1. Introductory Text

  2. PART 1 Preliminary

    1. 1.Overview

    2. 2.Protection of personal data

    3. 3.Terms relating to the processing of personal data

  3. PART 2 General processing

    1. CHAPTER 1 Scope and definitions

      1. 4.Processing to which this Part applies

      2. 5.Definitions

    2. CHAPTER 2 The GDPR

      1. Meaning of certain terms used in the GDPR

        1. 6.Meaning of “controller”

        2. 7.Meaning of “public authority” and “public body”

      2. Lawfulness of processing

        1. 8.Lawfulness of processing: public interest etc

        2. 9.Child’s consent in relation to information society services

      3. Special categories of personal data

        1. 10.Special categories of personal data and criminal convictions etc data

        2. 11.Special categories of personal data etc: supplementary

      4. Rights of the data subject

        1. 12.Limits on fees that may be charged by controllers

        2. 13.Obligations of credit reference agencies

        3. 14.Automated decision-making authorised by law: safeguards

      5. Restrictions on data subject's rights

        1. 15.Exemptions etc

        2. 16.Power to make further exemptions etc by regulations

      6. Accreditation of certification providers

        1. 17.Accreditation of certification providers

      7. Transfers of personal data to third countries etc

        1. 18.Transfers of personal data to third countries etc

      8. Specific processing situations

        1. 19.Processing for archiving, research and statistical purposes: safeguards

      9. Minor definition

        1. 20.Meaning of “court”

    3. CHAPTER 3 Other general processing

      1. Scope

        1. 21.Processing to which this Chapter applies

      2. Application of the GDPR

        1. 22.Application of the GDPR to processing to which this Chapter applies

        2. 23.Power to make provision in consequence of regulations related to the GDPR

      3. Exemptions etc

        1. 24.Manual unstructured data held by FOI public authorities

        2. 25.Manual unstructured data used in longstanding historical research

        3. 26.National security and defence exemption

        4. 27.National security: certificate

        5. 28.National security and defence: modifications to Articles 9 and 32 of the applied GDPR

  4. PART 3 Law enforcement processing

    1. CHAPTER 1 Scope and definitions

      1. Scope

        1. 29.Processing to which this Part applies

      2. Definitions

        1. 30.Meaning of “competent authority”

        2. 31.“The law enforcement purposes”

        3. 32.Meaning of “controller” and “processor”

        4. 33.Other definitions

    2. CHAPTER 2 Principles

      1. 34.Overview and general duty of controller

      2. 35.The first data protection principle

      3. 36.The second data protection principle

      4. 37.The third data protection principle

      5. 38.The fourth data protection principle

      6. 39.The fifth data protection principle

      7. 40.The sixth data protection principle

      8. 41.Safeguards: archiving

      9. 42.Safeguards: sensitive processing

    3. CHAPTER 3 Rights of the data subject

      1. Overview and scope

        1. 43.Overview and scope

      2. Information: controller's general duties

        1. 44.Information: controller’s general duties

      3. Data subject's right of access

        1. 45.Right of access by the data subject

      4. Data subject's rights to rectification or erasure etc

        1. 46.Right to rectification

        2. 47.Right to erasure or restriction of processing

        3. 48.Rights under section 46 or 47: supplementary

      5. Automated individual decision-making

        1. 49.Right not to be subject to automated decision-making

        2. 50.Automated decision-making authorised by law: safeguards

      6. Supplementary

        1. 51.Exercise of rights through the Commissioner

        2. 52.Form of provision of information etc

        3. 53.Manifestly unfounded or excessive requests by the data subject

        4. 54.Meaning of “applicable time period”

    4. CHAPTER 4 Controller and processor

      1. Overview and scope

        1. 55.Overview and scope

      2. General obligations

        1. 56.General obligations of the controller

        2. 57.Data protection by design and default

        3. 58.Joint controllers

        4. 59.Processors

        5. 60.Processing under the authority of the controller or processor

        6. 61.Records of processing activities

        7. 62.Logging

        8. 63.Co-operation with the Commissioner

        9. 64.Data protection impact assessment

        10. 65.Prior consultation with the Commissioner

      3. Obligations relating to security

        1. 66.Security of processing

      4. Obligations relating to personal data breaches

        1. 67.Notification of a personal data breach to the Commissioner

        2. 68.Communication of a personal data breach to the data subject

      5. Data protection officers

        1. 69.Designation of a data protection officer

        2. 70.Position of data protection officer

        3. 71.Tasks of data protection officer

    5. CHAPTER 5 Transfers of personal data to third countries etc

      1. Overview and interpretation

        1. 72.Overview and interpretation

      2. General principles for transfers

        1. 73.General principles for transfers of personal data

        2. 74.Transfers on the basis of an adequacy decision

        3. 75.Transfers on the basis of appropriate safeguards

        4. 76.Transfers on the basis of special circumstances

      3. Transfers to particular recipients

        1. 77.Transfers of personal data to persons other than relevant authorities

      4. Subsequent transfers

        1. 78.Subsequent transfers

    6. CHAPTER 6 Supplementary

      1. 79.National security: certificate

      2. 80.Special processing restrictions

      3. 81.Reporting of infringements

  5. PART 4 Intelligence services processing

    1. CHAPTER 1 Scope and definitions

      1. Scope

        1. 82.Processing to which this Part applies

      2. Definitions

        1. 83.Meaning of “controller” and “processor”

        2. 84.Other definitions

    2. CHAPTER 2 Principles

      1. Overview

        1. 85.Overview

      2. The data protection principles

        1. 86.The first data protection principle

        2. 87.The second data protection principle

        3. 88.The third data protection principle

        4. 89.The fourth data protection principle

        5. 90.The fifth data protection principle

        6. 91.The sixth data protection principle

    3. CHAPTER 3 Rights of the data subject

      1. Overview

        1. 92.Overview

      2. Rights

        1. 93.Right to information

        2. 94.Right of access

        3. 95.Right of access: supplementary

        4. 96.Right not to be subject to automated decision-making

        5. 97.Right to intervene in automated decision-making

        6. 98.Right to information about decision-making

        7. 99.Right to object to processing

        8. 100.Rights to rectification and erasure

    4. CHAPTER 4 Controller and processor

      1. Overview

        1. 101.Overview

      2. General obligations

        1. 102.General obligations of the controller

        2. 103.Data protection by design

        3. 104.Joint controllers

        4. 105.Processors

        5. 106.Processing under the authority of the controller or processor

      3. Obligations relating to security

        1. 107.Security of processing

      4. Obligations relating to personal data breaches

        1. 108.Communication of a personal data breach

    5. CHAPTER 5 Transfers of personal data outside the United Kingdom

      1. 109.Transfers of personal data outside the United Kingdom

    6. CHAPTER 6 Exemptions

      1. 110.National security

      2. 111.National security: certificate

      3. 112.Other exemptions

      4. 113.Power to make further exemptions

  6. PART 5 The Information Commissioner

    1. The Commissioner

      1. 114.The Information Commissioner

    2. General functions

      1. 115.General functions under the GDPR and safeguards

      2. 116.Other general functions

      3. 117.Competence in relation to courts etc

    3. International role

      1. 118.Co-operation and mutual assistance

      2. 119.Inspection of personal data in accordance with international obligations

      3. 120.Further international role

    4. Codes of practice

      1. 121.Data-sharing code

      2. 122.Direct marketing code

      3. 123.Age-appropriate design code

      4. 124.Data protection and journalism code

      5. 125.Approval of codes prepared under sections 121 to 124

      6. 126.Publication and review of codes issued under section 125(4)

      7. 127.Effect of codes issued under section 125(4)

