- Latest available (Revised)
- Original (As enacted)
This is the original version (as it was originally enacted).
(1)Regulations under this Act are to be made by statutory instrument.
(2)Before making regulations under this Act, the Secretary of State must consult—
(a)the Commissioner, and
(b)such other persons as the Secretary of State considers appropriate.
(3)Subsection (2) does not apply to regulations made under—
(a)section 23;
(b)section 30;
(c)section 211;
(d)section 212;
(e)section 213;
(f)paragraph 15 of Schedule 2.
(4)Subsection (2) does not apply to regulations made under section 18 where the Secretary of State has made an urgency statement in respect of them.
(5)Regulations under this Act may—
(a)make different provision for different purposes;
(b)include consequential, supplementary, incidental, transitional, transitory or saving provision.
(6)Where regulations under this Act are subject to “the negative resolution procedure” the statutory instrument containing the regulations is subject to annulment in pursuance of a resolution of either House of Parliament.
(7)Where regulations under this Act are subject to “the affirmative resolution procedure” the regulations may not be made unless a draft of the statutory instrument containing them has been laid before Parliament and approved by a resolution of each House of Parliament.
(8)Where regulations under this Act are subject to “the made affirmative resolution procedure”—
(a)the statutory instrument containing the regulations must be laid before Parliament after being made, together with the urgency statement in respect of them, and
(b)the regulations cease to have effect at the end of the period of 120 days beginning with the day on which the instrument is made, unless within that period the instrument is approved by a resolution of each House of Parliament.
(9)In calculating the period of 120 days, no account is to be taken of any time during which—
(a)Parliament is dissolved or prorogued, or
(b)both Houses of Parliament are adjourned for more than 4 days.
(10)Where regulations cease to have effect as a result of subsection (8), that does not—
(a)affect anything previously done under the regulations, or
(b)prevent the making of new regulations.
(11)Any provision that may be included in regulations under this Act subject to the negative resolution procedure may be made by regulations subject to the affirmative resolution procedure or the made affirmative resolution procedure.
(12)If a draft of a statutory instrument containing regulations under section 7 would, apart from this subsection, be treated for the purposes of the standing orders of either House of Parliament as a hybrid instrument, it is to proceed in that House as if it were not such an instrument.
(13)A requirement under a provision of this Act to consult may be satisfied by consultation before, as well as by consultation after, the provision comes into force.
(14)In this section, “urgency statement” has the meaning given in section 18(4).
(1)The Secretary of State may by regulations make such provision as the Secretary of State considers necessary or appropriate in connection with an amendment of, or an instrument replacing, the Data Protection Convention which has effect, or is expected to have effect, in the United Kingdom.
(2)The power under subsection (1) includes power—
(a)to amend or replace the definition of “the Data Protection Convention” in section 3;
(b)to amend Chapter 3 of Part 2 of this Act;
(c)to amend Part 4 of this Act;
(d)to make provision about the functions of the Commissioner, courts or tribunals in connection with processing of personal data to which Chapter 3 of Part 2 or Part 4 of this Act applies, including provision amending Parts 5 to 7 of this Act;
(e)to make provision about the functions of the Commissioner in connection with the Data Protection Convention or an instrument replacing that Convention, including provision amending Parts 5 to 7 of this Act;
(f)to consequentially amend this Act.
(3)Regulations under this section are subject to the affirmative resolution procedure.
(4)Regulations under this section may not be made after the end of the period of 3 years beginning with the day on which this Act is passed.
(1)It is an offence for a person (“P1”) to require another person to provide P1 with, or give P1 access to, a relevant record in connection with—
(a)the recruitment of an employee by P1,
(b)the continued employment of a person by P1, or
(c)a contract for the provision of services to P1.
(2)It is an offence for a person (“P2”) to require another person to provide P2 with, or give P2 access to, a relevant record if—
(a)P2 is involved in the provision of goods, facilities or services to the public or a section of the public, and
(b)the requirement is a condition of providing or offering to provide goods, facilities or services to the other person or to a third party.
(3)It is a defence for a person charged with an offence under subsection (1) or (2) to prove that imposing the requirement—
(a)was required or authorised by an enactment, by a rule of law or by the order of a court or tribunal, or
(b)in the particular circumstances, was justified as being in the public interest.
(4)The imposition of the requirement referred to in subsection (1) or (2) is not to be regarded as justified as being in the public interest on the ground that it would assist in the prevention or detection of crime, given Part 5 of the Police Act 1997 (certificates of criminal records etc).
(5)In subsections (1) and (2), the references to a person who requires another person to provide or give access to a relevant record include a person who asks another person to do so—
(a)knowing that, in the circumstances, it would be reasonable for the other person to feel obliged to comply with the request, or
(b)being reckless as to whether, in the circumstances, it would be reasonable for the other person to feel obliged to comply with the request,
and the references to a “requirement” in subsections (3) and (4) are to be interpreted accordingly.
(6)In this section—
“employment” means any employment, including—
work under a contract for services or as an office-holder,
work under an apprenticeship,
work experience as part of a training course or in the course of training for employment, and
voluntary work,
and “employee” is to be interpreted accordingly;
“relevant record” has the meaning given in Schedule 18 and references to a relevant record include—
a part of such a record, and
a copy of, or of part of, such a record.
(1)A term or condition of a contract is void in so far as it purports to require an individual to supply another person with a record which—
(a)consists of the information contained in a health record, and
(b)has been or is to be obtained by a data subject in the exercise of a data subject access right.
