A bill to Make provision for the regulation of the processing of information relating to identified or identifiable living individuals; to make provision about services consisting of the use of information to ascertain and verify facts about individuals; to make provision about access to customer data and business data; to make provision about privacy and electronic communications; to make provision about services for the provision of electronic signatures, electronic seals and other trust services; to make provision about the disclosure of information to improve public service delivery; to make provision for the implementation of agreements on sharing information for law enforcement purposes; to make provision about the keeping and maintenance of registers of births and deaths; to make provision about information standards for health and social care; to establish the Information Commission; to make provision about oversight of biometric data; and for connected purposes.
Be it enacted by the King’s most Excellent Majesty, by and with the advice and consent of the Lords Spiritual and Temporal, and Commons, in this present Parliament assembled, and by the authority of the same, as follows:—
Part 1 — Data protection¶
Definitions¶
1 Information relating to an identifiable living individual¶
, and(and see section 3A for provision about when information relates to an identifiable living individual).
(3A) An individual is identifiable from information “directly” if the individual can be identified without the use of additional information. (3B) An individual is identifiable from information “indirectly” if the individual can be identified only with the use of additional information.
3A Information relating to an identifiable living individual
(1) For the purposes of this Act, information being processed is information relating to an identifiable living individual only in cases described in subsections (2) and (3). (2) The first case is where the living individual is identifiable (as described in section 3(3)) by the controller or processor by reasonable means at the time of the processing. (3) The second case is where the controller or processor knows, or ought reasonably to know, that— (a) another person will, or is likely to, obtain the information as a result of the processing, and (b) the living individual will be, or is likely to be, identifiable (as described in section 3(3)) by that person by reasonable means at the time of the processing. (4) The reference in subsection (3)(a) to obtaining the information as a result of the processing includes obtaining the information as a result of the controller or processor carrying out the processing without implementing appropriate technical and organisational measures to mitigate the risk of the information being obtained by persons with whom the controller or processor does not intend to share the information. (5) For the purposes of this section, an individual is identifiable by a person “by reasonable means” if the individual is identifiable by the person by any means that the person is reasonably likely to use. (6) For the purposes of subsection (5), whether a person is reasonably likely to use a means of identifying an individual is to be determined taking into account, among other things— (a) the time, effort and costs involved in identifying the individual by that means, and (b) the technology and other resources available to the person.
,(1A) an individual is identifiable from information “directly” if the individual can be identified without the use of additional information; (1B) an individual is identifiable from information “indirectly” if the individual can be identified only with the use of additional information;
, and(5) pseudonymisation means the processing of personal data in such a manner that it becomes information relating to a living individual who is only indirectly identifiable; but personal data is only pseudonymised if the additional information needed to identify the individual is kept separately and is subject to technical and organisational measures to ensure that the personal data is not information relating to an identified or directly identifiable living individual;
2 Section 3A of the 2018 Act (information relating to an identifiable living individual) applies for the purposes of this Regulation as it applies for the purposes of that Act (and, as so applied, the references in that section to section 3(3) of that Act are to be read as references to Article 4(1)(1) of this Regulation).
2 Meaning of research and statistical purposes¶
In Article 4 of the UK GDPR (definitions), after paragraph 2 (inserted by section 1 of this Act) insert—3. References in this Regulation to the processing of personal data for the purposes of scientific research (including references to processing for “scientific research purposes”) are references to processing for the purposes of any research that can reasonably be described as scientific, whether publicly or privately funded and whether carried out as a commercial or non-commercial activity. 4. Such references— (a) include processing for the purposes of technological development or demonstration, fundamental research or applied research, so far as those activities can reasonably be described as scientific, but (b) only include processing for the purposes of a study in the area of public health that can reasonably be described as scientific where the study is conducted in the public interest. 5. References in this Regulation to the processing of personal data for the purposes of historical research (including references to processing for “historical research purposes”) include processing for the purposes of genealogical research. 6. References in this Regulation to the processing of personal data for statistical purposes are references to processing for statistical surveys or for the production of statistical results where— (a) the information that results from the processing is aggregate data that is not personal data, and (b) the controller does not use the personal data processed, or the information that results from the processing, in support of measures or decisions with respect to a particular data subject to whom the personal data relates.
3 Consent to processing for the purposes of scientific research¶
7. A data subject’s consent is to be treated as falling within the definition of “consent” in point (11) of paragraph 1 if— (a) it does not fall within that definition because (and only because) the consent is given to the processing of personal data for the purposes of an area of scientific research, (b) at the time the consent is sought, it is not possible to identify fully the purposes for which personal data is to be processed, (c) seeking consent in relation to the area of scientific research is consistent with generally recognised ethical standards relevant to the area of research, and (d) so far as the intended purposes of the processing allow, the data subject is given the opportunity to consent only to processing for part of the research. 8. References in this Regulation to consent given for a specific purpose (however expressed) include consent described in paragraph 7.
4 Consent to law enforcement processing¶
(1A) “Consent” of the data subject to the processing of personal data means a freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of the personal data (and see section 40A).
.(aa) section 40A makes provision about processing carried out in reliance on the consent of the data subject,
40A Conditions for consent
(1) This section is about processing of personal data that is carried out in reliance on the consent of the data subject. (2) The controller must be able to demonstrate that the data subject consented to the processing. (3) If the data subject’s consent is given in writing as part of a document which also concerns other matters, the request for consent must be made— (a) in a manner which clearly distinguishes the request from the other matters, (b) in an intelligible and easily accessible form, and (c) in clear and plain language. (4) Any part of a document described in subsection (3) which constitutes an infringement of this Part is not binding. (5) The data subject may withdraw the consent at any time (but the withdrawal of consent does not affect the lawfulness of processing in reliance on the consent before its withdrawal). (6) Processing may only be carried out in reliance on consent if— (a) before the consent is given, the controller or processor informs the data subject of the right to withdraw it, and (b) it is as easy for the data subject to withdraw the consent as to give it. (7) When assessing whether consent is freely given, account must be taken of, among other things, whether the provision of a service is conditional on consent to the processing of personal data that is not necessary for the provision of that service.
Data protection principles¶
5 Lawfulness of processing¶
, and(ea) processing is necessary for the purposes of a recognised legitimate interest;
5. For the purposes of paragraph 1(ea), processing is necessary for the purposes of a recognised legitimate interest only if it meets a condition in Annex 1. 6. The Secretary of State may by regulations amend Annex 1 by— (a) adding or varying provisions, or (b) omitting provisions added by regulations made under this paragraph. 7. The Secretary of State may only make regulations under paragraph 6 where the Secretary of State considers it appropriate to do so having regard to, among other things— (a) the interests and fundamental rights and freedoms of data subjects which require protection of personal data, and (b) where relevant, the need to provide children with special protection with regard to their personal data. 8. Regulations under paragraph 6 are subject to the affirmative resolution procedure. 9. For the purposes of paragraph 1(f), examples of types of processing that may be processing that is necessary for the purposes of a legitimate interest include— (a) processing that is necessary for the purposes of direct marketing, (b) intra-group transmission of personal data (whether relating to clients, employees or other individuals) where that is necessary for internal administrative purposes, and (c) processing that is necessary for the purposes of ensuring the security of network and information systems. 10. In paragraph 9— intra-group transmission means transmission between members of a group of undertakings or between members of a group of institutions affiliated to a central body; security of network and information systems has the same meaning as in the Network and Information Systems Regulations 2018 (S.I. 2018/506) (see regulation 1(3)(g)).
6 The purpose limitation¶
3. For the avoidance of doubt, processing is not lawful by virtue only of being processing in a manner that is compatible with the purposes for which the personal data was collected.
Article 8APurpose limitation: further processing
1. This Article is about the determination, for the purposes of Article 5(1)(b) (purpose limitation), of whether processing of personal data by or on behalf of a controller for a purpose (a “new purpose”) other than the purpose for which the controller collected the data (“the original purpose”) is processing in a manner compatible with the original purpose. 2. In making the determination, a person must take into account, among other things— (a) any link between the original purpose and the new purpose; (b) the context in which the personal data was collected, including the relationship between the data subject and the controller; (c) the nature of the personal data, including whether it is a special category of personal data (see Article 9) or personal data related to criminal convictions and offences (see Article 10); (d) the possible consequences of the intended processing for data subjects; (e) the existence of appropriate safeguards (for example, encryption or pseudonymisation). 3. Processing of personal data for a new purpose is to be treated as processing in a manner compatible with the original purpose where— (a) the data subject consents to the processing of personal data for the new purpose and the new purpose is specified, explicit and legitimate, (b) the processing is carried out in accordance with Article 84B— (i) for the purposes of scientific research or historical research, (ii) for the purposes of archiving in the public interest, or (iii) for statistical purposes, (c) the processing is carried out for the purposes of ensuring that processing of personal data complies with Article 5(1) or demonstrating that it does so, (d) the processing meets a condition in Annex 2, or (e) the processing is necessary to safeguard an objective listed in Article 23(1)(c) to (j) and is authorised by an enactment or rule of law. 4. Where the controller collected the personal data based on Article 6(1)(a) (data subject’s consent), processing for a new purpose is only processing in a manner compatible with the original purpose if— (a) it falls within paragraph 3(a) or (c), or (b) it falls within paragraph 3(d) or (e) and the controller cannot reasonably be expected to obtain the data subject’s consent. 5. The Secretary of State may by regulations amend Annex 2 by— (a) adding or varying provisions, or (b) omitting provisions added by regulations made under this paragraph. 6. The Secretary of State may only make regulations under paragraph 5 adding a case to Annex 2 where the Secretary of State considers that processing in that case is necessary to safeguard an objective listed in Article 23(1)(c) to (j). 7. Regulations under paragraph 5 may make provision identifying processing by any means, including by reference to the controller, the data subject, the personal data or the provision of Article 6(1) relied on for the purposes of the processing. 8. Regulations under paragraph 5 are subject to the affirmative resolution procedure.
Special categories of personal data¶
7 Elected representatives responding to requests¶
In paragraph 23 of Schedule 1 to the 2018 Act (special categories of personal data: elected representatives responding to requests), in sub-paragraph (4), for “fourth day after” substitute “period of 30 days beginning with the day after”.Data subjects’ rights¶
8 Vexatious or excessive requests by data subjects¶
Article 12AVexatious or excessive requests
1. Paragraph 2 applies where a request from a data subject under any of Articles 15 to 22 or 34 is vexatious or excessive. 2. The controller may— (a) charge a reasonable fee for dealing with the request (see section 12 of the 2018 Act), or (b) refuse to act on the request. 3. In any proceedings where there is an issue as to whether a request is vexatious or excessive, it is for the controller to show that it is. 4. Whether a request is vexatious or excessive must be determined having regard to the circumstances of the request, including (so far as relevant)— (a) the nature of the request, (b) the relationship between the data subject and the controller, (c) the resources available to the controller, (d) the extent to which the request repeats a previous request made by the data subject to the controller, (e) how long ago any previous request was made, and (f) whether the request overlaps with other requests made by the data subject to the controller. 5. Examples of requests that may be vexatious include requests that— (a) are intended to cause distress, (b) are not made in good faith, or (c) are an abuse of process.
,(A1) Subsection (1) applies where a request from a data subject under section 45, 46, 47 or 50 is vexatious or excessive (see section 204A).
,(4A) The Secretary of State may by regulations— (a) require controllers of a description specified in the regulations to produce and publish guidance about the fees that they charge in accordance with subsection (1)(a), and (b) specify what the guidance must include.
(6) If, in reliance on subsection (1)(b), the controller does not take action on the request, the controller must inform the data subject of— (a) the reasons for not doing so, and (b) the data subject’s right to lodge a complaint with the Commissioner. (7) The controller must comply with subsection (6)— (a) without undue delay, and (b) in any event, before the end of the applicable time period (as to which see section 54).
,(2A) A controller is not obliged to provide information under this section in response to a request that is vexatious or excessive (see section 204A).
(11A) In any proceedings where there is an issue as to whether a request is vexatious or excessive, it is for the controller to show that it is.
204A Vexatious or excessive
(1) For the purposes of this Act, whether a request is vexatious or excessive must be determined having regard to the circumstances of the request, including (so far as relevant)— (a) the nature of the request, (b) the relationship between the person making the request (the “sender”) and the person receiving it (the “recipient”), (c) the resources available to the recipient, (d) the extent to which the request repeats a previous request made by the sender to the recipient, (e) how long ago any previous request was made, and (f) whether the request overlaps with other requests made by the sender to the recipient. (2) For the purposes of this Act, examples of requests that may be vexatious include requests that— (a) are intended to cause distress, (b) are not made in good faith, or (c) are an abuse of process.
.excessive
“vexatious
9 Time limits for responding to requests by data subjects¶
, and(a)
(b) delay dealing with the request until the identity is confirmed.
Article 12BMeaning of “applicable time period”
1. In Article 12, “the applicable time period” means the period of one month beginning with the relevant time, subject to paragraph 3. 2. “The relevant time” means the latest of the following— (a) when the controller receives the request in question; (b) when the controller receives the information (if any) requested in connection with a request under Article 12(6); (c) when the fee (if any) charged in connection with the request under Article 12A is paid. 3. The controller may, by giving notice to the data subject, extend the applicable time period by two further months where that is necessary by reason of— (a) the complexity of requests made by the data subject, or (b) the number of such requests. 4. A notice under paragraph 3 must— (a) be given before the end of the period of one month beginning with the relevant time, and (b) state the reasons for the delay. 5. Where the controller reasonably requires further information in order to identify the information or processing activities to which a request under Article 15 relates— (a) the controller may ask the data subject to provide the further information, and (b) the period beginning with the day on which the controller makes the request and ending with the day on which the controller receives the information does not count towards— (i) the applicable time period, or (ii) the period described in paragraph 4(a). 6. An example of a case in which a controller may reasonably require further information is where the controller processes a large amount of information concerning the data subject.
, and(3A) The controller may, by giving notice to the data subject, extend the applicable time period by two further months where that is necessary by reason of— (a) the complexity of requests made by the data subject, or (b) the number of such requests. (3B) A notice under subsection (3A) must— (a) be given before the end of the period of one month beginning with the relevant time, and (b) state the reasons for the delay. (3C) Where the controller reasonably requires further information in order to identify the information or processing activities to which a request under section 45(1) relates— (a) the controller may ask the data subject to provide the further information, and (b) the period beginning with the day on which the controller makes the request and ending with the day on which the controller receives the information does not count towards— (i) the applicable time period, or (ii) the period described in subsection (3B)(a). (3D) An example of a case in which a controller may reasonably require further information is where the controller processes a large amount of information concerning the data subject.
, andthe applicable time period means the period of one month beginning with the relevant time, subject to subsection (14A);
(14A) The controller may, by giving notice to the data subject, extend the applicable time period by two further months where that is necessary by reason of— (a) the complexity of requests made by the data subject, or (b) the number of such requests. (14B) A notice under subsection (14A) must— (a) be given before the end of the period of one month beginning with the relevant time, and (b) state the reasons for the delay.
10 Information to be provided to data subjects¶
5. Paragraph 3 does not apply to the extent that— (a) the controller intends to further process the personal data— (i) for (and only for) the purposes of scientific or historical research, the purposes of archiving in the public interest or statistical purposes, and (ii) in accordance with Article 84B, and (b) providing the information is impossible or would involve a disproportionate effort. 6. For the purposes of paragraph 5(b), whether providing information would involve a disproportionate effort depends on, among other things, the number of data subjects, the age of the personal data and any appropriate safeguards applied to the processing.
(e) providing the information is impossible or would involve a disproportionate effort, or (f) the obligation referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of the processing for which the personal data are intended.
6. For the purposes of paragraph 5(e), whether providing information would involve a disproportionate effort depends on, among other things, the number of data subjects, the age of the personal data and any appropriate safeguards applied to the processing. 7. A controller relying on paragraph 5(e) or (f) must take appropriate measures to protect the data subject’s rights, freedoms and legitimate interests, including by making the information available publicly.
11 Data subjects’ rights to information: legal professional privilege exemption¶
.Data subject’s rights to information
45A Exemption from sections 44 and 45: legal professional privilege
(1) Sections 44(2) and 45(1) do not require the controller to give the data subject— (a) information in respect of which a claim to legal professional privilege or, in Scotland, confidentiality of communications could be maintained in legal proceedings, or (b) information in respect of which a duty of confidentiality is owed by a professional legal adviser to a client of the adviser. (2) A controller relying on the exemption in subsection (1) must inform the data subject in writing without undue delay of— (a) the decision to rely on the exemption, (b) the reason for the decision, (c) the data subject’s right to make a request to the Commissioner under section 51, (d) the data subject’s right to lodge a complaint with the Commissioner under section 165, and (e) the data subject’s right to apply to a court under section 167. (3) Subsection (2)(a) and (b) do not apply to the extent that complying with them would— (a) undermine a claim described in subsection (1)(a), or (b) conflict with a duty described in subsection (1)(b). (4) The controller must— (a) record the reason for a decision to rely on the exemption in subsection (1), and (b) if requested to do so by the Commissioner, make the record available to the Commissioner. (5) The reference in subsection (1) to sections 44(2) and 45(1) includes sections 35 to 40 so far as their provisions correspond to the rights and obligations provided for in sections 44(2) and 45(1).
,(ba) relies on the exemption from sections 44(2) and 45(1) in section 45A (legal professional privilege),
,(aa) where subsection (1)(ba) applies, request the Commissioner to check that the controller was entitled to rely on the exemption;
, and(aa) where subsection (1)(ba) applies, whether the Commissioner is satisfied that the controller was entitled to rely on the exemption;
Automated decision-making¶
12 Automated decision-making¶
Section 4A Automated individual decision-making
Article 22AAutomated processing and significant decisions
1. For the purposes of Articles 22B and 22C— (a) a decision is based solely on automated processing if there is no meaningful human involvement in the taking of the decision, and (b) a decision is a significant decision, in relation to a data subject, if— (i) it produces a legal effect for the data subject, or (ii) it has a similarly significant effect for the data subject. 2. When considering whether there is meaningful human involvement in the taking of a decision, a person must consider, among other things, the extent to which the decision is reached by means of profiling. Article 22BRestrictions on automated decision-making
1. A significant decision based entirely or partly on special categories of personal data referred to in Article 9(1) may not be taken based solely on automated processing, unless one of the following conditions is met. 2. The first condition is that the decision is based entirely on processing of personal data to which the data subject has given explicit consent. 3. The second condition is that— (a) the decision is— (i) necessary for entering into, or performing, a contract between the data subject and a controller, or (ii) required or authorised by law, and (b) point (g) of Article 9(2) applies. 4. A significant decision may not be taken based solely on automated processing if the processing of personal data carried out by, or on behalf of, the decision-maker for the purposes of the decision is carried out entirely or partly in reliance on Article 6(1)(ea). Article 22CSafeguards for automated decision-making
1. Where a significant decision taken by or on behalf of a controller in relation to a data subject is— (a) based entirely or partly on personal data, and (b) based solely on automated processing, the controller must ensure that safeguards for the data subject’s rights, freedoms and legitimate interests are in place which comply with paragraph 2 and any regulations under Article 22D(4).2. The safeguards must consist of or include measures which— (a) provide the data subject with information about decisions described in paragraph 1 taken in relation to the data subject; (b) enable the data subject to make representations about such decisions; (c) enable the data subject to obtain human intervention on the part of the controller in relation to such decisions; (d) enable the data subject to contest such decisions. Article 22DFurther provision about automated decision-making
1. The Secretary of State may by regulations provide that, for the purposes of Article 22A(1)(a), there is, or is not, to be taken to be meaningful human involvement in the taking of a decision in cases described in the regulations. 2. The Secretary of State may by regulations provide that, for the purposes of Article 22A(1)(b)(ii), a description of decision is, or is not, to be taken to have a similarly significant effect for the data subject. 3. Regulations under paragraph 1 or 2 may amend Article 22A. 4. The Secretary of State may by regulations make further provision about the safeguards required under Article 22C(1), including provision about what is, or is not, to be taken to satisfy a requirement under Article 22C(1) or (2). 5. Regulations under paragraph 4 may amend Article 22C— (a) by adding or varying safeguards, and (b) by omitting provision added by regulations under that paragraph. 6. Regulations under this Article are subject to the affirmative resolution procedure.
50A Automated processing and significant decisions
(1) For the purposes of sections 50B and 50C— (a) a decision is based solely on automated processing if there is no meaningful human involvement in the taking of the decision, and (b) a decision is a significant decision, in relation to a data subject, if— (i) it produces an adverse legal effect for the data subject, or (ii) it has a similarly significant adverse effect for the data subject. (2) When considering whether there is meaningful human involvement in the taking of a decision, a person must consider, among other things, the extent to which the decision is reached by means of profiling. 50B Restrictions on automated decision-making using sensitive personal data
(1) A significant decision based entirely or partly on sensitive personal data may not be taken based solely on automated processing, unless one of the following conditions is met. (2) The first condition is that the decision is based entirely on processing of personal data to which the data subject has given explicit consent. (3) The second condition is that the decision is required or authorised by law. 50C Safeguards for automated decision-making
(1) Subject to subsection (3), where a significant decision taken by or on behalf of a controller in relation to a data subject is— (a) based entirely or partly on personal data, and (b) based solely on automated processing, the controller must ensure that safeguards for the data subject’s rights, freedoms and legitimate interests are in place which comply with subsection (2) and any regulations under section 50D(4).(2) The safeguards must consist of or include measures which— (a) provide the data subject with information about decisions described in subsection (1) taken in relation to the data subject; (b) enable the data subject to make representations about such decisions; (c) enable the data subject to obtain human intervention on the part of the controller in relation to such decisions; (d) enable the data subject to contest such decisions. (3) Subsections (1) and (2) do not apply in relation to a significant decision if— (a) exemption from those provisions is required for a reason listed in subsection (4), (b) the controller reconsiders the decision as soon as reasonably practicable, and (c) there is meaningful human involvement in the reconsideration of the decision. (4) Those reasons are— (a) to avoid obstructing an official or legal inquiry, investigation or procedure; (b) to avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties; (c) to protect public security; (d) to safeguard national security; (e) to protect the rights and freedoms of others. (5) When considering whether there is meaningful human involvement in the reconsideration of a decision, a person must consider, among other things, the extent to which the conclusion reached on reconsideration is reached by means of profiling. 50D Further provision about automated decision-making
(1) The Secretary of State may by regulations provide that, for the purposes of sections 50A(1)(a) and 50C(3)(c), there is, or is not, to be taken to be meaningful human involvement in the taking or reconsideration of a decision in cases described in the regulations. (2) The Secretary of State may by regulations provide that, for the purposes of section 50A(1)(b)(ii), a description of decision is, or is not, to be taken to have a similarly significant adverse effect for the data subject. (3) Regulations under subsection (1) or (2) may amend section 50A. (4) The Secretary of State may by regulations make further provision about the safeguards required under section 50C(1), including provision about what is, or is not, to be taken to satisfy a requirement under section 50C(1) or (2). (5) Regulations under subsection (4) may amend section 50C— (a) by adding or varying safeguards, and (b) by omitting provision added by regulations under that subsection. (6) Regulations under this section are subject to the affirmative resolution procedure.
