法律人 LawPlayer logo

資料由法律人 LawPlayer整理提供·UK legislation / curated by LawPlayer from legislation.gov.uk

Act of Parliament

Data Protection Act 2018

Citation
2018 c. 12
As at
Sections
1138
Section 1Overview

(1) This Act makes provision about the processing of personal data.

(2) Most processing of personal data is subject to the UK GDPR .

(3) Part 2 supplements the UK GDPR .

(4) Part 3 makes provision about the processing of personal data by competent authorities for law enforcement purposes ....

(5) Part 4 makes provision about the processing of personal data by the intelligence services (and certain processing carried out by competent authorities jointly with the intelligence services) .

(6) Part 5 makes provision about the Information Commissioner.

(7) Part 6 makes provision about the enforcement of the data protection legislation.

(8) Part 7 makes supplementary provision, including provision about the application of this Act to the Crown and to Parliament.

Section 2Protection of personal data

(1) The UK GDPR and this Act protect individuals with regard to the processing of personal data, in particular by—

(a) requiring personal data to be processed lawfully and fairly, on the basis of the data subject's consent or another specified basis,

(b) conferring rights on the data subject to obtain information about the processing of personal data and to require inaccurate personal data to be rectified, and

(c) conferring functions on the Commissioner, giving the holder of that office responsibility for monitoring and enforcing their provisions.

(2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Section 3Terms relating to the processing of personal data

(1) This section defines some terms used in this Act.

(2) “ Personal data ” means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).

(3) “ Identifiable living individual ” means a living individual who can be identified, directly or indirectly, in particular by reference to—

(a) an identifier such as a name, an identification number, location data or an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.

(4) “ Processing ”, in relation to information, means an operation or set of operations which is performed on information, or on sets of information, such as—

(a) collection, recording, organisation, structuring or storage,

(b) adaptation or alteration,

(c) retrieval, consultation or use,

(d) disclosure by transmission, dissemination or otherwise making available,

(e) alignment or combination, or

(f) restriction, erasure or destruction,

(subject to subsection (14)(c) and sections 5(7), 29(2) and 82(3), which make provision about references to processing in the different Parts of this Act).

(5) “ Data subject ” means the identified or identifiable living individual to whom personal data relates.

(6) “Controller” and “ processor ”, in relation to the processing of personal data to which ... Part 2, Part 3 or Part 4 applies, have the same meaning as in that ... Part (see sections 5, 6, 32 and 83 and see also subsection (14)(d)).

(7) “ Filing system ” means any structured set of personal data which is accessible according to specific criteria, whether held by automated means or manually and whether centralised, decentralised or dispersed on a functional or geographical basis.

(8) “ The Commissioner ” means the Information Commissioner (see section 114).

(8A) “ The Commission ” means the Information Commission (see section 114A).

(9) “ The data protection legislation ” means—

(a) the UK GDPR,

(b) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(c) this Act, and

(d) regulations made under this Act or the UK GDPR , ...

(e) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(10) “ The UK GDPR ” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)) .

(10A) “ The EU GDPR ” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) as it has effect in EU law.

(11) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(12) “ The Law Enforcement Directive ” means Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.

(13) “ The Data Protection Convention ” means the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data which was opened for signature on 28 January 1981, as amended up to the day on which this Act is passed.

(14) In Parts 5 to 7, except where otherwise provided—

(a) references to the UK GDPR are to the UK GDPR read with Part 2;

(b) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(c) references to personal data, and the processing of personal data, are to personal data and processing to which ... Part 2, Part 3 or Part 4 applies;

(d) references to a controller or processor are to a controller or processor in relation to the processing of personal data to which ... Part 2, Part 3 or Part 4 applies.

(15) There is an index of defined expressions in section 206.

Section 4Processing to which this Part applies

(1) This Part is relevant to most processing of personal data.

(2) This Part —

(a) applies to the types of processing of personal data to which the UK GDPR applies by virtue of Article 2 of the UK GDPR , and

(b) supplements, and must be read with, the UK GDPR .

(3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Section 5Definitions

(1) Terms used in ... this Part and in the UK GDPR have the same meaning in this Part as they have in the UK GDPR .

(2) In subsection (1), the reference to a term's meaning in the UK GDPR is to its meaning in the UK GDPR read with any provision of this Part which modifies the term's meaning for the purposes of the UK GDPR .

(3) Subsection (1) is subject to any provision in this Part which provides expressly for the term to have a different meaning and to section 204.

(4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(5) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(6) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(7) A reference in ... this Part to the processing of personal data is to processing to which this Part applies.

(8) Sections 3 and 205 include definitions of other expressions used in this Part.

Section 6Meaning of “controller”

(1) The definition of “controller” in Article 4(1)(7) of the UK GDPR has effect subject to—

(a) subsection (2),

(b) section 209, and

(c) section 210.

(2) For the purposes of the UK GDPR , where personal data is processed only—

(a) for purposes for which it is required by an enactment to be processed, and

(b) by means by which it is required by an enactment to be processed,

the person on whom the obligation to process the data is imposed by the enactment (or, if different, one of the enactments) is the controller.

Section 7Meaning of “public authority” and “public body”

(1) For the purposes of the UK GDPR , the following (and only the following) are “public authorities” and “public bodies” ...—

(a) a public authority as defined by the Freedom of Information Act 2000,

(b) a Scottish public authority as defined by the Freedom of Information (Scotland) Act 2002 (asp 13),

(ba) the Advanced Research and Invention Agency, and

(c) an authority or body specified or described by the Secretary of State in regulations,

subject to subsections (2), (3) and (4).

(2) An authority or body that falls within subsection (1) is only a “public authority” or “ public body ” for the purposes of the UK GDPR when performing a task carried out in the public interest or in the exercise of official authority vested in it.