(2)A term or condition of a contract is also void in so far as it purports to require an individual to produce such a record to another person.
(3)The references in subsections (1) and (2) to a record include a part of a record and a copy of all or part of a record.
(4)In this section, “data subject access right” means a right under—
(a)Article 15 of the GDPR (right of access by the data subject);
(b)Article 20 of the GDPR (right to data portability);
(c)section 45 of this Act (law enforcement processing: right of access by the data subject);
(d)section 94 of this Act (intelligence services processing: right of access by the data subject).
(1)An enactment or rule of law prohibiting or restricting the disclosure of information, or authorising the withholding of information, does not remove or restrict the obligations and rights provided for in the provisions listed in subsection (2), except as provided by or under the provisions listed in subsection (3).
(2)The provisions providing obligations and rights are—
(a)Chapter III of the GDPR (rights of the data subject),
(b)Chapter 3 of Part 3 of this Act (law enforcement processing: rights of the data subject), and
(c)Chapter 3 of Part 4 of this Act (intelligence services processing: rights of the data subject).
(3)The provisions providing exceptions are—
(a)in Chapter 2 of Part 2 of this Act, sections 15 and 16 and Schedules 2, 3 and 4,
(b)in Chapter 3 of Part 2 of this Act, sections 23, 24, 25 and 26,
(c)in Part 3 of this Act, sections 44(4), 45(4) and 48(3), and
(d)in Part 4 of this Act, Chapter 6 .
(1)In relation to the processing of personal data to which the GDPR applies—
(a)Article 80(1) of the GDPR (representation of data subjects) enables a data subject to authorise a body or other organisation which meets the conditions set out in that Article to exercise the data subject’s rights under Articles 77, 78 and 79 of the GDPR (rights to lodge complaints and to an effective judicial remedy) on the data subject’s behalf, and
(b)a data subject may also authorise such a body or organisation to exercise the data subject’s rights under Article 82 of the GDPR (right to compensation).
(2)In relation to the processing of personal data to which the GDPR does not apply, a body or other organisation which meets the conditions in subsections (3) and (4), if authorised to do so by a data subject, may exercise some or all of the following rights of a data subject on the data subject’s behalf—
(a)rights under section 165(2), (4)(d) and (6)(c) (complaints to the Commissioner);
(b)rights under section 166(2) (orders for the Commissioner to progress complaints);
(c)rights under section 167(1) (compliance orders);
(d)the right to bring judicial review proceedings against the Commissioner.
(3)The first condition is that the body or organisation, by virtue of its constitution or an enactment—
(a)is required (after payment of outgoings) to apply the whole of its income and any capital it expends for charitable or public purposes,
(b)is prohibited from directly or indirectly distributing amongst its members any part of its assets (otherwise than for charitable or public purposes), and
(c)has objectives which are in the public interest.
(4)The second condition is that the body or organisation is active in the field of protection of data subjects’ rights and freedoms with regard to the protection of their personal data.
(5)In this Act, references to a “representative body”, in relation to a right of a data subject, are to a body or other organisation authorised to exercise the right on the data subject’s behalf under Article 80 of the GDPR or this section.
(1)The Secretary of State may by regulations make provision for representative bodies to bring proceedings before a court or tribunal in England and Wales or Northern Ireland combining two or more relevant claims.
(2)In this section, “relevant claim”, in relation to a representative body, means a claim in respect of a right of a data subject which the representative body is authorised to exercise on the data subject’s behalf under Article 80(1) of the GDPR or section 187.
(3)The power under subsection (1) includes power—
(a)to make provision about the proceedings;
(b)to confer functions on a person, including functions involving the exercise of a discretion;
(c)to make different provision in relation to England and Wales and in relation to Northern Ireland.
(4)The provision mentioned in subsection (3)(a) includes provision about—
(a)the effect of judgments and orders;
(b)agreements to settle claims;
(c)the assessment of the amount of compensation;
(d)the persons to whom compensation may or must be paid, including compensation not claimed by the data subject;
(e)costs.
(5)Regulations under this section are subject to the negative resolution procedure.
(1)Before the end of the review period, the Secretary of State must—
(a)review the matters listed in subsection (2) in relation to England and Wales and Northern Ireland,
(b)prepare a report of the review, and
(c)lay a copy of the report before Parliament.
(2)Those matters are—
(a)the operation of Article 80(1) of the GDPR,
(b)the operation of section 187,
(c)the merits of exercising the power under Article 80(2) of the GDPR (power to enable a body or other organisation which meets the conditions in Article 80(1) of the GDPR to exercise some or all of a data subject’s rights under Articles 77, 78 and 79 of the GDPR without being authorised to do so by the data subject),
(d)the merits of making equivalent provision in relation to data subjects’ rights under Article 82 of the GDPR (right to compensation), and
(e)the merits of making provision for a children’s rights organisation to exercise some or all of a data subject’s rights under Articles 77, 78, 79 and 82 of the GDPR on behalf of a data subject who is a child, with or without being authorised to do so by the data subject.
(3)“The review period” is the period of 30 months beginning when section 187 comes into force.