(4) For the purposes of this section and section 97, a decision is based on entirely automated processing if the decision-making process does not include an opportunity for a human being to accept, reject or influence the decision.
Obligations of controllers and processors¶
13 General obligations¶
14 Removal of requirement for representatives for controllers etc outside the UK¶
15 Senior responsible individual¶
.Section 1A Senior responsible individual
Article 27ADesignation of senior responsible individual
1. This Article and Articles 27B and 27C apply to a controller or processor that— (a) is a public body, or (b) carries out processing of personal data which, taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of individuals, other than a court or tribunal acting in its judicial capacity.2. The controller or processor must designate one individual to be its senior responsible individual, subject to paragraph 3(b). 3. Where the controller or processor is an organisation— (a) a designated individual must be part of the organisation’s senior management, and (b) the controller or processor may designate two or more individuals to act jointly as its senior responsible individual where the individuals are employed part-time and share a single role within the organisation’s senior management. 4. The controller or processor must— (a) ensure that the current contact details of the senior responsible individual are publicly available, and (b) send those details to the Commissioner. 5. In this Article, “senior management”, in relation to an organisation, means the individuals who play significant roles in the making of decisions about how the whole or a substantial part of its activities are to be managed or organised. Article 27BSenior responsible individual’s tasks
1. The senior responsible individual designated by a controller must be responsible at least for performing the tasks listed in paragraph 2 or securing that they are performed by another person. 2. Those tasks are— (a) monitoring compliance by the controller with the data protection legislation; (b) ensuring that the controller develops, implements, reviews and updates measures to ensure its compliance with the data protection legislation; (c) informing and advising the controller, any processor engaged by the controller and employees of the controller who carry out processing of personal data of their obligations under the data protection legislation; (d) organising training for employees of the controller who carry out processing of personal data; (e) dealing with complaints made to the controller in connection with the processing of personal data; (f) dealing with personal data breaches; (g) co-operating with the Commissioner on behalf of the controller; (h) acting as the contact point for the Commissioner on issues relating to processing of personal data. 3. The senior responsible individual designated by a processor must be responsible at least for performing the tasks listed in paragraph 4 or securing that they are performed by another person. 4. Those tasks are— (a) monitoring compliance by the processor with Articles 28, 30A and 32; (b) co-operating with the Commissioner on behalf of the processor; (c) acting as the contact point for the Commissioner on issues relating to processing of personal data. 5. Where the performance of one of its tasks would result in a conflict of interests, the senior responsible individual must secure that the task is performed by another person. 6. In deciding whether one or more of their tasks should be performed by another person (whether alone or jointly with others) and, if so, by whom, the senior responsible individual must consider, among other things— (a) the other person’s professional qualifications and knowledge of the data protection legislation, (b) the resources likely to be available to the other person to carry out the task, and (c) whether the other person is involved in day-to-day processing of personal data for the controller or processor and, if so, whether that affects the person’s ability to perform the task. Article 27CSenior responsible individual’s position
1. A controller or processor must support its senior responsible individual in the performance of the individual’s tasks, including by providing the individual with appropriate resources. 2. A controller or processor must not dismiss or penalise its senior responsible individual for performing the individual’s tasks. 3. Where the senior responsible individual decides that one or more of its tasks should be performed by another person, the controller or processor must ensure that the person— (a) has appropriate resources to perform the task, (b) is not dismissed or penalised by the controller or processor for performing the task, and (c) does not receive instructions about the performance of the task. 4. Paragraph 3(c) does not require the controller or processor to prevent instructions being given by the senior responsible individual or another person performing a task for the senior responsible individual, except where such instructions would involve a conflict of interests. Section 1B Processor etc
.Senior responsible individual
58A Designation of senior responsible individual
(1) This section and sections 58B and 58C apply to all controllers and processors other than a court, or other judicial authority, acting in its judicial capacity. (2) The controller or processor must designate one individual to be its senior responsible individual. (3) Where the controller or processor is an organisation— (a) a designated individual must be part of the organisation’s senior management, and (b) the controller or processor may designate two or more individuals to act jointly as its senior responsible individual where the individuals are employed part-time and share a single role within the organisation’s senior management. (4) The controller or processor must— (a) ensure that the current contact details of the senior responsible individual are publicly available, and (b) send those details to the Commissioner. (5) In this section, “senior management”, in relation to an organisation, means the individuals who play significant roles in the making of decisions about how the whole or a substantial part of its activities are to be managed or organised. 58B Tasks of the senior responsible individual
(1) The senior responsible individual designated by a controller must be responsible at least for performing the tasks listed in subsection (2) or securing that they are performed by another person. (2) Those tasks are— (a) monitoring compliance by the controller with the data protection legislation; (b) ensuring that the controller develops, implements, reviews and updates measures to ensure its compliance with the data protection legislation; (c) informing and advising the controller, any processor engaged by the controller and employees of the controller who carry out processing of personal data of their obligations under the data protection legislation; (d) organising training for employees of the controller who carry out processing of personal data; (e) dealing with complaints made to the controller in connection with the processing of personal data; (f) dealing with personal data breaches; (g) co-operating with the Commissioner on behalf of the controller; (h) acting as the contact point for the Commissioner on issues relating to processing of personal data. (3) The senior responsible individual designated by a processor must be responsible at least for performing the tasks listed in subsection (4) or securing that they are performed by another person. (4) Those tasks are— (a) monitoring compliance by the processor with sections 59, 61A and 66; (b) co-operating with the Commissioner on behalf of the processor; (c) acting as the contact point for the Commissioner on issues relating to processing of personal data. (5) Where the performance of one of its tasks would result in a conflict of interests, the senior responsible individual must secure that the task is performed by another person. (6) In deciding whether one or more of their tasks should be performed by another person (whether alone or jointly with others), and, if so, by whom, the senior responsible individual must consider, among other things— (a) the other person’s professional qualifications and knowledge of the data protection legislation, (b) the resources likely to be available to the other person to carry out the task, and (c) whether the other person is involved in day-to-day processing of personal data for the controller or processor and, if so, whether that affects the person’s ability to perform the task. 58C Senior responsible individual’s position
(1) A controller or processor must support its senior responsible individual in the performance of the individual’s tasks, including by providing the individual with appropriate resources. (2) A controller or processor must not dismiss or penalise its senior responsible individual for performing the individual’s tasks. (3) Where its senior responsible individual decides that one or more of its tasks should be performed by another person, the controller or processor must ensure that the person— (a) has appropriate resources to perform the task, (b) is not dismissed or penalised by the controller or processor for performing the task, and (c) does not receive instructions about the performance of the task. (4) Subsection (3)(c) does not require the controller or processor to prevent instructions being given by the senior responsible individual or another person performing a task for the senior responsible individual, except where such instructions would involve a conflict of interests. Processor etc
16 Duty to keep records¶
.Section 1C Records and co-operation with the Commissioner
Article 30ARecords of processing of personal data
1. In this Article— (a) paragraphs 2 to 4, 8 and 9 apply to a controller that carries out processing of personal data which, taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of individuals, and (b) paragraphs 5 to 9 apply to a processor that carries out such processing. 2. The controller must maintain appropriate records of processing of personal data carried out by or on behalf of the controller. 3. The controller’s records must include at least the following information about the personal data in respect of which the controller is for the time being a controller— (a) where the personal data is (including information about any personal data that is outside the United Kingdom), (b) the purposes for which the controller is processing the personal data, (c) the categories of person with whom the controller has shared, or intends to share, the personal data (including persons who are in third countries or international organisations), (d) how long the controller intends to retain the personal data, (e) whether the personal data includes special categories of personal data referred to in Article 9(1) and, if so, which categories, and (f) whether the personal data includes personal data relating to criminal convictions and offences or related security measures referred to in Article 10(1) and, if so, which types of such data. 4. Where possible, the controller’s records must include information about how it ensures that personal data is secure. 5. The processor must maintain appropriate records of its processing of personal data. 6. The processor’s records must include at least the following information about the personal data in respect of which it is for the time being a processor— (a) the name and contact details of each controller on behalf of which the processor is acting, and (b) where the personal data is (including information about any personal data that is outside the United Kingdom). 7. Where possible, the processor’s records must include information about how it ensures that personal data is secure. 8. A controller or processor must make the records maintained under this Article available to the Commissioner on request. 9. In deciding what is appropriate for the purposes of this Article, a controller or processor must take into account, among other things— (a) the nature, scope, context and purposes of processing carried out by or on behalf of the controller or by the processor, (b) the risks for the rights and freedoms of individuals arising from that processing, including the likelihood of risks arising and their severity, and (c) the resources available to the controller or processor.
.Records and co-operation with the Commissioner
61A Records of processing of personal data
(1) Each controller must maintain appropriate records of processing of personal data carried out by or on behalf of the controller. (2) The controller’s records must include at least the following information about the personal data in respect of which the controller is for the time being a controller— (a) where the personal data is (including information about any personal data that is outside the United Kingdom), (b) the purposes for which the controller is processing the personal data, (c) the categories of person with whom the controller has shared, or intends to share, the personal data (including persons who are in third countries or international organisations), (d) how long the controller intends to retain the personal data, and (e) whether the personal data includes personal data described in section 35(8) and, if so, which types of such data. (3) Where possible, the controller’s records must include information about how it ensures that personal data is secure. (4) Each processor must maintain appropriate records of its processing of personal data. (5) The processor’s records must include at least the following information about the personal data in respect of which it is for the time being a processor— (a) the name and contact details of each controller on behalf of which the processor is acting, and (b) where the personal data is (including information about any personal data that is outside the United Kingdom). (6) Where possible, the processor’s records must include information about how it ensures that personal data is secure. (7) A controller or processor must make the records maintained under this section available to the Commissioner on request. (8) In deciding what is appropriate for the purposes of this section, a controller or processor must take into account, among other things— (a) the nature, scope, context and purposes of processing carried out by or on behalf of the controller or by the processor, (b) the risks for the rights and freedoms of individuals arising from that processing, including the likelihood of risks arising and their severity, and (c) the resources available to the controller or processor.
17 Logging of law enforcement processing¶
In section 62 of the 2018 Act (logging of law enforcement processing)—18 Assessment of high risk processing¶
,7. The controller must produce a document recording compliance with this Article which includes at least— (a) a summary of the purposes of the processing, (b) an assessment of whether the processing is necessary for those purposes, (c) an assessment of the risks to individuals referred to in paragraph 1, and (d) a description of how the controller proposes to mitigate those risks.
.(k) produce and publish a document containing examples of types of processing which the Commissioner considers are likely to result in a high risk to the rights and freedoms of individuals (for the purposes of Articles 27A, 30A and 35);
.Risk assessment and prior consultation
(3) The controller must produce a document recording compliance with this section which includes at least— (a) a summary of the purposes of the processing, (b) an assessment of whether the processing is necessary for those purposes, (c) an assessment of the risks to the rights and freedoms of individuals referred to in subsection (1), and (d) a description of how the controller proposes to mitigate those risks.
19 Consulting the Commissioner prior to processing¶
20 General processing and codes of conduct¶
In Article 41 of the UK GDPR (monitoring of approved codes of conduct)—4A. If the action taken by a body under paragraph 4 consists of suspending or excluding a controller or processor from the code, the body must inform the Commissioner, giving reasons for taking that action.
21 Law enforcement processing and codes of conduct¶
(e) makes provision about codes of conduct (see section 68A).
(4) Adherence to a code of conduct approved under section 68A may be used by a controller as a means of demonstrating compliance with the requirements of this Part.
(7A) Adherence to a code of conduct approved under section 68A may be used by a processor as a means of demonstrating sufficient guarantees as described in subsection (2).
(3) Adherence to a code of conduct approved under section 68A may be used by a controller or processor as a means of demonstrating compliance with subsection (1).
Codes of conduct
68A Codes of conduct
(1) The Commissioner must encourage expert public bodies to produce codes of conduct intended to contribute to compliance with this Part. (2) Under subsection (1), the Commissioner must, among other things, encourage the production of codes which take account of the specific features of the various processing sectors. (3) For the purposes of this section— (a) “public body” means a body or other person whose functions are, or include, functions of a public nature, and (b) a public body is “expert” if, in the Commissioner’s opinion, the body has the knowledge and experience needed to produce a code of conduct described in subsection (1). (4) A code of conduct described in subsection (1) may, for example, make provision with regard to— (a) lawful and fair processing; (b) the collection of personal data; (c) the information provided to the public and to data subjects; (d) the exercise of the rights of data subjects; (e) the measures and procedures referred to in sections 56, 57 and 62; (f) the notification of personal data breaches to the Commissioner and the communication of personal data breaches to data subjects; (g) the transfer of personal data to third countries or international organisations; (h) out-of-court proceedings and other dispute resolution procedures for resolving disputes between controllers and data subjects with regard to processing. (5) The Commissioner must encourage expert public bodies to submit codes of conduct described in subsection (1) to the Commissioner in draft. (6) Where an expert public body does so, the Commissioner must— (a) provide the body with an opinion on whether the code correctly reflects the requirements of this Part, (b) decide whether to approve the code, and (c) if the code is approved, register and publish the code. (7) Subsections (5) and (6) apply in relation to amendments of a code of conduct that is for the time being approved under this section as they apply in relation to a code.
22 Obligations of controllers and processors: consequential amendments¶
Schedule 4 contains amendments consequential on this group of sections.International transfers of personal data¶
23 Transfers of personal data to third countries and international organisations¶
Safeguards for processing for research etc purposes¶
24 Safeguards for processing for research etc purposes¶
CHAPTER 8A — Safeguards for processing for research, archiving or statistical purposes
Article 84AResearch, archives and statistics
1. This Chapter makes provision about the processing of personal data— (a) for the purposes of scientific research or historical research, (b) for the purposes of archiving in the public interest, or (c) for statistical purposes. 2. Those purposes are referred to in this Chapter as “RAS purposes”. Article 84BAdditional requirements when processing for RAS purposes
1. Personal data may only be processed for RAS purposes if— (a) the processing consists of the collection of the personal data (whether from the data subject or otherwise), (b) the processing is carried out in order to convert the personal data into information which can be processed in a manner which does not permit the identification of a living individual, or (c) without the processing, the RAS purposes cannot be fulfilled. 2. For the purposes of paragraph 1, processing permits the identification of a living individual only in cases described in section 3A(2) and (3) of the 2018 Act (information relating to an identifiable living individual). 3. Processing of personal data for RAS purposes must be carried out subject to appropriate safeguards for the rights and freedoms of the data subject. Article 84CAppropriate safeguards
1. This Article makes provision about when the requirement under Article 84B(3) for processing of personal data to be carried out subject to appropriate safeguards is satisfied. 2. The requirement is not satisfied if the processing is likely to cause substantial damage or substantial distress to a data subject to whom the personal data relates. 3. The requirement is not satisfied if the processing is carried out for the purposes of measures or decisions with respect to a particular data subject to whom the personal data relates, except where the purposes for which the processing is carried out include the purposes of approved medical research. 4. The requirement is only satisfied if the safeguards include technical and organisational measures for the purpose of ensuring respect for the principle of data minimisation (see Article 5(1)(c)), such as, for example, pseudonymisation. 5. In this Article— approved medical research means medical research carried out by a person who has approval to carry out that research from— (a) a research ethics committee recognised or established by the Health Research Authority under Chapter 2 of Part 3 of the Care Act 2014, or (b) a body appointed by any of the following for the purpose of assessing the ethics of research involving individuals— (i) the Secretary of State, the Scottish Ministers, the Welsh Ministers or a Northern Ireland department; (ii) a relevant NHS body; (iii) United Kingdom Research and Innovation or a body that is a Research Council for the purposes of the Science and Technology Act 1965; (iv) an institution that is a research institution for the purposes of Chapter 4A of Part 7 of the Income Tax (Earnings and Pensions) Act 2003 (see section 457 of that Act); relevant NHS body means— (a) an NHS trust or NHS foundation trust in England, (b) an NHS trust or Local Health Board in Wales, (c) a Health Board or Special Health Board constituted under section 2 of the National Health Service (Scotland) Act 1978, (d) the Common Services Agency for the Scottish Health Service, or (e) any of the health and social care bodies in Northern Ireland falling within paragraphs (b) to (e) of section 1(5) of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1 (N.I.)). Article 84DAppropriate safeguards: further provision
1. The Secretary of State may by regulations make further provision about when the requirement for appropriate safeguards under Article 84B(3) is satisfied. 2. The power under this Article includes power to amend Article 84C by adding, varying or omitting provision, except that it does not include power— (a) to vary or omit paragraph 1 of that Article, or (b) to omit any of paragraphs 2 to 4 of that Article. 3. Regulations under this Article are subject to the affirmative resolution procedure.
25 Section 24: consequential provision¶
,(ba) Chapter 8A (safeguards for processing for research, archiving or statistical purposes);
National security¶
26 National security exemption¶
.(zi) Article 77 (right to lodge a complaint with the Commissioner);
78A National security exemption
(1) A provision mentioned in subsection (2) does not apply to personal data processed for law enforcement purposes if exemption from the provision is required for the purposes of safeguarding national security. (2) The provisions are— (a) Chapter 2 of this Part (principles), except for the provisions listed in subsection (3); (b) Chapter 3 of this Part (rights of the data subject); (c) in Chapter 4 of this Part— (i) section 67 (notification of personal data breach to the Commissioner); (ii) section 68 (communication of personal data breach to the data subject); (d) Chapter 5 of this Part (transfers of personal data to third countries etc), except for the provisions listed in subsection (4); (e) in Part 5— (i) section 119 (inspection in accordance with international obligations); (ii) in Schedule 13 (other general functions of the Commissioner), paragraphs 1(1)(a) and (g) and 2; (f) in Part 6— (i) sections 142 to 154 and Schedule 15 (Commissioner’s notices and powers of entry and inspection); (ii) sections 170 to 173 (offences relating to personal data); (g) in Part 7, section 187 (representation of data subjects). (3) The provisions of Chapter 2 of this Part (principles) which are excepted from the list in subsection (2) are— (a) section 35(1) (the first data protection principle) so far as it requires processing of personal data to be lawful; (b) section 35(2) to (5) (lawfulness of processing and restrictions on sensitive processing); (c) section 42 (safeguards: sensitive processing); (d) Schedule 8 (conditions for sensitive processing). (4) The provisions of Chapter 5 of this Part (transfers of personal data to third countries etc) which are excepted from the list in subsection (2) are— (a) the following provisions of section 73— (i) subsection (1)(a) (conditions for transfer), so far as it relates to the condition in subsection (2) of that section, and subsection (2) (transfer must be necessary for a law enforcement purpose); (ii) subsections (1)(d), (5) and (6) (conditions for transfer of personal data originally made available by a member State); (b) section 78 (subsequent transfers).
,(3A) Subject to subsection (5), a certificate signed by a Minister of the Crown certifying that exemption from all or any of the provisions listed in section 78A(2) is, or at any time was, required in relation to any personal data for the purposes of safeguarding national security is conclusive evidence of that fact.
,(a) may identify the personal data to which it applies by means of a general description, and (b) ”
.(ca) in Part 3 of this Act, section 78A, and
Intelligence services¶
27 Joint processing by intelligence services and competent authorities¶
,(A1) This Part— (a) applies to processing of personal data by an intelligence service, and (b) applies to processing of personal data by a qualifying competent authority where the processing is the subject of a designation notice that is for the time being in force (see sections 82A to 82E).
, and(2A) In this Part— competent authority has the same meaning as in Part 3; qualifying competent authority means a competent authority specified or described in regulations made by the Secretary of State.
(4) Regulations under this section are subject to the affirmative resolution procedure.
82A Designation of processing by a qualifying competent authority
(1) For the purposes of this Part, the Secretary of State may give a notice designating processing of personal data by a qualifying competent authority (a “designation notice”) where— (a) an application for designation of the processing is made in accordance with this section, and (b) the Secretary of State considers that designation of the processing is required for the purposes of safeguarding national security. (2) The Secretary of State may only designate processing by a qualifying competent authority that is carried out by the authority as a joint controller with at least one intelligence service. (3) The Secretary of State may not designate processing by a qualifying competent authority that consists of the transfer of personal data to— (a) a country or territory outside the United Kingdom, or (b) an international organisation. (4) A designation notice must— (a) specify or describe the processing and qualifying competent authority that are designated, and (b) be given to the applicants for the designation (and see also section 82D). (5) An application for designation of processing of personal data by a qualifying competent authority must be made jointly by— (a) the qualifying competent authority, and (b) the intelligence service with which the processing is to be carried out. (6) An application may be made in respect of more than one qualifying competent authority and in respect of processing with more than one intelligence service. (7) The application must— (a) describe the processing, including the intended purposes and means of processing, and (b) explain why the applicants consider that designation is required for the purposes of safeguarding national security. (8) Before giving a designation notice, the Secretary of State must consult the Commissioner. (9) In this section, “joint controller”, in relation to processing of personal data, means a controller whose responsibilities for compliance with this Part in relation to the processing are determined in an arrangement under section 104. 82B Duration of designation notice
(1) A designation notice must state when it comes into force. (2) A designation notice ceases to be in force at the earliest of the following times— (a) at the end of the period of 5 years beginning with the day on which it comes into force; (b) (if relevant) at the end of a shorter period specified in the notice; (c) when the notice is withdrawn under section 82C. (3) The Secretary of State may give a further designation notice in respect of processing that is, or has been, the subject of a previous designation notice. 82C Review and withdrawal of designation notice
(1) Subsections (2) to (4) apply where processing is the subject of a designation notice for the time being in force. (2) A person who applied for the designation of the processing must notify the Secretary of State without undue delay if the person considers that the designation is no longer required for the purposes of safeguarding national security. (3) A person who applied for the designation of the processing must, on a request from the Secretary of State, provide— (a) a description of the processing that is being, or is intended to be, carried out in reliance on the notice, and (b) an explanation of why the person considers that designation of the processing continues to be required for the purposes of safeguarding national security. (4) The Secretary of State must at least annually— (a) review each designation notice that is for the time being in force, and (b) consider whether designation of the processing which is the subject of the notice continues to be required for the purposes of safeguarding national security. (5) The Secretary of State— (a) may withdraw a designation notice by giving a further notice (a “withdrawal notice”) to the persons who applied for the designation, and (b) must give a withdrawal notice if the Secretary of State considers that designation of some or all of the processing to which the notice applies is no longer required for the purposes of safeguarding national security (whether as a result of a review required under subsection (4) or otherwise). (6) A withdrawal notice must— (a) withdraw the designation notice completely, and (b) state when it comes into force. (7) In determining when a withdrawal notice required under subsection (5)(b) comes into force, the Secretary of State must consider— (a) the desirability of the processing ceasing to be designated as soon as possible, and (b) where relevant, the time needed to effect an orderly transition to new arrangements for the processing of personal data. 82D Records of designation notices
(1) Where the Secretary of State gives a designation notice— (a) the Secretary of State must send a copy of the notice to the Commissioner, and (b) the Commissioner must publish a record of the notice. (2) The record must contain— (a) the Secretary of State’s name, (b) the date on which the notice was given, (c) the date on which the notice ceases to have effect (if not previously withdrawn), and (d) subject to subsection (3), the rest of the text of the notice. (3) The Commissioner must not publish the text, or a part of the text, of the notice if— (a) the Secretary of State has determined that publishing the text or that part of the text— (i) would be against the interests of national security, (ii) would be contrary to the public interest, or (iii) might jeopardise the safety of any person, and (b) the Secretary of State has notified the Commissioner of that determination. (4) The Commissioner must keep the record of the notice available to the public while the notice is in force. (5) Where the Secretary of State gives a withdrawal notice, the Secretary of State must send a copy of the notice to the Commissioner. 82E Appeal against designation notice
(1) A person directly affected by a designation notice may appeal to the Tribunal against the notice. (2) If, on an appeal under this section, the Tribunal finds that, applying the principles applied by a court on an application for judicial review, the Secretary of State did not have reasonable grounds for giving the notice, the Tribunal may— (a) allow the appeal, and (b) quash the notice.