(3) The references in subsection (1)(a) and (b) to public authorities and Scottish public authorities as defined by the Freedom of Information Act 2000 and the Freedom of Information (Scotland) Act 2002 (asp 13) do not include any of the following that fall within those definitions—

(a) a parish council in England;

(b) a community council in Wales;

(c) a community council in Scotland;

(d) a parish meeting constituted under section 13 of the Local Government Act 1972;

(e) a community meeting constituted under section 27 of that Act;

(f) charter trustees constituted—

(i) under section 246 of that Act,

(ii) under Part 1 of the Local Government and Public Involvement in Health Act 2007, or

(iii) by the Charter Trustees Regulations 1996 ( S.I. 1996/263).

(4) The Secretary of State may by regulations provide that a person specified or described in the regulations that is a public authority described or mentioned in subsection (1)(a), (b) or (ba) is not a “public authority” or “ public body ” for the purposes of the UK GDPR .

(5) Regulations under this section are subject to the affirmative resolution procedure.

Section 8Lawfulness of processing: public interest etc

In Article 6(1) of the UK GDPR (lawfulness of processing), the reference in point (e) to processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of ... official authority includes processing of personal data that is necessary for—

(a) the administration of justice,

(b) the exercise of a function of either House of Parliament,

(c) the exercise of a function conferred on a person by an enactment or rule of law,

(d) the exercise of a function of the Crown, a Minister of the Crown or a government department, or

(e) an activity that supports or promotes democratic engagement.

Section 9Child's consent in relation to information society services

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Section 9AProcessing in reliance on relevant international law

(1) Processing of personal data meets the requirement in Article 6(3), 8A(3)(e), 9(2)(g) or 10(1) of the UK GDPR for a basis in, or authorisation by, relevant international law only if it meets a condition in Schedule A1.

(2) A condition in Schedule A1 may be relied on for the purposes of any of those provisions, unless that Schedule provides otherwise.

(3) The Secretary of State may by regulations amend Schedule A1 by adding, varying or omitting—

(a) conditions,

(b) provision about the purposes for which a condition may be relied on, and

(c) safeguards in connection with processing carried out in reliance on a condition in the Schedule.

(4) Regulations under this section may only add a condition relating entirely or partly to a treaty ratified by the United Kingdom.

(5) Regulations under this section are subject to the affirmative resolution procedure.

(6) In this section, “ treaty ” and “ ratified ” have the same meaning as in Part 2 of the Constitutional Reform and Governance Act 2010 (see section 25 of that Act).

Section 10Special categories of personal data and criminal convictions etc data

(1) Subsections (2) and (3) make provision about the processing of personal data described in Article 9(1) of the UK GDPR (prohibition on processing of special categories of personal data) in reliance on an exception in one of the following points of Article 9(2)—

(a) point (b) (employment, social security and social protection);

(b) point (g) (substantial public interest);

(c) point (h) (health and social care);

(d) point (i) (public health);

(e) point (j) (archiving, research and statistics).

(2) The processing meets the requirement in point (b), (h), (i) or (j) of Article 9(2) of the UK GDPR for authorisation by, or a basis in, the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 1 of Schedule 1.

(3) The processing meets the requirement in point (g) of Article 9(2) of the UK GDPR for a basis in the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 2 of Schedule 1.

(4) Subsection (5) makes provision about the processing of personal data relating to criminal convictions and offences or related security measures that is not carried out under the control of official authority.

(5) The processing meets the requirement in Article 10(1) of the UK GDPR for authorisation by the law of the United Kingdom or a part of the United Kingdom only if it meets a condition in Part 1, 2 or 3 of Schedule 1.

(6) The Secretary of State may by regulations—

(a) amend Schedule 1—

(i) by adding or varying conditions or safeguards, and

(ii) by omitting conditions or safeguards added by regulations under this section, and

(b) consequentially amend this section.

(7) Regulations under this section are subject to the affirmative resolution procedure.

Section 11Special categories of personal data etc: supplementary

(1) For the purposes of Article 9(2)(h) of the UK GDPR (processing for health or social care purposes etc), the circumstances in which the processing of personal data is carried out subject to the conditions and safeguards referred to in Article 9(3) of the UK GDPR (obligation of secrecy) include circumstances in which it is carried out—

(a) by or under the responsibility of a health professional or a social work professional, or

(b) by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

(2) In Article 10 of the UK GDPR and section 10, references to personal data relating to criminal convictions and offences or related security measures include personal data relating to—

(a) the alleged commission of offences by the data subject, or

(b) proceedings for an offence committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing.

Section 12Limits on fees that may be charged by controllers

(1) The Secretary of State may by regulations specify limits on the fees that a controller may charge in reliance on—

(a) Article 12(5) of the UK GDPR (reasonable fees when responding to manifestly unfounded or excessive requests), or

(b) Article 15(3) of the UK GDPR (reasonable fees for provision of further copies).

(2) The Secretary of State may by regulations—

(a) require controllers of a description specified in the regulations to produce and publish guidance about the fees that they charge in reliance on those provisions, and

(b) specify what the guidance must include.

(3) Regulations under this section are subject to the negative resolution procedure.

Section 13Obligations of credit reference agencies

(1) This section applies where a controller is a credit reference agency (within the meaning of section 145(8) of the Consumer Credit Act 1974).

(2) The controller's obligations under Article 15(1) to (3) of the UK GDPR (confirmation of processing, access to data and safeguards for third country transfers) are taken to apply only to personal data relating to the data subject's financial standing, unless the data subject has indicated a contrary intention.