(4)In carrying out the review, the Secretary of State must—
(a)consider the particular needs of children separately from the needs of adults,
(b)have regard to the fact that children have different needs at different stages of development,
(c)carry out an analysis of the particular challenges that children face in authorising, and deciding whether to authorise, other persons to act on their behalf under Article 80(1) of the GDPR or section 187,
(d)consider the support and advice available to children in connection with the exercise of their rights under Articles 77, 78, 79 and 82 of the GDPR by another person on their behalf and the merits of making available other support or advice, and
(e)have regard to the United Kingdom’s obligations under the United Nations Convention on the Rights of the Child.
(5)Before preparing the report under subsection (1), the Secretary of State must consult the Commissioner and such other persons as the Secretary of State considers appropriate, including—
(a)persons active in the field of protection of data subjects’ rights and freedoms with regard to the protection of their personal data,
(b)children and parents,
(c)children’s rights organisations and other persons who appear to the Secretary of State to represent the interests of children,
(d)child development experts, and
(e)trade associations.
(6)In this section—
“children’s rights organisation” means a body or other organisation which—
is active in representing the interests of children, and
has objectives which are in the public interest;
“trade association” includes a body representing controllers or processors;
“the United Nations Convention on the Rights of the Child” means the Convention on the Rights of the Child adopted by the General Assembly of the United Nations on 20 November 1989 (including any Protocols to that Convention which are in force in relation to the United Kingdom), subject to any reservations, objections or interpretative declarations by the United Kingdom for the time being in force.
(1)After the report under section 189(1) is laid before Parliament, the Secretary of State may by regulations—
(a)exercise the powers under Article 80(2) of the GDPR in relation to England and Wales and Northern Ireland,
(b)make provision enabling a body or other organisation which meets the conditions in Article 80(1) of the GDPR to exercise a data subject’s rights under Article 82 of the GDPR in England and Wales and Northern Ireland without being authorised to do so by the data subject, and
(c)make provision described in section 189(2)(e) in relation to the exercise in England and Wales and Northern Ireland of the rights of a data subject who is a child.
(2)The powers under subsection (1) include power—
(a)to make provision enabling a data subject to prevent a body or other organisation from exercising, or continuing to exercise, the data subject’s rights;
(b)to make provision about proceedings before a court or tribunal where a body or organisation exercises a data subject’s rights;
(c)to make provision for bodies or other organisations to bring proceedings before a court or tribunal combining two or more claims in respect of a right of a data subject;
(d)to confer functions on a person, including functions involving the exercise of a discretion;
(e)to amend sections 166 to 168, 180, 187, 203, 205 and 206;
(f)to insert new sections and Schedules into Part 6 or 7 ;
(g)to make different provision in relation to England and Wales and in relation to Northern Ireland.
(3)The powers under subsection (1)(a) and (b) include power to make provision in relation to data subjects who are children or data subjects who are not children or both.
(4)The provision mentioned in subsection (2)(b) and (c) includes provision about—
(a)the effect of judgments and orders;
(b)agreements to settle claims;
(c)the assessment of the amount of compensation;
(d)the persons to whom compensation may or must be paid, including compensation not claimed by the data subject;
(e)costs.
(5)Regulations under this section are subject to the affirmative resolution procedure.
(1)The Secretary of State may prepare a document, called the Framework for Data Processing by Government, which contains guidance about the processing of personal data in connection with the exercise of functions of—
(a)the Crown, a Minister of the Crown or a United Kingdom government department, and
(b)a person with functions of a public nature who is specified or described in regulations made by the Secretary of State.
(2)The document may make provision relating to all of those functions or only to particular functions or persons.
(3)The document may not make provision relating to, or to the functions of, a part of the Scottish Administration, the Welsh Government, a Northern Ireland Minister or a Northern Ireland department.
(4)The Secretary of State may from time to time prepare amendments of the document or a replacement document.
(5)Before preparing a document or amendments under this section, the Secretary of State must consult—
(a)the Commissioner, and
(b)any other person the Secretary of State considers it appropriate to consult.
(6)Regulations under subsection (1)(b) are subject to the negative resolution procedure.
(7)In this section, “Northern Ireland Minister” includes the First Minister and deputy First Minister in Northern Ireland.
(1)Before issuing a document prepared under section 191, the Secretary of State must lay it before Parliament.
(2)If, within the 40-day period, either House of Parliament resolves not to approve the document, the Secretary of State must not issue it.
(3)If no such resolution is made within that period—
(a)the Secretary of State must issue the document, and
(b)the document comes into force at the end of the period of 21 days beginning with the day on which it is issued.
(4)Nothing in subsection (2) prevents another version of the document being laid before Parliament.
(5)In this section, “the 40-day period” means—
(a)if the document is laid before both Houses of Parliament on the same day, the period of 40 days beginning with that day, or
(b)if the document is laid before the Houses of Parliament on different days, the period of 40 days beginning with the later of those days.
(6)In calculating the 40-day period, no account is to be taken of any period during which Parliament is dissolved or prorogued or during which both Houses of Parliament are adjourned for more than 4 days.
(7)This section applies in relation to amendments prepared under section 191 as it applies in relation to a document prepared under that section.
(1)The Secretary of State must publish a document issued under section 192(3).
(2)Where an amendment of a document is issued under section 192(3), the Secretary of State must publish—
(a)the amendment, or
(b)the document as amended by it.
(3)The Secretary of State must keep under review the document issued under section 192(3) for the time being in force.
(4)Where the Secretary of State becomes aware that the terms of such a document could result in a breach of an international obligation of the United Kingdom, the Secretary of State must exercise the power under section 191(4) with a view to remedying the situation.
(1)When carrying out processing of personal data which is the subject of a document issued under section 192(3) which is for the time being in force, a person must have regard to the document.