      8. 128.Other codes of practice

    5. Consensual audits

      1. 129.Consensual audits

    6. Records of national security certificates

      1. 130.Records of national security certificates

    7. Information provided to the Commissioner

      1. 131.Disclosure of information to the Commissioner

      2. 132.Confidentiality of information

      3. 133.Guidance about privileged communications

    8. Fees

      1. 134.Fees for services

      2. 135.Manifestly unfounded or excessive requests by data subjects etc

      3. 136.Guidance about fees

    9. Charges

      1. 137.Charges payable to the Commissioner by controllers

      2. 138.Regulations under section 137: supplementary

    10. Reports etc

      1. 139.Reporting to Parliament

      2. 140.Publication by the Commissioner

      3. 141.Notices from the Commissioner

  7. PART 6 Enforcement

    1. Information notices

      1. 142.Information notices

      2. 143.Information notices: restrictions

      3. 144.False statements made in response to information notices

      4. 145.Information orders

    2. Assessment notices

      1. 146.Assessment notices

      2. 147.Assessment notices: restrictions

    3. Information notices and assessment notices: destruction of documents etc

      1. 148.Destroying or falsifying information and documents etc

    4. Enforcement notices

      1. 149.Enforcement notices

      2. 150.Enforcement notices: supplementary

      3. 151.Enforcement notices: rectification and erasure of personal data etc

      4. 152.Enforcement notices: restrictions

      5. 153.Enforcement notices: cancellation and variation

    5. Powers of entry and inspection

      1. 154.Powers of entry and inspection

    6. Penalties

      1. 155.Penalty notices

      2. 156.Penalty notices: restrictions

      3. 157.Maximum amount of penalty

      4. 158.Fixed penalties for non-compliance with charges regulations

      5. 159.Amount of penalties: supplementary

    7. Guidance

      1. 160.Guidance about regulatory action

      2. 161.Approval of first guidance about regulatory action

    8. Appeals etc

      1. 162.Rights of appeal

      2. 163.Determination of appeals

      3. 164.Applications in respect of urgent notices

    9. Complaints

      1. 165.Complaints by data subjects

      2. 166.Orders to progress complaints

    10. Remedies in the court

      1. 167.Compliance orders

      2. 168.Compensation for contravention of the GDPR

      3. 169.Compensation for contravention of other data protection legislation

    11. Offences relating to personal data

      1. 170.Unlawful obtaining etc of personal data

      2. 171.Re-identification of de-identified personal data

      3. 172.Re-identification: effectiveness testing conditions

      4. 173.Alteration etc of personal data to prevent disclosure to data subject

    12. The special purposes

      1. 174.The special purposes

      2. 175.Provision of assistance in special purposes proceedings

      3. 176.Staying special purposes proceedings

      4. 177.Guidance about how to seek redress against media organisations

      5. 178.Review of processing of personal data for the purposes of journalism

      6. 179.Effectiveness of the media’s dispute resolution procedures

    13. Jurisdiction of courts

      1. 180.Jurisdiction

    14. Definitions

      1. 181.Interpretation of Part 6

  8. PART 7 Supplementary and final provision

    1. Regulations under this Act

      1. 182.Regulations and consultation

    2. Changes to the Data Protection Convention

      1. 183.Power to reflect changes to the Data Protection Convention

    3. Rights of the data subject

      1. 184.Prohibition of requirement to produce relevant records

      2. 185.Avoidance of certain contractual terms relating to health records

      3. 186.Data subject’s rights and other prohibitions and restrictions

    4. Representation of data subjects

      1. 187.Representation of data subjects with their authority

      2. 188.Representation of data subjects with their authority: collective proceedings

      3. 189.Duty to review provision for representation of data subjects

      4. 190.Post-review powers to make provision about representation of data subjects

    5. Framework for Data Processing by Government

      1. 191.Framework for Data Processing by Government

      2. 192.Approval of the Framework

      3. 193.Publication and review of the Framework

      4. 194.Effect of the Framework

    6. Data-sharing: HMRC and reserve forces

      1. 195.Reserve forces: data-sharing by HMRC

    7. Offences

      1. 196.Penalties for offences

      2. 197.Prosecution

      3. 198.Liability of directors etc

      4. 199.Recordable offences

      5. 200.Guidance about PACE codes of practice

    8. The Tribunal

      1. 201.Disclosure of information to the Tribunal

      2. 202.Proceedings in the First-tier Tribunal: contempt

      3. 203.Tribunal Procedure Rules

    9. Interpretation

      1. 204.Meaning of “health professional” and “social work professional”

      2. 205.General interpretation

      3. 206.Index of defined expressions

    10. Territorial application

      1. 207.Territorial application of this Act

    11. General

      1. 208.Children in Scotland

      2. 209.Application to the Crown

      3. 210.Application to Parliament

      4. 211.Minor and consequential provision

    12. Final

      1. 212.Commencement

      2. 213.Transitional provision

      3. 214.Extent

      4. 215.Short title

  9. SCHEDULES

    1. SCHEDULE 1

      Special categories of personal data and criminal convictions etc data

      1. PART 1 Conditions relating to employment, health and research etc

        1. 1.Employment, social security and social protection

        2. 2.Health or social care purposes

        3. 3.Public health

        4. 4.Research etc

      2. PART 2 Substantial public interest conditions

        1. 5.Requirement for an appropriate policy document when relying on conditions in this Part

        2. 6.Statutory etc and government purposes

        3. 7.Administration of justice and parliamentary purposes

        4. 8.Equality of opportunity or treatment

        5. 9.Racial and ethnic diversity at senior levels of organisations

        6. 10.Preventing or detecting unlawful acts

        7. 11.Protecting the public against dishonesty etc

        8. 12.Regulatory requirements relating to unlawful acts and dishonesty etc

        9. 13.Journalism etc in connection with unlawful acts and dishonesty etc

        10. 14.Preventing fraud

        11. 15.Suspicion of terrorist financing or money laundering

        12. 16.Support for individuals with a particular disability or medical condition

        13. 17.Counselling etc

        14. 18.Safeguarding of children and of individuals at risk

        15. 19.Safeguarding of economic well-being of certain individuals

        16. 20.Insurance

        17. 21.Occupational pensions

        18. 22.Political parties

        19. 23.Elected representatives responding to requests

        20. 24.Disclosure to elected representatives

        21. 25.Informing elected representatives about prisoners

        22. 26.Publication of legal judgments

        23. 27.Anti-doping in sport

        24. 28.Standards of behaviour in sport

      3. PART 3 Additional conditions relating to criminal convictions etc

        1. 29.Consent

        2. 30.Protecting individual’s vital interests

        3. 31.Processing by not-for-profit bodies

        4. 32.Personal data in the public domain

        5. 33.Legal claims

        6. 34.Judicial acts

        7. 35.Administration of accounts used in commission of indecency offences involving children

        8. 36.Extension of conditions in Part 2 of this Schedule referring to substantial public interest

        9. 37.Extension of insurance conditions

      4. PART 4 Appropriate policy document and additional safeguards

        1. 38.Application of this Part of this Schedule

        2. 39.Requirement to have an appropriate policy document in place

        3. 40.Additional safeguard: retention of appropriate policy document

        4. 41.Additional safeguard: record of processing

    2. SCHEDULE 2

      Exemptions etc from the GDPR

      1. PART 1 Adaptations and restrictions based on Articles 6(3) and 23(1)

        1. 1.GDPR provisions to be adapted or restricted: “the listed GDPR provisions”

        2. 2.Crime and taxation: general

        3. 3.Crime and taxation: risk assessment systems

        4. 4.Immigration

        5. 5.Information required to be disclosed by law etc or in connection with legal proceedings

      2. PART 2 Restrictions based on Article 23(1): restrictions of rules in Articles 13 to 21 and 34

        1. 6.GDPR provisions to be restricted: “the listed GDPR provisions”

        2. 7.Functions designed to protect the public etc

        3. 8.Audit functions

        4. 9.Functions of the Bank of England

        5. 10.Regulatory functions relating to legal services, the health service and children’s services

        6. 11.Regulatory functions of certain other persons

        7. 12.In the Table in paragraph 11— “consumer protection enforcer” has...

        8. 13.Parliamentary privilege

        9. 14.Judicial appointments, judicial independence and judicial proceedings

        10. 15.Crown honours, dignities and appointments

      3. PART 3 Restriction based on Article 23(1): protection of rights of others

        1. 16.Protection of the rights of others: general

        2. 17.Assumption of reasonableness for health workers, social workers and education workers

      4. PART 4 Restrictions based on Article 23(1): restrictions of rules in Articles 13 to 15

        1. 18.GDPR provisions to be restricted: “the listed GDPR provisions”

        2. 19.Legal professional privilege

        3. 20.Self incrimination

        4. 21.Corporate finance

        5. 22.Management forecasts

        6. 23.Negotiations

        7. 24.Confidential references

        8. 25.Exam scripts and exam marks

      5. PART 5 Exemptions etc based on Article 85(2) for reasons of freedom of expression and information

        1. 26.Journalistic, academic, artistic and literary purposes

      6. PART 6 Derogations etc based on Article 89 for research, statistics and archiving

        1. 27.Research and statistics

        2. 28.Archiving in the public interest

    3. SCHEDULE 3

      Exemptions etc from the GDPR: health, social work, education and child abuse data

      1. PART 1 GDPR provisions to be restricted

        1. 1.In this Schedule “the listed GDPR provisions” means the following...

      2. PART 2 Health data

        1. 2.Definitions

        2. 3.Exemption from the listed GDPR provisions: data processed by a court

        3. 4.Exemption from the listed GDPR provisions: data subject’s expectations and wishes

        4. 5.Exemption from Article 15 of the GDPR: serious harm

        5. 6.Restriction of Article 15 of the GDPR: prior opinion of appropriate health professional

      3. PART 3 Social work data

        1. 7.Definitions

        2. 8.(1) This paragraph applies to personal data falling within any...

        3. 9.Exemption from the listed GDPR provisions: data processed by a court

        4. 10.Exemption from the listed GDPR provisions: data subject’s expectations and wishes

        5. 11.Exemption from Article 15 of the GDPR: serious harm

        6. 12.Restriction of Article 15 of the GDPR: prior opinion of Principal Reporter

      4. PART 4 Education data

        1. 13.Educational records

        2. 14.(1) This paragraph applies to a record of information which—...

        3. 15.(1) This paragraph applies to a record of information which...

        4. 16.(1) This paragraph applies to a record of information which—...