28 Joint processing: consequential amendments¶
(1A) This Part does not apply to processing to which Part 4 applies by virtue of a designation notice (see section 82A).
,(A1) For the purposes of this Part— (a) an intelligence service is the “controller” in relation to the processing of personal data if it satisfies subsection (1) alone or jointly with others, and (b) a qualifying competent authority is the “controller” in relation to the processing of personal data that is the subject of a designation notice that is for the time being in force if the authority satisfies subsection (1) jointly with others.
, and(2A) “Designation notice” has the meaning given in section 82A.
(6A) “Withdrawal notice” has the meaning given in section 82C.
at the appropriate places insert—
“designation notice (in Part 4)
section 84”;
“qualifying competent authority (in Part 4)
section 82”;
“withdrawal notice (in Part 4)
section 84”.
Information Commissioner’s role¶
29 Duties of the Commissioner in carrying out functions¶
Duties in carrying out functions
120A Principal objective
It is the principal objective of the Commissioner, in carrying out functions under the data protection legislation—(a) to secure an appropriate level of protection for personal data, having regard to the interests of data subjects, controllers and others and matters of general public interest, and (b) to promote public trust and confidence in the processing of personal data. 120B Duties in relation to functions under the data protection legislation
In carrying out functions under the data protection legislation, the Commissioner must have regard to such of the following as appear to the Commissioner to be relevant in the circumstances—(a) the desirability of promoting innovation; (b) the desirability of promoting competition; (c) the importance of the prevention, investigation, detection and prosecution of criminal offences; (d) the need to safeguard public security and national security. 120C Strategy
(1) The Commissioner must prepare a strategy for carrying out the Commissioner’s functions under the data protection legislation in accordance with the Commissioner’s duties under— (a) sections 120A and 120B, (b) section 108 of the Deregulation Act 2015 (exercise of regulatory functions: economic growth), and (c) section 21 of the Legislative and Regulatory Reform Act 2006 (exercise of regulatory functions: principles). (2) The Commissioner must— (a) review the strategy from time to time, and (b) revise the strategy as appropriate. (3) The Commissioner must publish the strategy and any revised strategy. 120D Duty to consult other regulators
(1) The Commissioner must, at such times as the Commissioner considers appropriate, consult the persons mentioned in subsection (2) about how the manner in which the Commissioner exercises functions under the data protection legislation may affect economic growth, innovation and competition. (2) The persons are— (a) such persons exercising regulatory functions as the Commissioner considers appropriate; (b) such other persons as the Commissioner considers appropriate. (3) In this section, “regulatory function” has the meaning given by section 111 of the Deregulation Act 2015.
(1A) In connection with the Commissioner’s functions under the data protection legislation, the report must contain (among other things)— (a) a review of what the Commissioner has done during the reporting period to comply with the duties under— (i) sections 120A and 120B, (ii) section 108 of the Deregulation Act 2015, and (iii) section 21 of the Legislative and Regulatory Reform Act 2006, including a review of the operation of the strategy prepared and published under section 120C;(b) a review of what the Commissioner has done during the reporting period to comply with the duty under section 120D. (1B) In subsection (1A), “the reporting period” means the period to which the report relates.
30 Strategic priorities¶
Strategic priorities
120E Designation of statement of strategic priorities
(1) The Secretary of State may designate a statement as the statement of strategic priorities for the purposes of this Part if the requirements set out in section 120H are satisfied. (2) The statement of strategic priorities is a statement prepared by the Secretary of State that sets out the strategic priorities of His Majesty’s government relating to data protection. (3) The Secretary of State must publish the statement of strategic priorities (including any amended statement following a review under section 120G) in whatever manner the Secretary of State considers appropriate. (4) In this Part, “the statement of strategic priorities” means the statement for the time being designated under subsection (1). 120F Duties of the Commissioner in relation to strategic priorities
(1) The Commissioner must have regard to the statement of strategic priorities when carrying out functions under the data protection legislation. (2) But the duty in subsection (1) does not apply when the Commissioner is carrying out functions in relation to a particular person, case or investigation. (3) Where the Secretary of State designates a statement as the statement of strategic priorities (including any amended statement following a review under section 120G), the Commissioner must— (a) explain in writing how the Commissioner will have regard to the statement when carrying out functions under the data protection legislation, and (b) publish a copy of that explanation. (4) The duty in subsection (3) must be complied with— (a) within the period of 40 days beginning with the day of the designation, or (b) within whatever longer period the Secretary of State may allow. (5) In calculating the period of 40 days mentioned in subsection (4)(a), no account is to be taken of— (a) Saturdays or Sundays, (b) Christmas Day or Good Friday, or (c) a day which is a bank holiday under the Banking and Financial Dealings Act 1971 in any part of the United Kingdom. (6) For a further duty of the Commissioner in relation to the statement of strategic priorities, see section 139(1A)(c). 120G Review of designated statement
(1) The Secretary of State must review the statement of strategic priorities if a period of 3 years has elapsed since the relevant time. (2) The “relevant time”, in relation to the statement of strategic priorities, means— (a) the time when the statement was first designated under section 120E, or (b) if later, the time when a review of the statement under this section last took place. (3) A review under subsection (1) must take place as soon as reasonably practicable after the end of the 3 year period. (4) The Secretary of State may review the statement of strategic priorities at any other time if— (a) a Parliamentary general election has taken place since the relevant time, (b) a significant change in the policy of His Majesty’s government relating to data protection has occurred since the relevant time, or (c) the Parliamentary requirement in relation to an amended statement was not met on the last review (see subsection (12)). (5) For the purposes of subsection (4)(b), a significant change in the policy of the government relating to data protection has occurred only if— (a) the change was not anticipated by the Secretary of State at the relevant time, and (b) if the change had been so anticipated, it appears to the Secretary of State likely that the statement would have been different in a material way. (6) On a review under this section, the Secretary of State may— (a) amend the statement (including by replacing the whole or part of the statement with new content), (b) leave the statement as it is, or (c) withdraw the statement’s designation as the statement of strategic priorities. (7) A statement amended under subsection (6)(a) has effect only if the Secretary of State designates the amended statement as the statement of strategic priorities under section 120E (and the requirements set out in section 120H apply in relation to any such designation). (8) Where the designation of a statement is withdrawn under subsection (6)(c), the Secretary of State must publish notice of the withdrawal in whatever manner the Secretary of State considers appropriate. (9) For the purposes of this section, corrections of clerical or typographical errors are not to be treated as amendments of the statement. (10) The designation of a statement as the statement of strategic priorities ceases to have effect upon a subsequent designation of an amended statement as the statement of strategic priorities in accordance with subsection (7). (11) For the purposes of subsection (2)(b), a review of a statement takes place— (a) in the case of a decision on the review to amend the statement under subsection (6)(a)— (i) at the time when the amended statement is designated as the statement of strategic priorities under section 120E, or (ii) if the amended statement is not so designated, at the time when the amended statement was laid before Parliament under section 120H(1); (b) in the case of a decision on the review to leave the statement as it is under subsection (6)(b), at the time when that decision is taken. (12) For the purposes of subsection (4)(c), the Parliamentary requirement in relation to an amended statement was not met on the last review if— (a) on the last review of the statement of strategic priorities to be held under this section, an amended statement was laid before Parliament under section 120H(1), but (b) the amended statement was not designated because within the period mentioned in section 120H(2) either House of Parliament resolved not to approve it. 120H Parliamentary procedure
(1) Before the Secretary of State designates a statement as the statement of strategic priorities, the Secretary of State must lay the statement before Parliament. (2) The Secretary of State must then wait until the end of the 40-day period and may not designate the statement if, within that period, either House of Parliament resolves not to approve it. (3) “The 40-day period” means— (a) if the statement is laid before both Houses of Parliament on the same day, the period of 40 days beginning with that day, or (b) if the statement is laid before the Houses of Parliament on different days, the period of 40 days beginning with the later of those days. (4) In calculating the 40-day period, no account is to be taken of any whole days that fall within a period during which Parliament is dissolved or prorogued or during which both Houses are adjourned for more than 4 days.
(c) a review of how the Commissioner has had regard to the statement of strategic priorities during the reporting period.
In the Table in section 206 (index of defined expressions), at the appropriate place insert—
“statement of strategic priorities (in Part 5)
31 Codes of practice for the processing of personal data¶
124A Other codes of practice
(1) The Commissioner must prepare appropriate codes of practice giving guidance as to good practice in the processing of personal data if required to do so by regulations made by the Secretary of State. (2) Regulations under this section— (a) must describe the personal data or processing to which the code of practice is to relate, and (b) may describe the persons or classes of person to whom it is to relate. (3) Where a code under this section is in force, the Commissioner may prepare amendments of the code or a replacement code. (4) Before preparing a code or amendments under this section, the Commissioner must consult the Secretary of State and such of the following as the Commissioner considers appropriate— (a) trade associations; (b) data subjects; (c) persons who appear to the Commissioner to represent the interests of data subjects. (5) A code under this section may include transitional provision or savings. (6) Regulations under this section are subject to the negative resolution procedure. (7) In this section— good practice in the processing of personal data means such practice in the processing of personal data as appears to the Commissioner to be desirable having regard to the interests of data subjects and others, including compliance with the requirements of the data protection legislation; trade association includes a body representing controllers or processors.
, and(5) If the Commissioner is prevented by subsection (3) from issuing a code that is not a replacement code, the Commissioner must prepare another version of the code.
32 Codes of practice: panels and impact assessments¶
In the 2018 Act, after section 124A (inserted by section 31 of this Act) insert—124B Panels to consider codes of practice
(1) This section applies where a code is prepared under section 121, 122, 123, 124 or 124A, subject to subsection (11). (2) The Commissioner must establish a panel of individuals to consider the code. (3) The panel must consist of— (a) individuals the Commissioner considers have expertise in the subject matter of the code, and (b) individuals the Commissioner considers— (i) are likely to be affected by the code, or (ii) represent persons likely to be affected by the code. (4) Before the panel begins to consider the code, the Commissioner must— (a) publish the code in draft, and (b) publish a statement that— (i) states that a panel has been established to consider the code, (ii) identifies the members of the panel, (iii) explains the process by which they were selected, and (iv) explains the reasons for their selection. (5) Where at any time it appears to the Commissioner that a member of the panel is not willing or able to serve as a member of the panel, the Commissioner may select another individual to be a member of the panel. (6) Where the Commissioner selects an individual to be a member of the panel under subsection (5), the Commissioner must publish a statement that— (a) identifies the member of the panel, (b) explains the process by which the member was selected, and (c) explains the reasons for the member’s selection. (7) The Commissioner must make arrangements— (a) for the members of the panel to consider the code with one another (whether in person or otherwise), and (b) for the panel to prepare and submit to the Commissioner a report on the code within such reasonable period as is determined by the Commissioner. (8) If the panel submits to the Commissioner a report on the code within the period determined by the Commissioner, the Commissioner must as soon as reasonably practicable— (a) make any alterations to the code that the Commissioner considers appropriate in the light of the report, and (b) publish— (i) the code in draft, (ii) the report or a summary of it, and (iii) in a case where a recommendation in the report to alter the code has not been accepted by the Commissioner, an explanation of why it has not been accepted. (9) The Commissioner may pay remuneration and expenses to the members of the panel. (10) This section applies in relation to amendments prepared under section 121, 122, 123, 124 or 124A as it applies in relation to codes prepared under those sections, subject to subsection (11). (11) The Secretary of State may by regulations provide that this section does not apply, or applies with modifications, in the case of a code or amendments of a code that— (a) is prepared under section 124A, and (b) is specified in the regulations. (12) Regulations under this section are subject to the negative resolution procedure. 124C Impact assessments for codes of practice
(1) Where a code is prepared under section 121, 122, 123, 124 or 124A, the Commissioner must carry out and publish an assessment of— (a) who would be likely to be affected by the code, and (b) the effect the code would be likely to have on them. (2) This section applies in relation to amendments prepared under section 121, 122, 123, 124 or 124A as it applies in relation to codes prepared under those sections.
33 Codes of practice: approval by the Secretary of State¶
124D Approval by Secretary of State of codes of practice
(1) Where a code is prepared under section 121, 122, 123, 124 or 124A, the Commissioner must submit the final version to the Secretary of State. (2) Within the period of 40 days beginning with the day on which the code is submitted to the Secretary of State, the Secretary of State must decide whether to approve the code. (3) If the Secretary of State approves the code, the Secretary of State must lay the code before Parliament. (4) If the Secretary of State does not approve the code, the Secretary of State must— (a) give a statement to the Commissioner that— (i) states that the Secretary of State does not approve the code, and (ii) explains the reasons why the Secretary of State does not approve the code, and (b) publish the statement. (5) If the Secretary of State does not approve the code, the Commissioner must— (a) revise the code in the light of the statement given by the Secretary of State, and (b) submit the revised code to the Secretary of State. (6) If the Commissioner submits a revised code to the Secretary of State, subsections (2) to (5) and this subsection apply again. (7) This section applies in relation to amendments prepared under section 121, 122, 123, 124 or 124A as it applies in relation to codes prepared under those sections. (8) In calculating the period of 40 days mentioned in subsection (2), no account is to be taken of— (a) Saturdays or Sundays, (b) Christmas Day or Good Friday, or (c) a day which is a bank holiday under the Banking and Financial Dealings Act 1971 in any part of the United Kingdom.
,(1) This section applies where a code is laid before Parliament under section 124D.
34 Vexatious or excessive requests made to the Commissioner¶
,(A1) This section makes provision about cases in which a request made to the Commissioner, to which the Commissioner is required or authorised to respond under the data protection legislation, is vexatious or excessive (see section 204A).
,(1A) In subsection (1)— (a) the reference in paragraph (a) to charging a reasonable fee is, in a case in which section 134 is relevant, a reference to doing so under that section, and (b) paragraph (b) is not to be read as implying anything about whether the Commissioner may refuse to act on requests that are neither vexatious nor excessive.
(5) Article 57(3) of the UK GDPR (performance of Information Commissioner’s tasks generally to be free of charge for data subject) has effect subject to this section.
35 Analysis of performance¶
In the 2018 Act, after section 139 insert—139A Analysis of performance
(1) The Commissioner must prepare and publish an analysis of the Commissioner’s performance using key performance indicators. (2) The analysis must be prepared and published at least annually. (3) In this section, “key performance indicators” means factors by reference to which the Commissioner’s performance can be measured most effectively.
.Documents and notices
Enforcement¶
36 Power of the Commissioner to require documents¶
37 Power of the Commissioner to require a report¶
,(j) make arrangements for an approved person to prepare a report on a specified matter; (k) provide to the Commissioner a report prepared in pursuance of such arrangements.
,(3A) An assessment notice that requires a controller or processor to make arrangements for an approved person to prepare a report may require the arrangements to include specified terms as to— (a) the preparation of the report; (b) the contents of the report; (c) the form in which the report is to be provided; (d) the date by which the report is to be completed.
, and(11A) Where the Commissioner gives an assessment notice that requires the controller or processor to make arrangements for an approved person to prepare a report, the controller or processor is liable for the payment of the approved person’s remuneration and expenses under the arrangements.
.approved person, in relation to a report, means a person approved to prepare the report in accordance with section 146A;
146A Assessment notices: approval of person to prepare report etc
(1) This section applies where an assessment notice requires a controller or processor to make arrangements for an approved person to prepare a report. (2) The controller or processor must, within such period as is specified in the assessment notice, nominate to the Commissioner a person to prepare the report. (3) If the Commissioner is satisfied that the nominated person is a suitable person to prepare the report, the Commissioner must by written notice to the controller or processor approve the nominated person to prepare the report. (4) If the Commissioner is not satisfied that the nominated person is a suitable person to prepare the report, the Commissioner must by written notice to the controller or processor— (a) inform the controller or processor that the Commissioner has decided not to approve the nominated person to prepare the report, (b) inform the controller or processor of the reasons for that decision, and (c) approve a person who the Commissioner is satisfied is a suitable person to prepare the report to do so. (5) If the controller or processor does not nominate a person within the period specified in the assessment notice, the Commissioner must by written notice to the controller or processor approve a person who the Commissioner is satisfied is a suitable person to prepare the report to do so. (6) It is the duty of the controller or processor to give the person approved to prepare the report all such assistance as the person may reasonably require to prepare the report.
(c) has failed to comply with a duty imposed on the person by section 146A(6).
.(aa) provision specifying factors to be considered in determining whether to give an assessment notice to a person that imposes a requirement of a sort mentioned in section 146(2)(j); (ab) provision about the factors the Commissioner may take into account when determining the suitability of a person to prepare a report of a sort mentioned in section 146(2)(j);
38 Interview notices¶
Interview notices
148A Interview notices
(1) This section applies where the Commissioner suspects that a controller or processor— (a) has failed or is failing as described in section 149(2), or (b) has committed or is committing an offence under this Act. (2) For the purpose of investigating the suspected failure or offence, the Commissioner may, by written notice (an “interview notice”), require an individual within subsection (3) to— (a) attend at a place specified in the notice, and (b) answer questions with respect to any matter relevant to the investigation. (3) An individual is within this subsection if the individual— (a) is the controller or processor, (b) is or was at any time employed by, or otherwise working for, the controller or processor, or (c) is or was at any time concerned in the management or control of the controller or processor. (4) An interview notice must specify the time at which the individual must attend at the specified place and answer questions (but see the restrictions in subsections (6) and (7)). (5) An interview notice must— (a) indicate the nature of the suspected failure or offence that is the subject of the investigation, (b) provide information about the consequences of failure to comply with the notice, and (c) provide information about the rights under sections 162 and 164 (appeals etc). (6) An interview notice may not require an individual to attend at the specified place and answer questions before the end of the period within which an appeal can be brought against the notice. (7) If an appeal is brought against an interview notice, the individual to whom the notice is given need not attend at the specified place and answer questions pending the determination or withdrawal of the appeal. (8) If an interview notice— (a) states that, in the Commissioner’s opinion, it is necessary for the individual to attend at the specified place and answer questions urgently, and (b) gives the Commissioner’s reasons for reaching that opinion, subsections (6) and (7) do not apply but the notice must not require the individual to attend at the specified place and answer questions before the end of the period of 24 hours beginning when the notice is given.(9) The Commissioner may cancel or vary an interview notice by written notice to the individual to whom it was given. 148B Interview notices: restrictions
(1) An interview notice does not require an individual to answer questions to the extent that requiring the person to do so would involve an infringement of the privileges of either House of Parliament. (2) An interview notice does not require an individual to answer questions in respect of a communication which is made— (a) between a professional legal adviser and the adviser’s client, and (b) in connection with the giving of legal advice to the client with respect of obligations, liabilities or rights under the data protection legislation. (3) An interview notice does not require an individual to answer questions in respect of a communication which is made— (a) between a professional legal adviser and the adviser’s client or between such an adviser or client and another person, (b) in connection with or in contemplation of proceedings under or arising out of the data protection legislation, and (c) for the purposes of such proceedings. (4) In subsections (2) and (3), references to the client of a professional legal adviser include references to a person acting on behalf of the client. (5) An interview notice does not require an individual to answer questions if doing so would, by revealing evidence of the commission of an offence, expose the individual to proceedings for that offence. (6) The reference to an offence in subsection (5) does not include an offence under— (a) this Act; (b) section 5 of the Perjury Act 1911 (false statements made otherwise than on oath); (c) section 44(2) of the Criminal Law (Consolidation) (Scotland) Act 1995 (false statements made otherwise than on oath); (d) Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/1714 (N.I. 19)) (false statutory declarations and other false unsworn statements). (7) A statement made by an individual in response to an interview notice may not be used in evidence against that individual on a prosecution for an offence under this Act (other than an offence under section 148C) unless in the proceedings— (a) in giving evidence the individual provides information inconsistent with the statement, and (b) evidence relating to the statement is adduced, or a question relating to it is asked, by that individual or on that individual’s behalf. (8) The Commissioner may not give an interview notice with respect to the processing of personal data for the special purposes. (9) The Commissioner may not give an interview notice to an individual for the purpose of investigating a suspected failure or offence if the controller or processor suspected of the failure or offence is— (a) a body specified in section 23(3) of the Freedom of Information Act 2000 (bodies dealing with security matters), or (b) the Office for Standards in Education, Children’s Services and Skills in so far as it is a controller or processor in respect of information processed for the purposes of functions exercisable by His Majesty’s Chief Inspector of Education, Children’s Services and Skills by virtue of section 5(1)(a) of the Care Standards Act 2000. 148C False statements made in response to interview notices
It is an offence for an individual, in response to an interview notice—(a) to make a statement which the individual knows to be false in a material respect, or (b) recklessly to make a statement which is false in a material respect.
, and(ba) interview notices,
(5A) In relation to interview notices, the guidance must include— (a) provision specifying factors to be considered in determining whether to give an interview notice to an individual; (b) provision about the circumstances in which the Commissioner would consider it appropriate to give an interview notice to an individual in reliance on section 148A(8) (urgent cases); (c) provision about the circumstances in which the Commissioner would consider it appropriate to vary the place or time specified in an interview notice at the request of the individual to whom the notice is given; (d) provision about the nature of interviews carried out in accordance with an interview notice; (e) provision about how the Commissioner will determine how to proceed if an individual does not comply with an interview notice.