(2)A failure to act in accordance with a provision of such a document does not of itself make a person liable to legal proceedings in a court or tribunal.
(3)A document issued under section 192(3), including an amendment or replacement document, is admissible in evidence in legal proceedings.
(4)In any legal proceedings before a court or tribunal, the court or tribunal must take into account a provision of any document issued under section 192(3) in determining a question arising in the proceedings if—
(a)the question relates to a time when the provision was in force, and
(b)the provision appears to the court or tribunal to be relevant to the question.
(5)In determining a question arising in connection with the carrying out of any of the Commissioner’s functions, the Commissioner must take into account a provision of a document issued under section 192(3) if—
(a)the question relates to a time when the provision was in force, and
(b)the provision appears to the Commissioner to be relevant to the question.
(1)The Reserve Forces Act 1996 is amended as follows.
(2)After section 125 insert—
(1)This subsection applies to contact details for—
(a)a member of an ex-regular reserve force, or
(b)a person to whom section 66 (officers and former servicemen liable to recall) applies,
which are held by HMRC in connection with a function of HMRC.
(2)HMRC may supply contact details to which subsection (1) applies to the Secretary of State for the purpose of enabling the Secretary of State—
(a)to contact a member of an ex-regular reserve force in connection with the person’s liability, or potential liability, to be called out for service under Part 6;
(b)to contact a person to whom section 66 applies in connection with the person’s liability, or potential liability, to be recalled for service under Part 7.
(3)Where a person’s contact details are supplied under subsection (2) for a purpose described in that subsection, they may also be used for defence purposes connected with the person’s service (whether past, present or future) in the reserve forces or regular services.
(4)In this section, “HMRC” means Her Majesty’s Revenue and Customs.
(1)A person who receives information supplied under section 125A may not disclose it except with the consent of the Commissioners for Her Majesty’s Revenue and Customs (which may be general or specific).
(2)A person who contravenes subsection (1) is guilty of an offence.
(3)It is a defence for a person charged with an offence under this section to prove that the person reasonably believed—
(a)that the disclosure was lawful, or
(b)that the information had already lawfully been made available to the public.
(4)Subsections (4) to (7) of section 19 of the Commissioners for Revenue and Customs Act 2005 apply to an offence under this section as they apply to an offence under that section.
(5)Nothing in section 107 or 108 (institution of proceedings and evidence) applies in relation to an offence under this section.
(1)Nothing in section 125A or 125B authorises the making of a disclosure which contravenes the data protection legislation.
(2)In this section, “the data protection legislation” has the same meaning as in the Data Protection Act 2018 (see section 3 of that Act).”
(1)A person who commits an offence under section 119 or 173 or paragraph 15 of Schedule 15 is liable—
(a)on summary conviction in England and Wales, to a fine;
(b)on summary conviction in Scotland or Northern Ireland, to a fine not exceeding level 5 on the standard scale.
(2)A person who commits an offence under section 132, 144, 148, 170, 171 or 184 is liable—
(a)on summary conviction in England and Wales, to a fine;
(b)on summary conviction in Scotland or Northern Ireland, to a fine not exceeding the statutory maximum;
(c)on conviction on indictment, to a fine.
(3)Subsections (4) and (5) apply where a person is convicted of an offence under section 170 or 184.
(4)The court by or before which the person is convicted may order a document or other material to be forfeited, destroyed or erased if—
(a)it has been used in connection with the processing of personal data, and
(b)it appears to the court to be connected with the commission of the offence,
subject to subsection (5).
(5)If a person, other than the offender, who claims to be the owner of the material, or to be otherwise interested in the material, applies to be heard by the court, the court must not make an order under subsection (4) without giving the person an opportunity to show why the order should not be made.
(1)In England and Wales, proceedings for an offence under this Act may be instituted only—
(a)by the Commissioner, or
(b)by or with the consent of the Director of Public Prosecutions.
(2)In Northern Ireland, proceedings for an offence under this Act may be instituted only—
(a)by the Commissioner, or
(b)by or with the consent of the Director of Public Prosecutions for Northern Ireland.
(3)Subject to subsection (4), summary proceedings for an offence under section 173 (alteration etc of personal data to prevent disclosure) may be brought within the period of 6 months beginning with the day on which the prosecutor first knew of evidence that, in the prosecutor’s opinion, was sufficient to bring the proceedings.
(4)Such proceedings may not be brought after the end of the period of 3 years beginning with the day on which the offence was committed.
(5)A certificate signed by or on behalf of the prosecutor and stating the day on which the 6 month period described in subsection (3) began is conclusive evidence of that fact.
(6)A certificate purporting to be signed as described in subsection (5) is to be treated as so signed unless the contrary is proved.
(7)In relation to proceedings in Scotland, section 136(3) of the Criminal Procedure (Scotland) Act 1995 (deemed date of commencement of proceedings) applies for the purposes of this section as it applies for the purposes of that section.
(1)Subsection (2) applies where—
(a)an offence under this Act has been committed by a body corporate, and
(b)it is proved to have been committed with the consent or connivance of or to be attributable to neglect on the part of—
(i)a director, manager, secretary or similar officer of the body corporate, or
(ii)a person who was purporting to act in such a capacity.
(2)The director, manager, secretary, officer or person, as well as the body corporate, is guilty of the offence and liable to be proceeded against and punished accordingly.