        5. 17.Other definitions

        6. 18.Exemption from the listed GDPR provisions: data processed by a court

        7. 19.Exemption from Article 15 of the GDPR: serious harm

        8. 20.Restriction of Article 15 of the GDPR: prior opinion of Principal Reporter

      5. PART 5 Child abuse data

        1. 21.Exemption from Article 15 of the GDPR: child abuse data

    4. SCHEDULE 4

      Exemptions etc from the GDPR: disclosure prohibited or restricted by an enactment

      1. 1.GDPR provisions to be restricted: “the listed GDPR provisions”

      2. 2.Human fertilisation and embryology information

      3. 3.Adoption records and reports

      4. 4.Statements of special educational needs

      5. 5.Parental order records and reports

      6. 6.Information provided by Principal Reporter for children’s hearing

    5. SCHEDULE 5

      Accreditation of certification providers: reviews and appeals

      1. 1.Introduction

      2. 2.Review

      3. 3.Right to appeal

      4. 4.Appeal panel

      5. 5.Hearing

      6. 6.Decision following referral to appeal panel

      7. 7.Meaning of “working day”

    6. SCHEDULE 6

      The applied GDPR and the applied Chapter 2

      1. PART 1 Modifications to the GDPR

        1. 1.Introductory

        2. 2.References to the GDPR and its provisions

        3. 3.References to Union law and Member State law

        4. 4.References to the Union and to Member States

        5. 5.References to supervisory authorities

        6. 6.References to the national parliament

        7. 7.Chapter I of the GDPR (general provisions)

        8. 8.For Article 3 substitute— Article 3 Territorial application Subsections (1),...

        9. 9.In Article 4 (definitions)— (a) in paragraph (7) (meaning of...

        10. 10.Chapter II of the GDPR (principles)

        11. 11.In Article 8 (conditions applicable to child’s consent in relation...

        12. 12.In Article 9 (processing of special categories of personal data)—...

        13. 13.In Article 10 (processing of personal data relating to criminal...

        14. 14.Section 1 of Chapter III of the GDPR (rights of the data subject: transparency and modalities)

        15. 15.Section 2 of Chapter III of the GDPR (rights of the data subject: information and access to personal data)

        16. 16.In Article 14 (personal data collected other than from data...

        17. 17.Section 3 of Chapter III of the GDPR (rights of the data subject: rectification and erasure)

        18. 18.In Article 18 (right to restriction of processing), in paragraph...

        19. 19.Section 4 of Chapter III of the GDPR (rights of the data subject: right to object and automated individual decision-making)

        20. 20.In Article 22 (automated individual decision-making, including profiling), for paragraph...

        21. 21.Section 5 of Chapter III of the GDPR (rights of the data subject: restrictions)

        22. 22.Section 1 of Chapter IV of the GDPR (controller and processor: general obligations)

        23. 23.Omit Article 27 (representatives of controllers or processors not established...

        24. 24.In Article 28 (processor)— (a) in paragraph 3, in point...

        25. 25.In Article 30 (records of processing activities)—

        26. 26.In Article 31 (co-operation with the supervisory authority), omit “and,...

        27. 27.Section 3 of Chapter IV of the GDPR (controller and processor: data protection impact assessment and prior consultation)

        28. 28.In Article 36 (prior consultation)— (a) for paragraph 4 substitute—...

        29. 29.Section 4 of Chapter IV of the GDPR (controller and processor: data protection officer)

        30. 30.In Article 39 (tasks of the data protection officer), in...

        31. 31.Section 5 of Chapter IV of the GDPR (controller and processor: codes of conduct and certification)

        32. 32.In Article 41 (monitoring of approved codes of conduct), omit...

        33. 33.In Article 42 (certification)— (a) in paragraph 1—

        34. 34.In Article 43 (certification bodies)— (a) in paragraph 1, in...

        35. 35.Chapter V of the GDPR (transfers of data to third countries or international organisations)

        36. 36.In Article 46 (transfers subject to appropriate safeguards)—

        37. 37.In Article 47 (binding corporate rules)— (a) in paragraph 1,...

        38. 38.In Article 49 (derogations for specific situations)—

        39. 39.In Article 50 (international co-operation for the protection of personal...

        40. 40.Section 1 of Chapter VI of the GDPR (independent supervisory authorities: independent status)

        41. 41.In Article 52 (independence)— (a) in paragraph 2—

        42. 42.Omit Article 53 (general conditions for the members of the...

        43. 43.Omit Article 54 (rules on the establishment of the supervisory...

        44. 44.Section 2 of Chapter VI of the GDPR (independent supervisory authorities: competence, tasks and powers)

        45. 45.Omit Article 56 (competence of the lead supervisory authority).

        46. 46.In Article 57 (tasks)— (a) in paragraph 1, in the...

        47. 47.In Article 58 (powers)— (a) in paragraph 1, in point...

        48. 48.In Article 59 (activity reports)— (a) for “, the government...

        49. 49.Chapter VII of the GDPR (co-operation and consistency)

        50. 50.Chapter VIII of the GDPR (remedies, liability and penalties)

        51. 51.In Article 78 (right to an effective judicial remedy against...

        52. 52.In Article 79 (right to an effective judicial remedy against...

        53. 53.In Article 80 (representation of data subjects)—

        54. 54.Omit Article 81 (suspension of proceedings).

        55. 55.In Article 82 (right to compensation and liability), for paragraph...

        56. 56.In Article 83 (general conditions for imposing administrative fines)—

        57. 57.In Article 84 (penalties)— (a) for paragraph 1 substitute— The rules on other penalties applicable to infringements of this...

        58. 58.Chapter IX of the GDPR (provisions relating to specific processing situations)

        59. 59.In Article 86 (processing and public access to official documents),...

        60. 60.Omit Article 87 (processing of national identification number).

        61. 61.Omit Article 88 (processing in the context of employment).

        62. 62.In Article 89 (safeguards and derogations relating to processing for...

        63. 63.Omit Article 90 (obligations of secrecy).

        64. 64.Omit Article 91 (existing data protection rules of churches and...

        65. 65.Chapter X of the GDPR (delegated acts and implementing acts)

        66. 66.Omit Article 93 (committee procedure).

        67. 67.Chapter XI of the GDPR (final provisions)

        68. 68.Omit Article 95 (relationship with Directive 2002/58/EC).

        69. 69.In Article 96 (relationship with previously concluded Agreements), for “by...

        70. 70.Omit Article 97 (Commission reports).

        71. 71.Omit Article 98 (Commission reviews).

        72. 72.Omit Article 99 (entry into force and application).

      2. PART 2 Modifications to Chapter 2 of Part 2

        1. 73.Introductory

        2. 74.General modifications

        3. 75.Exemptions

    7. SCHEDULE 7

      Competent authorities

      1. 1.Any United Kingdom government department other than a non-ministerial government...

      2. 2.The Scottish Ministers.

      3. 3.Any Northern Ireland department.

      4. 4.The Welsh Ministers.

      5. 5.Chief officers of police and other policing bodies

      6. 6.The Commissioner of Police of the Metropolis.

      7. 7.The Commissioner of Police for the City of London.

      8. 8.The Chief Constable of the Police Service of Northern Ireland....

      9. 9.The chief constable of the Police Service of Scotland.

      10. 10.The chief constable of the British Transport Police.

      11. 11.The chief constable of the Civil Nuclear Constabulary.

      12. 12.The chief constable of the Ministry of Defence Police.

      13. 13.The Provost Marshal of the Royal Navy Police.

      14. 14.The Provost Marshal of the Royal Military Police.

      15. 15.The Provost Marshal of the Royal Air Force Police.

      16. 16.The chief officer of— (a) a body of constables appointed...

      17. 17.A body established in accordance with a collaboration agreement under...

      18. 18.The Director General of the Independent Office for Police Conduct....

      19. 19.The Police Investigations and Review Commissioner.

      20. 20.The Police Ombudsman for Northern Ireland.

      21. 21.Other authorities with investigatory functions

      22. 22.The Welsh Revenue Authority.

      23. 23.Revenue Scotland.

      24. 24.The Director General of the National Crime Agency.

      25. 25.The Director of the Serious Fraud Office.

      26. 26.The Director of Border Revenue.

      27. 27.The Financial Conduct Authority.

      28. 28.The Health and Safety Executive.

      29. 29.The Competition and Markets Authority.

      30. 30.The Gas and Electricity Markets Authority.

      31. 31.The Food Standards Agency.

      32. 32.Food Standards Scotland.

      33. 33.Her Majesty’s Land Registry.

      34. 34.The Criminal Cases Review Commission.

      35. 35.The Scottish Criminal Cases Review Commission.

      36. 36.Authorities with functions relating to offender management

      37. 37.The Youth Justice Board for England and Wales.

      38. 38.The Parole Board for England and Wales.

      39. 39.The Parole Board for Scotland.

      40. 40.The Parole Commissioners for Northern Ireland.

      41. 41.The Probation Board for Northern Ireland.

      42. 42.The Prisoner Ombudsman for Northern Ireland.

      43. 43.A person who has entered into a contract for the...

      44. 44.A person who has entered into a contract with the...

      45. 45.A person who is, under or by virtue of any...

      46. 46.A youth offending team established under section 39 of the...

      47. 47.Other authorities

      48. 48.The Director of Public Prosecutions for Northern Ireland.

      49. 49.The Lord Advocate.

      50. 50.A Procurator Fiscal.

