Data Protection Act 2018 (c. 12)
Part 1 Preliminary (ss. 1-3)
3. Terms relating to the processing of personal data
DRAFT Text amended Schedule 11 Further minor provision about data protection of the Data (Use and Access) Bill [HL] (updated 17 December 2024)
DRAFT Text inserted 106 Regulations under the UK GDPR of the Data (Use and Access) Bill [HL] (updated 17 December 2024)
DRAFT Subsection inserted 115 The Information Commission of the Data (Use and Access) Bill [HL] (updated 17 December 2024)
DRAFT Subsection omitted 116 Abolition of the office of Information Commissioner of the Data (Use and Access) Bill [HL] (updated 17 December 2024)
(1) This section defines some terms used in this Act.
(2) "Personal data" means any information relating to an identified or identifiable living individual (subject to subsection (14)(c)).
(3) "Identifiable living individual" means a living individual who can be identified, directly or indirectly, in particular by reference to -
(a) an identifier such as a name, an identification number, location data or an online identifier, or
(b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.