(3) Where the controller discloses personal data in pursuance of Article 15(1) to (3) of the UK GDPR , the disclosure must be accompanied by a statement informing the data subject of the data subject's rights under section 159 of the Consumer Credit Act 1974 (correction of wrong information).

Section 14Automated decision-making authorised by law: safeguards

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Section 15Exemptions etc

(1) Schedules 2, 3 and 4 make provision for exemptions from, and restrictions and adaptations of the application of, rules of the UK GDPR .

(2) In Schedule 2—

(a) Part 1 makes provision adapting or restricting the application of rules contained in Articles 13 to 21 and 34 of the UK GDPR in specified circumstances (of a kind described in Article 6(3) and Article 23(1) of the UK GDPR) ;

(b) Part 2 makes provision restricting the application of rules contained in Articles 13 to 21 and 34 of the UK GDPR in specified circumstances (of a kind described in Article 23(1) of the UK GDPR) ;

(c) Part 3 makes provision restricting the application of Article 15 of the UK GDPR where this is necessary to protect the rights of others (of a kind described in Article 23(1) of the UK GDPR) ;

(d) Part 4 makes provision restricting the application of rules contained in Articles 13 to 15 of the UK GDPR in specified circumstances (of a kind described in Article 23(1) of the UK GDPR) ;

(e) Part 5 makes provision containing exemptions or derogations from Chapters II , III , IV and V of the UK GDPR for reasons relating to freedom of expression (of a kind described in Article 85(2) of the UK GDPR) ;

(f) Part 6 makes provision containing derogations from rights contained in Articles 15, 16, 18, 19, 20 and 21 of the UK GDPR for scientific or historical research purposes, statistical purposes and archiving purposes ....

(3) Schedule 3 makes provision restricting the application of rules contained in Articles 13 to 21 of the UK GDPR to health, social work, education and child abuse data (of a kind described in Article 23(1) of the UK GDPR) .

(4) Schedule 4 makes provision restricting the application of rules contained in Articles 13 to 21 of the UK GDPR to information the disclosure of which is prohibited or restricted by an enactment (of a kind described in Article 23(1) of the UK GDPR) .

(4A) In connection with the manual unstructured processing of personal data held by an FOI public authority, see Chapter 3 of this Part (sections 21, 24 and 25).

(5) In connection with the safeguarding of national security and with defence, see Chapter 3 of this Part (sections 26 to 28) .

Section 16Power to make further exemptions etc by regulations

(1) The following powers to make provision altering the application of the UK GDPR may be exercised by way of regulations made by the Secretary of State under this section—

(a) the power in Article 6(3) ... to lay down a legal basis containing specific provisions to adapt the application of rules of the UK GDPR where processing is necessary for compliance with a legal obligation, for the performance of a task in the public interest or in the exercise of official authority;

(b) the power in Article 23(1) to make provision restricting the scope of the obligations and rights mentioned in that Article where necessary and proportionate to safeguard certain objectives of general public interest;

(c) the power in Article 85(2) to provide for exemptions or derogations from certain Chapters of the UK GDPR where necessary to reconcile the protection of personal data with the freedom of expression and information.

(2) Regulations under this section may—

(a) amend Schedules 2 to 4—

(i) by adding or varying provisions, and

(ii) by omitting provisions added by regulations under this section, ...

(b) consequentially amend section 15 , and

(c) consequentially amend the UK GDPR by adding, varying or omitting a reference to section 15, Schedule 2, 3 or 4, this section or regulations under this section.

(3) Regulations under this section are subject to the affirmative resolution procedure.

Section 17Accreditation of certification providers

(1) Accreditation of a person as a certification provider is only valid when carried out by—

(a) the Commissioner, or

(b) the UK national accreditation body .

(2) The Commissioner may only accredit a person as a certification provider where the Commissioner—

(a) has published a statement that the Commissioner will carry out such accreditation, and

(b) has not published a notice withdrawing that statement.

(3) The UK national accreditation body may only accredit a person as a certification provider where the Commissioner—

(a) has published a statement that the body may carry out such accreditation, and

(b) has not published a notice withdrawing that statement.

(4) The publication of a notice under subsection (2)(b) or (3)(b) does not affect the validity of any accreditation carried out before its publication.

(5) Schedule 5 makes provision about reviews of, and appeals from, a decision relating to accreditation of a person as a certification provider.

(6) The UK national accreditation body may charge a reasonable fee in connection with, or incidental to, the carrying out of the body's functions under this section, Schedule 5 and Article 43 of the UK GDPR .

(7) The UK national accreditation body must provide the Secretary of State with such information relating to its functions under this section, Schedule 5 and Article 43 of the UK GDPR as the Secretary of State may reasonably require.

(8) In this section—

“ certification provider ” means a person who issues certification for the purposes of Article 42 of the UK GDPR ;

“ the UK national accreditation body ” means the UK national accreditation body for the purposes of Article 4(1) of Regulation ( EC ) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation ( EEC ) No 339/93 .

Section 17ATransfers based on adequacy regulations

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Section 17BTransfers based on adequacy regulations: review etc

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Section 17CStandard data protection clauses

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Section 18Transfers of personal data to third countries etc : public interest

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Section 19Processing for archiving, research and statistical purposes: safeguards

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Section 20Meaning of “court”

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Section 21Definitions

(1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(3) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(4) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(5) In this Chapter, “ FOI public authority ” means—

(a) a public authority as defined in the Freedom of Information Act 2000, ...

(b) a Scottish public authority as defined in the Freedom of Information (Scotland) Act 2002 (asp 13) , or

(c) the Advanced Research and Invention Agency .

(6) References in this Chapter to personal data “held” by an FOI public authority are to be interpreted—

(a) in relation to England and Wales and Northern Ireland, in accordance with section 3(2) of the Freedom of Information Act 2000, and

(b) in relation to Scotland, in accordance with section 3(2), (4) and (5) of the Freedom of Information (Scotland) Act 2002 (asp 13),

but such references do not include information held by an intelligence service (as defined in section 82) on behalf of an FOI public authority.