.(ba) an interview notice;
.(ba) in relation to an interview notice, a statement under section 148A(8)(a),
In section 206 (index of defined expressions), at the appropriate place, insert—
“interview notice (in Part 6)
section 181”.
, andInterview notices
3A (1) Sub-paragraph (2) applies where the Commissioner gives an interview notice to an individual during a relevant period. (2) If the interview notice— (a) states that, in the Commissioner’s opinion, it is necessary for the individual to comply with a requirement in the notice for the purposes of the relevant review, and (b) gives the Commissioner’s reasons for reaching that opinion, subsections (6) and (7) of section 148A do not apply but the notice must not require the individual to comply with the requirement before the end of the period of 24 hours beginning when the notice is given.(3) During a relevant period, section 148B has effect as if for subsection (8) there were substituted— (8) The Commissioner may not give an individual an interview notice with respect to the processing of personal data for the special purposes unless a determination under section 174 with respect to the data or the processing has taken effect.
39 Penalty notices¶
,(A1) This paragraph applies where the Commissioner gives a notice of intent to a person. (A2) Within the period of 6 months beginning with the day the notice is given, or as soon as reasonably practicable thereafter, the Commission must give to the person— (a) a penalty notice, or (b) written notice that the Commissioner has decided not to give a penalty notice to the person.
(e) provision about the circumstances in which the Commissioner would consider it necessary to comply with the duty in paragraph 4(A2) of Schedule 16 after the period of 6 months mentioned in that paragraph.
40 Annual report on regulatory action¶
(2A) The report under this section may include the annual report under section 161A.
161A Annual report on regulatory action
(1) The Commissioner must produce and publish an annual report containing the information described in subsections (2) to (5). (2) The report must include the following information about UK GDPR investigations— (a) the number of investigations begun, continued or completed by the Commissioner during the reporting period, (b) the different types of act and omission that were the subject matter of the investigations, (c) the enforcement powers exercised by the Commissioner in the reporting period in connection with the investigations, (d) the duration of investigations that ended in the reporting period, and (e) the different types of outcome in investigations that ended in that period. (3) The report must include information about the enforcement powers exercised by the Commissioner in the reporting period in connection with— (a) processing of personal data by a competent authority for any of the law enforcement purposes, and (b) processing of personal data to which Part 4 applies. (4) The information included in the report in accordance with subsections (2) and (3) must include information about— (a) the number of penalty notices given in the reporting period that were given more than 6 months after the notice of intent was given under paragraph 2 of Schedule 16, and (b) the reasons why that happened. (5) The report must include a review of how the Commissioner had regard to the guidance published under section 160 when exercising the Commissioner’s enforcement powers as described in subsections (2)(c) and (3). (6) In this section— enforcement powers means the powers under— (a) Article 58(1)(c) and (d) and (2)(a) and (b) of the UK GDPR, (b) sections 142 to 159 of this Act, (c) paragraph 2(a), (b) and (c) of Schedule 13 to this Act, (d) Schedules 15 and 16 to this Act; the law enforcement purposes has the meaning given in section 31 of this Act; the reporting period means the period to which the report relates; UK GDPR investigation means an investigation required under Article 57(1)(h) of the UK GDPR (investigations on the application of the UK GDPR).
41 Complaints to controllers¶
164A Complaints by data subjects to controllers
(1) A data subject may make a complaint to the controller if the data subject considers that, in connection with personal data relating to the data subject, there is an infringement of the UK GDPR or Part 3 of this Act. (2) A controller must facilitate the making of complaints under this section by taking steps such as providing a complaint form which can be completed electronically and by other means. (3) If a controller receives a complaint under this section, the controller must acknowledge receipt of the complaint within the period of 30 days beginning with the day on which it is received. (4) If a controller receives a complaint under this section, the controller must without undue delay— (a) take appropriate steps to respond to the complaint, and (b) inform the complainant of the outcome of the complaint. (5) The reference in subsection (4)(a) to taking appropriate steps to respond to the complaint includes— (a) making enquiries into the subject matter of the complaint, to the extent appropriate, and (b) informing the complainant about progress on the complaint. 164B Controllers to notify the Commissioner of the number of complaints
(1) The Secretary of State may by regulations require a controller to notify the Commissioner of the number of complaints made to the controller under section 164A in periods specified or described in the regulations. (2) Regulations under this section may provide that a controller is required to make a notification to the Commissioner in respect of a period only in circumstances specified in the regulations. (3) Regulations under this section may include— (a) provision about a matter listed in subsection (4), or (b) provision conferring power on the Commissioner to determine those matters. (4) The matters are— (a) the form and manner in which a notification must be made, (b) the time at which, or period within which, a notification must be made, and (c) how the number of complaints made to a controller during a period is to be calculated. (5) Regulations under this section are subject to the negative resolution procedure.
42 Power of the Commissioner to refuse to act on certain complaints¶
(5A) Subsection (4) does not apply if the Commissioner refuses to act on the complaint in reliance on section 165A.
165A Power of Commissioner to refuse to act on certain complaints
(1) The Commissioner may refuse to act on a complaint under section 165 if condition A, B or C is met. (2) Condition A is that— (a) the complaint concerns an infringement of the UK GDPR or Part 3 of this Act, and (b) the complaint has not been made to the controller under section 164A. (3) Condition B is that— (a) the complaint has been made to the controller under section 164A, (b) the controller has not finished handling the complaint in accordance with subsection (4) of that section, and (c) the period of 45 days beginning with the day the complaint was made to the controller under that section has not expired. (4) Condition C is that the complaint is vexatious or excessive (see section 204A). (5) In any proceedings where there is an issue as to whether a complaint is vexatious or excessive, it is for the Commissioner to show that it is. (6) If the Commissioner refuses to act on a complaint under section 165, the Commissioner must inform the complainant of— (a) the refusal and the reasons for it, and (b) the right under section 166A. (7) If the Commissioner refuses to act on a complaint under section 165 that does not prevent the complainant making the complaint again. 165B Guidance about responding to complaints and refusing to act
(1) The Commissioner must produce and publish guidance about— (a) how the Commissioner proposes to respond to complaints made under section 165, and (b) how the Commissioner proposes to exercise the discretion conferred by section 165A to refuse to act on a complaint. (2) The Commissioner— (a) may alter or replace guidance produced under this section, and (b) must publish any altered or replacement guidance. (3) Before producing guidance under this section (including any altered or replacement guidance), the Commissioner must consult— (a) the Secretary of State, and (b) such other persons as the Commissioner considers appropriate. (4) The Commissioner must arrange for any guidance under this section (including any altered or replacement guidance) to be laid before Parliament.
(1A) But this section does not apply if the Commissioner refuses to act on the complaint in reliance on section 165A.
166A Appeals against refusal of Commissioner to act on complaint
(1) Where the Commissioner refuses to act on a complaint in reliance on section 165A, the person who made the complaint may appeal to the Tribunal. (2) The Tribunal may review any determination of fact on which the refusal to act was based. (3) If the Tribunal considers— (a) that the refusal to act is not in accordance with the law, or (b) that the Commissioner ought not to have exercised the discretion to refuse to act, the Tribunal must allow the appeal.(4) Otherwise, the Tribunal must dismiss the appeal.
43 Complaints: minor and consequential amendments¶
Schedule 8 contains minor and consequential amendments relating to complaints by data subjects.44 Consequential amendments to the EITSET Regulations¶
, and(ga) section 146A (assessment notices: approval of person to prepare report etc);
.(ia) section 148A (interview notices); (ib) section 148B (interview notices: restrictions); (ic) section 148C (false statements made in response to interview notices);
,(b) subsection (2) has effect as if— (i) for “controller or processor” there were substituted “trust service provider”; (ii) paragraphs (h) and (i) were omitted;
Modification of section 146A (assessment notices: approval of person to prepare report etc)
6A Section 146A has effect as if for “controller or processor” (in each place) there were substituted “trust service provider”.
Modification of section 148A (interview notices)
7A Section 148A has effect as if— (a) in subsection (1)— (i) for “controller or processor” there were substituted “trust service provider”; (ii) in paragraph (a), for “as described in section 149(2)” there were substituted “to comply with the eIDAS requirements”; (iii) in paragraph (b), for “this Act” there were substituted “section 144, 148 or 148C or paragraph 15 of Schedule 15”; (b) in subsection (3), for “controller or processor” (in each place) there were substituted “trust service provider”. Modification of section 148B (interview notices: restrictions)
7B (1) Section 148B has effect as if subsections (8) and (9) were omitted. (2) In that section— (a) subsections (2)(b) and (3)(b) have effect as if for “the data protection legislation” there were substituted “the eIDAS Regulation or the EITSET Regulations”; (b) subsection (6)(a) has effect as if for “this Act” there were substituted “section 144, 148 or 148C or paragraph 15 of Schedule 15”; (c) subsection (7) has effect as if for “this Act (other than an offence under section 148C)” there were substituted “section 144 or 148 or paragraph 15 of Schedule 15”.
Protection of prohibitions, restrictions and data subject’s rights¶
45 Protection of prohibitions, restrictions and data subject’s rights¶
Prohibitions and restrictions etc on processing
183A Protection of prohibitions and restrictions etc on processing
(1) A relevant enactment or rule of law which imposes a duty, or confers a power, to process personal data does not override a requirement under the main data protection legislation relating to the processing of personal data. (2) Subsection (1) does not apply— (a) to a relevant enactment forming part of the main data protection legislation, or (b) to the extent that an enactment makes express provision to the contrary referring to this section or to the main data protection legislation (or a provision of that legislation). (3) Subsection (1) does not prevent a duty or power to process personal data from being taken into account for the purpose of determining whether it is possible to rely on an exception to a requirement under the main data protection legislation that is available where there is such a duty or power. (4) In this section— the main data protection legislation means the data protection legislation other than provision of or made under— (a) Chapter 6 or 8 of the UK GDPR, or (b) Parts 5 to 7 of this Act; relevant enactment means an enactment so far as passed or made on or after the day on which section 45 of the Data Protection and Digital Information Act 2024 comes into force; requirement includes a prohibition or restriction. (5) The reference in subsection (1) to an enactment or rule of law which imposes a duty, or confers a power, to process personal data is a reference to an enactment or rule of law which, directly or indirectly, requires or authorises the processing of personal data, including (for example)— (a) by authorising one person to require another person to process personal data, or (b) by removing restrictions on processing personal data, and the references in subsection (3) to a duty or power are to be read accordingly.
, and(2A) Subsection (1) does not apply— (a) to an enactment contained in, or made under, a provision falling within subsection (2) or (3), or (b) to the extent that an enactment makes express provision to the contrary referring to this section or to a provision falling within subsection (2).
Miscellaneous¶
46 Regulations under the UK GDPR¶
CHAPTER 9A — Regulations
Article 91ARegulations made by Secretary of State
1. This Article makes provision about regulations made by the Secretary of State under this Regulation (“UK GDPR regulations”). 2. Before making UK GDPR regulations, the Secretary of State must consult— (a) the Commissioner, and (b) such other persons as the Secretary of State considers appropriate. 3. Paragraph 2 does not apply to regulations made under Article 49 or 49A where the Secretary of State has made an urgency statement in respect of them. 4. UK GDPR regulations may— (a) make different provision for different purposes; (b) include consequential, supplementary, incidental, transitional, transitory or saving provision. 5. UK GDPR regulations are to be made by statutory instrument. 6. For the purposes of this Regulation, where regulations are subject to “the negative resolution procedure”, the statutory instrument containing the regulations is subject to annulment in pursuance of a resolution of either House of Parliament. 7. For the purposes of this Regulation, where regulations are subject to “the affirmative resolution procedure”, the regulations may not be made unless a draft of the statutory instrument containing them has been laid before Parliament and approved by a resolution of each House of Parliament. 8. For the purposes of this Regulation, where regulations are subject to “the made affirmative resolution procedure”— (a) the statutory instrument containing the regulations must be laid before Parliament after being made, together with the urgency statement in respect of them, and (b) the regulations cease to have effect at the end of the period of 120 days beginning with the day on which the instrument is made, unless within that period the instrument is approved by a resolution of each House of Parliament. 9. In calculating the period of 120 days, no account is to be taken of any whole days that fall within a period during which— (a) Parliament is dissolved or prorogued, or (b) both Houses of Parliament are adjourned for more than 4 days. 10. Where regulations cease to have effect as a result of paragraph 8, that does not— (a) affect anything previously done under the regulations, or (b) prevent the making of new regulations. 11. Any provision that may be included in UK GDPR regulations subject to the negative resolution procedure may be made by regulations made under this Regulation or another enactment that are subject to the affirmative resolution procedure or the made affirmative resolution procedure. 12. A requirement under this Article to consult may be satisfied by consultation before, as well as by consultation after, the provision conferring the power to make regulations comes into force. 13. In this Article, “urgency statement”, in relation to regulations, means a reasoned statement that the Secretary of State considers it desirable for the regulations to come into force without delay.
47 Minor amendments¶
Schedule 9 contains minor amendments of the UK GDPR and the 2018 Act.Part 2 — Digital verification services¶
Introductory¶
48 Introductory¶
DVS trust framework¶
49 DVS trust framework¶
DVS register¶
50 DVS register¶
51 Applications for registration¶
52 Fees for registration¶
53 Duty to remove person from the DVS register¶
54 Power to remove person from the DVS register¶
55 Revising the DVS trust framework: top-up certificates¶
Information gateway¶
56 Power of public authority to disclose information to registered person¶
57 Information disclosed by the Revenue and Customs¶
58 Information disclosed by the Welsh Revenue Authority¶
59 Information disclosed by Revenue Scotland¶
60 Code of practice about the disclosure of information¶
Trust mark¶
61 Trust mark for use by registered persons¶
Supplementary¶
62 Power of Secretary of State to require information¶
63 Arrangements for third party to exercise functions¶
64 Report on the operation of this Part¶
Part 3 — Customer data and business data¶
Introductory¶
65 Customer data and business data¶
Data regulations¶
66 Power to make provision in connection with customer data¶
67 Customer data: supplementary¶
68 Power to make provision in connection with business data¶
69 Business data: supplementary¶
70 Decision-makers¶
Enforcement¶
71 Enforcement of data regulations¶
72 Restrictions on powers of investigation etc¶
73 Financial penalties¶
Fees etc and financial assistance¶
74 Fees¶
75 Levy¶
76 Financial assistance¶
Supplementary¶
77 Restrictions on processing and data protection¶
78 Regulations under this Part¶
79 Duty to review regulations¶
80 Repeal of provisions relating to supply of customer data¶
Omit sections 89 to 91 of the Enterprise and Regulatory Reform Act 2013 (supply of customer data).81 Interpretation of this Part¶
In this Part—Part 4 — Other provision about digital information¶
Privacy and electronic communications¶
82 The PEC Regulations¶
In sections 83 to 92, “the PEC Regulations” means the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426).83 Storing information in the terminal equipment of a subscriber or user¶
,(1) Subject to paragraphs (2) to (2D) and (4), a person must not store information, or gain access to information stored, in the terminal equipment of a subscriber or user. (2) Paragraph (1) does not prevent a person storing information, or gaining access to information stored, in the terminal equipment of a subscriber or user if the subscriber or user— (a) is provided with clear and comprehensive information about the purpose of the storage or access, and (b) gives consent to the storage or access. (2A) Paragraph (1) does not prevent a person storing information, or gaining access to information stored, in the terminal equipment of a subscriber or user if— (a) the person provides an information society service, (b) the sole purpose of the storage or access is to enable the person— (i) to collect information for statistical purposes about how the service is used with a view to making improvements to the service, or (ii) to collect information for statistical purposes about how a website by means of which the service is provided is used with a view to making improvements to the website, (c) any information that the storage or access enables the person to collect is not shared with any other person except for the purpose of enabling that other person to assist with making improvements to the service or website, (d) the subscriber or user is provided with clear and comprehensive information about the purpose of the storage or access, and (e) the subscriber or user is given a simple means of objecting (free of charge) to the storage or access and does not object. (2B) Paragraph (1) does not prevent a person storing information, or gaining access to information stored, in the terminal equipment of a subscriber or user if— (a) the person provides an information society service by means of a website, (b) the sole purpose of the storage or access is— (i) to enable the way the website appears or functions when displayed on, or accessed by, the terminal equipment to adapt to the preferences of the subscriber or user, or (ii) to otherwise enable an enhancement of the appearance or functionality of the website when displayed on, or accessed by, the terminal equipment, (c) the subscriber or user is provided with clear and comprehensive information about the purpose of the storage or access, and (d) the subscriber or user is given a simple means of objecting (free of charge) to the storage or access and does not object. (2C) Paragraph (1) does not prevent a person storing information, or gaining access to information stored, in the terminal equipment of a subscriber or user if— (a) the sole purpose of the storage or access is to enable software installed in the terminal equipment to be updated, (b) the update is necessary to ensure the security of the terminal equipment, (c) the update will not result in an alteration of a setting affecting the privacy of information stored in the terminal equipment, (d) the subscriber or user is provided with clear and comprehensive information about the purpose of the update, and (e) after the storage or access, the subscriber or user has an opportunity to postpone the update before it takes effect. (2D) Paragraph (1) does not prevent a person storing information, or gaining access to information stored, in the terminal equipment of a subscriber or user if— (a) the person receives a communication from the terminal equipment, (b) the communication is a request from the subscriber or user for emergency assistance or otherwise indicates that the subscriber or user is in need of emergency assistance, and (c) the sole purpose of the storage or access is to enable the geographical position of the subscriber or user to be ascertained with a view to the emergency assistance being provided.
,(a) it is sufficient for the purposes of paragraph (2) that the requirements of that paragraph are met in respect of the initial use, (b) it is sufficient for the purposes of paragraph (2A) that the requirements of sub-paragraphs (d) and (e) of that paragraph are met in respect of the initial use, and (c) it is sufficient for the purposes of paragraph (2B) that the requirements of sub-paragraphs (c) and (d) of that paragraph are met in respect of the initial use.
(5) For the purposes of paragraph (4)(b), the technical storage of, or access to, information is strictly necessary for the provision of an information society service requested by the subscriber or user if, for example, the storage or access is strictly necessary— (a) to protect information provided in connection with, or relating to, the provision of the service requested, (b) to ensure that the security of the terminal equipment of the subscriber or user is not adversely affected by the provision of the service requested, (c) to prevent or detect fraud in connection with the provision of the service requested, (d) to prevent or detect technical faults in connection with the provision of the service requested, or (e) to enable either of the following things to be done where necessary for the provision of the service requested— (i) automatically authenticating the identity of the subscriber or user, or (ii) maintaining a record of selections made on a website, or information put into a website, by the subscriber or user. (6) In this regulation— (a) a reference to a person storing information, or gaining access to information stored, in the terminal equipment of a subscriber or user includes a reference to the person instigating the storage or access, and (b) a reference, except in paragraph (2A), to gaining access to information stored in the terminal equipment of a subscriber or user includes a reference to collecting or monitoring information automatically emitted by the terminal equipment. (7) In this regulation, “website” includes a mobile application and any other platform by means of which an information society service is provided.
6A Power to provide exceptions to regulation 6(1)
(1) The Secretary of State may by regulations made by statutory instrument— (a) amend these regulations— (i) by adding an exception to the prohibition in regulation 6(1), or (ii) by omitting or varying an exception to that prohibition, and (b) make consequential, supplementary, incidental, transitional, transitory or saving provision, including provision amending these regulations. (2) Regulations under paragraph (1) may make different provision for different purposes. (3) Before making regulations under paragraph (1), the Secretary of State must consult— (a) the Information Commissioner, and (b) such other persons as the Secretary of State considers appropriate. (4) A statutory instrument containing regulations under paragraph (1) may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament. 6B Information technology to enable consent to be given, or an objection to be made, automatically
(1) The Secretary of State may by regulations made by statutory instrument provide that a person of a specified description may supply, provide or otherwise make available information technology of a specified description only if the technology meets specified requirements. (2) The power conferred by paragraph (1) is to be exercised only for the purpose of securing that information technology supplied, provided or otherwise made available enables users of the technology to ensure that any consent they wish to give, or any objection they wish to make, to an operator of a website for the purposes of regulation 6 is given or made automatically upon their visiting the website. (3) Regulations under paragraph (1) may make provision conferring functions on the Information Commissioner relating to the enforcement of the regulations. (4) The provision made by reason of paragraph (3) may include provision applying (with or without modification) provisions of the Data Protection Act 2018 relating to enforcement. (5) Regulations under paragraph (1) may— (a) make different provision for different purposes, and (b) make consequential, supplementary, incidental, transitional, transitory or saving provision. (6) Before making regulations under paragraph (1), the Secretary of State must consult— (a) the Information Commissioner, (b) the Competition and Markets Authority, and (c) such other persons as the Secretary of State considers appropriate. (7) A statutory instrument containing regulations under paragraph (1) may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament. (8) In this regulation— information technology includes— (a) computers, (b) other devices whose uses include the processing of information by electronic means (“IT devices”), (c) parts, accessories and other equipment made or adapted for use in connection with computers or IT devices, (d) software and code made or adapted for use in connection with computers or IT devices, and (e) networks and other infrastructure (whether physical or virtual) used in connection with other information technology; specified means specified in regulations made under paragraph (1); website includes a mobile application and any other platform by means of which an information society service is provided (and a reference to “an operator” of a website or “visiting” a website is to be read accordingly).
84 Unreceived communications¶
(1A) In the application of these Regulations in relation to— (a) information that is sent but not received, (b) a communication that is transmitted but not received, (c) an electronic mail that is sent but not received, or (d) an unsuccessful attempt to make a call, a reference to the recipient of the information, communication, electronic mail or call is to be read as a reference to the intended recipient.
85 Meaning of “direct marketing”¶
In regulation 2(1) of the PEC Regulations (interpretation), at the appropriate place, insert—.direct marketing means the communication (by whatever means) of advertising or marketing material which is directed to particular individuals;
86 Use of electronic mail for direct marketing purposes¶
(3A) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where— (a) the direct marketing is solely for the purpose of furthering a charitable, political or other non-commercial objective of that person; (b) that person obtained the contact details of the recipient of the electronic mail in the course of the recipient expressing an interest in or offering or providing support for the furtherance of that objective or a similar objective; and (c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of their contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where the recipient did not initially refuse the use of the details, at the time of each subsequent communication.
