) or (r).

(4)

In this Part of this Schedule, a reference to a local authority, in relation to data processed or formerly processed by it, includes a reference to the Council of the Isles of Scilly, in relation to data processed or formerly processed by the Council in connection with any functions mentioned in paragraph 8(1)(a)(ii) which are or have been conferred on the Council by an enactment.

8

(1)

This paragraph applies to personal data falling within any of the following descriptions—

(a)

data processed by a local authority—

(i)

in connection with its social services functions (within the meaning of the Local Authority Social Services Act 1970 or the Social Services and Well-being (Wales) Act 2014 (anaw 4)) or any functions exercised by local authorities under the Social Work (Scotland) Act 1968 or referred to in section 5(1B) of that Act, or

(ii)

in the exercise of other functions but obtained or consisting of information obtained in connection with any of the functions mentioned in sub-paragraph (i);

(b)

data processed by F10the Department of Health in Northern Ireland or any person or body exercising functions by virtue of paragraph 22A of Schedule 3 to the Health and Personal Social Services (Northern Ireland) Order 1991

(i)

in connection with the provision of social care within the meaning of section 2(5) of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.)), or

(ii)

in the exercise of other functions but obtained or consisting of information obtained in connection with the provision of that care;

(c)

data processed by a Health and Social Care trust—

F11(i)

in the exercise of social care and children functions within the meaning of Article 10A of the Health and Personal Social Services (Northern Ireland) Order 1991,

(ia)

in connection with the provision of social care within the meaning of section 2(5) of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.)) by virtue of a delegation direction under Article 10B of the Health and Personal Social Services (Northern Ireland) Order 1991, or

(ii)

in the exercise of other functions but obtained or consisting of information obtained in connection with the provision of that care;

(d)

data processed by a council in the exercise of its functions under Part 2 of Schedule 9 to the Health and Social Services and Social Security Adjudications Act 1983;

(e)

data processed by—

(i)

a probation trust established under section 5 of the Offender Management Act 2007, or

(ii)

the Probation Board for Northern Ireland established by the Probation Board (Northern Ireland) Order 1982 (S.I. 1982/713 (N.I. 10));

(f)

data processed by a local authority in the exercise of its functions under section 36 of the Children Act 1989 or Chapter 2 of Part 6 of the Education Act 1996, so far as those functions relate to ensuring that children of compulsory school age (within the meaning of section 8 of the Education Act 1996) receive suitable education whether by attendance at school or otherwise;

(g)

data processed by the Education Authority in the exercise of its functions under Article 55 of the Children (Northern Ireland) Order 1995 (S.I. 1995/755 (N.I. 2)) or Article 45 of, and Schedule 13 to, the Education and Libraries (Northern Ireland) Order 1986 (S.I. 1986/594 (N.I. 3)), so far as those functions relate to ensuring that children of compulsory school age (within the meaning of Article 46 of the Education and Libraries (Northern Ireland) Order 1986) receive efficient full-time education suitable to their age, ability and aptitude and to any special educational needs they may have, either by regular attendance at school or otherwise;

(h)

data processed by an education authority in the exercise of its functions under sections 35 to 42 of the Education (Scotland) Act 1980 so far as those functions relate to ensuring that children of
school age (within the meaning of section 31 of the Education (Scotland) Act 1980) receive efficient education suitable to their age, ability and aptitude, whether by attendance at school or otherwise;

(i)

data relating to persons detained in a hospital at which high security psychiatric services are provided under section 4 of the National Health Service Act 2006 and processed by a Special Health Authority established under section 28 of that Act in the exercise of any functions similar to any social services functions of a local authority;

(j)

data relating to persons detained in special accommodation provided under Article 110 of the Mental Health (Northern Ireland) Order 1986 (S.I. 1986/595 (N.I. 4)) and processed by a Health and
Social Care trust in the exercise of any functions similar to any social services functions of a local authority;

(k)

data which—

(i)

is processed by the National Society for the Prevention of Cruelty to Children, or by any other voluntary organisation or other body designated under this paragraph by the
Secretary of State or the Department of Health in Northern Ireland, and