(7) But personal data is not to be treated as “held” by an FOI public authority for the purposes of this Chapter, where—

(a) section 7 of the Freedom of Information Act 2000 prevents Parts 1 to 5 of that Act from applying to the personal data, or

(b) section 7(1) of the Freedom of Information (Scotland) Act 2002 (asp 13) prevents that Act from applying to the personal data.

(8) In relation to the Advanced Research and Invention Agency—

(a) for the purposes of subsection (6)(a)—

(i) section 3(2) of the Freedom of Information Act 2000 is to be read as if “public authority” included that Agency, and

(ii) section 3(2) of the Freedom of Information (Scotland) Act 2002 (asp 13) is to be read as if “authority” included that Agency, and

(b) subsection (7) does not apply.

Section 22Application of the GDPR to processing to which this Chapter applies

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Section 23Power to make provision in consequence of regulations related to the GDPR

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Section 24Manual unstructured data held by FOI public authorities

(1) The provisions of the UK GDPR and this Act listed in subsection (2) do not apply to personal data to which the UK GDPR applies by virtue of Article 2(1A) (manual unstructured personal data held by FOI public authorities).

(2) Those provisions are—

(a) in Chapter II of the UK GDPR (principles)—

(i) Article 5(1)(a) to (c), (e) and (f) (principles relating to processing, other than the accuracy principle),

(ii) Article 6 (lawfulness),

(iii) Article 7 (conditions for consent),

(iv) Article 8(1) and (2) (child's consent),

(v) Article 9 (processing of special categories of personal data),

(vi) Article 10 (data relating to criminal convictions etc), and

(vii) Article 11(2) (processing not requiring identification);

(b) in Chapter III of the UK GDPR (rights of the data subject)—

(i) Article 13(1) to (3) (personal data collected from data subject: information to be provided),

(ii) Article 14(1) to (4) (personal data collected other than from data subject: information to be provided),

(iii) Article 20 (right to data portability), and

(iv) Article 21(1) (objections to processing);

(c) in Chapter V of the UK GDPR , Articles 44A to 49A (transfers of personal data to third countries or international organisations);

(ca) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(cb) in Part 5 of this Act, section 119A (standard clauses for transfers to third countries);

(d) in Part 7 of this Act, sections 170 and 171 (offences relating to personal data).

(see also paragraph 1(2) of Schedule 18).

(3) In addition, the provisions of the UK GDPR listed in subsection (4) do not apply to personal data to which the UK GDPR applies by virtue of Article 2(1A) where the personal data relates to appointments, removals, pay, discipline, superannuation or other personnel matters in relation to—

(a) service in any of the armed forces of the Crown;

(b) service in any office or employment under the Crown or under any public authority;

(c) service in any office or employment, or under any contract for services, in respect of which power to take action, or to determine or approve the action taken, in such matters is vested in—

(i) Her Majesty,

(ii) a Minister of the Crown,

(iii) the National Assembly for Wales,

(iv) the Welsh Ministers,

(v) a Northern Ireland Minister (within the meaning of the Freedom of Information Act 2000), or

(vi) an FOI public authority.

(4) Those provisions are—

(a) the remaining provisions of Chapters II and III (principles and rights of the data subject);

(b) Chapter IV (controller and processor);

(ba) Chapter 8A (safeguards for processing for research, archiving or statistical purposes);

(c) Chapter IX (specific processing situations).

(5) A controller is not obliged to comply with Article 15(1) to (3) of the UK GDPR (right of access by the data subject) in relation to personal data to which the UK GDPR applies by virtue of Article 2(1A) if—

(a) the request under Article 15 does not contain a description of the personal data, or

(b) the controller estimates that the cost of complying with the request so far as relating to the personal data would exceed the appropriate maximum.

(6) Subsection (5)(b) does not remove the controller's obligation to confirm whether or not personal data concerning the data subject is being processed unless the estimated cost of complying with that obligation alone in relation to the personal data would exceed the appropriate maximum.

(7) An estimate for the purposes of this section must be made in accordance with regulations under section 12(5) of the Freedom of Information Act 2000.

(8) In subsections (5) and (6), “ the appropriate maximum ” means the maximum amount specified by the Secretary of State by regulations.

(9) Regulations under subsection (8) are subject to the negative resolution procedure.

Section 25Manual unstructured data used in longstanding historical research

(1) The provisions of the UK GDPR listed in subsection (2) do not apply to personal data to which the UK GDPR applies by virtue of Article 2(1A) (manual unstructured personal data held by FOI public authorities) at any time when—

(a) the personal data—

(i) is subject to processing which was already underway immediately before 24 October 1998, and

(ii) is processed only for the purposes of historical research, and

(b) the processing is not carried out—

(i) for the purposes of measures or decisions with respect to a particular data subject, or

(ii) in a way that causes, or is likely to cause, substantial damage or substantial distress to a data subject.

(2) Those provisions are—

(a) in Chapter II ...(principles), Article 5(1)(d) (the accuracy principle), and

(b) in Chapter III ... (rights of the data subject)—

(i) Article 16 (right to rectification), and

(ii) Article 17(1) and (2) (right to erasure).

(3) The exemptions in this section apply in addition to the exemptions in section 24.

Section 26National security and defence exemption

(1) A provision of the UK GDPR or this Act mentioned in subsection (2) does not apply to personal data to which the UK GDPR applies if exemption from the provision is required for—

(a) the purpose of safeguarding national security, or

(b) defence purposes.