87 Direct marketing for the purposes of democratic engagement¶
88 Meaning of expressions in section 87¶
This is the table referred to in the definitions of “candidate” and “elected representative” in subsection (1)—
Elected representative
Candidate for election as an elected representative
section 118A of the Representation of the People Act 1983
article 84(2) of the National Assembly for Wales (Representation of the People) Order 2007 (S.I. 2007/236)
article 80(1) of the Scottish Parliament (Elections etc) Order 2015 (S.S.I. 2015/425)
section 118A of the Representation of the People Act 1983, as applied by the Northern Ireland Assembly (Elections) Order 2001 (S.I. 2001/2599)
section 118A of the Representation of the People Act 1983
section 118A of the Representation of the People Act 1983, as applied by the Local Authorities (Mayoral Elections) (England and Wales) Regulations 2007 (S.I. 2007/1024)
section 118A of the Representation of the People Act 1983, as applied by the Combined Authorities (Mayoral Elections) Order 2017 (S.I. 2017/67)
section 118A of the Representation of the People Act 1983
section 118A of the Representation of the People Act 1983
section 118A of the Representation of the People Act 1983
section 118A of the Representation of the People Act 1983
section 130(3A) of the Electoral Law Act (Northern Ireland) 1962 (c. 14 (N.I.))
article 3 of the Police and Crime Commissioner Elections Order 2012 (S.I. 2012/1917)
89 Duty to notify the Commissioner of unlawful direct marketing¶
26A Duty to notify Commissioner of unlawful direct marketing
(1) A provider of a public electronic communications service must notify the Commissioner of any reasonable grounds the provider has for suspecting that a person is contravening or has contravened any of the direct marketing regulations in the course of using the service. (2) A provider of a public electronic communications network must notify the Commissioner of any reasonable grounds the provider has for suspecting that a person is contravening or has contravened any of the direct marketing regulations in the course of using the network or using a public electronic communications service provided by means of the network. (3) A notification under this regulation must be given within the period of 28 days beginning with the day on which the reasonable grounds for suspicion come to the attention of the provider. (4) “Direct marketing regulations” means regulations 19 to 22. 26B Fixed penalty for failure to comply with regulation 26A
(1) If a provider of a public electronic communications service or public electronic communications network fails to comply with regulation 26A, the Commissioner may issue a fixed monetary penalty notice in respect of the failure. (2) The amount of a fixed monetary penalty under this regulation shall be £1,000. (3) Before serving a fixed monetary penalty notice, the Commissioner must serve the provider with a notice of intent. (4) The notice of intent must— (a) state the name and address of the provider; (b) state the nature of the failure; (c) state the amount of the fixed monetary penalty; (d) include a statement informing the provider of the opportunity to discharge liability for the fixed monetary penalty; (e) indicate the date on which the Commissioner proposes to serve the fixed monetary penalty notice; and (f) inform the provider that the provider may make written representations in relation to the proposal to serve a fixed monetary penalty notice within the period of 21 days beginning with the day the notice of intent is served. (5) A provider may discharge liability for the fixed monetary penalty if the provider pays to the Commissioner the amount of £800 within the period of 21 days beginning with the day the notice of intent is served. (6) The Commissioner may not serve a fixed monetary penalty notice until the period within which representations may be made has expired. (7) The fixed monetary penalty notice must state— (a) the name and address of the provider; (b) details of the notice of intent served on the provider; (c) whether there have been any written representations; (d) details of any early payment discounts; (e) the grounds on which the Commissioner imposes the fixed monetary penalty; (f) the date by which the fixed monetary penalty is to be paid; and (g) details of, including the time limit for, the provider’s right of appeal against the imposition of the fixed monetary penalty. (8) A provider on whom a fixed monetary penalty notice is served may appeal to the Tribunal against the issue of the fixed monetary penalty notice. (9) Any sum received by the Commissioner by virtue of this regulation must be paid into the Consolidated Fund. (10) In England and Wales, the fixed monetary penalty is recoverable— (a) if the county court so orders, as if it were payable under an order of that court; (b) if the High Court so orders, as if it were payable under an order of that court. (11) In Scotland, the fixed monetary penalty may be enforced in the same manner as an extract registered decree arbitral bearing a warrant for execution issued by the sheriff court of any sheriffdom in Scotland. (12) In Northern Ireland, the fixed monetary penalty is recoverable— (a) if a county court so orders, as if it were payable under an order of that court; (b) if the High Court so orders, as if it were payable under an order of that court. (13) The Secretary of State may by regulations made by statutory instrument amend this regulation so as to substitute a different amount for the amount for the time being specified in paragraph (2) or (5). (14) Regulations under paragraph (13) may make transitional provision. (15) Before making regulations under paragraph (13), the Secretary of State must consult— (a) the Commissioner, and (b) such other persons as the Secretary of State considers appropriate. (16) A statutory instrument containing regulations under this regulation may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament. 26C Guidance in relation to regulation 26A
(1) The Commissioner must produce and publish guidance about what may constitute reasonable grounds for suspecting that a person is contravening or has contravened any of the direct marketing regulations in the course of using a public electronic communications service or public electronic communications network. (2) The Commissioner may— (a) alter and replace guidance produced under this regulation, and (b) must publish any altered or replacement guidance. (3) Before producing guidance under this regulation (including any altered or replacement guidance), the Commissioner must consult— (a) the Secretary of State, (b) OFCOM, (c) providers of public electronic communications networks, (d) providers of public electronic communications services, and (e) such other persons as the Commissioner considers appropriate. (4) The Commissioner must have regard to guidance under this regulation in determining whether to issue a fixed monetary penalty notice under regulation 26B. (5) “Direct marketing regulations” means regulations 19 to 22.
(12) In Northern Ireland, the penalty is recoverable— (a) if a county court so orders, as if it were payable under an order of that court; (b) if the High Court so orders, as if it were payable under an order of that court.
18A Direct marketing
(1) Regulations 19 to 26C make provision about direct marketing. (2) See also section 87 of the Data Protection and Digital Information Act 2024 (which provides for regulations to make exceptions to regulations 19 to 24).
90 Commissioner’s enforcement powers¶
(13) The Secretary of State may by regulations made by statutory instrument amend this regulation so as to substitute a different amount for the amount for the time being specified in paragraph (2) or (5). (14) Regulations under paragraph (13) may make transitional provision. (15) Before making regulations under paragraph (13), the Secretary of State must consult— (a) the Information Commissioner, and (b) such other persons as the Secretary of State considers appropriate. (16) A statutory instrument containing regulations under this regulation may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament.
31 Information Commissioner’s enforcement powers
(1) Schedule 1 provides for certain provisions of Parts 5 to 7 of the Data Protection Act 2018 to apply with modifications for the purposes of enforcing these Regulations. (2) In regulations 32 and 33, “enforcement functions” means the functions of the Information Commissioner under those provisions, as applied by that Schedule.
91 Codes of conduct¶
32A Codes of conduct
(1) The Commissioner must encourage representative bodies to produce codes of conduct intended to contribute to compliance with these Regulations. (2) Under paragraph (1), the Commissioner must encourage representative bodies to produce codes which take account of, among other things, the specific features of different sectors. (3) A code of conduct described in paragraph (1) may, for example, make provision with regard to— (a) rights and obligations under these Regulations; (b) out-of-court proceedings and other dispute resolution procedures for resolving disputes arising in connection with these Regulations. (4) The Commissioner must encourage representative bodies to submit codes of conduct described in paragraph (1) to the Commissioner in draft. (5) Where a representative body does so, the Commissioner must— (a) provide the representative body with an opinion on whether the code correctly reflects the requirements of these Regulations, (b) decide whether to approve the code, and (c) if the code is approved, register and publish the code. (6) The Commissioner may only approve a code if, among other things— (a) the code contains a mechanism for monitoring whether persons who undertake to apply the code comply with its provisions, and (b) in relation to persons other than public bodies, the mechanism involves monitoring by a body which is accredited for that purpose by the Commissioner under regulation 32B. (7) In relation to amendments of a code of conduct that is for the time being approved under this regulation— (a) paragraphs (4) and (5) apply as they apply in relation to a code, and (b) the requirements in paragraph (6) must be satisfied by the code as amended. (8) A code of conduct described in paragraph (1) may be contained in the same document as a code of conduct described in Article 40 of the UK GDPR (and a provision contained in such a document may be a provision of both codes). (9) In this regulation— public body has the meaning given in section 7 of the Data Protection Act 2018 (for the purposes of the UK GDPR); representative body means an association or other body representing categories of— (a) communications providers, or (b) other persons engaged in activities regulated by these Regulations; the UK GDPR has the meaning given in section 3(10) of the Data Protection Act 2018. 32B Accreditation of bodies monitoring compliance with codes of conduct
(1) The Commissioner may, in accordance with this regulation, accredit a body for the purpose of monitoring whether persons other than public bodies comply with a code of conduct described in regulation 32A(1). (2) The Commissioner may accredit a body only where the Commissioner is satisfied that the body has— (a) demonstrated its independence, (b) demonstrated that it has an appropriate level of expertise in relation to the subject matter of the code, (c) established procedures which allow it— (i) to assess a person’s eligibility to apply the code, (ii) to monitor compliance with the code, and (iii) to review the operation of the code periodically, (d) established procedures and structures to handle complaints about infringements of the code or about the manner in which the code has been, or is being, implemented by a person, (e) made arrangements to publish information about the procedures and structures described in sub-paragraph (d), and (f) demonstrated that it does not have a conflict of interest. (3) The Commissioner must prepare and publish guidance about how the Commissioner proposes to take decisions about accreditation under this regulation. (4) A body accredited under this regulation in relation to a code must take appropriate action where a person infringes the code. (5) If the action taken by a body under paragraph (4) consists of suspending or excluding a person from the code, the body must inform the Commissioner, giving reasons for taking that action. (6) The Commissioner must revoke the accreditation of a body under this regulation if the Commissioner considers that the body— (a) no longer meets the requirements for accreditation, or (b) has failed, or is failing, to comply with paragraph (4) or (5). (7) In this regulation, “public body” has the same meaning as in regulation 32A. 32C Effect of codes of conduct
Adherence to a code of conduct approved under regulation 32A may be used by a person as a means of demonstrating compliance with these Regulations.
(a) the Commissioner’s enforcement functions, or (b) the Commissioner’s functions under regulation 32A or 32B (codes of conduct).
92 Pre-commencement consultation¶
Trust services¶
93 The eIDAS Regulation¶
In sections 94 to 97, “the eIDAS Regulation” means Regulation (EU) No. 910/2014 of the European Parliament and the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market.94 Recognition of EU conformity assessment bodies¶
In Chapter 3 of the eIDAS Regulation (trust services), after Article 24A insert—Article 24BRecognition of EU conformity assessment bodies
For the purposes of Articles 20(1), 21 and 24(1)(d), a body is to be treated as if it were a conformity assessment body in relation to a description of trust services provider (and trust service) if it is a conformity assessment body in relation to that description of provider (and service) for the purposes of the equivalent EU law.
95 Removal of recognition of EU standards etc¶
96 Recognition of overseas trust products¶
Section 9 Recognition of overseas trust services
Article 45ALegal effects of overseas electronic signatures etc
1. The Secretary of State may by regulations provide that, for the purposes of Articles 25(2), 35(2), 41(2) and 43(2), an overseas trust product of a specified description is to be treated as qualified. 2. In this Article— overseas, in relation to a trust product, means provided by a person established in a country or territory outside the United Kingdom; specified means specified by regulations under this Article; trust product means an electronic signature, an electronic seal, an electronic time stamp or an electronic registered delivery service. 3. The Secretary of State may not make regulations under this Article specifying a description of overseas trust product unless satisfied that the reliability of such a product is at least equivalent to the reliability of a comparable trust product that is qualified. 4. When making regulations under this Article in relation to a description of overseas trust product, the Secretary of State must have regard to (among other things) the law in the other country or territory relevant to that description of product and related trust services. Article 45BOverseas signatures and seals in public service
1. The Secretary of State may by regulations provide that an overseas electronic signature of a specified description is to be treated— (a) for the purposes of Article 27(1), as an advanced electronic signature that complies with the Implementing Decision; (b) for the purposes of Article 27(2), as an advanced electronic signature based on a qualified certificate for electronic signature, or a qualified signature, that complies with the Implementing Decision. 2. The Secretary of State may by regulations provide that an overseas electronic seal of a specified description is to be treated— (a) for the purposes of Article 37(1), as an advanced electronic seal that complies with the Implementing Decision; (b) for the purposes of Article 37(2), as an advanced electronic seal based on a qualified certificate for electronic seal, or a qualified seal, that complies with the Implementing Decision. 3. In this Article— the Implementing Decision means Commission Implementing Decision (EU) 2015/1506 laying down specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies; overseas, in relation to an electronic signature or electronic seal, means provided by a person established in a country or territory outside the United Kingdom; specified means specified by regulations made under this Article. 4. The Secretary of State may not make regulations under point (a) or (b) of paragraph 1 or point (a) or (b) of paragraph 2 specifying a description of overseas electronic signature or overseas electronic seal unless satisfied that the reliability of such a signature or seal is at least equivalent to the reliability of a signature or seal described in that point. 5. When making regulations under this Article in relation to a description of overseas electronic signature or overseas electronic seal, the Secretary of State must have regard to (among other things) the law in the other country or territory relevant to that description of signature or seal and related trust services. Article 45CRegulations under this Section
1. Before making regulations under Article 45A or 45B, the Secretary of State must consult the supervisory body. 2. Regulations under Article 45A or 45B— (a) may describe something by (among other things) describing something that meets a condition specified in the regulations or is provided by a person who meets such a condition, and (b) may include a condition referring to (among other things) the law of the other country or territory or a standard or other document, including the law, standard or other document as amended from time to time. 3. Regulations under Article 45A or 45B may— (a) make different provision for different purposes, including for the purposes of different provisions of this Regulation, and (b) include transitional or transitory provision or savings. 4. Regulations under Article 45A or 45B are to be made by statutory instrument. 5. A statutory instrument containing regulations under Article 45A or 45B is subject to annulment in pursuance of either House of Parliament.
97 Co-operation between supervisory authority and overseas authorities¶
3. In this Article— designated means designated by regulations made by the Secretary of State that are in force; overseas authority means a person, or description of person, with functions relating to the regulation or supervision of trust services outside the United Kingdom. 4. Before making regulations under this Article, the Secretary of State must consult the supervisory body. 5. Regulations under this Article may include transitional or transitory provision or savings. 6. Regulations under this Article are to be made by statutory instrument. 7. A statutory instrument containing regulations under this Article is subject to annulment in pursuance of either House of Parliament.
Sharing of information¶
98 Disclosure of information to improve public service delivery to undertakings¶
(b) the assisting of undertakings in connection with any trade, business or charitable purpose.
(13) In this section “undertaking” means— (a) any person, other than a public authority, carrying on a trade or business, whether or not with a view to profit, or (b) any body, or the trustees of a trust, established for charitable purposes only. (14) In this section, in so far as it forms the law in Scotland and Northern Ireland, “charitable purpose” has the same meaning as it has in the law of England and Wales (see section 2 of the Charities Act 2011).
99 Implementation of law enforcement information-sharing agreements¶
100 Meaning of “appropriate national authority”¶
(xiii) section 99 of the Data Protection and Digital Information Act 2024.
Registers of births and deaths¶
101 Form in which registers of births and deaths are to be kept¶
25 Form in which registers are to be kept, etc
(1) Registers of live-births, still-births and deaths must be kept in such form as the Registrar General may reasonably require. (2) The Registrar General may, in particular, require any such register to be kept in a form that secures that any information entered in the register by a registrar— (a) in the case of a register of live-births or of deaths, is available to the superintendent registrar and to the Registrar General immediately after the entry has been made, and (b) in the case of a register of still-births, is available to the Registrar General immediately after the entry has been made. (3) In a case where a register is kept in such form as is mentioned in subsection (2), any information in the register which is available to the superintendent registrar or Registrar General is to be regarded as held by that person (as well as by the registrar) in connection with that person’s functions. (4) The Registrar General— (a) may provide anything which the Registrar General considers appropriate for the registers mentioned in subsection (1) to be kept in the form required under that subsection, and (b) must maintain anything provided under paragraph (a). (5) The Registrar General must also provide the forms required for the purposes of this Act for making certified copies of entries in registers.
102 Provision of equipment and facilities by local authorities¶
In the Registration Service Act 1953, after section 11 insert—11A Provision of equipment and facilities by local authorities
(1) At each register office provided for the superintendent registrar of a district, the council which employs the superintendent registrar shall, subject to the provisions of the local scheme, provide and maintain such equipment or facilities as the Registrar General reasonably considers to be necessary for the performance of the superintendent registrar’s functions. (2) At each office and each station for a sub-district of a registrar, the council which employs the registrar shall, subject to the provisions of the local scheme, provide and maintain such equipment or facilities as the Registrar General reasonably considers to be necessary for the performance of the registrar’s functions.
103 Requirements to sign register¶
38B Requirements to sign register
(1) Where any register of births or register of deaths is required to be kept under this Act otherwise than in hard copy form, the Minister may by regulations provide that— (a) a person’s duty under this Act to sign the register at any time is to have effect as a duty to comply with specified requirements at that time, and (b) a person who complies with those requirements is to be treated for the purposes of this Act as having signed the register at that time and, in the case of a duty to sign the register in the presence of the registrar, to have done so in the presence of the registrar, and accordingly, in such a case, the entry in the register is to be taken for the purposes of this Act to have been signed by the person.(2) The provision that may be made by regulations under this section includes, among other things— (a) provision requiring a person to sign something other than the register; (b) provision requiring a person to provide specified evidence of identity in such form and manner as may be specified. (3) In this section “specified” means specified in regulations under this section.
(6) A statutory instrument that contains (whether alone or with other provision) regulations made by the Minister under section 38B may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament.
104 Treatment of existing registers and records¶
105 Minor and consequential amendments¶
Schedule 11 contains minor and consequential amendments.Information standards for health and social care¶
106 Information standards for health and adult social care in England¶
Schedule 12 makes provision about information standards for health and adult social care in England (under Part 9 of the Health and Social Care Act 2012) and information technology.Part 5 — Regulation and oversight¶
Information Commission¶
107 The Information Commission¶
The Information Commission
114A The Information Commission
(1) A body corporate called the Information Commission is established. (2) Schedule 12A makes further provision about the Commission.
(8A) “The Commission” means the Information Commission (see section 114A).
In section 206 (index of defined expressions), in the Table, at the appropriate place insert—
“the Commission
section 3”.
108 Abolition of the office of Information Commissioner¶
109 Transfer of functions to the Information Commission¶
110 Transfer of property etc to the Information Commission¶
Oversight of biometric data¶
111 Oversight of retention and use of biometric material¶
,(1A) In this section, “the Commissioner” means the Investigatory Powers Commissioner (as defined in section 263(1) of the Investigatory Powers Act 2016).
(12) Section 229(6) and (7) of the Investigatory Powers Act 2016 (duty not to act contrary to public interest etc) apply to the exercise of functions under this section and the section 63D functions as they apply to the exercise of functions under that Act. (13) Errors identified by the Commissioner in carrying out functions under this section or the section 63D functions are not relevant errors for the purposes of section 231 of the Investigatory Powers Act 2016 (error reporting). (14) The Commissioner’s annual report under section 234 of the Investigatory Powers Act 2016 must include information about the carrying out of the Commissioner’s functions under this section and the section 63D functions.
(10) In this section, “the Investigatory Powers Commissioner” has the meaning given in section 263(1) of the Investigatory Powers Act 2016.
.the Investigatory Powers Commissioner has the meaning given in section 263(1) of the Investigatory Powers Act 2016;
.the Investigatory Powers Commissioner has the meaning given in section 263(1) of the Investigatory Powers Act 2016,
.(ia) the Investigatory Powers Commissioner (as defined in section 263(1) of the Investigatory Powers Act 2016),
112 Removal of provision for regulation of CCTV etc¶
113 Oversight of biometrics databases¶
, and(a)
(b) a database of fingerprints— (i) taken from a person under a power conferred by this Part of this Act, or (ii) taken by the police, with the consent of the person from whom they were taken, in connection with the investigation of an offence by the police.
(1A) The Board is to be known as the Forensic Information Database Strategy Board.
, and(a) the erasure of personal data from a database listed in subsection (1), (b) ”
(c) the destruction of other material from which biometric data contained in a database listed in subsection (1) is derived.
(10) The Secretary of State may by regulations made by statutory instrument— (a) change the databases which the Board is required to oversee by— (i) adding a database operated for policing purposes which consists entirely or mainly of biometric data, or (ii) removing a database; (b) rename the Board; (c) require or authorise the Board to issue a code of practice or guidance. (11) Regulations under subsection (10) may— (a) amend this section; (b) make different provision for different purposes; (c) make consequential, transitional, transitory or saving provision. (12) A statutory instrument containing regulations under this section may not be made unless a draft of the instrument has been laid before, and approved by a resolution of, each House of Parliament. (13) In this section— biometric data means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of an individual, which allows or confirms the unique identification of that individual, such as facial images or dactyloscopic data; personal data has the same meaning as in the Data Protection Act 2018 (see section 3(2) of that Act).