(ii)

appears to the Secretary of State or the Department, as the case may be, to be processed for the purposes of the provision of any service similar to a service provided in the exercise of
any functions specified in paragraph (a), (b), (c) or (d);

(l)

data processed by a body mentioned in sub-paragraph (2)—

(i)

which was obtained, or consists of information which was obtained, from an authority or body mentioned in any of paragraphs (a) to (k) or from a government department, and

(ii)

in the case of data obtained, or consisting of information obtained, from an authority or body mentioned in any of paragraphs (a) to (k), fell within any of those paragraphs while processed by the authority or body;

(m)

data processed by a National Health Service trust first established under section 25 of the National Health Service Act 2006, section 18 of the National Health Service (Wales) Act 2006 or section 5 of the National Health Service and Community Care Act 1990 in the exercise of any functions similar to any social services functions of a local authority;

(n)

data processed by an NHS foundation trust in the exercise of any functions similar to any social services functions of a local authority;

(o)

data processed by a government department—

(i)

which was obtained, or consists of information which was obtained, from an authority or body mentioned in any of paragraphs (a) to (n), and

(ii)

which fell within any of those paragraphs while processed by that authority or body;

(p)

data processed for the purposes of the functions of the Secretary of State pursuant to section 82(5) of the Children Act 1989;

(q)

data processed by—

(i)

a children’s guardian appointed under Part 16 of the Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17)),

(ii)

a guardian ad litem appointed under Article 60 of the Children (Northern Ireland) Order 1995 (S.I. 1995/755 (N.I. 2)) or Article 66 of the Adoption (Northern Ireland) Order 1987 (S.I. 1987/2203 (N.I. 22)), or

(iii)

a safeguarder appointed under section 30(2) or 31(3) of the Children’s Hearings (Scotland) Act 2011 (asp 1);

(r)

data processed by the Principal Reporter;

(s)

data processed by an officer of the Children and Family Court Advisory and Support Service for the purpose of the officer’s functions under section 7 of the Children Act 1989 or Part 16 of the
Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17));

(t)

data processed by the Welsh family proceedings officer for the purposes of the functions under section 7 of the Children Act 1989 or Part 16 of the Family Procedure Rules 2010;

(u)

data processed by an officer of the service appointed as guardian ad litem under Part 16 of the Family Procedure Rules 2010;

(v)

data processed by the Children and Family Court Advisory and Support Service for the purpose of its functions under section 12(1) and (2) and section 13(1), (2) and (4) of the Criminal Justice and Court Services Act 2000;

(w)

data processed by the Welsh Ministers for the purposes of their functions under section 35(1) and (2) and section 36(1), (2), (4), (5) and (6) of the Children Act 2004;

(x)

data processed for the purposes of the functions of the appropriate Minister pursuant to section 12 of the Adoption and Children Act 2002 (independent review of determinations).

(2)

The bodies referred to in sub-paragraph (1)(l) are—

(a)

a National Health Service trust first established under section 25 of the National Health Service Act 2006 or section 18 of the National Health Service (Wales) Act 2006;

(b)

a National Health Service trust first established under section 5 of the National Health Service and Community Care Act 1990;

(c)

an NHS foundation trust;

F12(d)

an integrated care board established under section 14Z25 of the National Health Service Act 2006;

(e)

F13NHS England;

(f)

a Local Health Board established under section 11 of the National Health Service (Wales) Act 2006;

(g)

a Health Board established under section 2 of the National Health Service (Scotland) Act 1978.

Exemption from the listed GDPR provisions: data processed by a court

9

(1)

The listed GDPR provisions do not apply to data that is not education data or data concerning health if—

(a)

it is processed by a court,

(b)

it consists of information supplied in a report or other evidence given to the court in the course of proceedings to which rules listed in subparagraph (2) apply, and

(c)

in accordance with any of those rules, the data may be withheld by the court in whole or in part from the data subject.