(3)Where the affairs of a body corporate are managed by its members, subsections (1) and (2) apply in relation to the acts and omissions of a member in connection with the member’s management functions in relation to the body as if the member were a director of the body corporate.
(4)Subsection (5) applies where—
(a)an offence under this Act has been committed by a Scottish partnership, and
(b)the contravention in question is proved to have occurred with the consent or connivance of, or to be attributable to any neglect on the part of, a partner.
(5)The partner, as well as the partnership, is guilty of the offence and liable to be proceeded against and punished accordingly.
(1)The National Police Records (Recordable Offences) Regulations 2000 (S.I. 2000/1139) have effect as if the offences under the following provisions were listed in the Schedule to the Regulations—
(a)section 119;
(b)section 132;
(c)section 144;
(d)section 148;
(e)section 170;
(f)section 171;
(g)section 173;
(h)section 184;
(i)paragraph 15 of Schedule 15.
(2)Regulations under section 27(4) of the Police and Criminal Evidence Act 1984 (recordable offences) may repeal subsection (1).
(1)The Commissioner must produce and publish guidance about how the Commissioner proposes to perform the duty under section 67(9) of the Police and Criminal Evidence Act 1984 (duty to have regard to codes of practice under that Act when investigating offences and charging offenders) in connection with offences under this Act.
(2)The Commissioner—
(a)may alter or replace the guidance, and
(b)must publish any altered or replacement guidance.
(3)The Commissioner must consult the Secretary of State before publishing guidance under this section (including any altered or replacement guidance).
(4)The Commissioner must arrange for guidance under this section (including any altered or replacement guidance) to be laid before Parliament.
(1)No enactment or rule of law prohibiting or restricting the disclosure of information precludes a person from providing the First-tier Tribunal or the Upper Tribunal with information necessary for the discharge of—
(a)its functions under the data protection legislation, or
(b)its other functions relating to the Commissioner’s acts and omissions.
(2)But this section does not authorise the making of a disclosure which is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of the Investigatory Powers Act 2016.
(3)Until the repeal of Part 1 of the Regulation of Investigatory Powers Act 2000 by paragraphs 45 and 54 of Schedule 10 to the Investigatory Powers Act 2016 is fully in force, subsection (2) has effect as if it included a reference to that Part.
(1)This section applies where—
(a)a person does something, or fails to do something, in relation to proceedings before the First-tier Tribunal—
(i)on an appeal under section 27, 79, 111 or 162, or
(ii)for an order under section 166, and
(b)if those proceedings were proceedings before a court having power to commit for contempt, the act or omission would constitute contempt of court.
(2)The First-tier Tribunal may certify the offence to the Upper Tribunal.
(3)Where an offence is certified under subsection (2), the Upper Tribunal may—
(a)inquire into the matter, and
(b)deal with the person charged with the offence in any manner in which it could deal with the person if the offence had been committed in relation to the Upper Tribunal.
(4)Before exercising the power under subsection (3)(b), the Upper Tribunal must—
(a)hear any witness who may be produced against or on behalf of the person charged with the offence, and
(b)hear any statement that may be offered in defence.
(1)Tribunal Procedure Rules may make provision for regulating—
(a)the exercise of the rights of appeal conferred by section 27, 79, 111 or 162, and
(b)the exercise of the rights of data subjects under section 166, including their exercise by a representative body.
(2)In relation to proceedings involving the exercise of those rights, Tribunal Procedure Rules may make provision about—
(a)securing the production of material used for the processing of personal data, and
(b)the inspection, examination, operation and testing of equipment or material used in connection with the processing of personal data.
(1)In this Act, “health professional” means any of the following—
(a)a registered medical practitioner;
(b)a registered nurse or midwife;
(c)a registered dentist within the meaning of the Dentists Act 1984 (see section 53 of that Act);
(d)a registered dispensing optician or a registered optometrist within the meaning of the Opticians Act 1989 (see section 36 of that Act);
(e)a registered osteopath with the meaning of the Osteopaths Act 1993 (see section 41 of that Act);
(f)a registered chiropractor within the meaning of the Chiropractors Act 1994 (see section 43 of that Act);
(g)a person registered as a member of a profession to which the Health and Social Work Professions Order 2001 (S.I. 2002/254) for the time being extends, other than the social work profession in England;
(h)a registered pharmacist or a registered pharmacy technician within the meaning of the Pharmacy Order 2010 (S.I. 2010/231) (see article 3 of that Order);
(i)a registered person within the meaning of the Pharmacy (Northern Ireland) Order 1976 (S.I. 1976/1213 (N.I. 22)) (see Article 2 of that Order);
(j)a child psychotherapist;
(k)a scientist employed by a health service body as head of a department.
(2)In this Act, “social work professional” means any of the following—
(a)a person registered as a social worker in England in the register maintained under the Health and Social Work Professions Order 2001 (S.I. 2002/254);
(b)a person registered as a social worker in the register maintained by Social Care Wales under section 80 of the Regulation and Inspection of Social Care (Wales) Act 2016 (anaw 2);
(c)a person registered as a social worker in the register maintained by the Scottish Social Services Council under section 44 of the Regulation of Care (Scotland) Act 2001 (asp 8);
(d)a person registered as a social worker in the register maintained by the Northern Ireland Social Care Council under section 3 of the Health and Personal Social Services Act (Northern Ireland) 2001 (c. 3 (N.I.)).