Part 6 — Final provisions¶
114 Power to make consequential amendments¶
115 Regulations¶
116 Interpretation¶
In this Act—117 Financial provision¶
There is to be paid out of money provided by Parliament—118 Extent¶
119 Commencement¶
120 Transitional, transitory and saving provision¶
121 Short title¶
This Act may be cited as the Data Protection and Digital Information Act 2024.Schedules¶
Schedule 11 — Lawfulness of processing: recognised legitimate interests¶
In the UK GDPR, at the end insert—ANNEX 1LAWFULNESS OF PROCESSING: RECOGNISED LEGITIMATE INTERESTS
Disclosure for purposes of processing described in Article 6(1)(e)
1. This condition is met where— (a) the processing is necessary for the purposes of making a disclosure of personal data to another person in response to a request from the other person, and (b) the request states that the other person needs the personal data for the purposes of carrying out processing described in Article 6(1)(e) that has a legal basis that satisfies Article 6(3). National security, public security and defence
2. This condition is met where the processing is necessary— (a) for the purposes of safeguarding national security, (b) for the purposes of protecting public security, or (c) for defence purposes. Emergencies
3. This condition is met where the processing is necessary for the purposes of responding to an emergency. 4. In paragraph 3, “emergency” has the same meaning as in Part 2 of the Civil Contingencies Act 2004. Crime
5. This condition is met where the processing is necessary for the purposes of— (a) detecting, investigating or preventing crime, or (b) apprehending or prosecuting offenders. Safeguarding vulnerable individuals
6. This condition is met where the processing is necessary for the purposes of safeguarding a vulnerable individual. 7. In paragraph 6— safeguarding, in relation to a vulnerable individual, means— (a) protecting a vulnerable individual from neglect or physical, mental or emotional harm, or (b) protecting the physical, mental or emotional well-being of a vulnerable individual; vulnerable individual means an individual— (a) aged under 18, or (b) aged 18 or over and at risk. 8. For the purposes of paragraph 7— (a) protection of an individual, or of the well-being of an individual, includes both protection relating to a particular individual and protection relating to a type of individual, and (b) an individual aged 18 or over is “at risk” if the controller has reasonable cause to suspect that the individual— (i) has needs for care and support, (ii) is experiencing, or at risk of, neglect or physical, mental or emotional harm, and (iii) as a result of those needs is unable to protect themselves against the neglect, harm or risk. Democratic engagement
9. This condition is met where- (a) the processing is carried out for the purposes of democratic engagement, and (b) the data subject is aged 14 or over. 10. For the purposes of paragraph 9, processing is carried out for the purposes of democratic engagement if— (a) the processing— (i) is carried out by an elected representative or a person acting with the authority of such a representative, and (ii) is necessary for the purposes of discharging the elected representative’s functions or for the purposes of the elected representative’s democratic engagement activities, (b) the processing— (i) is carried out by a person or organisation included in a register maintained under section 23 of the Political Parties, Elections and Referendums Act 2000, and (ii) is necessary for the purposes of the person’s or organisation’s democratic engagement activities, for the purposes of assisting an elected representative with their functions or democratic engagement activities or for the purposes of assisting with a candidate’s campaign for election as an elected representative, (c) the processing— (i) is carried out by a candidate for election as an elected representative or a person acting with the authority of such a candidate, and (ii) is necessary for the purposes of the candidate’s campaign for election, (d) the processing— (i) is carried out by a permitted participant in relation to a referendum or a person acting with the authority of such a person, and (ii) is necessary for the purposes of the permitted participant’s campaigning in connection with the referendum, or (e) the processing— (i) is carried out by an accredited campaigner in relation to a recall petition or a person acting with the authority of such a person, and (ii) is necessary for the purposes of the accredited campaigner’s campaigning in connection with the recall petition. 11. In paragraph 10— accredited campaigner has the meaning given in Part 5 of Schedule 3 to the Recall of MPs Act 2015; candidate, in relation to election as an elected representative, has the meaning given by the provision listed in the relevant entry in the second column of the table in paragraph 12; democratic engagement activities means activities whose purpose is to support or promote democratic engagement; elected representative means a person listed in the first column of the table in paragraph 12 and see also paragraphs 13 and 14; permitted participant has the same meaning as in Part 7 of the Political Parties, Elections and Referendums Act 2000 (referendums) (see section 105 of that Act); recall petition has the same meaning as in the Recall of MPs Act 2015 (see section 1(2) of that Act); referendum means a referendum or other poll held on one or more questions specified in, or in accordance with, an enactment. 12. This is the table referred to in paragraph 11—
Elected representative
Candidate for election as an elected representative
(a) a member of the House of Commons section 118A of the Representation of the People Act 1983
(b) a member of the Senedd article 84(2) of the National Assembly for Wales (Representation of the People) Order 2007 (S.I. 2007/236)
(c) a member of the Scottish Parliament article 80(1) of the Scottish Parliament (Elections etc) Order 2015 (S.S.I. 2015/425)
(d) a member of the Northern Ireland Assembly section 118A of the Representation of the People Act 1983, as applied by the Northern Ireland Assembly (Elections) Order 2001 (S.I. 2001/2599)
(e) an elected member of a local authority within the meaning of section 270(1) of the Local Government Act 1972, namely— (i) in England, a county council, a district council, a London borough council or a parish council; (ii) in Wales, a county council, a county borough council or a community council; section 118A of the Representation of the People Act 1983
(f) an elected mayor of a local authority within the meaning of Part 1A or 2 of the Local Government Act 2000 section 118A of the Representation of the People Act 1983, as applied by the Local Authorities (Mayoral Elections) (England and Wales) Regulations 2007 (S.I. 2007/1024)
(g) a mayor for the area of a combined authority established under section 103 of the Local Democracy, Economic Development and Construction Act 2009 section 118A of the Representation of the People Act 1983, as applied by the Combined Authorities (Mayoral Elections) Order 2017 (S.I. 2017/67)
(h) the Mayor of London or an elected member of the London Assembly section 118A of the Representation of the People Act 1983
(i) an elected member of the Common Council of the City of London section 118A of the Representation of the People Act 1983
(j) an elected member of the Council of the Isles of Scilly section 118A of the Representation of the People Act 1983
(k) an elected member of a council constituted under section 2 of the Local Government etc (Scotland) Act 1994 section 118A of the Representation of the People Act 1983
(l) an elected member of a district council within the meaning of the Local Government Act (Northern Ireland) 1972 (c. 9 (N.I.)) section 130(3A) of the Electoral Law Act (Northern Ireland) 1962 (c. 14 (N.I.))
(m) a police and crime commissioner article 3 of the Police and Crime Commissioner Elections Order 2012 (S.I. 2012/1917)
13. For the purposes of the definition of “elected representative” in paragraph 11, a person who is— (a) a member of the House of Commons immediately before Parliament is dissolved, (b) a member of the Senedd immediately before Senedd Cymru is dissolved, (c) a member of the Scottish Parliament immediately before that Parliament is dissolved, or (d) a member of the Northern Ireland Assembly immediately before that Assembly is dissolved, is to be treated as if the person were such a member until the end of the period of 30 days beginning with the day after the day on which the subsequent general election in relation to that Parliament or Assembly is held.14. For the purposes of the definition of “elected representative” in paragraph 11, a person who is an elected member of the Common Council of the City of London and whose term of office comes to an end at the end of the day preceding the annual Wardmotes is to be treated as if the person were such a member until the end of the fourth day after the day on which those Wardmotes are held.
Schedule 22 — Purpose limitation: processing to be treated as compatible with original purpose¶
In the UK GDPR, after Annex 1 (inserted by Schedule 1 to this Act) insert—ANNEX 2PURPOSE LIMITATION: PROCESSING TO BE TREATED AS COMPATIBLE WITH ORIGINAL PURPOSE
Disclosure for purposes of processing described in Article 6(1)(e)
1. This condition is met where— (a) the processing— (i) is necessary for the purposes of making a disclosure of personal data to another person in response to a request from the other person, and (ii) is not carried out by a public authority in the performance of its tasks, and (b) the request states that the other person needs the personal data for the purposes of carrying out processing that— (i) is described in Article 6(1)(e), (ii) has a legal basis that satisfies Article 6(3), and (iii) is necessary to safeguard an objective listed in Article 23(1)(c) to (j). Public security
2. This condition is met where the processing is necessary for the purposes of protecting public security. Emergencies
3. This condition is met where the processing is necessary for the purposes of responding to an emergency. 4. In paragraph 3, “emergency has the same meaning as in Part 2 of the Civil Contingencies Act 2004. Crime
5. This condition is met where the processing is necessary for the purposes of— (a) detecting, investigating or preventing crime, or (b) apprehending or prosecuting offenders. Protection of vital interests of data subjects and others
6. This condition is met where the processing is necessary for the purposes of protecting the vital interests of the data subject or another individual. Safeguarding vulnerable individuals
7. This condition is met where the processing is necessary for the purposes of safeguarding a vulnerable individual. 8. In paragraph 7— safeguarding, in relation to vulnerable individual, means — (a) protecting a vulnerable individual from neglect or physical, mental or emotional harm, or (b) protecting the physical, mental or emotional well-being of a vulnerable individual; vulnerable individual means an individual— (a) aged under 18, or (b) aged 18 or over and at risk. 9. For the purposes of paragraph 8— (a) protection of an individual, or of the well-being of an individual, includes both protection relating to a particular individual and protection relating to a type of individual, and (b) an individual aged 18 or over is “at risk” if the controller has reasonable cause to suspect that the individual— (i) has needs for care and support, (ii) is experiencing, or at risk of, neglect or physical, mental or emotional harm, and (iii) as a result of those needs is unable to protect themselves against the neglect, harm or risk. Taxation
10. This condition is met where the processing is carried out for the purposes of the assessment or collection of a tax or duty or an imposition of a similar nature. Legal obligations
11. This condition is met where the processing is necessary for the purposes of complying with an obligation of the controller under an enactment, a rule of law or an order of a court or tribunal.
Schedule 33 — Automated decision-making: consequential amendments¶
The UK GDPR¶
.(ba) Article 22B or 22C (restrictions on, and safeguards for, automated decision-making);
The 2018 Act¶
Schedule 44 — Obligations of controllers and processors: consequential amendments¶
The UK GDPR¶
.(11A) “senior responsible individual” means an individual designated as the senior responsible individual of a controller or processor under Article 27A;
The 2018 Act¶
(6A) “Senior responsible individual” means an individual designated as the senior responsible individual of a controller or processor under section 58A.
, and(aa) makes provision for the designation, tasks and position of senior responsible individuals (see sections 58A to 58C); (ab) makes provision about processors (see section 59) and processing under the authority of the controller or processor (see section 60); (ac) makes provision about records (see sections 61A and 62) and co-operation with the Commissioner (see section 63); (ad) makes provision about risk assessment (see section 64) and prior consultation with the Commissioner (see section 65);
(2) In this section, “senior responsible individual” means an individual designated as the senior responsible individual of a controller or processor under Article 27A of the UK GDPR or section 58A of this Act.
.senior responsible individual (in Part 3)
section 33
Schedule 55 — Transfers of personal data to third countries etc: general processing¶
Introduction¶
General principles for transfers¶
Article 44AGeneral principles for transfers
1. A controller or processor may transfer personal data to a third country or an international organisation only if— (a) the condition in paragraph 2 is met, and (b) the transfer is carried out in compliance with the other provisions of this Regulation. 2. The condition is met if the transfer— (a) is approved by regulations under Article 45A that are in force at the time of the transfer, (b) is made subject to appropriate safeguards (see Article 46), or (c) is made in reliance on a derogation for specific situations (see Article 49). 3. A transfer may not be made in reliance on paragraph 2(b) or (c) if, or to the extent that, it would breach a restriction in regulations under Article 49A.
Transfers approved by regulations¶
Article 45ATransfers approved by regulations
1. For the purposes of Article 44A, the Secretary of State may by regulations approve transfers of personal data to— (a) a third country, or (b) an international organisation. 2. The Secretary of State may only make regulations under this Article approving transfers to a third country or international organisation if the Secretary of State considers that the data protection test is met in relation to the transfers (see Article 45B). 3. In making regulations under this Article, the Secretary of State may have regard to any matter which the Secretary of State considers relevant, including the desirability of facilitating transfers of personal data to and from the United Kingdom. 4. Regulations under this Article may, among other things— (a) make provision in relation to a third country or international organisation specified in the regulations or a description of country or organisation; (b) approve all transfers of personal data to a third country or international organisation or only transfers specified or described in the regulations; (c) identify a transfer of personal data by any means, including by reference to— (i) a sector or geographic area within a third country, (ii) the controller or processor, (iii) the recipient of the personal data, (iv) the personal data transferred, (v) the means by which the transfer is made, or (vi) relevant legislation, schemes, lists or other arrangements or documents, as they have effect from time to time; (d) confer a discretion on a person. 5. Regulations under this Article are subject to the negative resolution procedure. Article 45BThe data protection test
1. For the purposes of Article 45A, the data protection test is met in relation to transfers of personal data to a third country or international organisation if the standard of the protection provided for data subjects with regard to general processing of personal data in the country or by the organisation is not materially lower than the standard of the protection provided for data subjects by or under— (a) this Regulation, (b) Part 2 of the 2018 Act, and (c) Parts 5 to 7 of that Act, so far as relevant to general processing. 2. In considering whether the data protection test is met in relation to transfers of personal data to a third country or international organisation, the Secretary of State must consider, among other things— (a) respect for the rule of law and for human rights in the country or by the organisation, (b) the existence, and powers, of an authority responsible for enforcing the protection of data subjects with regard to the processing of personal data in the country or by the organisation, (c) arrangements for judicial or non-judicial redress for data subjects in connection with such processing, (d) rules about the transfer of personal data from the country or by the organisation to other countries or international organisations, (e) relevant international obligations of the country or organisation, and (f) the constitution, traditions and culture of the country or organisation. 3. In paragraphs 1 and 2— (a) the references to the protection provided for data subjects are to that protection taken as a whole, (b) the references to general processing are to processing to which this Regulation applies or equivalent types of processing in the third country or by the international organisation (as appropriate), and (c) the references to processing of personal data in the third country or by the international organisation are references only to the processing of personal data transferred to the country or organisation by means of processing to which this Regulation applies as described in Article 3. 4. When the data protection test is applied only to certain transfers to a third country or international organisation that are specified or described, or to be specified or described, in regulations (in accordance with Article 45A(4)(b))— (a) the references in paragraphs 1 to 3 to personal data are to be read as references only to personal data likely to be the subject of such transfers, and (b) the reference in paragraph 2(d) to transfer to other countries or international organisations is to be read as including transfer within the third country or international organisation.
Transfers approved by regulations: monitoring¶
Article 45CTransfers approved by regulations: monitoring
1. The Secretary of State must, on an ongoing basis, monitor developments in third countries and international organisations that could affect decisions to make regulations under Article 45A or to amend or revoke such regulations. 2. Where the Secretary of State becomes aware that the data protection test is no longer met in relation to transfers approved, or of a description approved, in regulations under Article 45A, the Secretary of State must, to the extent necessary, amend or revoke the regulations. 3. Where regulations under Article 45A are amended or revoked in accordance with paragraph 2, the Secretary of State must enter into consultations with the third country or international organisation concerned with a view to improving the protection provided to data subjects with regard to the processing of personal data in the country or by the organisation. 4. The Secretary of State must publish— (a) a list of the third countries and international organisations, and the descriptions of such countries and organisations, which are for the time being approved by regulations under Article 45A as places or persons to which personal data may be transferred, and (b) a list of the third countries and international organisations, and the descriptions of such countries and organisations, which have been but are no longer approved by such regulations. 5. In the case of regulations under Article 45A which approve only certain transfers to a third country or international organisation specified or described in the regulations (in accordance with Article 45A(4)(b)), the lists published under paragraph 4 must specify or describe the relevant transfers.
Transfers subject to appropriate safeguards¶
1A. A transfer of personal data to a third country or an international organisation by a controller or processor is made subject to appropriate safeguards only— (a) in a case in which— (i) safeguards are provided in connection with the transfer as described in paragraph 2 or 3 or regulations made under Article 47A(4), and (ii) the controller or processor, acting reasonably and proportionately, considers that the data protection test is met in relation to the transfer or that type of transfer (see paragraph 6), or (b) in a case in which— (i) safeguards are provided in accordance with paragraph 2(a) by an instrument that is intended to be relied on in connection with the transfer or that type of transfer, and (ii) each public body that is a party to the instrument, acting reasonably and proportionately, considers that the data protection test is met in relation to the transfers, or types of transfer, intended to be made in reliance on the instrument (see paragraph 6).
6. For the purposes of this Article, the data protection test is met in relation to a transfer, or a type of transfer, of personal data if, after the transfer, the standard of the protection provided for the data subject with regard to that personal data by the safeguards required under paragraph 1A, and (where relevant) by other means, would not be materially lower than the standard of the protection provided for the data subject with regard to the personal data by or under— (a) this Regulation, (b) Part 2 of the 2018 Act, and (c) Parts 5 to 7 of that Act, so far as relevant to processing to which this Regulation applies. 7. For the purposes of paragraph 1A(a)(ii) and (b)(ii), what is reasonable and proportionate is to be determined by reference to all the circumstances, or likely circumstances, of the transfer or type of transfer, including the nature and volume of the personal data transferred. 8. In this Article— (a) references to the protection provided for the data subject are to that protection taken as a whole; (b) “relevant person” means a public body or another person exercising functions of a public nature.
Article 47ATransfers subject to appropriate safeguards: further provision
1. The Secretary of State may by regulations specify standard data protection clauses which the Secretary of State considers are capable of securing that the data protection test set out in Article 46 is met in relation to transfers of personal data generally or in relation to a type of transfer specified in the regulations. 2. The Secretary of State must keep under review the standard data protection clauses specified in regulations under paragraph 1 that are for the time being in force. 3. Regulations under paragraph 1 are subject to the negative resolution procedure. 4. The Secretary of State may by regulations make provision about further safeguards that may be relied on for the purposes of Article 46(1A)(a). 5. The Secretary of State may only make regulations under paragraph 4 if the Secretary of State considers that the further safeguards are capable of securing that the data protection test set out in Article 46 is met in relation to transfers of personal data generally or in relation to a type of transfer specified in the regulations. 6. Regulations under paragraph 4 may, among other things— (a) make provision by adopting safeguards prepared or published by another person; (b) make provision about ways of providing safeguards which require authorisation from the Commissioner; (c) amend Article 46 by— (i) adding ways of providing safeguards, or (ii) varying or omitting ways of providing safeguards which were added by regulations under this Article. 7. Regulations under paragraph 4 are subject to the affirmative resolution procedure.
Derogations for specific situations¶
4A The Secretary of State may by regulations specify for the purposes of point (d) of paragraph 1— (a) circumstances in which a transfer of personal data to a third country or international organisation is to be taken to be necessary for important reasons of public interest, and (b) circumstances in which a transfer of personal data to a third country or international organisation which is not required by an enactment is not to be taken to be necessary for important reasons of public interest.
7. Regulations under this Article— (a) are subject to the made affirmative resolution procedure where the Secretary of State has made an urgency statement in respect of them; (b) otherwise, are subject to the affirmative resolution procedure. 8. For the purposes of this Article, an urgency statement is a reasoned statement that the Secretary of State considers it desirable for the regulations to come into force without delay.
Public interest restrictions¶
Article 49ARestriction in the public interest
1. The Secretary of State may by regulations restrict the transfer of a category of personal data to a third country or international organisation where— (a) the transfer is not approved by regulations under Article 45A for the time being in force, and (b) the Secretary of State considers the restriction to be necessary for important reasons of public interest. 2. Regulations under this Article— (a) are subject to the made affirmative resolution procedure where the Secretary of State has made an urgency statement in respect of them; (b) otherwise, are subject to the affirmative resolution procedure. 3. For the purposes of this Article, an urgency statement is a reasoned statement that the Secretary of State considers it desirable for the regulations to come into force without delay.
Schedule 66 — Transfers of personal data to third countries etc: law enforcement processing¶
Introduction¶
Overview and interpretation¶
(2) In this Chapter— relevant authority, in relation to a third country, means any person based in a third country that has (in that country) functions comparable to those of a competent authority; relevant international organisation means an international organisation that carries out functions for any of the law enforcement purposes; relevant restricted transfer case means (subject to subsection (3)) a case in which the personal data was originally made available to a competent authority (whether the current controller or a previous controller)— (a) by a relevant authority in a third country or by a relevant international organisation, and (b) subject to a condition (however imposed) that the data is not to be transferred to a third country or international organisation without authorisation from that authority or organisation or another such authority or organisation; overseas authoriser, in connection with a relevant restricted transfer case, means the person whose authorisation is required. (3) In a case in which the personal data was originally made available to a competent authority subject to a condition that only requires authorisation for further transfers in certain circumstances, the case is a relevant restricted transfer case only in those circumstances.
General principles for transfer¶
(c) the transfer is carried out in accordance with the other provisions of this Part, and (d) in a relevant restricted transfer case, the overseas authoriser has authorised the transfer or subsection (5) applies.
(3) Condition 2 is that the transfer— (a) is approved by regulations under section 74AA that are in force at the time of the transfer, (b) is made subject to appropriate safeguards (see section 75), or (c) is based on special circumstances (see section 76).
Transfers approved by regulations¶
74AA Transfers approved by regulations
(1) For the purposes of section 73, the Secretary of State may by regulations approve transfers of personal data to— (a) a third country, or (b) an international organisation. (2) The Secretary of State may only make regulations under this section approving transfers to a third country or international organisation if the Secretary of State considers that the data protection test is met in relation to the transfers (see section 74AB). (3) In making regulations under this section, the Secretary of State may have regard to any matter which the Secretary of State considers relevant, including the desirability of facilitating transfers of personal data to and from the United Kingdom. (4) Regulations under this section may, among other things— (a) make provision by reference to a third country or international organisation specified in the regulations or a description of country or organisation; (b) approve all transfers of personal data to a third country or international organisation or only transfers specified or described in the regulations; (c) identify a transfer of personal data by any means, including by reference to— (i) a sector or geographic area within a third country, (ii) the controller or processor, (iii) the recipient of the personal data, (iv) the personal data transferred, (v) the means by which the transfer is made, or (vi) relevant legislation, schemes, lists or other arrangements or documents, as they have effect from time to time; (d) confer a discretion on a person. (5) Regulations under this section are subject to the negative resolution procedure. 74AB The data protection test
(1) For the purposes of section 74AA, the data protection test is met in relation to transfers to a third country or international organisation if the standard of the protection provided for data subjects with regard to law enforcement processing of personal data in the country or by the organisation is not materially lower than the standard of the protection provided for data subjects by or under— (a) this Part, and (b) Parts 5 to 7, so far as relevant to law enforcement processing. (2) In considering whether the data protection test is met in relation to transfers of personal data to a third country or international organisation, the Secretary of State must consider, among other things— (a) respect for the rule of law and for human rights in the country or by the organisation, (b) the existence, and powers, of an authority responsible for enforcing the protection of data subjects with regard to the processing of personal data in the country or by the organisation, (c) arrangements for judicial or non-judicial redress for data subjects in connection with such processing, (d) rules about the transfer of personal data from the country or by the organisation to other countries or international organisations, (e) relevant international obligations of the country or organisation, and (f) the constitution, traditions and culture of the country or organisation. (3) In subsections (1) and (2)— (a) the references to the protection provided for data subjects are to that protection taken as a whole, (b) the references to law enforcement processing are to processing by a competent authority for any of the law enforcement purposes or equivalent types of processing in the third country or by the international organisation (as appropriate), and (c) the references to processing of personal data in the third country or by the international organisation are references only to the processing of personal data transferred to the country or organisation by means of processing to which this Act applies as described in section 207(2). (4) When the data protection test is applied only to certain transfers to a third country or international organisation that are specified or described, or to be specified or described, in regulations (in accordance with section 74AA(4)(b))— (a) the references in subsections (1) to (3) to personal data are to be read as references only to personal data likely to be the subject of such transfers, and (b) the reference in subsection (2)(d) to transfer to other countries or international organisations is to be read as including transfer within the third country or international organisation.
Transfers approved by regulations: monitoring¶
Transfers subject to appropriate safeguards¶
(1A) A transfer of personal data to a third country or an international organisation is made subject to appropriate safeguards only if— (a) the controller, acting reasonably and proportionately, considers that the data protection test is met in relation to the transfer or that type of transfer (see subsection (5)), or (b) an appropriate legal instrument binds the intended recipient of the data (see subsection (4)).