(2) The provisions are—

(a) Chapter II of the UK GDPR (principles) except for—

(i) Article 5(1)(a) (lawful, fair and transparent processing), so far as it requires processing of personal data to be lawful;

(ii) Article 6 (lawfulness of processing);

(iii) Article 9 (processing of special categories of personal data);

(b) Chapter III of the UK GDPR (rights of data subjects);

(c) in Chapter IV of the UK GDPR —

(i) Article 33 (notification of personal data breach to the Commissioner);

(ii) Article 34 (communication of personal data breach to the data subject);

(d) Chapter V of the UK GDPR (transfers of personal data to third countries or international organisations);

(e) in Chapter VI of the UK GDPR —

(i) Article 57(1)(a) and (h) (Commissioner's duties to monitor and enforce the UK GDPR and to conduct investigations);

(ii) Article 58 (investigative, corrective, authorisation and advisory powers of Commissioner);

(f) Chapter VIII of the UK GDPR (remedies, liabilities and penalties) except for—

(ai) Article 77 (right to lodge a complaint with the Commissioner);

(i) Article 83 (general conditions for imposing administrative fines);

(ii) Article 84 (penalties);

(fa) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(g) in Part 5 of this Act—

(i) in section 115 (general functions of the Commissioner), subsections (3) and (8);

(ii) in section 115, subsection (9), so far as it relates to Article 58(2)(i) of the UK GDPR ;

(iii) section 119 (inspection in accordance with international obligations);

(iv) section 119A (standard clauses for transfers to third countries);

(h) in Part 6 of this Act—

(i) sections 142 to 154 and Schedule 15 (Commissioner's notices and powers of entry and inspection);

(ii) sections 170 to 173 (offences relating to personal data);

(i) in Part 7 of this Act, section 187 (representation of data subjects).

Section 27National security: certificate

(1) Subject to subsection (3), a certificate signed by a Minister of the Crown certifying that exemption from all or any of the provisions listed in section 26(2) is, or at any time was, required in relation to any personal data for the purpose of safeguarding national security is conclusive evidence of that fact.

(2) A certificate under subsection (1)—

(a) may identify the personal data to which it applies by means of a general description, and

(b) may be expressed to have prospective effect.

(3) Any person directly affected by a certificate under subsection (1) may appeal to the Tribunal against the certificate.

(4) If, on an appeal under subsection (3), the Tribunal finds that, applying the principles applied by a court on an application for judicial review, the Minister did not have reasonable grounds for issuing a certificate, the Tribunal may—

(a) allow the appeal, and

(b) quash the certificate.

(5) Where, in any proceedings under or by virtue of the UK GDPR or this Act, it is claimed by a controller that a certificate under subsection (1) which identifies the personal data to which it applies by means of a general description applies to any personal data, another party to the proceedings may appeal to the Tribunal on the ground that the certificate does not apply to the personal data in question.

(6) But, subject to any determination under subsection (7), the certificate is to be conclusively presumed so to apply.

(7) On an appeal under subsection (5), the Tribunal may determine that the certificate does not so apply.

(8) A document purporting to be a certificate under subsection (1) is to be—

(a) received in evidence, and

(b) deemed to be such a certificate unless the contrary is proved.

(9) A document which purports to be certified by or on behalf of a Minister of the Crown as a true copy of a certificate issued by that Minister under subsection (1) is—

(a) in any legal proceedings, evidence of that certificate;

(b) in any legal proceedings in Scotland, sufficient evidence of that certificate.

(10) The power conferred by subsection (1) on a Minister of the Crown is exercisable only by—

(a) a Minister who is a member of the Cabinet, or

(b) the Attorney General or the Advocate General for Scotland.

Section 28National security and defence: modifications to Articles 9 and 32 of the UK GDPR

(1) Article 9(1) of the UK GDPR (prohibition on processing of special categories of personal data) does not prohibit the processing of personal data to which the UK GDPR applies to the extent that the processing is carried out—

(a) for the purpose of safeguarding national security or for defence purposes, and

(b) with appropriate safeguards for the rights and freedoms of data subjects.

(2) Article 32 of the UK GDPR (security of processing) does not apply to a controller or processor to the extent that the controller or the processor (as the case may be) is processing personal data to which the UK GDPR applies for—

(a) the purpose of safeguarding national security, or

(b) defence purposes.

(3) Where Article 32 of the UK GDPR does not apply, the controller or the processor must implement security measures appropriate to the risks arising from the processing of the personal data.

(4) For the purposes of subsection (3), where the processing of personal data is carried out wholly or partly by automated means, the controller or the processor must, following an evaluation of the risks, implement measures designed to—

(a) prevent unauthorised processing or unauthorised interference with the systems used in connection with the processing,

(b) ensure that it is possible to establish the precise details of any processing that takes place,

(c) ensure that any systems used in connection with the processing function properly and may, in the case of interruption, be restored, and

(d) ensure that stored personal data cannot be corrupted if a system used in connection with the processing malfunctions.

(5) The functions conferred on the Commissioner in relation to the UK GDPR by Articles 57(1)(a), (d), (e), (h) and (u) and 58(1)(d) and (2)(a) to (d) of the UK GDPR (which are subject to safeguards set out in section 115) include functions in relation to subsection (3).

Section 29Processing to which this Part applies

(1) This Part applies to—

(a) the processing by a competent authority of personal data wholly or partly by automated means, and

(b) the processing by a competent authority otherwise than by automated means of personal data which forms part of a filing system or is intended to form part of a filing system.

(1A) This Part does not apply to processing to which Part 4 applies by virtue of a designation notice (see section 82A).

(2) Any reference in this Part to the processing of personal data is to processing to which this Part applies.

(3) For the meaning of “competent authority”, see section 30.