(2)

Those rules are—

(a)

the Magistrates’ Courts (Children and Young Persons) Rules (Northern Ireland) 1969 (S.R. (N.I.) 1969 No. 221);

(b)

the Magistrates’ Courts (Children and Young Persons) Rules 1992 (S.I. 1992/2071 (L. 17));

(c)

the Family Proceedings Rules (Northern Ireland) 1996 (S.R. (N.I.) 1996 No. 322);

(d)

the Magistrates’ Courts (Children (Northern Ireland) Order 1995) Rules (Northern Ireland) 1996 (S.R. (N. I.) 1996 No. 323);

(e)

the Act of Sederunt (Child Care and Maintenance Rules) 1997 (S.I. 1997/291 (S. 19));

(f)

the Sheriff Court Adoption Rules 2009;

(g)

the Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17));

(h)

the Children’s Hearings (Scotland) Act 2011 (Rules of Procedure in Children’s Hearings) Rules 2013 (S.S.I. 2013/194).

Exemption from the listed GDPR provisions: data subject’s expectations and wishes

10

(1)

This paragraph applies where a request for social work data is made in exercise of a power conferred by an enactment or rule of law and—

(a)

in relation to England and Wales or Northern Ireland, the data subject is an individual aged under 18 and the person making the request has parental responsibility for the data subject,

(b)

in relation to Scotland, the data subject is an individual aged under 16 and the person making the request has parental responsibilities for the data subject, or

(c)

the data subject is incapable of managing his or her own affairs and the person making the request has been appointed by a court to manage those affairs.

(2)

The listed GDPR provisions do not apply to social work data to the extent that complying with the request would disclose information—

(a)

which was provided by the data subject in the expectation that it would not be disclosed to the person making the request,

(b)

which was obtained as a result of any examination or investigation to which the data subject consented in the expectation that the information would not be so disclosed, or

(c)

which the data subject has expressly indicated should not be so disclosed.

(3)

The exemptions under sub-paragraph (2)(a) and (b) do not apply if the data subject has expressly indicated that he or she no longer has the expectation mentioned there.

Exemption from Article 15 of the F14UK GDPR: serious harm

11

Article 15(1) to (3) of the F15UK GDPR (confirmation of processing, access to data and safeguards for third country transfers) do not apply to social work data to the extent that the serious harm test is met with respect to the data.

Restriction of Article 15 of the F16UK GDPR: prior opinion of Principal Reporter

12

(1)

This paragraph applies where—

(a)

a question arises as to whether a controller who is a social work authority is obliged by Article 15(1) to (3) of the F17UK GDPR (confirmation of processing, access to data and safeguards for third country
transfers) to disclose social work data, and

(b)

the data—

(i)

originated from or was supplied by the Principal Reporter acting in pursuance of the Principal Reporter’s statutory duties, and

(ii)

is not data which the data subject is entitled to receive from the Principal Reporter.

(2)

The controller must inform the Principal Reporter of the fact that the question has arisen before the end of the period of 14 days beginning when the question arises.

(3)

Article 15(1) to (3) of the F18UK GDPR (confirmation of processing, access to data and safeguards for third country transfers) do not permit the controller to disclose the data to the data subject unless the Principal Reporter has informed the controller that, in the opinion of the Principal Reporter, the serious harm test is not met with respect to the data.

(4)

In this paragraph “social work authority” means a local authority for the purposes of the Social Work (Scotland) Act 1968.

PART 4Education data

Educational records

13

In this Part of this Schedule “educational record” means a record to which paragraph 14, 15 or 16 applies.

14

(1)

This paragraph applies to a record of information which—

(a)

is processed by or on behalf of the proprietor of, or a teacher at, a school in England and Wales specified in sub-paragraph (3),

(b)

relates to an individual who is or has been a pupil at the school, and

(c)

originated from, or was supplied by or on behalf of, any of the persons specified in sub-paragraph (4).

(2)

But this paragraph does not apply to information which is processed by a teacher solely for the teacher’s own use.

(3)

The schools referred to in sub-paragraph (1)(a) are—

(a)

a school maintained by a local authority;

(b)

an Academy school;

(c)

an alternative provision Academy;

(d)

an independent school that is not an Academy school or an alternative provision Academy;

(e)

a non-maintained special school.