(4) For the purposes of this section, a legal instrument is “appropriate”, in relation to a transfer of personal data, if— (a) the instrument is intended to be relied on in connection with the transfer or that type of transfer, (b) at least one competent authority is a party to the instrument, and (c) each competent authority that is a party to the instrument, acting reasonably and proportionately, considers that the data protection test is met in relation to the transfers, or types of transfer, intended to be made in reliance on the instrument (see subsection (5)). (5) For the purposes of this section, the data protection test is met in relation to a transfer, or a type of transfer, of personal data if, after the transfer, the standard of the protection provided for the data subject with regard to that personal data, whether by a binding legal instrument or by other means, would not be materially lower than the standard of the protection provided for the data subject with regard to the personal data by or under— (a) this Part, and (b) Parts 5 to 7, so far as they relate to processing by a competent authority for any of the law enforcement purposes. (6) For the purposes of subsections (1A)(a) and (4)(c), what is reasonable and proportionate is to be determined by reference to all the circumstances, or likely circumstances, of the transfer or type of transfer, including the nature and volume of the personal data transferred. (7) In this section, references to the protection provided for the data subject are to that protection taken as a whole.
Transfers based on special circumstances¶
(A1) A transfer of personal data to a third country or international organisation is based on special circumstances where— (a) it is made in the absence of approval by regulations under section 74AA and of compliance with section 75 (appropriate safeguards), and (b) it is necessary for a special purpose.
(2A) In accordance with the third data protection principle, the amount of personal data transferred in reliance on this section must not be excessive in relation to the special purpose relied on.
Subsequent transfers¶
, and(a)
(b) (subject to subsection (4)) that— (i) the data is not to be so transferred without such authorisation except where subsection (1A) applies, and (ii) where a transfer is made without such authorisation, the UK authoriser must be informed without delay.
(1A) This subsection applies if— (a) the transfer is necessary for the prevention of an immediate and serious threat to the public security or national security of a third country or the United Kingdom, and (b) authorisation from the UK authoriser cannot be obtained in good time.
(4) In a relevant restricted transfer case— (a) the transferring controller must make the transfer subject to the condition described in subsection (1)(a), and (b) the UK authoriser may not authorise a further transfer of personal data under subsection (1)(a) unless the overseas authoriser has authorised the further transfer or subsection (5) applies.
Schedule 77 — Transfers of personal data to third countries etc: consequential and transitional provision¶
Part 1 — Consequential provision¶
The UK GDPR¶
.(sa) provide authorisation required under regulations made under Article 47A;
.(k) to provide authorisation required under regulations made under Article 47A
The 2018 Act¶
(14) For the purposes of this section, an urgency statement is a reasoned statement that the Secretary of State considers it desirable for regulations to come into force without delay.
, and(2) Those provisions are Articles 13(1)(f), 14(1)(f), 45C, 49(1) and 49A(1) of the UK GDPR.
(3) In its application to transfers treated as approved by virtue of paragraph 1, Article 45C(5) of the UK GDPR (transfers approved by regulations: monitoring) has effect as if the reference to Article 45A(4)(b) were omitted.
.(aa) changing references to provision made by regulations under section 17A into references to provision made by regulations made under Article 45A of the UK GDPR;
(2) In its application to transfers treated as approved by virtue of paragraph 10, section 74B(7) (transfers approved by regulations: monitoring) has effect as if the reference to section 74AA(4)(b) were omitted.
Part 2 — Transitional provision¶
The UK GDPR: transfers approved by regulations¶
The UK GDPR: transfers subject to appropriate safeguards¶
The UK GDPR: transfers subject to appropriate safeguards provided by standard data protection clauses¶
The UK GDPR: transfers necessary for important reasons of public interest¶
The UK GDPR: restrictions on transfers of personal data to third countries and international organisations¶
Part 3 of the 2018 Act (law enforcement processing): transfers approved by regulations¶
Part 3 of the 2018 Act (law enforcement processing): transfers subject to appropriate safeguards¶
Schedule 88 — Complaints: minor and consequential amendments¶
The UK GDPR¶
.(ca) the right to make a complaint to the controller under section 164A of the 2018 Act;
.(da) the right to make a complaint to the controller (see section 164A of the 2018 Act);
.(ea) the right to make a complaint to the controller under section 164A of the 2018 Act;
The 2018 Act¶
, and(da) the existence of the right to make a complaint to the controller (see section 164A);
, and(ca) of the data subject’s right to make a complaint to the controller under section 164A,
, and(ea) the existence of the data subject’s right to make a complaint to the controller (see section 164A);
, and(ca) of the data subject’s right to make a complaint to the controller under section 164A,
.(ca) the data subject’s right to make a complaint to the controller under section 164A,
, and(iia) of the data subject’s right to make a complaint to the controller under section 164A,
, and(ba) of the data subject’s right to make a complaint to the controller under section 164A,
(6) In this section, “request” does not include a complaint under section 165.
(5A) The fifth type of failure is where a controller has failed, or is failing, to comply with section 164A or with regulations under section 164B.
(4A) In relation to an infringement of section 164A or of regulations under section 164B, the maximum amount of the penalty that may be imposed by a penalty notice is the standard maximum amount.
, and(za) the right under section 164A (complaints to the controller);
(1A) For the purposes of this Act, whether a complaint to the Commissioner is vexatious or excessive must be determined having regard to the circumstances of the complaint, including (so far as relevant)— (a) the nature of the complaint, (b) the complainant’s relationship with the person who is the subject of the complaint (“the subject”) and the Commissioner, (c) the resources available to the Commissioner, (d) the extent to which the complaint repeats a previous complaint made by the complainant to the subject or the Commissioner, (e) how long ago any previous complaint was made, and (f) whether the complaint overlaps with other complaints made by the complainant to the subject or the Commissioner.
Schedule 99 — Data protection: minor amendments¶
The UK GDPR¶
.(A4) the data protection legislation has the same meaning as in the 2018 Act (see section 3(9) of that Act);
.(15A) direct marketing means the communication (by whatever means) of advertising or marketing material which is directed to particular individuals;
(29) enactment has the same meaning as in the 2018 Act (see section 205 of that Act); (30) tribunal means any tribunal in which legal proceedings may be brought.
The 2018 Act¶
and includes compliance with the requirements of the data protection legislation;.
.(iia) the processing of personal data carried out in preparation for disclosure described in sub-paragraph (i) or (ii),
.(iia) the processing of personal data carried out in preparation for disclosure described in sub-paragraph (i) or (ii),
Schedule 1010 — Privacy and electronic communications: Commissioner’s enforcement powers¶
This is the Schedule to be substituted for Schedule 1 to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426)—Schedule 111 — Information commissioner’s enforcement powers
Provisions applied for enforcement purposes
1 For the purposes of enforcing these Regulations, the following provisions of Parts 5 to 7 of the Data Protection Act 2018 apply with the modifications set out in paragraphs 2 to 30— section 140 (publication by the Commissioner); section 141 (notices from the Commissioner); section 142 (information notices); section 143 (information notices: restrictions); section 144 (false statements made in response to an information notice); section 145 (information orders); section 146 (assessment notices); section 146A (assessment notices: approval of person to prepare report); section 147 (assessment notices: restrictions); section 148 (destroying or falsifying information and documents etc); section 148A (interview notices); section 148B (interview notices: restrictions); section 148C (false statements made in response to interview notices); section 149 (enforcement notices); section 150 (enforcement notices: supplementary); section 152 (enforcement notices: restrictions); section 153 (enforcement notices: cancellation and variation); section 154 and Schedule 15 (powers of entry and inspection); section 155 and Schedule 16 (penalty notices); section 156 (penalty notices: restrictions); section 157 (maximum amount of penalty); section 159 (amount of penalties: supplementary); section 160 (guidance about regulatory action); section 161 (approval of first guidance about regulatory action); section 162 (rights of appeal); section 163 (determination of appeals); section 164 (applications in respect of urgent notices); section 180 (jurisdiction); section 181 (interpretation of Part 6); section 182 (regulations and consultation); section 196 (penalties for offences); section 197(1) and (2) (prosecution); section 198 (liability of directors etc); section 200 (guidance about PACE codes of practice); section 202 (proceedings in the First-tier Tribunal: contempt); section 203 (Tribunal Procedure Rules). General modification of references to the Data Protection Act 2018
2 The provisions listed in paragraph 1 have effect as if— (a) references to the Data Protection Act 2018 or to a Part of that Act were references to the provisions of that Act or that Part as applied by these Regulations; (b) references to a particular provision of that Act were references to that provision as applied by these Regulations. Modification of section 142 (information notices)
3 Section 142 has effect as if— (a) in subsection (1), for paragraphs (a) and (b) there were substituted— ;(a) require any person to provide the Commissioner with information or documents that the Commissioner reasonably requires for the purposes of determining whether that person has complied or is complying with the requirements of the PEC Regulations, (b) require a communications provider to provide the Commissioner with information or documents relating to another person’s use of an electronic communications network or electronic communications service for the purposes of determining whether that other person has complied or is complying with the requirements of the PEC Regulations, or (c) require any person to provide the Commissioner with information or documents that the Commissioner reasonably requires for the purposes of investigating a suspected failure by another person to comply with the requirements of the PEC Regulations. (b) in subsection (2)(a), for “(b)(i) or (b)(ii)” there were substituted “(b) or (c)”; (c) after subsection (8) there were inserted— ;(8A) Subsections (8B) and (8C) apply if an information notice given to a person under subsection (1)(b) or (c) contains— (a) a statement that a duty of confidentiality applies in relation to the notice, and (b) an explanation of the effects of subsections (8B) and (8C). (8B) The person to whom the information notice is given, and any person employed or engaged for the purpose of that person’s business, must not disclose the existence of the notice without reasonable excuse. (8C) Subsection (8B) does not prevent— (a) a disclosure to a person employed or engaged for the purpose of the business of the person to whom the notice is given, (b) a disclosure made with the permission of the Commissioner (whether the permission is contained in the information notice or otherwise), or (c) a disclosure made for the purpose of obtaining legal advice. (d) subsection (10) were omitted. Modification of section 143 (information notices: restrictions)
4 (1) Section 143 has effect as if subsection (1) were omitted. (2) In that section— (a) subsections (3)(b) and (4)(b) have effect as if for “the data protection legislation” there were substituted “the PEC Regulations”; (b) subsection (7)(a) has effect as if for “this Act” there were substituted “section 144, 148 or 148C or paragraph 15 of Schedule 15”; (c) subsection (8) has effect as if for “this Act (other than an offence under section 144)” there were substituted “section 148 or 148C or paragraph 15 of Schedule 15”. Modification of section 145 (information orders)
5 Section 145(2)(b) has effect as if for “section 142(2)(b)” there were substituted “section 142(2)”. Modification of section 146 (assessment notices)
6 Section 146 has effect as if— (a) in subsection (1)— (i) for “a controller or processor” there were substituted “a person within subsection (1A)”; (ii) for “the controller or processor” there were substituted “the person”; (iii) for “the data protection legislation” there were substituted “the requirements of the PEC Regulations”; (b) after subsection (1) there were inserted— ;(1A) A person is within this subsection if the person— (a) is a communications provider, or (b) is engaged in any activity regulated by the PEC Regulations. (c) in subsection (2)— (i) for “controller or processor” there were substituted “person to whom it is given”; (ii) in paragraph (h), for “the processing of personal data” there were substituted “any activity regulated by the PEC Regulations”; (iii) in paragraph (i), for “process personal data on behalf of the controller” there were substituted “are involved in any such activity on behalf of the person to whom the notice is given”; (d) in subsection (3A), for “controller or processor” there were substituted “person”; (e) in subsection (7), for “controller or processor” there were substituted “person to whom the notice is given”; (f) in subsection (8)— (i) in paragraph (a), for “controller or processor” there were substituted “person to whom the notice is given”; (ii) in the words after paragraph (c), for “controller or processor” there were substituted “person”; (g) in subsection (9)— (i) in paragraph (a), for the words from “a controller” to “this Act” there were substituted “the person to whom the notice is given has failed or is failing to comply with the requirements of the PEC Regulations or that an offence under section 144, 148 or 148C or paragraph 15 of Schedule 15”; (ii) in paragraph (d), for “controller or processor” there were substituted “person”; (h) in subsection (10), for “controller or processor” there were substituted “person”; (i) subsection (11) were omitted; (j) in subsection (11A)— (i) for “controller or processor”, in the first place it occurs, there were substituted “person to whom it is given”; (ii) for “controller or processor”, in the second place it occurs, there were substituted “the person”. Modification of section 146A (assessment notices: approval of person to prepare report)
7 Section 146A has effect as if— (a) in subsection (1), for “a controller or processor” there were substituted “a person (“P”)”; (b) in subsection (2), for “The controller or processor” there were substituted “P”; (c) in subsections (3) to (6), for “the controller or processor” (in each place) there were substituted “P”. Modification of section 147 (assessment notices: restrictions)
8 (1) Section 147 has effect as if subsections (5) and (6)(b) were omitted. (2) In that section, subsections (2)(b) and (3)(b) have effect as if for “the data protection legislation” there were substituted “the PEC Regulations”. Modification of section 148A (interview notices)
9 (1) Section 148A has effect as if— (a) in subsection (1)— (i) for “a controller or processor” there were substituted “a person”; (ii) in paragraph (a), for “as described in section 149(2)” there were substituted “to comply with a requirement of the PEC Regulations”; (iii) in paragraph (b), for “this Act” there were substituted “section 144, 148 or 148C or paragraph 15 of Schedule 15”; (b) in subsection (3)— (i) in paragraph (a), for “the controller or processor” there were substituted “the person mentioned in subsection (1)”; (ii) in paragraph (b), for “the controller or processor” there were substituted “that person”; (iii) in paragraph (c), for “the controller or processor” there were substituted “that person”. Modification of section 148B (interview notices: restrictions)
10 (1) Section 148B has effect as if subsections (8) and (9) were omitted. (2) In that section— (a) subsections (2)(b) and (3)(b) have effect as if for “the data protection legislation” there were substituted “the PEC Regulations”; (b) subsection (6)(a) has effect as if for “this Act” there were substituted “section 144, 148 or 148C or paragraph 15 of Schedule 15”; (c) subsection (7) has effect as if for “this Act (other than an offence under section 148C)” there were substituted “section 144 or 148 or paragraph 15 of Schedule 15”. Modification of section 149 (enforcement notices)
11 (1) Section 149 has effect as if subsections (2) to (5A) and (7) to (9) were omitted. (2) In that section— (a) subsection (1) has effect as if— (i) for “as described in subsections (2), (3), (4), (5) or (5A)” there were substituted “to comply with a requirement of the PEC Regulations”; (ii) for “sections 150 and 151” there were substituted “section 150”; (b) subsection (6) has effect as if the words “given in reliance on subsection (2), (3), (5) or (5A)” were omitted. Modification of section 150 (enforcement notices: supplementary)
12 (1) Section 150 has effect as if subsection (3) were omitted. (2) In that section, subsection (2) has effect as if the words “in reliance on section 149(2)” were omitted. Modification of section 152 (enforcement notices: restrictions)
13 Section 152 has effect as if subsections (1), (2) and (4) were omitted. Modification of Schedule 15 (powers of entry and inspection)
14 (1) Schedule 15 has effect as if paragraph 3 were omitted. (2) Paragraph 1(1) of that Schedule (issue of warrants in connection with non-compliance and offences) has effect as if for paragraph (a) (but not the final “and”) there were substituted— .(a) there are reasonable grounds for suspecting that— (i) a person has failed or is failing to comply with a requirement of the PEC Regulations, or (ii) an offence under section 144, 148, or 148C or paragraph 15 of this Schedule has been or is being committed, (3) Paragraph 2 of that Schedule (issue of warrants in connection with assessment notices) has effect as if— (a) in sub-paragraphs (1) and (2), for “controller or processor” there were substituted “person”; (b) in sub-paragraph (2), for “the data protection legislation” there were substituted “the PEC Regulations”. (4) Paragraph 5 of that Schedule (content of warrants) has effect as if— (a) in sub-paragraph (1)(c), for “the processing of personal data” there were substituted “an activity regulated by the PEC Regulations”; (b) in sub-paragraph (2)(d), for the words from “controller or processor” to the end there were substituted “person mentioned in paragraph 1(1)(a) has failed or is failing to comply with a requirement of the PEC Regulations”; (c) in sub-paragraph (3)(a) and (d)— (i) for “controller or processor” there were substituted “person mentioned in paragraph 2(1)”; (ii) for “the data protection legislation” there were substituted “the requirements of the PEC Regulations”. (5) Paragraph 11 of that Schedule (privileged communications) has effect as if, in sub-paragraphs (1)(b) and (2)(b), for “the data protection legislation” there were substituted “the PEC Regulations”. Modification of section 155 (penalty notices)
15 Section 155 has effect as if— (a) in subsection (1)— (i) in paragraph (a), for “as described in section 149(2), (3), (4), (5) or (5A)” there were substituted “to comply with a requirement of the PEC Regulations”; (ii) after paragraph (c), there were inserted “or (d) has failed to comply with the prohibition in section 142(8B),”; (b) after subsection (1) there were inserted— ;(1A) But the Commissioner may not give a penalty notice to a person in respect of a failure to comply with regulation 5A or 26A of the PEC Regulations. (c) for subsection (2) there were substituted— ;(2) When deciding whether to give a penalty notice to a person and determining the amount of the penalty, the Commission must have regard to the matters listed in subsection (3), so far as relevant. (d) in subsection (3)— (i) for “the controller or processor” (in each place) there were substituted “the person”; (ii) in paragraph (c), for the words from “data subjects” to the end there were substituted “subscribers or users”; (iii) in paragraph (d), for the words “in accordance with section 57, 66, 103 or 107” there were substituted “with a view to securing compliance with the requirements of the PEC Regulations”; (iv) paragraph (g) were omitted; (v) in paragraph (j), the words “or certification mechanism” were omitted; (e) subsection (4) were omitted; (f) after subsection (4) there were inserted— ;(4A) If a penalty notice is given to a body in respect of a failure to comply with any of regulations 19 to 24 of the PEC Regulations, the Commissioner may also give a penalty notice to an officer of the body if the Commissioner is satisfied that the failure— (a) took place with the consent or connivance of the officer, or (b) was attributable to any neglect on the part of the officer. (4B) In subsection (4A)— body means a body corporate or a Scottish partnership; officer, in relation to a body, means— (a) in relation to a body corporate— (i) a director, manager, secretary or other similar officer of the body or any person purporting to act in such capacity, and (ii) where the affairs of the body are managed by its members, a member; or (b) in relation to a Scottish partnership, a partner or any person purporting to act as a partner. (g) subsections (6) to (8) were omitted. Modification of Schedule 16 (penalties)
16 Schedule 16 has effect as if paragraphs 3(2)(b) and 5(2)(b) were omitted. Modification of section 156 (penalty notices: restrictions)
17 (1) Section 156 has effect as if subsections (1), (2), (4)(b) and (5) were omitted. (2) In that section, subsection (3) has effect as if for the words from “controller” to “determined by or” there were substituted “penalty notice to a person who acts”. Modification of section 157 (maximum amount of penalty)
18 Section 157 has effect as if— (a) subsection (1) were omitted; (b) in subsection (2)— (i) for “Part 3 of this Act” there were substituted “the PEC Regulations”; (ii) in paragraph (a), for the words from “section 35” to “or 78” there were substituted “regulation 5, 6, 7, 8, 14, 19, 20, 21, 21A, 21B, 22, 23 or 24”; (c) subsections (3) and (4A) were omitted; (d) after subsection (4A) there were inserted— (4B) In relation to an infringement of section 142(8B) of this Act, the maximum amount of the penalty that may be imposed by a penalty notice is the higher maximum amount. Modification of section 159 (amount of penalties: supplementary)
19 Section 159 has effect as if— (a) in subsection (1), the words “Article 83 of the UK GDPR and” were omitted; (b) in subsection (2), the words “Article 83 of the UK GDPR,” and “and section 158” were omitted. Modification of section 160 (guidance)
20 Section 160 has effect as if, in subsection (4)(f), for “controllers and processors” there were substituted “persons”. Modification of section 162 (rights of appeal)
21 Section 162 has effect as if subsection (4) were omitted. Modification of section 163 (determination of appeals)
22 Section 163 has effect as if subsection (6) were omitted. Modification of section 180 (jurisdiction)
23 (1) Section 180 has effect as if subsections (2)(b), (c), (d) and (e) and (3) were omitted. (2) Subsection (1) of that section has effect as if for “subsections (3) and (4)” there were substituted “subsection (4)”. Modification of section 181 (interpretation of Part 6)
24 Section 181 has effect as if the definition of “certification provider” were omitted. Modification of section 182 (regulations and consultation)
25 Section 182 has effect as if subsections (3), (4), (6), (8) to (12) and (14) were omitted. 26 Subsection (13) of that section has effect as if for “provision comes into force” there were substituted “coming into force of section 90 of the Data Protection and Digital Information Act 2024”. Modification of section 196 (penalties for offences)
27 (1) Section 196 has effect as if subsections (3) to (5) were omitted. (2) In that section— (a) subsection (1) has effect as if the words “section 119 or 173 or” were omitted; (b) subsection (2) has effect as if for “section 132, 144, 148, 148C, 170, 171 or 184” there were substituted “section 144, 148 or 148C”. Modification of section 200 (guidance about PACE codes of practice)
28 Section 200 has effect as if, in subsection (1), for “this Act” there were substituted “section 144, 148 and 148C and paragraph 15 of Schedule 15”. Modification of section 202 (proceedings in the First-tier Tribunal: contempt)
29 Section 202 has effect as if, in subsection (1)(a), for sub-paragraphs (i) and (ii) there were substituted “on an appeal under section 162”. Modification of section 203 (tribunal procedure rules)
30 Section 203 has effect as if— (a) in subsection (1), for paragraphs (a) and (b) there were substituted “the exercise of the rights of appeal conferred by section 162”; (b) in subsection (2)— (i) in paragraph (a), for “the processing of personal data” there were substituted “any activity regulated by the PEC Regulations”; (ii) in paragraph (b), for “the processing of personal data” there were substituted “any such activity”. Interpretation
31 In this Schedule, “the PEC Regulations” means these Regulations.
Schedule 1112 — Registers of births and deaths: minor and consequential amendments¶
Part 1 — Amendments of the Births and Deaths Registration Act 1953¶
(6) In subsection (5) “the relevant register of births”, in relation to the re-registration of the birth of a child, means the register of births in which the entry relating to the child was previously made.
(2A) In this section the “relevant registration officer” for a register means— (a) the registrar of births and deaths for the sub-district for which the register is or has been kept, or (b) the superintendent registrar for the district containing that sub-district.