(3)In subsection (1)(a) “registered medical practitioner” includes a person who is provisionally registered under section 15 or 21 of the Medical Act 1983 and is engaged in such employment as is mentioned in subsection (3) of that section.
(4)In subsection (1)(k) “health service body” means any of the following—
(a)the Secretary of State in relation to the exercise of functions under section 2A or 2B of, or paragraph 7C, 8 or 12 of Schedule 1 to, the National Health Service Act 2006;
(b)a local authority in relation to the exercise of functions under section 2B or 111 of, or any of paragraphs 1 to 7B or 13 of Schedule 1 to, the National Health Service Act 2006;
(c)a National Health Service trust first established under section 25 of the National Health Service Act 2006;
(d)a Special Health Authority established under section 28 of the National Health Service Act 2006;
(e)an NHS foundation trust;
(f)the National Institute for Health and Care Excellence;
(g)the Health and Social Care Information Centre;
(h)a National Health Service trust first established under section 5 of the National Health Service and Community Care Act 1990;
(i)a Local Health Board established under section 11 of the National Health Service (Wales) Act 2006;
(j)a National Health Service trust first established under section 18 of the National Health Service (Wales) Act 2006;
(k)a Special Health Authority established under section 22 of the National Health Service (Wales) Act 2006;
(l)a Health Board within the meaning of the National Health Service (Scotland) Act 1978;
(m)a Special Health Board within the meaning of the National Health Service (Scotland) Act 1978;
(n)a National Health Service trust first established under section 12A of the National Health Service (Scotland) Act 1978;
(o)the managers of a State Hospital provided under section 102 of the National Health Service (Scotland) Act 1978;
(p)the Regional Health and Social Care Board established under section 7 of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I));
(q)a special health and social care agency established under the Health and Personal Social Services (Special Agencies) (Northern Ireland) Order 1990 (S.I. 1990/247 (N.I. 3));
(r)a Health and Social Care trust established under Article 10 of the Health and Personal Social Services (Northern Ireland) Order 1991 (S.I. 1991/194 (N.I. 1)).
(1)In this Act—
“biometric data” means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual, which allows or confirms the unique identification of that individual, such as facial images or dactyloscopic data;
“data concerning health” means personal data relating to the physical or mental health of an individual, including the provision of health care services, which reveals information about his or her health status;
“enactment” includes—
an enactment passed or made after this Act,
an enactment comprised in subordinate legislation,
an enactment comprised in, or in an instrument made under, a Measure or Act of the National Assembly for Wales,
an enactment comprised in, or in an instrument made under, an Act of the Scottish Parliament, and
an enactment comprised in, or in an instrument made under, Northern Ireland legislation;
“genetic data” means personal data relating to the inherited or acquired genetic characteristics of an individual which gives unique information about the physiology or the health of that individual and which results, in particular, from an analysis of a biological sample from the individual in question;
“government department” includes the following (except in the expression “United Kingdom government department”)—
a part of the Scottish Administration;
a Northern Ireland department;
the Welsh Government;
a body or authority exercising statutory functions on behalf of the Crown;
“health record” means a record which—
consists of data concerning health, and
has been made by or on behalf of a health professional in connection with the diagnosis, care or treatment of the individual to whom the data relates;
“inaccurate”, in relation to personal data, means incorrect or misleading as to any matter of fact;
“international obligation of the United Kingdom” includes—
an EU obligation, and
an obligation that arises under an international agreement or arrangement to which the United Kingdom is a party;
“international organisation” means an organisation and its subordinate bodies governed by international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries;
“Minister of the Crown” has the same meaning as in the Ministers of the Crown Act 1975;
“publish” means make available to the public or a section of the public (and related expressions are to be read accordingly);
“subordinate legislation” has the meaning given in the Interpretation Act 1978;
“tribunal” means any tribunal in which legal proceedings may be brought;
“the Tribunal”, in relation to an application or appeal under this Act, means—
the Upper Tribunal, in any case where it is determined by or under Tribunal Procedure Rules that the Upper Tribunal is to hear the application or appeal, or
the First-tier Tribunal, in any other case.
(2)References in this Act to a period expressed in hours, days, weeks, months or years are to be interpreted in accordance with Article 3 of Regulation (EEC, Euratom) No. 1182/71 of the Council of 3 June 1971 determining the rules applicable to periods, dates and time limits, except in—
(a)section 125(4), (7) and (8);
(b)section 161(3), (5) and (6);
(c)section 176(2);
(d)section 178(2);
(e)section 182(8) and (9);
(f)section 183(4);
(g)section 192(3), (5) and (6);
(h)section 197(3) and (4);
(i)paragraph 23(4) and (5) of Schedule 1;
(j)paragraphs 5(4) and 6(4) of Schedule 3;
(k)Schedule 5;
(l)paragraph 11(5) of Schedule 12;
(m)Schedule 15;
(and the references in section 5 to terms used in Chapter 2 or 3 of Part 2 do not include references to a period expressed in hours, days, weeks, months or years).
(3)Section 3(14)(b) (interpretation of references to Chapter 2 of Part 2 in Parts 5 to 7) and the amendments in Schedule 19 which make equivalent provision are not to be treated as implying a contrary intention for the purposes of section 20(2) of the Interpretation Act 1978, or any similar provision in another enactment, as it applies to other references to, or to a provision of, Chapter 2 of Part 2 of this Act.
