SCHEDULES

SCHEDULE 19Minor and consequential amendments

PART 2Amendments of other legislation

Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (S.I. 2005/2042)

317

(1)

Regulation 45 of the Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (sensitive information) is amended as follows.

(2)

In paragraph (1)(d)—

(a)

omit “, within the meaning of section 1(1) of the Data Protection Act 1998”, and

(b)

for “(2) or (3)” substitute “ (1A), (1B) or (1C) ”.

(3)

After paragraph (1) insert—

“(1A)

The condition in this paragraph is that the disclosure of the information to a member of the public—

(a)

would contravene any of the data protection principles, or

(b)

would do so if the exemptions in section 24(1) of the Data Protection Act 2018 (manual unstructured data held by public authorities) were disregarded.

(1B)

The condition in this paragraph is that the disclosure of the information to a member of the public would contravene—

(a)

Article 21 of the GDPR (general processing: right to object to processing), or

(b)

section 99 of the Data Protection Act 2018 (intelligence services processing: right to object to processing).

(1C)

The condition in this paragraph is that—

(a)

on a request under Article 15(1) of the GDPR (general processing: right of access by the data subject) for access to personal data, the information would be withheld in reliance on provision made by or under section 15, 16 or 26 of, or Schedule 2, 3 or 4 to, the Data Protection Act 2018,

(b)

on a request under section 45(1)(b) of that Act (law enforcement processing: right of access by the data subject), the information would be withheld in reliance on subsection (4) of that section, or

(c)

on a request under section 94(1)(b) of that Act (intelligence services processing: rights of access by the data subject), the information would be withheld in reliance on a provision of Chapter 6 of Part 4 of that Act.

(1D)

In this regulation—

the data protection principles” means the principles set out in—

(a)

Article 5(1) of the GDPR,

(b)

section 34(1) of the Data Protection Act 2018, and

(c)

section 85(1) of that Act;

“the GDPR” and references to a provision of Chapter 2 of Part 2 of the Data Protection Act 2018 have the same meaning as in Parts 5 to 7 of that Act (see section 3(10), (11) and (14) of that Act);

personal data” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2) and (14) of that Act).

(1E)

In determining for the purposes of this regulation whether the lawfulness principle in Article 5(1)(a) of the GDPR would be contravened by the disclosure of information, Article 6(1) of the GDPR (lawfulness) is to be read as if the second sub-paragraph (disapplying the legitimate interests gateway in relation to public authorities) were omitted.”

(4)

Omit paragraphs (2) to (4).