      51. 51.The Director of Service Prosecutions.

      52. 52.The Information Commissioner.

      53. 53.The Scottish Information Commissioner.

      54. 54.The Scottish Courts and Tribunal Service.

      55. 55.The Crown agent.

      56. 56.A court or tribunal.

    8. SCHEDULE 8

      Conditions for sensitive processing under Part 3

      1. 1.Statutory etc purposes

      2. 2.Administration of justice

      3. 3.Protecting individual’s vital interests

      4. 4.Safeguarding of children and of individuals at risk

      5. 5.Personal data already in the public domain

      6. 6.Legal claims

      7. 7.Judicial acts

      8. 8.Preventing fraud

      9. 9.Archiving etc

    9. SCHEDULE 9

      Conditions for processing under Part 4

      1. 1.The data subject has given consent to the processing.

      2. 2.The processing is necessary— (a) for the performance of a...

      3. 3.The processing is necessary for compliance with a legal obligation...

      4. 4.The processing is necessary in order to protect the vital...

      5. 5.The processing is necessary— (a) for the administration of justice,...

      6. 6.(1) The processing is necessary for the purposes of legitimate...

    10. SCHEDULE 10

      Conditions for sensitive processing under Part 4

      1. 1.Consent to particular processing

      2. 2.Right or obligation relating to employment

      3. 3.Vital interests of a person

      4. 4.Safeguarding of children and of individuals at risk

      5. 5.Data already published by data subject

      6. 6.Legal proceedings etc

      7. 7.Administration of justice, parliamentary, statutory etc and government purposes

      8. 8.Medical purposes

      9. 9.Equality

    11. SCHEDULE 11

      Other exemptions under Part 4

      1. 1.Preliminary

      2. 2.Crime

      3. 3.Information required to be disclosed by law etc or in connection with legal proceedings

      4. 4.Parliamentary privilege

      5. 5.Judicial proceedings

      6. 6.Crown honours and dignities

      7. 7.Armed forces

      8. 8.Economic well-being

      9. 9.Legal professional privilege

      10. 10.Negotiations

      11. 11.Confidential references given by the controller

      12. 12.Exam scripts and marks

      13. 13.Research and statistics

      14. 14.Archiving in the public interest

    12. SCHEDULE 12

      The Information Commissioner

      1. 1.Status and capacity

      2. 2.Appointment

      3. 3.Resignation and removal

      4. 4.Salary etc

      5. 5.Officers and staff

      6. 6.Carrying out of the Commissioner’s functions by officers and staff

      7. 7.Authentication of the seal of the Commissioner

      8. 8.Presumption of authenticity of documents issued by the Commissioner

      9. 9.Money

      10. 10.Fees etc and other sums

      11. 11.Accounts

      12. 12.Scotland

    13. SCHEDULE 13

      Other general functions of the Commissioner

      1. 1.General tasks

      2. 2.General powers

      3. 3.Definitions

    14. SCHEDULE 14

      Co-operation and mutual assistance

      1. PART 1 Law Enforcement Directive

        1. 1.Co-operation

        2. 2.Requests for information and assistance from LED supervisory authorities

        3. 3.Fees

        4. 4.Restrictions on use of information

        5. 5.LED supervisory authority

      2. PART 2 Data Protection Convention

        1. 6.Co-operation between the Commissioner and foreign designated authorities

        2. 7.Assisting persons resident outside the UK with requests under Article 14 of the Convention

        3. 8.Assisting UK residents with requests under Article 8 of the Convention

        4. 9.Restrictions on use of information

        5. 10.Foreign designated authority

    15. SCHEDULE 15

      Powers of entry and inspection

      1. 1.Issue of warrants in connection with non-compliance and offences

      2. 2.Issue of warrants in connection with assessment notices

      3. 3.Restrictions on issuing warrants: processing for the special purposes

      4. 4.Restrictions on issuing warrants: procedural requirements

      5. 5.Content of warrants

      6. 6.Copies of warrants

      7. 7.Execution of warrants: reasonable force

      8. 8.Execution of warrants: time when executed

      9. 9.Execution of warrants: occupier of premises

      10. 10.Execution of warrants: seizure of documents etc

      11. 11.Matters exempt from inspection and seizure: privileged communications

      12. 12.Matters exempt from inspection and seizure: Parliamentary privilege

      13. 13.Partially exempt material

      14. 14.Return of warrants

      15. 15.Offences

      16. 16.Self-incrimination

      17. 17.Vessels, vehicles etc

      18. 18.Scotland

      19. 19.Northern Ireland

    16. SCHEDULE 16

      Penalties

      1. 1.Meaning of “penalty”

      2. 2.Notice of intent to impose penalty

      3. 3.Contents of notice of intent

      4. 4.Giving a penalty notice

      5. 5.Contents of penalty notice

      6. 6.Period for payment of penalty

      7. 7.Variation of penalty

      8. 8.Cancellation of penalty

      9. 9.Enforcement of payment

    17. SCHEDULE 17

      Review of processing of personal data for the purposes of journalism

      1. 1.Interpretation

      2. 2.Information notices

      3. 3.Assessment notices

      4. 4.Applications in respect of urgent notices

    18. SCHEDULE 18

      Relevant records

      1. 1.Relevant records

      2. 2.Relevant health records

      3. 3.Relevant records relating to a conviction or caution

      4. 4.Relevant records relating to statutory functions

      5. 5.Data subject access right

      6. 6.Records stating that personal data is not processed

      7. 7.Power to amend

    19. SCHEDULE 19

      Minor and consequential amendments

      1. PART 1 Amendments of primary legislation

        1. 1.Registration Service Act 1953 (c. 37)

        2. 2.Veterinary Surgeons Act 1966 (c. 36)

        3. 3.Parliamentary Commissioner Act 1967 (c. 13)

        4. 4.Local Government Act 1974 (c. 7)

        5. 5.In section 33A(1) (disclosure of information by Local Commissioner to...

        6. 6.In section 34O(1) (disclosure of information by Local Commissioner to...

        7. 7.Consumer Credit Act 1974 (c. 39)

        8. 8.In section 157(2A) (duty to disclose name etc of agency)—...

        9. 9.In section 159(1)(a) (correction of wrong information) for “section 7...

        10. 10.In section 189(1) (definitions), at the appropriate place insert— “the...

        11. 11.Pharmacy (Northern Ireland) Order 1976 (S.I. 1976/1213 (N.I. 22))

        12. 12.In article 2(2) (interpretation), omit the definition of “Directive 95/46/EC”....

        13. 13.In article 8D (European professional card), after paragraph (3) insert—...

        14. 14.In article 22A(6) (Directive 2005/36/EC: functions of competent authority etc.),...

        15. 15.(1) Schedule 2C (Directive 2005/36/EC: European professional card) is amended...

        16. 16.(1) The table in Schedule 2D (functions of the Society...

        17. 17.(1) Paragraph 2 of Schedule 3 (fitness to practice: disclosure...

        18. 18.Representation of the People Act 1983 (c. 2)

        19. 19.Medical Act 1983 (c. 54)

        20. 20.(1) Section 29E (evidence) is amended as follows.

        21. 21.(1) Section 35A (General Medical Council’s power to require disclosure...

        22. 22.In section 49B(7) (Directive 2005/36: designation of competent authority etc.),...

        23. 23.In section 55(1) (interpretation), omit the definition of “Directive 95/46/EC”....

        24. 24.(1) Paragraph 9B of Schedule 1 (incidental powers of the...

        25. 25.(1) Paragraph 5A of Schedule 4 (professional performance assessments and...

        26. 26.(1) The table in Schedule 4A (functions of the General...

        27. 27.Dentists Act 1984 (c. 24)

        28. 28.(1) Section 33B (the General Dental Council’s power to require...

        29. 29.In section 36ZA(6) (Directive 2005/36: designation of competent authority etc),...

        30. 30.(1) Section 36Y (the General Dental Council’s power to require...

        31. 31.In section 53(1) (interpretation), omit the definition of “Directive 95/46/EC”....

        32. 32.(1) The table in Schedule 4ZA (Directive 2005/36: functions of...

        33. 33.Companies Act 1985 (c. 6)

        34. 34.Access to Medical Reports Act 1988 (c. 28)

        35. 35.Opticians Act 1989 (c. 44)

        36. 36.Access to Health Records Act 1990 (c. 23)

        37. 37.For section 2 substitute— Health professionals In this Act, “health professional” has the same meaning as...

        38. 38.(1) Section 3 (right of access to health records) is...

        39. 39.Human Fertilisation and Embryology Act 1990 (c. 37)

        40. 40.Trade Union and Labour Relations (Consolidation) Act 1992 (c. 52)

        41. 41.Tribunals and Inquiries Act 1992 (c. 53)

        42. 42.Industrial Relations (Northern Ireland) Order 1992 (S.I. 1992/807 (N.I. 5))

        43. 43.Health Service Commissioners Act 1993 (c. 46)

        44. 44.Data Protection Act 1998 (c. 29)

        45. 45.Crime and Disorder Act 1998 (c. 37)

        46. 46.Food Standards Act 1999 (c. 28)

        47. 47.Immigration and Asylum Act 1999 (c. 33)

        48. 48.Financial Services and Markets Act 2000 (c. 8)

        49. 49.In section 86(9) (exempt offers to the public), for “the...