(4)

The persons referred to in sub-paragraph (1)(c) are—

(a)

an employee of the local authority which maintains the school;

(b)

in the case of—

(i)

a voluntary aided, foundation or foundation special school (within the meaning of the School Standards and Framework Act 1998),

(ii)

an Academy school,

(iii)

an alternative provision Academy,

(iv)

an independent school that is not an Academy school or an alternative provision Academy, or

(v)

a non-maintained special school,

a teacher or other employee at the school (including an educational psychologist engaged by the proprietor under a contract for services);

(c)

the pupil to whom the record relates;

(d)

a parent, as defined by section 576(1) of the Education Act 1996, of that pupil.

(5)

In this paragraph—

independent school” has the meaning given by section 463 of the Education Act 1996;

local authority” has the same meaning as in that Act (see sections 579(1) and 581 of that Act);

non-maintained special school” has the meaning given by section 337A of that Act;

proprietor” has the meaning given by section 579(1) of that Act.

15

(1)

This paragraph applies to a record of information which is processed—

(a)

by an education authority in Scotland, and

(b)

for the purpose of the relevant function of the authority.

(2)

But this paragraph does not apply to information which is processed by a teacher solely for the teacher’s own use.

(3)

For the purposes of this paragraph, information processed by an education authority is processed for the purpose of the relevant function of the authority if the processing relates to the discharge of that function in respect of a person—

(a)

who is or has been a pupil in a school provided by the authority, or

(b)

who receives, or has received, further education provided by the authority.

(4)

In this paragraph “the relevant function” means, in relation to each education authority, its function under section 1 of the Education (Scotland) Act 1980 and section 7(1) of the Self-Governing Schools etc. (Scotland) Act 1989.

16

(1)

This paragraph applies to a record of information which—

(a)

is processed by or on behalf of the Board of Governors, proprietor or trustees of, or a teacher at, a school in Northern Ireland specified in sub-paragraph (3),

(b)

relates to an individual who is or has been a pupil at the school, and

(c)

originated from, or was supplied by or on behalf of, any of the persons specified in sub-paragraph (4).

(2)

But this paragraph does not apply to information which is processed by a teacher solely for the teacher’s own use.

(3)

The schools referred to in sub-paragraph (1)(a) are—

(a)

a grant-aided school;

(b)

an independent school.

(4)

The persons referred to in sub-paragraph (1)(c) are—

(a)

a teacher at the school;

(b)

an employee of the Education Authority, other than a teacher at the school;

(c)

an employee of the Council for Catholic Maintained Schools, other than a teacher at the school;

(d)

the pupil to whom the record relates;

(e)

a parent, as defined by Article 2(2) of the Education and Libraries (Northern Ireland) Order 1986 (S.I. 1986/594 (N.I. 3)).

(5)

In this paragraph, “grant-aided school”, “independent school”, “proprietor” and “trustees” have the same meaning as in the Education and Libraries (Northern Ireland) Order 1986 (S.I. 1986/594 (N.I. 3)).

Other definitions

17

(1)

In this Part of this Schedule—

education authority” and “further education” have the same meaning as in the Education (Scotland) Act 1980;

education data” means personal data consisting of information which—

(a)

constitutes an educational record, but

(b)

is not data concerning health;

Principal Reporter” means the Principal Reporter appointed under the Children’s Hearings (Scotland) Act 2011 (asp 1), or an officer of the Scottish Children’s Reporter Administration to whom there is delegated under paragraph 10(1) of Schedule 3 to that Act any function of the Principal Reporter;

pupil” means—

(a)

in relation to a school in England and Wales, a registered pupil within the meaning of the Education Act 1996,

(b)

in relation to a school in Scotland, a pupil within the meaning of the Education (Scotland) Act 1980, and

(c)

in relation to a school in Northern Ireland, a registered pupil within the meaning of the Education and Libraries (Northern Ireland) Order 1986 (S.I. 1986/594 (N.I. 3));

“school”—

(a)

in relation to England and Wales, has the same meaning as in the Education Act 1996,

(b)

in relation to Scotland, has the same meaning as in the Education (Scotland) Act 1980, and

(c)

in relation to Northern Ireland, has the same meaning as in the Education and Libraries (Northern Ireland) Order 1986;

teacher” includes—

(a)

in Great Britain, head teacher, and

(b)

in Northern Ireland, the principal of a school.