Section 30Meaning of “competent authority”

(1) In this Part, “ competent authority ” means—

(a) a person specified or described in Schedule 7, and

(b) any other person if and to the extent that the person has statutory functions for any of the law enforcement purposes.

(2) But an intelligence service is not a competent authority within the meaning of this Part.

(3) The Secretary of State may by regulations amend Schedule 7—

(a) so as to add or remove a person or description of person;

(b) so as to reflect any change in the name of a person specified in the Schedule.

(4) Regulations under subsection (3) which make provision of the kind described in subsection (3)(a) may also make consequential amendments of section 73(4)(b).

(5) Regulations under subsection (3) which make provision of the kind described in subsection (3)(a), or which make provision of that kind and of the kind described in subsection (3)(b), are subject to the affirmative resolution procedure.

(6) Regulations under subsection (3) which make provision only of the kind described in subsection (3)(b) are subject to the negative resolution procedure.

(7) In this section—

“ intelligence service ” means—

the Security Service;

the Secret Intelligence Service;

the Government Communications Headquarters;

“ statutory function ” means a function under or by virtue of an enactment.

Section 31“The law enforcement purposes”

For the purposes of this Part, “the law enforcement purposes” are the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

Section 32Meaning of “controller” and “processor”

(1) In this Part, “ controller ” means the competent authority which, alone or jointly with others—

(a) determines the purposes and means of the processing of personal data, or

(b) is the controller by virtue of subsection (2).

(2) Where personal data is processed only—

(a) for purposes for which it is required by an enactment to be processed, and

(b) by means by which it is required by an enactment to be processed,

the competent authority on which the obligation to process the data is imposed by the enactment (or, if different, one of the enactments) is the controller.

(3) In this Part, “ processor ” means any person who processes personal data on behalf of the controller (other than a person who is an employee of the controller).

Section 33Other definitions

(1) This section defines certain other expressions used in this Part.

(2) “ Employee ”, in relation to any person, includes an individual who holds a position (whether paid or unpaid) under the direction and control of that person.

(3) “ Personal data breach ” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

(4) “ Profiling ” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict aspects concerning that individual's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

(5) “ Recipient ”, in relation to any personal data, means any person to whom the data is disclosed, whether a third party or not, but it does not include a public authority to whom disclosure is or may be made in the framework of a particular inquiry in accordance with the law.

(6) “ Restriction of processing ” means the marking of stored personal data with the aim of limiting its processing for the future.

(6A) “ Sensitive processing ” has the meaning given in section 35(8).

(7) “ Third country ” means a country or territory outside the United Kingdom .

(8) Sections 3 and 205 include definitions of other expressions used in this Part.

Section 34Overview and general duty of controller

(1) This Chapter sets out the six data protection principles as follows—

(a) section 35(1) sets out the first data protection principle (requirement that processing be lawful and fair);

(b) section 36(1) sets out the second data protection principle (requirement that purposes of processing be specified, explicit and legitimate);

(c) section 37 sets out the third data protection principle (requirement that personal data be adequate, relevant and not excessive);

(d) section 38(1) sets out the fourth data protection principle (requirement that personal data be accurate and kept up to date);

(e) section 39(1) sets out the fifth data protection principle (requirement that personal data be kept for no longer than is necessary);

(f) section 40 sets out the sixth data protection principle (requirement that personal data be processed in a secure manner).

(2) In addition—

(a) each of sections 35, 36, 38 and 39 makes provision to supplement the principle to which it relates, and

(b) sections 41 and 42 make provision about the safeguards that apply in relation to certain types of processing.

(3) The controller in relation to personal data is responsible for, and must be able to demonstrate, compliance with this Chapter.

Section 35The first data protection principle

(1) The first data protection principle is that the processing of personal data for any of the law enforcement purposes must be lawful and fair.

(2) The processing of personal data for any of the law enforcement purposes is lawful only if and to the extent that it is based on law and either—

(a) the data subject has given consent to the processing for that purpose, or

(b) the processing is necessary for the performance of a task carried out for that purpose by a competent authority.

(3) In addition, where the processing for any of the law enforcement purposes is sensitive processing, the processing is permitted only in the two cases set out in subsections (4) and (5).

(4) The first case is where—

(a) the data subject has given consent to the processing for the law enforcement purpose as mentioned in subsection (2)(a), and

(b) at the time when the processing is carried out, the controller has an appropriate policy document in place (see section 42).

(5) The second case is where—

(a) the processing is strictly necessary for the law enforcement purpose,

(b) the processing meets at least one of the conditions in Schedule 8, and

(c) at the time when the processing is carried out, the controller has an appropriate policy document in place (see section 42).

(6) The Secretary of State may by regulations amend Schedule 8—

(a) by adding conditions;

(b) by varying or omitting conditions added by regulations under paragraph (a).

(7) Regulations under subsection (6) are subject to the affirmative resolution procedure.

(8) In this Part , “ sensitive processing ” means—

(a) the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;

(b) the processing of genetic data, or of biometric data, for the purpose of uniquely identifying an individual;

(c) the processing of data concerning health;

(d) the processing of data concerning an individual's sex life or sexual orientation.

Section 36The second data protection principle

(1) The second data protection principle is that—

(a) the law enforcement purpose for which personal data is collected (whether from the data subject or otherwise) must be specified, explicit and legitimate, and

(b) personal data so collected must not be processed by or on behalf of a controller in a manner that is incompatible with the purpose for which the controller collected it .

(2) Paragraph (b) of the second data protection principle is subject to subsections (3) and (4).

(3) Personal data collected for a law enforcement purpose may be processed for any other law enforcement purpose (whether by the controller that collected the data or by another controller) provided that—

(a) the controller is authorised by law to process the data for the other purpose, and

(b) the processing is necessary and proportionate to that other purpose.