        50. 50.In section 391A(6)(b) (publication: special provisions relating to the capital...

        51. 51.In section 391C(7)(a) (publication: special provisions relating to the UCITS...

        52. 52.In section 391D(9)(a) (publication: special provisions relating to the markets...

        53. 53.In section 417 (definitions), at the appropriate place insert— “the...

        54. 54.Terrorism Act 2000 (c. 11)

        55. 55.Freedom of Information Act 2000 (c. 36)

        56. 56.In section 2(3) (absolute exemptions), for paragraph (f) substitute—

        57. 57.In section 18 (the Information Commissioner), omit subsection (1).

        58. 58.(1) Section 40 (personal information) is amended as follows.

        59. 59.Omit section 49 (reports to be laid before Parliament).

        60. 60.For section 61 (appeal proceedings) substitute— Appeal proceedings (1) Tribunal Procedure Rules may make provision for regulating the...

        61. 61.In section 76(1) (disclosure of information between Commissioner and ombudsmen),...

        62. 62.After section 76A insert— Disclosure of information to Tribunal (1) No enactment or rule of law prohibiting or restricting...

        63. 63.In section 77(1)(b) (offence of altering etc records with intent...

        64. 64.In section 84 (interpretation), at the appropriate place insert— “the...

        65. 65.Political Parties, Elections and Referendums Act 2000 (c. 41)

        66. 66.Public Finance and Accountability (Scotland) Act 2000 (asp 1)

        67. 67.In section 26B(3)(a) (voluntary disclosure of data to Audit Scotland),...

        68. 68.In section 26C(3)(a) (power to require disclosure of data), for...

        69. 69.In section 29(1) (interpretation), at the appropriate place insert— “the...

        70. 70.Criminal Justice and Police Act 2001 (c. 16)

        71. 71.In section 57(1) (retention of seized items)—

        72. 72.In section 65(7) (meaning of “legal privilege”)—

        73. 73.In Schedule 1 (powers of seizure)— (a) omit paragraph 65,...

        74. 74.Anti-terrorism, Crime and Security Act 2001 (c.24)

        75. 75.(1) Section 19 (disclosure of information held by revenue departments)...

        76. 76.(1) Part 1 of Schedule 4 (extension of existing disclosure...

        77. 77.Health and Personal Social Services Act (Northern Ireland) 2001 (c. 3 (N.I.))

        78. 78.Justice (Northern Ireland) Act 2002 (c. 26)

        79. 79.Proceeds of Crime Act 2002 (c. 29)

        80. 80.In section 333C(2)(d) (other permitted disclosures between institutions etc), for...

        81. 81.In section 436(3)(a) (disclosure of information to certain Directors), for...

        82. 82.In section 438(8)(a) (disclosure of information by certain Directors), for...

        83. 83.In section 439(3)(a) (disclosure of information to Lord Advocate and...

        84. 84.In section 441(7)(a) (disclosure of information by Lord Advocate and...

        85. 85.After section 442 insert— Data protection legislation In this Part, “the data protection legislation” has the same...

        86. 86.Enterprise Act 2002 (c. 40)

        87. 87.Scottish Public Services Ombudsman Act 2002 (asp 11)

        88. 88.Freedom of Information (Scotland) Act 2002 (asp 13)

        89. 89.In section 2(2)(e)(ii) (absolute exemptions), omit “by virtue of subsection...

        90. 90.(1) Section 38 (personal information) is amended as follows.

        91. 91.Courts Act 2003 (c. 39)

        92. 92.(1) Paragraph 9C (disclosure of information in connection with making...

        93. 93.(1) Paragraph 10A (attachment of earnings orders (Justice Act (Northern...

        94. 94.Sexual Offences Act 2003 (c. 42)

        95. 95.Criminal Justice Act 2003 (c. 44)

        96. 96.In section 327A(9) (disclosure of information about convictions etc of...

        97. 97.In section 327B (disclosure of information about convictions etc of...

        98. 98.Mental Health (Care and Treatment) (Scotland) Act 2003 (asp 13)

        99. 99.Public Audit (Wales) Act 2004 (c. 23)

        100. 100.Companies (Audit, Investigations and Community Enterprise) Act 2004 (c. 27)

        101. 101.(1) Section 15A (disclosure of information by tax authorities) is...

        102. 102.(1) Section 15D (permitted disclosure of information obtained under compulsory...

        103. 103.Domestic Violence, Crime and Victims Act 2004 (c. 28)

        104. 104.Children Act 2004 (c. 31)

        105. 105.(1) Section 12 (information databases) is amended as follows.

        106. 106.(1) Section 29 (information databases: Wales) is amended as follows....

        107. 107.Constitutional Reform Act 2005 (c. 4)

        108. 108.Mental Capacity Act 2005 (c. 9)

        109. 109.Public Services Ombudsman (Wales) Act 2005 (c. 10)

        110. 110.Commissioners for Revenue and Customs Act 2005 (c. 11)

        111. 111.Gambling Act 2005 (c. 19)

        112. 112.Commissioner for Older People (Wales) Act 2006 (c. 30)

        113. 113.National Health Service Act 2006 (c. 41)

        114. 114.(1) Section 251 (control of patient information) is amended as...

        115. 115.(1) Section 264C (provision and disclosure of information about health...

        116. 116.In paragraph 7B(3) of Schedule 1 (further provision about the...

        117. 117.National Health Service (Wales) Act 2006 (c. 42)

        118. 118.(1) Section 201C (provision of information about medical supplies: supplementary)...

        119. 119.In paragraph 7B(3) of Schedule 1 (further provision about the...

        120. 120.Companies Act 2006 (c. 46)

        121. 121.In section 458(2) (disclosure of information by tax authorities)—

        122. 122.In section 461(7) (permitted disclosure of information obtained under compulsory...

        123. 123.In section 948(9) (restrictions on disclosure) for “the Data Protection...

        124. 124.In section 1173(1) (minor definitions: general), at the appropriate place...

        125. 125.In section 1224A(7) (restrictions on disclosure), for “the Data Protection...

        126. 126.In section 1253D(3) (restriction on transfer of audit working papers...

        127. 127.In section 1261(1) (minor definitions: Part 42), at the appropriate...

        128. 128.In section 1262 (index of defined expressions: Part 42), at...

        129. 129.In Schedule 8 (index of defined expressions: general), at the...

        130. 130.Tribunals, Courts and Enforcement Act 2007 (c. 15)

        131. 131.In section 11(5)(b) (right to appeal to Upper Tribunal), for...

        132. 132.In section 13(8)(a) (right to appeal to the Court of...

        133. 133.Statistics and Registration Service Act 2007 (c. 18)

        134. 134.(1) Section 45 (information held by HMRC) is amended as...

        135. 135.(1) Section 45A (information held by other public authorities) is...

        136. 136.(1) Section 45B(3) (access to information held by Crown bodies...

        137. 137.(1) Section 45C(13) (power to require disclosures by other public...

        138. 138.In section 45D(9)(b) (power to require disclosure by undertakings), for...

        139. 139.(1) Section 45E (further provision about powers in sections 45B,...

        140. 140.(1) Section 53A (disclosure by the Statistics Board to devolved...

        141. 141.(1) Section 54 (Data Protection Act 1998 and Human Rights...

        142. 142.In section 67 (general interpretation: Part 1), at the appropriate...

        143. 143.Serious Crime Act 2007 (c. 27)

        144. 144.(1) Section 5A (verification and disclosure of information) is amended...

        145. 145.(1) Section 68 (disclosure of information to prevent fraud) is...

        146. 146.(1) Section 85 (disclosure of information by Revenue and Customs)...

        147. 147.Legal Services Act 2007 (c. 29)

        148. 148.Adoption and Children (Scotland) Act 2007 (asp 4)

        149. 149.Criminal Justice and Immigration Act 2008 (c. 4)

        150. 150.Omit— (a) section 77 (power to alter penalty for unlawfully...

        151. 151.(1) Section 114 (supply of information to Secretary of State...

        152. 152.Regulatory Enforcement and Sanctions Act 2008 (c. 13)

        153. 153.Health and Social Care Act 2008 (c. 14)

        154. 154.Counter-Terrorism Act 2008 (c. 28)

        155. 155.Public Health etc. (Scotland) Act 2008 (asp 5)

        156. 156.Banking Act 2009 (c. 1)

        157. 157.Borders, Citizenship and Immigration Act 2009 (c. 11)

        158. 158.Marine and Coastal Access Act 2009 (c. 23)

        159. 159.(1) Paragraph 13 of Schedule 7 (further provision about civil...

        160. 160.(1) Paragraph 9 of Schedule 10 (further provision about fixed...

        161. 161.Coroners and Justice Act 2009 (c. 25)

        162. 162.Broads Authority Act 2009 (c. i)

        163. 163.Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.))

        164. 164.Terrorist Asset-Freezing etc. Act 2010 (c. 38)

        165. 165.Marine (Scotland) Act 2010 (asp 5)

        166. 166.Charities Act 2011 (c. 25)

        167. 167.Welsh Language (Wales) Measure 2011 (nawm 1)

        168. 168.(1) Section 22 (power to disclose information) is amended as...