(5) In this section the “appropriate registration officer”, in relation to a register, means— (a) in the case of a register of live-births or of deaths in hard copy form, the superintendent registrar having custody of the register; (b) in the case of a register of live-births or of deaths not in hard copy form— (i) the registrar of births and deaths for the sub-district for which the register is or has been kept, or (ii) the superintendent registrar for the district containing that sub-district; (c) in the case of a register of still-births, the Registrar General.
Appropriate registration officer has the same meaning as in section 29 of this Act.
(1ZA) The Registrar General shall cause the following indexes to be made and kept in the General Register Office— (a) an index of the entries in the registers kept under section 1 of this Act; (b) an index of the entries in the registers kept under section 15 of this Act.
(1) The superintendent registrar for each district shall cause the following indexes to be made— (a) an index of the entries in the registers of live-births kept for the sub-districts within that district; (b) an index of the entries in the registers of deaths kept for the sub-districts within that district. (1A) The indexes must be kept with the other records of the register office for the district.
32 Obtaining copies of entries from registrars
(1) Any person is entitled to obtain from a registrar for a sub-district, at any time when the registrar’s office is required to be open for the transaction of public business, a copy certified by the registrar of any entry in any register of births or register of deaths kept for that sub-district. (2) But subsection (1) does not apply in relation to any register of still-births except as the registrar may, with the consent of the Registrar General, in any particular case allow.
(1A) In subsection (1) the “appropriate registration officer” means— (a) in the case of a live-birth, the Registrar General, a superintendent registrar or a registrar; (b) in the case of a still-birth— (i) the Registrar General, or (ii) a registrar acting at the time of the registration of the still-birth or with the consent of the Registrar General.
;(aa) to carry out, on request, a search to find out whether any of the registers kept under this Act contains a particular entry;
(4) For the purposes of this Act a register is in hard copy form if it consists of a paper copy or similar form capable of being read with the naked eye.
Part 2 — Amendments of other legislation¶
Registration Service Act 1953¶
.(ba) determining the equipment or facilities to be provided at those offices and stations by the council for the non-metropolitan county or metropolitan district;
Public Records Act 1958¶
Social Security Administration Act 1992¶
(6) The reference in subsection (1) above to a register in the custody of a registrar or superintendent registrar includes, in relation to registers of births or deaths kept under the Births and Deaths Registration Act 1953, a reference to any such register kept for the registrar’s sub-district or (as the case may be) for a sub-district within the superintendent registrar’s district; and references in subsection (3) above to the custodian of the register are to be read accordingly.
Education Act 1996¶
;register means a register of births or register of deaths kept under that Act,
the relevant registrar for a register means— (a) in the case of a register in hard copy form (within the meaning of the Births and Deaths Registration Act 1953), the superintendent registrar having custody of the register; (b) in the case of a register not in hard copy form (within the meaning of that Act)— (i) the registrar of births and deaths for the sub-district for which the register is or has been kept, or (ii) the superintendent registrar for the district containing that sub-district.
Adoption and Children Act 2002¶
Gender Recognition Act 2004¶
.(c) an entry in a register kept under section 1 of the Births and Deaths Registration Act 1953,
(3) “The appropriate Registrar General” means— (a) in relation to a UK birth register entry of which a certified copy is kept by a Registrar General or which is in a register so kept, whichever Registrar General keeps that certified copy or that register; (b) in relation to a UK birth register entry in a register kept under section 1 of the Births and Deaths Registration Act 1953, the Registrar General for England and Wales. (3A) For the purposes of this section each of the following is a Registrar General— (a) the Registrar General for England and Wales; (b) the Registrar General for Scotland; (c) the Registrar General for Northern Ireland.
Presumption of Death Act 2013¶
;(a)
(b) the index kept in the General Register Office of such entries.
Schedule 1213 — Information standards for health and adult social care in England¶
.Powers to publish standards
(e) a relevant IT provider.
,information technology includes— (a) computers, (b) other devices whose uses include the processing of information by electronic means (“IT devices”), (c) parts, accessories and other equipment made or adapted for use in connection with computers or IT devices, (d) software and code made or adapted for use in connection with computers or IT devices, and (e) networks and other infrastructure (whether physical or virtual) used in connection with other information technology; IT service means an information technology service, including any service (whether physical or virtual) which consists of, or is provided in connection with, the development, making available, operation or maintenance of information technology;
relevant IT provider means a person involved in marketing, supplying, providing or otherwise making available— (a) information technology, (b) an IT service, or (c) a service which consists of processing information using information technology, whether for payment or free of charge, but only so far as the technology or service is used, or intended to be used, in connection with the provision in, or in relation to, England of health care or of adult social care.
250A Standards relating to information technology
(1) An information standard relating to information technology or IT services may, among other things, make provision about— (a) the design, quality, capabilities or other characteristics of such technology or services; (b) contracts or other arrangements under which such technology or services are marketed, supplied, provided or otherwise made available. (2) An information standard may include technical provision about information technology or IT services, including provision about— (a) functionality; (b) connectivity; (c) interoperability; (d) portability; (e) storage of, and access to, information; (f) security of information. (3) An information standard may make provision by reference to open standards or proprietary standards.
(3) The power under section 250(1) may be exercised by— (a) adopting an information standard prepared or published by another person, including as it has effect from time to time, or (b) making provision by reference to an international agreement or another document, including as it has effect from time to time.
.Compliance with standards
251ZB Notice requesting compliance by relevant IT providers
(1) If the Secretary of State has reasonable grounds to suspect that a relevant IT provider is not complying with an information standard which applies to the provider, the Secretary of State may give the provider a written notice which— (a) identifies the standard in question, (b) sets out the Secretary of State’s grounds for suspecting that the provider is not complying with the standard, (c) asks the provider to comply with the standard within a period specified in the notice, (d) asks the provider, within a period specified in the notice, to provide evidence to the Secretary of State’s satisfaction that the provider is complying with the standard, and (e) if the Secretary of State considers it appropriate, sets out the steps that the Secretary of State considers the provider must take, within a period specified in the notice, in order to comply with the standard. (2) A period specified for the purposes of subsection (1)(c), (d) or (e) must be a period of at least 28 days beginning with the day on which the notice is given. (3) The Secretary of State may, by giving the relevant IT provider a further written notice, vary or revoke a notice given under subsection (1). 251ZC Public censure of relevant IT providers
(1) If the Secretary of State has reasonable grounds to suspect that a relevant IT provider is not complying with an information standard which applies to the provider, the Secretary of State may publish a statement to that effect. (2) The statement may include the text of a notice given to the provider under section 251ZB. (3) Before publishing a statement under this section, the Secretary of State must give the relevant IT provider— (a) a copy of the terms of the proposed statement, and (b) an opportunity to make representations about the decision to publish a statement and the terms of the statement. (4) If, after considering any representations, the Secretary of State decides to publish the statement, the Secretary of State must inform the relevant IT provider before publishing it. 251ZD Exercise of functions of Secretary of State by other persons
(1) The Secretary of State may— (a) direct a public body to exercise some or all of the functions listed in subsection (3), and (b) give the public body directions about the exercise of those functions, including directions about the processing of information that the body obtains in exercising those functions. (2) The Secretary of State may make arrangements for a person prescribed by regulations under this subsection to exercise some or all of the functions listed in subsection (3). (3) Those functions are— (a) the Secretary of State’s functions under section 251ZA, so far as they relate to relevant IT providers, and (b) the Secretary of State’s functions under section 251ZB. (4) Arrangements under subsection (2) may— (a) provide for the Secretary of State to make payments to the person, and (b) make provision as to the circumstances in which such payments are to be repaid to the Secretary of State. (5) Section 304(9) applies in relation to the power to make arrangements under subsection (2) as it applies to a power of the Secretary of State to give directions under this Act.
Accreditation
251ZE Accreditation of information technology etc
(1) Regulations may make provision for the establishment and operation of a scheme for the accreditation of information technology and IT services so far as used, or intended to be used, in connection with the provision in, or in relation to, England of health care or of adult social care. (2) The regulations may provide for the scheme to be established and operated by a person specified in the regulations (“the operator”). (3) The regulations may, among other things, confer power on the operator— (a) to establish the procedure for accreditation under the scheme, (b) to set the criteria for accreditation under the scheme (“the accreditation criteria”), (c) to keep an accreditation under the scheme under review, and (d) to charge a reasonable fee in respect of an application for accreditation. (4) The regulations may, among other things, make provision requiring the operator— (a) to set some or all of the accreditation criteria by reference to information standards, (b) to publish details of the scheme, including the accreditation criteria, (c) to provide for the review of a decision to refuse an application for accreditation, and (d) to provide advice to applicants for accreditation with a view to ensuring that the accreditation criteria are met.
Schedule 1314 — The Information Commission¶
Schedule 12A to the 2018 Act¶
Schedule 12A15 — The Information Commission
Status
1 (1) The Commission is not to be regarded— (a) as a servant or agent of the Crown, or (b) as enjoying any status, immunity or privilege of the Crown. (2) The Commission’s property is not to be regarded— (a) as property of the Crown, or (b) as property held on behalf of the Crown. Number of members
2 (1) The number of members of the Commission is to be determined by the Secretary of State. (2) That number must not be— (a) less than 3, or (b) more than 14. (3) The Secretary of State may by regulations substitute a different number for the number for the time being specified in sub-paragraph (2)(b). (4) Regulations under this paragraph are subject to the negative resolution procedure. Membership: general
3 (1) The Commission is to consist of— (a) the non-executive members, and (b) the executive members. (2) The non-executive members are— (a) a chair appointed by His Majesty by Letters Patent on the recommendation of the Secretary of State, and (b) such other members as the Secretary of State may appoint. (3) The executive members are— (a) a chief executive appointed by the non-executive members or in accordance with paragraph 24, and (b) such other members, if any, as the non-executive members may appoint. (4) The non-executive members must consult the Secretary of State before appointing the chief executive. (5) The non-executive members must consult the chief executive about whether there should be any executive members within sub-paragraph (3)(b) and, if so, how many there should be. (6) The Secretary of State may by direction set a maximum and a minimum number of executive members. (7) The Commission may appoint one of the non-executive members as a deputy to the chair. Membership: non-executive members to outnumber executive members
4 The Secretary of State must exercise the powers conferred on the Secretary of State by paragraphs 2 and 3 so as to secure that the number of non-executive members of the Commission is, so far as practicable, at all times greater than the number of executive members. Membership: selection on merit etc
5 (1) The Secretary of State may not recommend a person for appointment as the chair of the Commission unless the person has been selected on merit on the basis of fair and open competition. (2) A person may not be appointed as a member of the Commission unless the person has been selected on merit on the basis of fair and open competition. Membership: conflicts of interests
6 (1) Before— (a) recommending a person for appointment as the chair of the Commission, or (b) appointing a person as a non-executive member of the Commission, the Secretary of State must be satisfied that the person does not have a conflict of interest.(2) The Secretary of State must check from time to time that none of the non-executive members has a conflict of interest. (3) The Secretary of State may require a non-executive member to provide whatever information the Secretary of State considers necessary for the purpose of checking that the member does not have a conflict of interest. (4) A non-executive member who is required to provide information under sub-paragraph (3) must provide it within such period as may be specified by the Secretary of State. (5) In this Schedule, “conflict of interest”, in relation to a person, means a financial or other interest which is likely to affect prejudicially the discharge by the person of the person’s functions as a member of the Commission. Tenure of the chair
7 (1) The chair of the Commission holds and vacates office in accordance with the terms of the chair’s appointment, subject to the provisions of this paragraph. (2) The chair must be appointed for a term of not more than 7 years. (3) On the recommendation of the Secretary of State, His Majesty may by Letters Patent extend the term of the chair’s appointment but not so the term as extended is more than 7 years. (4) A person cannot be appointed as the chair more than once. (5) The chair may be relieved from office by His Majesty at the chair’s own request. (6) The chair may be removed from office by His Majesty on an Address from both Houses of Parliament. (7) No motion is to be made in either House of Parliament for such an Address unless the Secretary of State has presented a report to that House stating that the Secretary of State is satisfied that— (a) the chair is guilty of serious misconduct, (b) the chair has a conflict of interest (see paragraph 6(5)), (c) the chair has failed to comply with paragraph 6(4), or (d) the chair is unable, unfit or unwilling to carry out the chair’s functions. Tenure of deputy chair
8 (1) A deputy chair of the Commission may resign that office by giving written notice to the Commission. (2) A deputy chair of the Commission ceases to hold that office on ceasing to be a non-executive member of the Commission. (3) A deputy chair of the Commission may be removed from that office by the Commission. Tenure of the other non-executive members
9 (1) This paragraph applies to a non-executive member of the Commission appointed by the Secretary of State. (2) The member holds and vacates office in accordance with the terms of their appointment, subject to the provisions of this paragraph. (3) The member must be appointed for a term of not more than 7 years. (4) The Secretary of State may extend the term of the member’s appointment but not so that the term as extended is more than 7 years. (5) The Secretary of State may not appoint the member as a non-executive member of the Commission on a subsequent occasion. (6) The member may resign from office by giving written notice to the Secretary of State and the Commission. (7) The Secretary of State may remove the member from office by written notice if satisfied that— (a) the member is guilty of serious misconduct, (b) the member has a conflict of interest (see paragraph 6(5)), (c) the member has failed to comply with paragraph 6(4), or (d) the member is unable, unfit or unwilling to carry out the member’s functions. (8) At the time of removing the member from office the Secretary of State must make public the decision to do so. (9) The Secretary of State must— (a) give the member a statement of reasons for the removal, and (b) if asked to do so by the member, publish the statement. Remuneration and pensions of non-executive members
10 (1) The Commission may pay to the non-executive members of the Commission such remuneration and allowances as the Secretary of State may determine. (2) The Commission may pay, or make provision for paying, to or in respect of the non-executive members of the Commission, such sums by way of pensions, allowances or gratuities (including pensions, allowances or gratuities paid by way of compensation in respect of loss of office) as the Secretary of State may determine. (3) The Commission may make a payment to a person of such amount as the Secretary of State may determine where— (a) the person ceases to be a non-executive member of the Commission otherwise than on the expiry of the person’s term of office, and (b) it appears to the Secretary of State that there are special circumstances which make it appropriate for the person to receive compensation. Executive members: terms and conditions
11 (1) The executive members of the Commission are to be employees of the Commission. (2) The executive members are to be employed by the Commission on such terms and conditions, including those as to remuneration, as the non-executive members of the Commission may determine. (3) The Commission must— (a) pay to or in respect of the executive members of the Commission such pensions, allowances or gratuities (including pensions, allowances or gratuities paid by way of compensation in respect of loss of office) as the non-executive members of the Commission may determine, and (b) provide and maintain for them such pension schemes (whether contributory or not) as the non-executive members of the Commission may determine. Other staff: appointment, terms and conditions
12 (1) The Commission may— (a) appoint other employees, and (b) make such other arrangements for the staffing of the Commission as it considers appropriate. (2) In appointing an employee, the Commission must have regard to the principle of selection on merit on the basis of fair and open competition. (3) Employees appointed by the Commission are to be appointed on such terms and conditions, including those as to remuneration, as the Commission may determine. (4) The Commission may— (a) pay to or in respect of those employees such pensions, allowances or gratuities (including pensions, allowances or gratuities paid by way of compensation in respect of loss of employment) as the Commission may determine, and (b) provide and maintain for them such pension schemes (whether contributory or not) as the Commission may determine. Committees
13 (1) The Commission may establish committees. (2) A committee of the Commission may consist of or include persons who are neither members nor employees of the Commission. (3) But a committee of the Commission to which functions are delegated under paragraph 14(1)(c) must include at least one person who is either a member or an employee of the Commission. (4) Where a person who is neither a member nor an employee of the Commission is a member of a committee of the Commission, the Commission may pay to that person such remuneration and expenses as it may determine. Delegation of functions
14 (1) The Commission may delegate any of its functions to— (a) a member of the Commission, (b) an employee of the Commission, or (c) a committee of the Commission. (2) A function is delegated under sub-paragraph (1) to the extent and on the terms that the Commission determines. (3) A committee of the Commission may delegate any function delegated to it to a member of the committee. (4) A function is delegated under sub-paragraph (3) to the extent and on the terms that the committee determines. (5) The power of a committee of the Commission to delegate a function, and to determine the extent and terms of the delegation, is subject to the Commission’s power to direct what a committee established by it may and may not do. (6) The delegation of a function by the Commission or a committee of the Commission under this paragraph does not prevent the Commission or the committee from exercising that function. Advice from committees
15 The Commission may require a committee of the Commission to give the Commission advice about matters relating to the discharge of the Commission’s functions. Proceedings
16 (1) The Commission may make arrangements for regulating— (a) its own procedure, and (b) the procedure of a committee of the Commission. (2) The non-executive members of the Commission may by majority make arrangements for regulating the procedure for the carrying out of the separate functions which are conferred on them under this Schedule. (3) Arrangements under this paragraph may include arrangements as to quorum and the making of decisions by a majority. (4) The Commission must publish arrangements which it makes under this paragraph. (5) This paragraph is subject to paragraph 18. Records of proceedings
17 The Commission must make arrangements for the keeping of proper records of— (a) its proceedings, (b) the proceedings of a committee of the Commission, (c) the proceedings at a meeting of the non-executive members of the Commission, (d) anything done by a member or employee of the Commission under paragraph 14(1), and (e) anything done by a member of a committee of the Commission under paragraph 14(3). Disqualification for acting in relation to certain matters
18 (1) This paragraph applies if— (a) a member of the Commission has a direct or indirect interest in a matter falling to be considered at a meeting of the Commission, (b) a non-executive member of the Commission has a direct or indirect interest in a matter falling to be considered at a meeting of the non-executive members, or (c) a member of a committee of the Commission has a direct or indirect interest in a matter falling to be considered at a meeting of the committee. (2) The member with the interest must declare it. (3) The declaration must be recorded in the minutes of the meeting. (4) The member with the interest may not take part in a discussion or decision at the meeting relating to the matter, unless— (a) in the case of a meeting of the Commission, the other members of the Commission who are present have resolved unanimously that the interest is to be disregarded, (b) in the case of a meeting of the non-executive members, the other non-executive members who are present have so resolved, or (c) in the case of a meeting of a committee, the other members of the committee who are present have so resolved in the manner authorised by the Commission. (5) In giving authorisation for the purposes of sub-paragraph (4)(c), the Commission must secure that a resolution for those purposes does not allow a member to take part in a discussion or decision at a meeting of a committee to which functions are delegated under paragraph 14(1)(c) unless the number of other members of the committee in favour of the resolution— (a) is not less than two thirds of those who are both present and entitled to vote on the resolution, and (b) is not less than its quorum. (6) For the purposes of this paragraph, a notification given at or sent to a meeting of the Commission that a person— (a) is a member of a company or firm, and (b) is to be regarded as interested in any matter involving that company or firm, is to be regarded as compliance with sub-paragraph (2) in relation to any such matter for the purposes of that meeting and subsequent meetings of the Commission, of the non-executive members or of a committee.(7) For the purposes of this paragraph, a notification given at or sent to a meeting of the non-executive members of the Commission or of a committee of the Commission that— (a) a person is a member of a company or firm, and (b) is to be regarded as interested in any matter involving that company or firm, is to be regarded as compliance with sub-paragraph (2) in relation to any such matter for the purposes of that meeting and subsequent meetings of the non-executive members or (as the case may be) of the committee.(8) A notification described in sub-paragraph (6) or (7) remains in force until it is withdrawn. (9) A person required to make a declaration for the purposes of this paragraph in relation to any meeting— (a) is not required to attend the meeting, but (b) is to be taken to have complied with the requirements of this paragraph if the person takes reasonable steps to secure that notice of the person’s interest is read out, and taken into consideration, at the meeting in question. Validity of proceedings
19 (1) The validity of proceedings of the Commission, of the non-executive members of the Commission or of a committee of the Commission is not affected by— (a) a vacancy in the membership of the Commission or of the committee, (b) a defect in the appointment of a member of the Commission, (c) a failure of the Secretary of State to comply with the requirements of paragraph 4, or (d) a failure to comply with arrangements under paragraph 16 or with a requirement under paragraph 18. (2) Nothing in sub-paragraph (1)(d) validates proceedings of a meeting which is inquorate unless it is inquorate by reason only of a matter within sub-paragraph (1)(b) or (c). Money
20 The Secretary of State may make payments to the Commission. Fees etc and other sums
21 (1) All fees, charges, penalties and other sums received by the Commission in carrying out its functions are to be paid to the Secretary of State. (2) Sub-paragraph (1) does not apply where the Secretary of State otherwise directs. (3) Any sums received by the Secretary of State under this paragraph are to be paid into the Consolidated Fund. Accounts
22 (1) The Commission must keep proper accounts and proper records in relation to them. (2) The Commission must prepare a statement of accounts in respect of each financial year in the form specified by the Secretary of State. (3) The Commission must send a copy of each statement of accounts to the Secretary of State and the Comptroller and Auditor General before the end of August next following the financial year to which the statement relates. (4) The Comptroller and Auditor General must— (a) examine, certify and report on the statement of accounts, and (b) send a copy of the certified statement and the report to the Secretary of State. (5) The Secretary of State must lay before Parliament each document received under sub-paragraph (4)(b). (6) In this paragraph “financial year” means— (a) the period beginning with the date on which the Commission is established and ending with the 31 March following that date, and (b) each successive period of 12 months. Authentication of seal and presumption of authenticity of documents
23 (1) The application of the Commission’s seal must be authenticated by the signature of— (a) the chair of the Commission, or (b) another person authorised for that purpose by the Commission. (2) A document purporting to be duly executed under the Commission’s seal or signed on its behalf— (a) is to be received in evidence, and (b) is to be taken to be executed or signed in that way, unless the contrary is shown. (3) This paragraph does not extend to Scotland. Transitional provision: interim chief executive
24 (1) The first chief executive of the Commission is to be appointed by the chair of the Commission. (2) Before making the appointment the chair must consult the Secretary of State. (3) The appointment must be for a term of not more than 2 years. (4) The chair may extend the term of the appointment but not so the term as extended is more than 2 years. (5) For the term of appointment, the person appointed under sub-paragraph (1) is “the interim chief executive”. (6) Until the expiry of the term of appointment, the powers conferred on the non-executive members by paragraph 11(2) and (3) are exercisable in respect of the interim chief executive by the chair (instead of by the non-executive members). (7) In sub-paragraphs (5) and (6), the references to the term of appointment are to the term of appointment described in sub-paragraph (3), including any extension of the term under sub-paragraph (4). Interpretation
25 In this Schedule— (a) references to pensions, allowances or gratuities include references to any similar benefits provided on death or retirement, and (b) references to the payment of pensions, allowances or gratuities to or in respect of a person include references to the making of payments towards the provision of pensions, allowances or gratuities to be paid to or in respect of a person.