(2)

For the purposes of this Part of this Schedule, the “serious harm test” is met with respect to education data if the application of Article 15 of the F19UK GDPR to the data would be likely to cause serious harm to the physical or mental health of the data subject or another individual.

Exemption from the listed GDPR provisions: data processed by a court

18

(1)

The listed GDPR provisions do not apply to education data if—

(a)

it is processed by a court,

(b)

it consists of information supplied in a report or other evidence given to the court in the course of proceedings to which rules listed in subparagraph (2) apply, and

(c)

in accordance with those rules, the data may be withheld by the court in whole or in part from the data subject.

(2)

Those rules are—

(a)

the Magistrates’ Courts (Children and Young Persons) Rules (Northern Ireland) 1969 (S.R. (N.I.) 1969 No. 221);

(b)

the Magistrates’ Courts (Children and Young Persons) Rules 1992 (S.I. 1992/2071 (L. 17));

(c)

the Family Proceedings Rules (Northern Ireland) 1996 (S.R. (N.I.) 1996 No. 322);

(d)

the Magistrates’ Courts (Children (Northern Ireland) Order 1995) Rules (Northern Ireland) 1996 (S.R. (N. I.) 1996 No. 323);

(e)

the Act of Sederunt (Child Care and Maintenance Rules) 1997 (S.I. 1997/291 (S. 19));

(f)

the Sheriff Court Adoption Rules 2009;

(g)

the Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17));

(h)

the Children’s Hearings (Scotland) Act 2011 (Rules of Procedure in Children’s Hearings) Rules 2013 (S.S.I. 2013/194).

Exemption from Article 15 of the F20UK GDPR: serious harm

19

Article 15(1) to (3) of the F21UK GDPR (confirmation of processing, access to data and safeguards for third country transfers) do not apply to education data to the extent that the serious harm test is met with respect to the data.

Restriction of Article 15 of the F22UK GDPR: prior opinion of Principal Reporter

20

(1)

This paragraph applies where—

(a)

a question arises as to whether a controller who is an education authority is obliged by Article 15(1) to (3) of the F23UK GDPR (confirmation of processing, access to data and safeguards for third country transfers) to disclose education data, and

(b)

the controller believes that the data—

(i)

originated from or was supplied by or on behalf of the Principal Reporter acting in pursuance of the Principal Reporter’s statutory duties, and

(ii)

is not data which the data subject is entitled to receive from the Principal Reporter.

(2)

The controller must inform the Principal Reporter of the fact that the question has arisen before the end of the period of 14 days beginning when the question arises.

(3)

Article 15(1) to (3) of the F24UK GDPR (confirmation of processing, access to data and safeguards for third country transfers) do not permit the controller to disclose the data to the data subject unless the Principal Reporter has informed the controller that, in the opinion of the Principal Reporter, the serious harm test is not met with respect to the data.

PART 5Child abuse data

Exemption from Article 15 of the F25UK GDPR: child abuse data

21

(1)

This paragraph applies where a request for child abuse data is made in exercise of a power conferred by an enactment or rule of law and—

(a)

the data subject is an individual aged under 18 and the person making the request has parental responsibility for the data subject, or

(b)

the data subject is incapable of managing his or her own affairs and the person making the request has been appointed by a court to manage those affairs.

(2)

Article 15(1) to (3) of the F26UK GDPR (confirmation of processing, access to data and safeguards for third country transfers) do not apply to child abuse data to the extent that the application of that provision would not be in the best interests of the data subject.

(3)

“Child abuse data” is personal data consisting of information as to whether the data subject is or has been the subject of, or may be at risk of, child abuse.

(4)

For this purpose, “child abuse” includes physical injury (other than accidental injury) to, and physical and emotional neglect, ill-treatment and sexual abuse of, an individual aged under 18.

(5)

This paragraph does not apply in relation to Scotland.