        169. 169.(1) Paragraph 8 of Schedule 2 (inquiries by the Commissioner:...

        170. 170.Safeguarding Board Act (Northern Ireland) 2011 (c. 7 (N.I))

        171. 171.Health and Social Care Act 2012 (c. 7)

        172. 172.In section 250(7) (power to publish information standards), for the...

        173. 173.(1) Section 251A (consistent identifiers) is amended as follows.

        174. 174.(1) Section 251B (duty to share information) is amended as...

        175. 175.Protection of Freedoms Act 2012 (c. 9)

        176. 176.(1) Section 27 (exceptions and further provision about consent and...

        177. 177.In section 28(1) (interpretation: Chapter 2), for the definition of...

        178. 178.In section 29(7) (code of practice for surveillance camera systems),...

        179. 179.HGV Road User Levy Act 2013 (c. 7)

        180. 180.Crime and Courts Act 2013 (c. 22)

        181. 181.(1) Section 42 (other interpretive provisions) is amended as follows....

        182. 182.(1) Paragraph 1 of Schedule 7 (statutory restrictions on disclosure)...

        183. 183.Marine Act (Northern Ireland) 2013 (c. 10 (N.I.))

        184. 184.Local Audit and Accountability Act 2014 (c. 2)

        185. 185.Anti-social Behaviour, Crime and Policing Act 2014 (c. 12)

        186. 186.Immigration Act 2014 (c. 22)

        187. 187.Care Act 2014 (c. 23)

        188. 188.Social Services and Well-being (Wales) Act 2014 (anaw 4)

        189. 189.Counter-Terrorism and Security Act 2015 (c. 6)

        190. 190.Small Business, Enterprise and Employment Act 2015 (c. 26)

        191. 191.Modern Slavery Act 2015 (c. 30)

        192. 192.Human Trafficking and Exploitation (Criminal Justice and Support for Victims) Act (Northern Ireland) 2015 (c. 2 (N.I.))

        193. 193.In section 13(5) (duty to notify National Crime Agency about...

        194. 194.In section 25(1) (interpretation of this Act), at the appropriate...

        195. 195.In paragraph 18(5) of Schedule 3 (supply of information to...

        196. 196.Justice Act (Northern Ireland) 2015 (c. 9 (N.I.))

        197. 197.Immigration Act 2016 (c. 19)

        198. 198.Investigatory Powers Act 2016 (c. 25)

        199. 199.In section 1(5)(b), for sub-paragraph (ii) substitute—

        200. 200.In section 199 (bulk personal datasets: interpretation), for subsection (2)...

        201. 201.In section 202(4) (restriction on use of class BPD warrants),...

        202. 202.In section 206 (additional safeguards for health records), for subsection...

        203. 203.(1) Section 237 (information gateway) is amended as follows.

        204. 204.Public Services Ombudsman Act (Northern Ireland) 2016 (c. 4 (N.I.))

        205. 205.Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016 (c. 12 (N.I.))

        206. 206.Mental Capacity Act (Northern Ireland) 2016 (c. 18 (N.I.))

        207. 207.Justice Act (Northern Ireland) 2016 (c. 21 (N.I.))

        208. 208.(1) Section 17 (disclosure of information) is amended as follows....

        209. 209.In section 44(3) (disclosure of information)— (a) in paragraph (a),...

        210. 210.Policing and Crime Act 2017 (c. 3)

        211. 211.Children and Social Work Act 2017 (c. 12)

        212. 212.Higher Education and Research Act 2017 (c. 29)

        213. 213.(1) Section 63 (cooperation and information sharing by the Office...

        214. 214.(1) Section 112 (cooperation and information sharing between the Office...

        215. 215.Digital Economy Act 2017 (c. 30)

        216. 216.(1) Section 40 (further provisions about disclosures under sections 35...

        217. 217.(1) Section 43 (codes of practice) is amended as follows....

        218. 218.(1) Section 49 (further provision about disclosures under section 48)...

        219. 219.(1) Section 52 (code of practice) is amended as follows....

        220. 220.(1) Section 57 (further provision about disclosures under section 56)...

        221. 221.(1) Section 60 (code of practice) is amended as follows....

        222. 222.(1) Section 65 (supplementary provision about disclosures under section 64)...

        223. 223.(1) Section 70 (code of practice) is amended as follows....

        224. 224.Omit sections 108 to 110 (charges payable to the Information...

        225. 225.Landfill Disposals Tax (Wales) Act 2017 (anaw 3)

        226. 226.Additional Learning Needs and Educational Tribunal (Wales) Act 2018 (anaw 2)

        227. 227.This Act

      2. PART 2 Amendments of other legislation

        1. 228.Estate Agents (Specified Offences) (No. 2) Order 1991 (S.I. 1991/1091)

        2. 229.Channel Tunnel (International Arrangements) Order 1993 (S.I. 1993/1813)

        3. 230.Access to Health Records (Northern Ireland) Order 1993 (S.I. 1993/1250 (N.I. 4))

        4. 231.In Article 4 (health professionals), for paragraph (1) substitute—

        5. 232.In Article 5(4)(a) (fees for access to health records), for...

        6. 233.Channel Tunnel (Miscellaneous Provisions) Order 1994 (S.I. 1994/1405)

        7. 234.European Primary and Specialist Dental Qualifications Regulations 1998 (S.I. 1998/811)

        8. 235.(1) Regulation 2(1) (interpretation) is amended as follows.

        9. 236.(1) The table in Schedule A1 (functions of the GDC...

        10. 237.Scottish Parliamentary Corporate Body (Crown Status) Order 1999 (S.I. 1999/677)

        11. 238.Northern Ireland Assembly Commission (Crown Status) Order 1999 (S.I. 1999/3145)

        12. 239.Data Protection (Corporate Finance Exemption) Order 2000 (S.I. 2000/184)

        13. 240.Data Protection (Conditions under Paragraph 3 of Part II of Schedule 1) Order 2000 (S.I. 2000/185)

        14. 241.Data Protection (Functions of Designated Authority) Order 2000 (S.I. 2000/186)

        15. 242.Data Protection (International Co-operation) Order 2000 (S.I. 2000/190)

        16. 243.Data Protection (Subject Access) (Fees and Miscellaneous Provisions) Regulations 2000 (S.I. 2000/191)

        17. 244.Consumer Credit (Credit Reference Agency) Regulations 2000 (S.I. 2000/290)

        18. 245.Data Protection (Subject Access Modification) (Health) Order 2000 (S.I. 2000/413)

        19. 246.Data Protection (Subject Access Modification) (Education) Order 2000 (S.I. 2000/414)

        20. 247.Data Protection (Subject Access Modification) (Social Work) Order 2000 (S.I. 2000/415)

        21. 248.Data Protection (Crown Appointments) Order 2000 (S.I. 2000/416)

        22. 249.Data Protection (Processing of Sensitive Personal Data) Order 2000 (S.I. 2000/417)

        23. 250.Data Protection (Miscellaneous Subject Access Exemptions) Order 2000 (S.I. 2000/419)

        24. 251.Data Protection (Designated Codes of Practice) (No. 2) Order 2000 (S.I. 2000/1864)

        25. 252.Representation of the People (England and Wales) Regulations 2001 (S.I. 2001/341)

        26. 253.In regulation 3(1) (interpretation), at the appropriate places insert— “Article...

        27. 254.In regulation 26(3)(a) (applications for registration), for “the Data Protection...

        28. 255.In regulation 26A(2)(a) (application for alteration of register in respect...

        29. 256.In regulation 32ZA(3)(f) (annual canvass), for “the Data Protection Act...

        30. 257.In regulation 61A (conditions on the use, supply and inspection...

        31. 258.(1) Regulation 92(2) (interpretation and application of Part VI etc)...

        32. 259.In regulation 96(2A)(b)(i) (restriction on use of the full register),...

        33. 260.In regulation 97(5) and (6) (supply of free copy of...

        34. 261.In regulation 97A(7) and (8) (supply of free copy of...

        35. 262.In regulation 99(6) and (7) (supply of free copy of...

        36. 263.In regulation 109A(9) and (10) (supply of free copy of...

        37. 264.In regulation 119(2) (conditions on the use, supply and disclosure...

        38. 265.Representation of the People (Scotland) Regulations 2001 (S.I. 2001/497)

        39. 266.In regulation 3(1) (interpretation), at the appropriate places, insert— “Article...

        40. 267.In regulation 26(3)(a) (applications for registration), for “the Data Protection...

        41. 268.In regulation 26A(2)(a) (application for alteration of register in respect...

        42. 269.In regulation 32ZA(3)(f) (annual canvass), for “the Data Protection Act...

        43. 270.In regulation 61(3) (records and lists kept under Schedule 4),...

        44. 271.In regulation 61A (conditions on the use, supply and inspection...

        45. 272.(1) Regulation 92(2) (interpretation of Part VI etc) is amended...

        46. 273.In regulation 95(3)(b)(i) (restriction on use of the full register),...

        47. 274.In regulation 96(5) and (6) (supply of free copy of...

        48. 275.In regulation 98(6) and (7) (supply of free copy of...