(4) Personal data collected for any of the law enforcement purposes may not be processed for a purpose that is not a law enforcement purpose unless the processing is authorised by law.

Section 37The third data protection principle

The third data protection principle is that personal data processed for any of the law enforcement purposes must be adequate, relevant and not excessive in relation to the purpose for which it is processed.

Section 38The fourth data protection principle

(1) The fourth data protection principle is that—

(a) personal data processed for any of the law enforcement purposes must be accurate and, where necessary, kept up to date, and

(b) every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the law enforcement purpose for which it is processed, is erased or rectified without delay.

(2) In processing personal data for any of the law enforcement purposes, personal data based on facts must, so far as possible, be distinguished from personal data based on personal assessments.

(3) In processing personal data for any of the law enforcement purposes, a clear distinction must, where relevant and as far as possible, be made between personal data relating to different categories of data subject, such as—

(a) persons suspected of having committed or being about to commit a criminal offence;

(b) persons convicted of a criminal offence;

(c) persons who are or may be victims of a criminal offence;

(d) witnesses or other persons with information about offences.

(4) All reasonable steps must be taken to ensure that personal data which is inaccurate, incomplete or no longer up to date is not transmitted or made available for any of the law enforcement purposes.

(5) For that purpose—

(a) the quality of personal data must be verified before it is transmitted or made available,

(b) in all transmissions of personal data, the necessary information enabling the recipient to assess the degree of accuracy, completeness and reliability of the data and the extent to which it is up to date must be included, and

(c) if, after personal data has been transmitted, it emerges that the data was incorrect or that the transmission was unlawful, the recipient must be notified without delay.

Section 39The fifth data protection principle

(1) The fifth data protection principle is that personal data processed for any of the law enforcement purposes must be kept for no longer than is necessary for the purpose for which it is processed.

(2) Appropriate time limits must be established for the periodic review of the need for the continued storage of personal data for any of the law enforcement purposes.

Section 40The sixth data protection principle

The sixth data protection principle is that personal data processed for any of the law enforcement purposes must be so processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (and, in this principle, “ appropriate security ” includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage).

Section 41Safeguards: archiving

(1) This section applies in relation to the processing of personal data for a law enforcement purpose where the processing is carried out —

(a) for archiving purposes in the public interest,

(b) for scientific or historical research purposes, or

(c) for statistical purposes.

(2) The processing is not permitted if—

(a) it is carried out for the purposes of, or in connection with, measures or decisions with respect to a particular data subject, or

(b) it is likely to cause substantial damage or substantial distress to a data subject.

Section 42Safeguards: sensitive processing

(1) This section applies for the purposes of section 35(4) and (5) (which require a controller to have an appropriate policy document in place when carrying out sensitive processing in reliance on the consent of the data subject or, as the case may be, in reliance on a condition specified in Schedule 8).

(2) The controller has an appropriate policy document in place in relation to the sensitive processing if the controller has produced a document which—

(a) explains the controller's procedures for securing compliance with the data protection principles (see section 34(1)) in connection with sensitive processing in reliance on the consent of the data subject or (as the case may be) in reliance on the condition in question, and

(b) explains the controller's policies as regards the retention and erasure of personal data processed in reliance on the consent of the data subject or (as the case may be) in reliance on the condition in question, giving an indication of how long such personal data is likely to be retained.

(3) Where personal data is processed on the basis that an appropriate policy document is in place, the controller must during the relevant period—

(a) retain the appropriate policy document,

(b) review and (if appropriate) update it from time to time, and

(c) make it available to the Commissioner, on request, without charge.

(4) The record maintained by the controller under section 61(1) and, where the sensitive processing is carried out by a processor on behalf of the controller, the record maintained by the processor under section 61(3) must include the following information—

(a) whether the sensitive processing is carried out in reliance on the consent of the data subject or, if not, which condition in Schedule 8 is relied on,

(b) how the processing satisfies section 35 (lawfulness of processing), and

(c) whether the personal data is retained and erased in accordance with the policies described in subsection (2)(b) and, if it is not, the reasons for not following those policies.

(5) In this section, “ relevant period ”, in relation to sensitive processing in reliance on the consent of the data subject or in reliance on a condition specified in Schedule 8, means a period which—

(a) begins when the controller starts to carry out the sensitive processing in reliance on the data subject's consent or (as the case may be) in reliance on that condition, and

(b) ends at the end of the period of 6 months beginning when the controller ceases to carry out the processing.

Section 42AFurther provision about sensitive processing

(1) The Secretary of State may by regulations—

(a) make provision so that an additional description of processing of personal data is sensitive processing for the purposes of this Part,

(b) make provision so that added processing is not sensitive processing for the purposes of this Part,

(c) make provision so that a protected condition in Schedule 8 may or may not be relied on in connection with added processing, and

(d) make provision varying such a condition as it relates to added processing.

(2) In subsection (1)—

“ added processing ” means a description of processing which is sensitive processing by virtue of provision made under subsection (1)(a);

“ protected condition in Schedule 8 ” means a condition in that Schedule other than one that was added to the Schedule by regulations under section 35(6).

(3) Regulations under this section may amend this Part and sections 205 and 206.

(4) Regulations under this section are subject to the affirmative resolution procedure.

Section 43Overview and scope

(1) This Chapter—

(a) imposes general duties on the controller to make information available (see sections 44 and 45A );

(b) confers a right of access by the data subject (see sections 45 and 45A );

(c) confers rights on the data subject with respect to the rectification of personal data and the erasure of personal data or the restriction of its processing (see sections 46 to 48);

(d) regulates automated decision-making (see sections 50A to 50D );

(e) makes supplementary provision (see sections 51 to 54).