The Table below lists provisions which define or otherwise explain terms defined for this Act, for a Part of this Act or for Chapter 2 or 3 of Part 2 of this Act.
the affirmative resolution procedure | section 182 |
the applied Chapter 2 (in Chapter 3 of Part 2) | section 22 |
the applied GDPR | section 3 |
assessment notice (in Part 6) | section 181 |
biometric data | section 205 |
certification provider (in Part 6) | section 181 |
the Commissioner | section 3 |
competent authority (in Part 3) | section 30 |
consent (in Part 4) | section 84 |
controller | section 3 |
data concerning health | section 205 |
the Data Protection Convention | section 3 |
the data protection legislation | section 3 |
data subject | section 3 |
employee (in Parts 3 and 4) | sections 33 and 84 |
enactment | section 205 |
enforcement notice (in Part 6) | section 181 |
filing system | section 3 |
FOI public authority (in Chapter 3 of Part 2) | section 21 |
the GDPR | section 3 |
genetic data | section 205 |
government department | section 205 |
health professional | section 204 |
health record | section 205 |
identifiable living individual | section 3 |
inaccurate | section 205 |
information notice (in Part 6) | section 181 |
intelligence service (in Part 4) | section 82 |
international obligation of the United Kingdom | section 205 |
international organisation | section 205 |
the Law Enforcement Directive | section 3 |
the law enforcement purposes (in Part 3) | section 31 |
the made affirmative resolution procedure | section 182 |
Minister of the Crown | section 205 |
the negative resolution procedure | section 182 |
penalty notice (in Part 6) | section 181 |
penalty variation notice (in Part 6) | section 181 |
personal data | section 3 |
personal data breach (in Parts 3 and 4) | sections 33 and 84 |
processing | section 3 |
processor | section 3 |
profiling (in Part 3) | section 33 |
public authority (in the GDPR and Part 2) | section 7 |
public body (in the GDPR and Part 2) | section 7 |
publish | section 205 |
recipient (in Parts 3 and 4) | sections 33 and 84 |
representative (in Part 6) | section 181 |
representative body (in relation to a right of a data subject) | section 187 |
restriction of processing (in Parts 3 and 4) | sections 33 and 84 |
social work professional | section 204 |
the special purposes (in Part 6) | section 174 |
special purposes proceedings (in Part 6) | section 174 |
subordinate legislation | section 205 |
third country (in Part 3) | section 33 |
tribunal | section 205 |
the Tribunal | section 205 |
(1)This Act applies only to processing of personal data described in subsections (2) and (3).
(2)It applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the United Kingdom, whether or not the processing takes place in the United Kingdom.
(3)It also applies to the processing of personal data to which Chapter 2 of Part 2 (the GDPR) applies where—
(a)the processing is carried out in the context of the activities of an establishment of a controller or processor in a country or territory that is not a member State, whether or not the processing takes place in such a country or territory,
(b)the personal data relates to a data subject who is in the United Kingdom when the processing takes place, and
(c)the processing activities are related to—
(i)the offering of goods or services to data subjects in the United Kingdom, whether or not for payment, or
(ii)the monitoring of data subjects’ behaviour in the United Kingdom.
(4)Subsections (1) to (3) have effect subject to any provision in or made under section 120 providing for the Commissioner to carry out functions in relation to other processing of personal data.
(5)Section 3(14)(c) does not apply to the reference to the processing of personal data in subsection (2).
(6)The reference in subsection (3) to Chapter 2 of Part 2 (the GDPR) does not include that Chapter as applied by Chapter 3 of Part 2 (the applied GDPR).
(7)In this section, references to a person who has an establishment in the United Kingdom include the following—
(a)an individual who is ordinarily resident in the United Kingdom,
(b)a body incorporated under the law of the United Kingdom or a part of the United Kingdom,
(c)a partnership or other unincorporated association formed under the law of the United Kingdom or a part of the United Kingdom, and
(d)a person not within paragraph (a), (b) or (c) who maintains, and carries on activities through, an office, branch or agency or other stable arrangements in the United Kingdom,
and references to a person who has an establishment in another country or territory have a corresponding meaning.
(1)Subsections (2) and (3) apply where a question falls to be determined in Scotland as to the legal capacity of a person aged under 16 to—
(a)exercise a right conferred by the data protection legislation, or
(b)give consent for the purposes of the data protection legislation.
(2)The person is to be taken to have that capacity where the person has a general understanding of what it means to exercise the right or give such consent.
(3)A person aged 12 or over is to be presumed to be of sufficient age and maturity to have such understanding, unless the contrary is shown.
(1)This Act binds the Crown.
(2)For the purposes of the GDPR and this Act, each government department is to be treated as a person separate from the other government departments (to the extent that is not already the case).
(3)Where government departments are not able to enter into contracts with each other, a provision of the GDPR or this Act that would require relations between them to be governed by a contract (or other binding legal act) in writing is to be treated as satisfied if the relations are the subject of a memorandum of understanding between them.
(4)Where the purposes for which and the manner in which personal data is, or is to be, processed are determined by a person acting on behalf of the Royal Household, the Duchy of Lancaster or the Duchy of Cornwall, the controller in respect of that data for the purposes of the GDPR and this Act is—
(a)in relation to the Royal Household, the Keeper of the Privy Purse,
(b)in relation to the Duchy of Lancaster, such person as the Chancellor of the Duchy appoints, and
(c)in relation to the Duchy of Cornwall, such person as the Duke of Cornwall, or the possessor for the time being of the Duchy of Cornwall, appoints.