        49. 276.In regulation 108A(9) and (10) (supply of full register to...

        50. 277.In regulation 119(2) (conditions on the use, supply and disclosure...

        51. 278.Financial Services and Markets Act 2000 (Disclosure of Confidential Information) Regulations 2001 (S.I. 2001/2188)

        52. 279.Nursing and Midwifery Order 2001 (S.I. 2002/253)

        53. 280.(1) Article 3 (the Nursing and Midwifery Council and its...

        54. 281.(1) Article 25 (the Council’s power to require disclosure of...

        55. 282.In article 39B (European professional card), after paragraph (2) insert—...

        56. 283.In article 40(6) (Directive 2005/36/EC: designation of competent authority etc),...

        57. 284.(1) Schedule 2B (Directive 2005/36/EC: European professional card) is amended...

        58. 285.(1) The table in Schedule 3 (functions of the Council...

        59. 286.In Schedule 4 (interpretation), omit the definition of “Directive 95/46/EC”....

        60. 287.Electronic Commerce (EC Directive) Regulations 2002 (S.I. 2002/2013)

        61. 288.In paragraph (1)(b) for “the Data Protection Directive and the...

        62. 289.In paragraph (3)— (a) omit the definitions of “Data Protection...

        63. 290.Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002 (S.I. 2002/2905)

        64. 291.Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426)

        65. 292.In regulation 2(1) (interpretation), in the definition of “the Information...

        66. 293.(1) Regulation 4 (relationship between these Regulations and the Data...

        67. 294.Nationality, Immigration and Asylum Act 2002 (Juxtaposed Controls) Order 2003 (S.I. 2003/2818)

        68. 295.In article 8(2) (exercise of powers by French officers in...

        69. 296.In article 11(4) (exercise of powers by UK immigration officers...

        70. 297.Pupils’ Educational Records (Scotland) Regulations 2003 (S.S.I. 2003/581)

        71. 298.(1) Regulation 2 (interpretation) is amended as follows.

        72. 299.(1) Regulation 6 (circumstances where information should not be disclosed)...

        73. 300.In regulation 9 (fees), for paragraph (1) substitute—

        74. 301.European Parliamentary Elections (Northern Ireland) Regulations 2004 (S.I. 2004/1267)

        75. 302.(1) Paragraph 74(1) (interpretation) is amended as follows.

        76. 303.In paragraph 77(2)(b) (conditions on the use, supply and disclosure...

        77. 304.Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004 (S.I. 2004/3244)

        78. 305.Environmental Information Regulations 2004 (S.I. 2004/3391)

        79. 306.(1) Regulation 2 (interpretation) is amended as follows.

        80. 307.(1) Regulation 13 (personal data) is amended as follows.

        81. 308.In regulation 14 (refusal to disclose information), in paragraph (3)(b),...

        82. 309.In regulation 18 (enforcement and appeal provisions), in paragraph (5),...

        83. 310.Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520)

        84. 311.(1) Regulation 2 (interpretation) is amended as follows.

        85. 312.(1) Regulation 11 (personal data) is amended as follows.

        86. 313.Licensing Act 2003 (Personal Licences) Regulations 2005 (S.I. 2005/41)

        87. 314.Education (Pupil Information) (England) Regulations 2005 (S.I. 2005/1437)

        88. 315.In regulation 3(5) (meaning of educational record) for “section 1(1)...

        89. 316.(1) Regulation 5 (disclosure of curricular and educational records) is...

        90. 317.Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (S.I. 2005/2042)

        91. 318.Register of Judgments, Orders and Fines Regulations 2005 (S.I. 2005/3595)

        92. 319.Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 (S.S.I. 2005/494)

        93. 320.(1) Regulation 39 (sensitive information) is amended as follows.

        94. 321.Data Protection (Processing of Sensitive Personal Data) Order 2006 (S.I. 2006/2068)

        95. 322.National Assembly for Wales (Representation of the People) Order 2007 (S.I. 2007/236)

        96. 323.Mental Capacity Act 2005 (Loss of Capacity during Research Project) (England) Regulations 2007 (S.I. 2007/679)

        97. 324.National Assembly for Wales Commission (Crown Status) Order 2007 (S.I. 2007/1118)

        98. 325.Mental Capacity Act 2005 (Loss of Capacity during Research Project) (Wales) Regulations 2007 (S.I. 2007/837 (W.72))

        99. 326.Representation of the People (Absent Voting at Local Elections) (Scotland) Regulations 2007 (S.S.I. 2007/170)

        100. 327.Representation of the People (Post-Local Government Elections Supply and Inspection of Documents) (Scotland) Regulations 2007 (S.S.I. 2007/264)

        101. 328.Education (Pupil Records and Reporting) (Transitional) Regulations (Northern Ireland) 2007 (S.R. (N.I.) 2007 No. 43)

        102. 329.In regulation 2 (interpretation), at the appropriate place insert— “the...

        103. 330.In regulation 10(2) (duties of Boards of Governors), for “documents...

        104. 331.Representation of the People (Northern Ireland) Regulations 2008 (S.I. 2008/1741)

        105. 332.Companies Act 2006 (Extension of Takeover Panel Provisions) (Isle of Man) Order 2008 (S.I. 2008/3122)

        106. 333.Controlled Drugs (Supervision of Management and Use) (Wales) Regulations 2008 (S.I. 2008/3239 (W.286))

        107. 334.In regulation 2(1) (interpretation)— (a) at the appropriate place in...

        108. 335.(1) Regulation 25 (duty to co-operate by disclosing information as...

        109. 336.(1) Regulation 26 (responsible bodies requesting additional information be disclosed...

        110. 337.(1) Regulation 29 (occurrence reports) is amended as follows.

        111. 338.Energy Order 2003 (Supply of Information) Regulations (Northern Ireland) 2008 (S.R. (N.I.) 2008 No. 3)

        112. 339.Companies (Disclosure of Address) Regulations 2009 (S.I. 2009/214)

        113. 340.Overseas Companies Regulations 2009 (S.I. 2009/1801)

        114. 341.Data Protection (Processing of Sensitive Personal Data) Order 2009 (S.I. 2009/1811)

        115. 342.Provision of Services Regulations 2009 (S.I. 2009/2999)

        116. 343.INSPIRE Regulations 2009 (S.I. 2009/3157)

        117. 344.INSPIRE (Scotland) Regulations 2009 (S.S.I. 2009/440)

        118. 345.Controlled Drugs (Supervision of Management and Use) Regulations (Northern Ireland) 2009 (S.R (N.I.) 2009 No. 225)

        119. 346.In regulation 2(2) (interpretation), at the appropriate place insert— “the...

        120. 347.(1) Regulation 25 (duty to co-operate by disclosing information as...

        121. 348.(1) Regulation 26 (responsible bodies requesting additional information be disclosed...

        122. 349.(1) Regulation 29 (occurrence reports) is amended as follows.

        123. 350.Data Protection (Monetary Penalties) (Maximum Penalty and Notices) Regulations 2010 (S.I. 2010/31)

        124. 351.Pharmacy Order 2010 (S.I. 2010/231)

        125. 352.In article 3(1) (interpretation), omit the definition of “Directive 95/46/EC”....

        126. 353.(1) Article 9 (inspection and enforcement) is amended as follows....

        127. 354.In article 33A (European professional card), after paragraph (2) insert—...

        128. 355.(1) Article 49 (disclosure of information: general) is amended as...

        129. 356.(1) Article 55 (professional performance assessments) is amended as follows....

        130. 357.In article 67(6) (Directive 2005/36/EC: designation of competent authority etc.),...

        131. 358.(1) Schedule 2A (Directive 2005/36/EC: European professional card) is amended...

        132. 359.(1) The table in Schedule 3 (Directive 2005/36/EC: designation of...

        133. 360.Data Protection (Monetary Penalties) Order 2010 (S.I. 2010/910)

        134. 361.National Employment Savings Trust Order 2010 (S.I. 2010/917)

        135. 362.In article 2 (interpretation)— (a) omit the definition of “data”...

        136. 363.(1) Article 10 (disclosure of requested data to the Secretary...

        137. 364.Local Elections (Northern Ireland) Order 2010 (S.I. 2010/2977)

        138. 365.Pupil Information (Wales) Regulations 2011 (S.I. 2011/1942 (W.209))

        139. 366.Debt Arrangement Scheme (Scotland) Regulations 2011 (S.S.I. 2011/141)

        140. 367.Police and Crime Commissioner Elections Order 2012 (S.I. 2012/1917)

        141. 368.(1) Schedule 2 (absent voting in Police and Crime Commissioner...

        142. 369.(1) Schedule 10 (access to marked registers and other documents...

        143. 370.Data Protection (Processing of Sensitive Personal Data) Order 2012 (S.I. 2012/1978)

        144. 371.Neighbourhood Planning (Referendums) Regulations 2012 (S.I. 2012/2031)

        145. 372.(1) Paragraph 29(1) (interpretation of Part 8) is amended as...

        146. 373.In paragraph 32(3)(b)(i), for “section 11(3) of the Data Protection...

        147. 374.In paragraph 33(6) and (7) (supply of copy of business...