(2) This Chapter applies only in relation to the processing of personal data for a law enforcement purpose.

(3) But sections 44 to 48 do not apply in relation to the processing of relevant personal data in the course of a criminal investigation or criminal proceedings, including proceedings for the purpose of executing a criminal penalty.

(4) In subsection (3), “ relevant personal data ” means personal data contained in a judicial decision or in other documents relating to the investigation or proceedings which are created by or on behalf of a court or other judicial authority.

(5) In this Chapter, “ the controller ”, in relation to a data subject, means the controller in relation to personal data relating to the data subject.

Section 44... Controller's general duties

(1) The controller must make available to data subjects the following information (whether by making the information generally available to the public or in any other way)—

(a) the identity and the contact details of the controller;

(b) where applicable, the contact details of the data protection officer (see sections 69 to 71);

(c) the purposes for which the controller processes personal data;

(d) the existence of the rights of data subjects to request from the controller—

(i) access to personal data (see section 45),

(ii) rectification of personal data (see section 46), and

(iii) erasure of personal data or the restriction of its processing (see section 47);

(e) the existence of the right to lodge a complaint with the Commissioner and the contact details of the Commissioner.

(2) The controller must also, in specific cases for the purpose of enabling the exercise of a data subject's rights under this Part, give the data subject the following—

(a) information about the legal basis for the processing;

(b) information about the period for which the personal data will be stored or, where that is not possible, about the criteria used to determine that period;

(c) where applicable, information about the categories of recipients of the personal data (including recipients in third countries or international organisations);

(d) such further information as is necessary to enable the exercise of the data subject's rights under this Part.

(3) An example of where further information may be necessary as mentioned in subsection (2)(d) is where the personal data being processed was collected without the knowledge of the data subject.

(4) The controller may restrict, wholly or partly, the provision of information to the data subject under subsection (2) to the extent that and for so long as the restriction is, having regard to the fundamental rights and legitimate interests of the data subject, a necessary and proportionate measure to—

(a) avoid obstructing an official or legal inquiry, investigation or procedure;

(b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;

(c) protect public security;

(d) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(e) protect the rights and freedoms of others.

(5) Where the provision of information to a data subject under subsection (2) is restricted under subsection (4) , wholly or partly, the controller must inform the data subject in writing without undue delay—

(a) that the provision of information has been restricted,

(b) of the reasons for the restriction,

(c) of the data subject's right to make a request to the Commissioner under section 51,

(d) of the data subject's right to lodge a complaint with the Commissioner, and

(e) of the data subject's right to apply to a court under section 167.

(6) Subsection (5)(a) and (b) do not apply to the extent that complying with them would undermine the purpose of the restriction.

(7) The controller must—

(a) record the reasons for a decision to restrict (whether wholly or partly) the provision of information to a data subject under subsection (2) in reliance on subsection (4) , and

(b) if requested to do so by the Commissioner, make the record available to the Commissioner.

Section 45Right of access by the data subject

(1) A data subject is entitled to obtain from the controller—

(a) confirmation as to whether or not personal data concerning him or her is being processed, and

(b) where that is the case, access to the personal data and the information set out in subsection (2).

(2) That information is—

(a) the purposes of and legal basis for the processing;

(b) the categories of personal data concerned;

(c) the recipients or categories of recipients to whom the personal data has been disclosed (including recipients or categories of recipients in third countries or international organisations);

(d) the period for which it is envisaged that the personal data will be stored or, where that is not possible, the criteria used to determine that period;

(e) the existence of the data subject's rights to request from the controller—

(i) rectification of personal data (see section 46), and

(ii) erasure of personal data or the restriction of its processing (see section 47);

(f) the existence of the data subject's right to lodge a complaint with the Commissioner and the contact details of the Commissioner;

(g) communication of the personal data undergoing processing and of any available information as to its origin.

(2A) Under subsection (1), the data subject is only entitled to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information described in that subsection.

(3) Where a data subject makes a request under subsection (1), the information to which the data subject is entitled must be provided in writing —

(a) without undue delay, and

(b) in any event, before the end of the applicable time period (as to which see section 54).

(4) The controller may restrict, wholly or partly, the rights conferred by subsection (1) to the extent that and for so long as the restriction is, having regard to the fundamental rights and legitimate interests of the data subject, a necessary and proportionate measure to—

(a) avoid obstructing an official or legal inquiry, investigation or procedure;

(b) avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;

(c) protect public security;

(d) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

(e) protect the rights and freedoms of others.

(5) Where the rights of a data subject under subsection (1) are restricted under subsection (4) , wholly or partly, the controller must inform the data subject in writing without undue delay and in any event before the end of the applicable time period (as to which see section 54) —

(a) that the rights of the data subject have been restricted,

(b) of the reasons for the restriction,

(c) of the data subject's right to make a request to the Commissioner under section 51,

(d) of the data subject's right to lodge a complaint with the Commissioner, and

(e) of the data subject's right to apply to a court under section 167.

(6) Subsection (5)(a) and (b) do not apply to the extent that the provision of the information would undermine the purpose of the restriction.

(7) The controller must—

(a) record the reasons for a decision to restrict (whether wholly or partly) the rights of a data subject under subsection (1) in reliance on subsection (4) , and

(b) if requested to do so by the Commissioner, make the record available to the Commissioner.

1,138 sections

Cite this legislation

Data Protection Act 2018 (legislation.gov.uk, OGL v3.0). Retrieved via LawPlayer, https://lawplayer.com/uk/act/ukpga-2018-12

Contains public sector information licensed under the Open Government Licence v3.0.

OGL-3

本頁資料來源:legislation.gov.uk (The National Archives)·整理提供:法律人 LawPlayer· lawplayer.com