(5)Different persons may be appointed under subsection (4)(b) or (c) for different purposes.
(6)As regards criminal liability—
(a)a government department is not liable to prosecution under this Act;
(b)nothing in subsection (4) makes a person who is a controller by virtue of that subsection liable to prosecution under this Act;
(c)a person in the service of the Crown is liable to prosecution under the provisions of this Act listed in subsection (7).
(7)Those provisions are—
(a)section 119;
(b)section 170;
(c)section 171;
(d)section 173;
(e)paragraph 15 of Schedule 15.
(1)Parts 1, 2 and 5 to 7 of this Act apply to the processing of personal data by or on behalf of either House of Parliament.
(2)Where the purposes for which and the manner in which personal data is, or is to be, processed are determined by or on behalf of the House of Commons, the controller in respect of that data for the purposes of the GDPR and this Act is the Corporate Officer of that House.
(3)Where the purposes for which and the manner in which personal data is, or is to be, processed are determined by or on behalf of the House of Lords, the controller in respect of that data for the purposes of the GDPR and this Act is the Corporate Officer of that House.
(4)Subsections (2) and (3) do not apply where the purposes for which and the manner in which the personal data is, or is to be, processed are determined by or on behalf of the Intelligence and Security Committee of Parliament.
(5)As regards criminal liability—
(a)nothing in subsection (2) or (3) makes the Corporate Officer of the House of Commons or the Corporate Officer of the House of Lords liable to prosecution under this Act;
(b)a person acting on behalf of either House of Parliament is liable to prosecution under the provisions of this Act listed in subsection (6).
(6)Those provisions are—
(a)section 170;
(b)section 171;
(c)section 173;
(d)paragraph 15 of Schedule 15.
(1)In Schedule 19—
(a)Part 1 contains minor and consequential amendments of primary legislation;
(b)Part 2 contains minor and consequential amendments of other legislation;
(c)Part 3 contains consequential modifications of legislation;
(d)Part 4 contains supplementary provision.
(2)The Secretary of State may by regulations make provision that is consequential on any provision made by this Act.
(3)Regulations under subsection (2)—
(a)may include transitional, transitory or saving provision;
(b)may amend, repeal or revoke an enactment.
(4)The reference to an enactment in subsection (3)(b) does not include an enactment passed or made after the end of the Session in which this Act is passed.
(5)Regulations under this section that amend, repeal or revoke primary legislation are subject to the affirmative resolution procedure.
(6)Any other regulations under this section are subject to the negative resolution procedure.
(7)In this section, “primary legislation” means—
(a)an Act;
(b)an Act of the Scottish Parliament;
(c)a Measure or Act of the National Assembly for Wales;
(d)Northern Ireland legislation.
(1)Except as provided by subsections (2) and (3), this Act comes into force on such day as the Secretary of State may by regulations appoint.
(2)This section and the following provisions come into force on the day on which this Act is passed—
(a)sections 1 and 3;
(b)section 182;
(c)sections 204, 205 and 206;
(d)sections 209 and 210;
(e)sections 213(2), 214 and 215;
(f)any other provision of this Act so far as it confers power to make regulations or Tribunal Procedure Rules or is otherwise necessary for enabling the exercise of such a power on or after the day on which this Act is passed.
(3)The following provisions come into force at the end of the period of 2 months beginning when this Act is passed—
(a)section 124;
(b)sections 125, 126 and 127, so far as they relate to a code prepared under section 124;
(c)section 177;
(d)section 178 and Schedule 17;
(e)section 179.
(4)Regulations under this section may make different provision for different areas.
(1)Schedule 20 contains transitional, transitory and saving provision.
(2)The Secretary of State may by regulations make transitional, transitory or saving provision in connection with the coming into force of any provision of this Act or with the GDPR beginning to apply, including provision amending or repealing a provision of Schedule 20.
(3)Regulations under this section that amend or repeal a provision of Schedule 20 are subject to the negative resolution procedure.
(1)This Act extends to England and Wales, Scotland and Northern Ireland, subject to—
(a)subsections (2) to (5), and
(b)paragraph 12 of Schedule 12.
(2)Section 199 extends to England and Wales only.
(3)Sections 188, 189 and 190 extend to England and Wales and Northern Ireland only.
(4)An amendment, repeal or revocation made by this Act has the same extent in the United Kingdom as the enactment amended, repealed or revoked.
(5)This subsection and the following provisions also extend to the Isle of Man—
(a)paragraphs 332 and 434 of Schedule 19;
(b)sections 211(1), 212(1) and 213(2), so far as relating to those paragraphs.
(6)Where there is a power to extend a part of an Act by Order in Council to any of the Channel Islands, the Isle of Man or any of the British overseas territories, the power may be exercised in relation to an amendment or repeal of that part which is made by or under this Act.
This Act may be cited as the Data Protection Act 2018.
The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Whole Act you have selected contains over 200 provisions and might take some time to download.
Would you like to continue?
The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download.
Would you like to continue?
The Whole Act you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Whole Act without Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.
Original (As Enacted or Made): The original version of the legislation as it stood when it was enacted or made. No changes have been applied to the text.
Text created by the government department responsible for the subject matter of the Act to explain what the Act sets out to achieve and to make the Act accessible to readers who are not legally qualified. Explanatory Notes were introduced in 1999 and accompany all Public Acts except Appropriation, Consolidated Fund, Finance and Consolidation Acts.
Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:
Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:
Click 'View More' or select 'More Resources' tab for additional information including: