Annex B – Comparison of Schedules 1 to 3 to the Bill with the Data Protection Act 1998
892 The processing conditions and exemptions from general personal data rights found in the 1998 Act and the statutory instruments made under the 1998 Act are largely replicated in the Bill with appropriate modification to make them compatible with the GDPR. This table shows where broadly equivalent provision to the Bill can be found in the existing law, and where the provision in the Bill is new.
|
Bill provision |
Equivalent under Data Protection Act 1998 ("the 1998 Act") or comment (if Bill provision is new) |
|---|---|
|
Paragraph 1 of Schedule 1 – Enable processing of special categories of personal data for employment law, social security law and social protection law. |
Paragraph 2 of Schedule 3 to the 1998 Act (employment law only). The Bill sets new standards for protecting personal data, in accordance with the GDPR. These are, on the whole, more stringent than under the 1998 Act. Accordingly, there is a need to create a small number of new exemptions to allow existing data processing (in this case relating to social security law and social protection law) to continue. |
|
Paragraph 2 of Schedule 1 – Enable processing of special categories of personal data for health or social care. |
Paragraph 8 of Schedule 3 to the 1998 Act (particularly in respect of health care). Processing for social care has previously been undertaken under a number of related legal bases, but has since been named explicitly in the GDPR. The Bill adopts the same approach. |
|
Paragraph 3 of Schedule 1 – Enable processing of special categories of personal data for public health. |
Public health is regarded as a form of ‘medical purpose’ under paragraph 8 of Schedule 3 to the 1998 Act, but has since been given its own more specific category in the GDPR. The Bill adopts the same approach. |
|
Paragraph 4 of Schedule 1 – Enable processing of special categories of personal data for research. |
Paragraph 8 of Schedule 3 to the 1998 Act (medical research only). Paragraph 9 of the Schedule to The Data Protection (Processing of Sensitive Personal Data) Order 2000 (SI 2000/417), made under paragraph 10 of Schedule 3 to the 1998 Act. |
|
Paragraph 6 of Schedule 1 – Enable processing of special categories of personal data for statutory and government purposes. |
Paragraph 7 of Schedule 3 to the 1998 Act. |
|
Paragraph 7 of Schedule 1 – Enable processing of special categories of personal data for administration of justice or for the exercise of a function of either House of Parliament. |
Paragraph 7 of Schedule 3 to the 1998 Act. |
|
Paragraph 8 of Schedule 1 – Enable processing of special categories of personal data for equality of opportunity or treatment. |
Paragraph 9 of Schedule 3 to the 1998 Act, and paragraph 7 of the Schedule to SI 2000/417. The Bill provision consolidates these, and provides a new exemption for processing of data for identifying or keeping under review the existence or absence of equality of opportunity or treatment between people of different sexual orientation. |
|
Paragraph 9 of Schedule 1 – Enable processing of special categories of personal data for preventing or detecting unlawful acts. |
Paragraph 1 of the Schedule to SI 2000/417. |
|
Paragraph 10 of Schedule 1 – Enable processing of special categories of personal data for protecting members of the public against dishonesty etc. |
Paragraph 2 of the Schedule to SI 2000/417. |
|
Paragraph 11 of Schedule 1 – Enable disclosure of special categories of personal data in connection with unlawful acts of dishonesty etc. with a view to publication for journalism etc. |
Paragraph 3 of the Schedule to SI 2000/417. |
|
Paragraph 12 of Schedule 1 – Enable processing of special categories of personal data for preventing fraud. |
Paragraph 7A of Schedule 3 to the 1998 Act. |
|
Paragraph 13 of Schedule 1 – Enable processing of special categories of personal data for suspicion of terrorist financing or money laundering. |
Paragraph 7B of Schedule 3 to the 1998 Act. |
|
Paragraph 14 of Schedule 1 – Enable processing of special categories of personal data for confidential counselling. |
Paragraph 4 of the Schedule to SI 2000/417. |
|
Paragraph 15 of Schedule 1 – Enable processing of for an insurance purpose where necessary for reasons of substantial public interest. |
Paragraph 5 of the Schedule to SI 2000/417. The Bill sets new standards for protecting personal data, in accordance with the GDPR. These are, on the whole, more stringent than under the 1998 Act. Accordingly, there is a need to create a small number of new exemptions to allow existing data processing to continue. The provision for insurance is more extensive than under the 1998 Act because of the complexity of the insurance market. |
|
Paragraph 16 of Schedule 1 – Enable processing of special categories of personal data for occupational pensions. |
Paragraph 5 of the Schedule to SI 2000/417. |
|
Paragraph 17 of Schedule 1 – Enable processing of data revealing political opinions for political parties. |
Paragraph 8 of the Schedule to SI 2000/417. |
|
Paragraph 18 of Schedule 1 – Enable processing of special categories of personal data for elected representatives responding to requests. |
Paragraphs 1 to 4 to the Schedule of the Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002 (SI 2002/2905), made under paragraph 10 of Schedule 3 to the 1998 Act. |
|
Paragraph 19 of Schedule 1 – Enable processing of special categories of personal data for disclosure to elected representatives. |
Paragraphs 5 and 6 to the Schedule of SI 2002/2905. |
|
Paragraph 20 of Schedule 1 – Enable processing of special categories of personal data for informing elected representatives about prisoners. |
The Data Protection (Processing of Sensitive Personal Data) Order 2009 (SI 2009/1811), made under paragraph 10 of Schedule 3 to the 1998 Act. |
|
Paragraph 21 of Schedule 1 – Enable processing of special categories of personal data where the processing consists of the publication of a judgment or other decision of a court or tribunal. |
The Bill sets new standards for protecting personal data, in accordance with the GDPR. These are, on the whole, more stringent than under the 1998 Act. Accordingly, there is a need to create a small number of new exemptions to allow existing data processing (in this case relating to the publication of judgments) to continue. |
|
Paragraph 22 of Schedule 1 – Enable processing of special categories of personal data for anti-doping purposes in sport. Paragraph 23 of Schedule 1 – Enable processing of special categories of personal data that is necessary for the purposes of measures designed to protect the integrity of a sport or sporting event. |
The Bill sets new standards for protecting personal data, in accordance with the GDPR. These are, on the whole, more stringent than under the 1998 Act. Accordingly, there is a need to create a small number of new exemptions to allow existing data processing (in this case relating to athletes who take or are suspected of taking banned substances, or to maintain the integrity of sport) to continue. |
|
Paragraph 24 of Schedule 1 – Enable processing of criminal conviction data where data subject has consented. Paragraph 25 of Schedule 1 – Enable processing of criminal conviction data for protecting individual’s vital interests. Paragraph 26 of Schedule 1 – Enable processing of criminal conviction data for processing by not-for-profit bodies. Paragraph 27 of Schedule 1 – Enable processing of criminal conviction data for personal data in the public domain. Paragraph 28 of Schedule 1 – Enable processing of personal data relating to criminal convictions etc. necessary for the purpose of legal proceedings; obtaining legal advice; or establishing, exercising or defending legal rights. Paragraph 29 of Schedule 1 – Enable processing of criminal conviction data for legal claims and judicial acts. |
Article 10 of the GDPR requires processing of criminal convictions data to either be undertaken under the control of official authority or with appropriate safeguards provided for in law. The Bill replicates the position under the DPA 1998 by applying to criminal convictions data the same conditions as apply to special categories of data. More specifically, paragraphs 22 to 26 of Schedule 1 mirror the processing conditions provided in Articles 9(2)(a) and (c) to (f) of the GDPR respectively. |
|
Paragraph 30 of Schedule 1 – Enable processing of criminal conviction data for administration of accounts used in commission of indecency offences involving children. |
The Data Protection (Processing of Sensitive Personal Data) Order 2006 (SI 2006/2068). |
|
Paragraphs 2 and 3 of Schedule 2 – Exemptions from data rights for crime and taxation matters. |
Section 29 of the 1998 Act. |
|
Paragraph 4 of Schedule 2 – Exemptions from data rights for immigration matters. |
The Bill sets new standards for protecting personal data, in accordance with the GDPR. These are, on the whole, more stringent than under the 1998 Act. In general, the Government feels that these should apply to processing for immigration purposes and has acted to ensure GDPR standards apply accordingly. However, it is appropriate that where a particular right or obligation conflicts with the ability of the Government to secure the UK’s borders, the latter should take precedence. |
|
Paragraph 5 of Schedule 2 – Exemptions from data rights for information required to be disclosed by law etc or in connection with legal proceedings. |
Sections 34 and 35 of the 1998 Act. |
|
Paragraphs 7 to 9 of Schedule 2 – Exemptions from data rights for functions designed to protect the public as well as to enable regulatory functions. |
Section 31 of the 1998 Act. |
|
Paragraph 11 of Schedule 2 – Exemptions from data rights for parliamentary privilege. |
Section 35A of the 1998 Act. |
|
Paragraph 12 of Schedule 2 – Exemptions from data rights for judicial appointments, judicial independence and judicial proceedings. |
Paragraph 3 of Schedule 7 to the 1998 Act (judicial appointments only).
The Bill sets new standards for protecting personal data, in accordance with the GDPR. These are, on the whole, more stringent than under the 1998 Act. Accordingly, there is a need to create a small number of new exemptions to allow existing data processing (in this case relating to judicial independence and judicial proceedings) to continue. |
|
Paragraph 13 of Schedule 2 – Exemptions from data rights for Crown honours, dignities and appointments. |
Paragraph 4 of Schedule 7 to the 1998 Act and The Data Protection (Crown Appointments) Order 2000 (SI 2000/416). |
|
Paragraphs 14 and 15 of Schedule 2 – Exemptions from data rights for information provided by third parties. |
Sections 7(4), (5), (6) and 8(7) of the 1998 Act. |
|
Paragraph 17 of Schedule 2 – Exemptions from data rights for legal professional privilege. |
Paragraph 10 of Schedule 7 to the 1998 Act. |
|
Paragraph 18 of Schedule 2 – Exemptions from data rights for self incrimination. |
Paragraph 11 of Schedule 7 to the 1998 Act. |
|
Paragraph 19 of Schedule 2 – Exemptions from data rights for corporate finance. |
Paragraph 6 of Schedule 7 to the 1998 Act and The Data Protection (Corporate Finance Exemption) Order 2000 (SI 2000/184). |
|
Paragraph 20 of Schedule 2 – Management forecasts. |
Paragraph 5 of Schedule 7 to the 1998 Act. |
|
Paragraph 21 of Schedule 2 – Negotiations. |
Paragraph 7 of Schedule 7 to the 1998 Act. |
|
Paragraph 22 of Schedule 2 – Confidential references. |
Paragraph 1 of Schedule 7 to the 1998 Act. |
|
Paragraph 23 of Schedule 2 – Exam scripts. |
Paragraphs 8 and 9 of Schedule 7 to the 1998 Act. |
|
Paragraph 24 of Schedule 2 – Journalistic, academic, artistic and literary purposes. |
Section 32 of the 1998 Act and The Data Protection (Designated Codes of Practice) (No. 2) Order 2000 (SI 2000/1864). |
|
Paragraph 25 of Schedule 2 – Research and statistics. |
Section 33 of the 1998 Act. |
|
Paragraph 26 of Schedule 2 – Archiving in the public interest. |
Section 33 of the 1998 Act. Archiving is regarded as a form of ‘historical research’ under section 33 of the 1998 Act, but has since been given its own more specific category in the GDPR. The Bill adopts the same approach, with the exemptions afforded to those archiving in the public interest also being updated to account for changes in data subjects’ underlying rights. |
|
Paragraph 3 of Schedule 3 – health data processed by a court. |
Articles 4(1) and (2) of The Data Protection (Subject Access Modification) (Health) Order 2000 (SI 2000/413). |
|
Paragraph 4 of Schedule 3 – health data where disclosure would be contrary to the data subject’s wishes. |
Articles 5(3) and (4) of SI 2000/413. |
|
Paragraph 5 of Schedule 3 – health data – harm. |
Articles 5(1) and (2) and 7(1) and (2) of SI 2000/413. |
|
Paragraph 6 of Schedule 3 – health data – prior opinion of health professional. |
Articles 6(1) and (2) and 7(3) of SI 2000/413. |
|
Paragraph 8 of Schedule 3 – social work data. |
Paragraph 1 of Schedule to The Data Protection (Subject Access Modification) (Social Work) Order 2000 (SI 2000/415). |
|
Paragraph 9 of Schedule 3 – social work data processed by a court. |
Paragraph 2 of Schedule to SI 2000/415. |
|
Paragraph 10 of Schedule 3 – social work data – expectations and wishes. |
Article 5(3) and (4) of SI 2000/415. |
|
Paragraph 11 of Schedule 3 – social work data – serious harm. |
Article 5(1) and (2) of SI 2000/415. |
|
Paragraph 12 of Schedule 3 – social work data – prior opinion of Principal Reporter. |
Article 6 of SI 2000/415. |
|
Paragraph 14 of Schedule 3 – education general exemptions (England and Wales). |
Paragraphs 2 to 4A of Schedule 11 to the 1998 Act. |
|
Paragraph 15 of Schedule 3 – education general exemptions (Scotland). |
Paragraphs 5 and 6 of Schedule 11 to the 1998 Act. |
|
Paragraph 16 of Schedule 3 – education general exemptions (NI). |
Paragraphs 7 and 8 of Schedule 11 to the 1998 Act. |
|
Paragraph 18 of Schedule 3 – education data processed by a court. |
Articles 4(1) and (2) of The Data Protection (Subject Access Modification) (Education) Order 2000 (SI 2000/414). |
|
Paragraph 19 of Schedule 3 – education data – serious harm. |
Article 5(1) of SI 2000/414. |
|
Paragraph 20 of Schedule 3 – education data – prior opinion of Principal Reporter. |
Article 6 of SI 2000/414. |
|
Paragraph 21 of Schedule 3 – child abuse data. |
Article 5(2) to (5) of 2000/414 |