        148. 375.In paragraph 34(6) and (7) (supply of copy of business...

        149. 376.In paragraph 39(8) and (97) (supply of copy of business...

        150. 377.In paragraph 45(2) (conditions on the use, supply and disclosure...

        151. 378.Controlled Drugs (Supervision of Management and Use) Regulations 2013 (S.I. 2013/373)

        152. 379.Communications Act 2003 (Disclosure of Information) Order 2014 (S.I. 2014/1825)

        153. 380.Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014 (S.I. 2014/3141)

        154. 381.Data Protection (Assessment Notices) (Designation of National Health Service Bodies) Order 2014 (S.I. 2014/3282)

        155. 382.The Control of Explosives Precursors etc Regulations (Northern Ireland) 2014 (S.R. (N.I.) 2014 No. 224)

        156. 383.Control of Poisons and Explosives Precursors Regulations 2015 (S.I. 2015/966)

        157. 384.Companies (Disclosure of Date of Birth Information) Regulations 2015 (S.I. 2015/1694)

        158. 385.Small and Medium Sized Business (Credit Information) Regulations 2015 (S.I. 2015/1945)

        159. 386.(1) Regulation 12 (criteria for the designation of a credit...

        160. 387.(1) Regulation 15 (access to and correction of information for...

        161. 388.European Union (Recognition of Professional Qualifications) Regulations 2015 (S.I. 2015/2059)

        162. 389.(1) Regulation 2(1) (interpretation) is amended as follows.

        163. 390.In regulation 5(5) (functions of competent authorities in the United...

        164. 391.In regulation 45(3) (processing and access to data regarding the...

        165. 392.In regulation 46(1) (processing and access to data regarding the...

        166. 393.In regulation 48(2) (processing and access to data regarding the...

        167. 394.In regulation 66(3) (exchange of information), for “Directives 95/46/EC” substitute...

        168. 395.Scottish Parliament (Elections etc) Order 2015 (S.S.I. 2015/425)

        169. 396.(1) Schedule 3 (absent voting) is amended as follows.

        170. 397.(1) Schedule 8 (access to marked registers and other documents...

        171. 398.Recall of MPs Act 2015 (Recall Petition) Regulations 2016 (S.I. 2016/295)

        172. 399.Register of People with Significant Control Regulations 2016 (S.I. 2016/339)

        173. 400.(1) Paragraph 6 (disclosure to a credit reference agency) is...

        174. 401.In paragraph 12A (disclosure to a credit institution or a...

        175. 402.In Part 3 (interpretation), after paragraph 13 insert— In this Schedule, “data protection obligations”, in relation to a...

        176. 403.Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (S.I. 2016/696)

        177. 404.In regulation 2(1) (interpretation), omit the definition of “the 1998...

        178. 405.In regulation 3(3) (supervision), omit “under the 1998 Act”.

        179. 406.For Schedule 2 substitute— SCHEDULE 2 Information Commissioner’s enforcement powers...

        180. 407.Court Files Privileged Access Rules (Northern Ireland) 2016 (S.R. (N.I.) 2016 No. 123)

        181. 408.In rule 5 (information that may released) for “Schedule 1...

        182. 409.In rule 7(2) (provision of information) for “Schedule 1 of...

        183. 410.Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (S.I. 2017/692)

        184. 411.In regulation 3(1) (interpretation), at the appropriate places insert— “the...

        185. 412.In regulation 16(8) (risk assessment by the Treasury and Home...

        186. 413.In regulation 17(9) (risk assessment by supervisory authorities), for “the...

        187. 414.For regulation 40(9)(c) (record keeping) substitute— (c) “data subject” has...

        188. 415.(1) Regulation 41 (data protection) is amended as follows.

        189. 416.(1) Regulation 84 (publication: the Financial Conduct Authority) is amended...

        190. 417.(1) Regulation 85 (publication: the Commissioners) is amended as follows....

        191. 418.For regulation 106(a) (general restrictions) substitute— (a) a disclosure in...

        192. 419.After paragraph 27 of Schedule 3 (relevant offences) insert— An offence under the Data Protection Act 2018, apart from...

        193. 420.Scottish Partnerships (Register of People with Significant Control) Regulations 2017 (S.I. 2017/694)

        194. 421.Data Protection (Charges and Information) Regulations 2018 (S.I. 2018/480)

        195. 422.National Health Service (General Medical Services Contracts) (Scotland) Regulations 2018 (S.S.I. 2018/66)

        196. 423.(1) Regulation 1 (citation and commencement) is amended as follows....

        197. 424.In regulation 3(1) (interpretation)— (a) omit the definition of “the...

        198. 425.(1) Schedule 6 (other contractual terms) is amended as follows....

        199. 426.National Health Service (Primary Medical Services Section 17C Agreements) (Scotland) Regulations 2018 (S.S.I. 2018/67)

        200. 427.(1) Regulation 1 (citation and commencement) is amended as follows....

        201. 428.In regulation 3(1) (interpretation)— (a) omit the definition of “the...

        202. 429.(1) Schedule 1 (content of agreements) is amended as follows....

      3. PART 3 Modifications

        1. 430.Introduction

        2. 431.General modifications

        3. 432.Specific modification of references to terms used in the Data Protection Act 1998

      4. PART 4 Supplementary

        1. 433.Definitions

        2. 434.Provision inserted in subordinate legislation by this Schedule

    20. SCHEDULE 20

      Transitional provision etc

      1. PART 1 General

        1. 1.Interpretation

      2. PART 2 Rights of data subjects

        1. 2.Right of access to personal data under the 1998 Act

        2. 3.Right to prevent processing likely to cause damage or distress under the 1998 Act

        3. 4.Right to prevent processing for purposes of direct marketing under the 1998 Act

        4. 5.Automated processing under the 1998 Act

        5. 6.Compensation for contravention of the 1998 Act or Part 4 of the 2014 Regulations

        6. 7.Rectification, blocking, erasure and destruction under the 1998 Act

        7. 8.Jurisdiction and procedure under the 1998 Act

        8. 9.Exemptions under the 1998 Act

        9. 10.Prohibition by this Act of requirement to produce relevant records

        10. 11.Avoidance under this Act of certain contractual terms relating to health records

      3. PART 3 The GDPR and Part 2 of this Act

        1. 12.Exemptions from the GDPR: restrictions of rules in Articles 13 to 15 of the GDPR

        2. 13.Manual unstructured data held by FOI public authorities

      4. PART 4 Law enforcement and intelligence services processing

        1. 14.Logging

        2. 15.Regulation 50 of the 2014 Regulations (disapplication of the 1998 Act)

        3. 16.Maximum fee for data subject access requests to intelligence services

      5. PART 5 National security certificates

        1. 17.National security certificates: processing of personal data under the 1998 Act

        2. 18.National security certificates: processing of personal data under the 2018 Act

      6. PART 6 The Information Commissioner

        1. 19.Appointment etc

        2. 20.Accounts

        3. 21.Annual report

        4. 22.Fees etc received by the Commissioner

        5. 23.Paragraph 10 of Schedule 12 to this Act applies only...

        6. 24.Functions in connection with the Data Protection Convention

        7. 25.Co-operation with the European Commission: transfers of personal data outside the EEA

        8. 26.Charges payable to the Commissioner by controllers

        9. 27.Requests for assessment

        10. 28.Codes of practice

      7. PART 7 Enforcement etc under the 1998 Act

        1. 29.Interpretation of this Part

        2. 30.Information notices

        3. 31.Special information notices

        4. 32.Assessment notices

        5. 33.Enforcement notices

        6. 34.Determination by Commissioner as to the special purposes

        7. 35.Restriction on enforcement in case of processing for the special purposes

        8. 36.Offences

        9. 37.Powers of entry

        10. 38.Monetary penalties

        11. 39.Appeals

        12. 40.Exemptions

        13. 41.Tribunal Procedure Rules

        14. 42.Obstruction etc

        15. 43.Enforcement etc under the 2014 Regulations

      8. PART 8 Enforcement etc under this Act

        1. 44.Information notices

        2. 45.Powers of entry

        3. 46.Tribunal Procedure Rules

      9. PART 9 Other enactments

        1. 47.Powers to disclose information to the Commissioner

        2. 48.Codes etc required to be consistent with the Commissioner’s data-sharing code

        3. 49.(1) This paragraph applies in relation to the original statement...

        4. 50.Consumer Credit Act 1974

        5. 51.Freedom of Information Act 2000

        6. 52.(1) This paragraph applies where a request for information was...

        7. 53.(1) Tribunal Procedure Rules made under paragraph 7(1)(b) of Schedule...

        8. 54.(1) The repeal of paragraph 8 of Schedule 6 to...

        9. 55.(1) The amendment of section 77 of the 2000 Act...

        10. 56.Freedom of Information (Scotland) Act 2002

        11. 57.Access to Health Records (Northern Ireland) Order 1993 (S.I. 1993/1250 (N.I. 4))

        12. 58.Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2450)

        13. 59.Health and Personal Social Services (Quality, Improvement and Regulation) (Northern Ireland) Order 2003 (S.I. 2003/431 (N.I. 9))

        14. 60.Environmental Information Regulations 2004 (S.I. 2004/3391)

        15. 61.Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520)