Data Protection Bill (HL Bill 66)

Data Protection BillPage 90

responsible for compliance with the provision of the data protection legislation
that is contravened.

(5) In this section, “damage” includes financial loss, distress and other adverse
effects, whether or not material.

5Offences relating to personal data

161 Unlawful obtaining etc of personal data

(1) It is an offence for a person knowingly or recklessly—

(a) to obtain or disclose personal data without the consent of the controller,

(b) to procure the disclosure of personal data to another person without
10the consent of the controller, or

(c) after obtaining personal data, to retain it without the consent of the
person who was the controller in relation to the personal data when it
was obtained.

(2) It is a defence for a person charged with an offence under subsection (1) to
15prove that the obtaining, disclosing, procuring or retaining—

(a) was necessary for the purposes of preventing or detecting crime,

(b) was required or authorised by an enactment, by a rule of law or by the
order of a court, or

(c) in the particular circumstances, was justified as being in the public
20interest.

(3) It is also a defence for a person charged with an offence under subsection (1) to
prove that—

(a) the person acted in the reasonable belief that the person had a legal
right to do the obtaining, disclosing, procuring or retaining, or

(b) 25the person acted in the reasonable belief that the person would have
had the consent of the controller if the controller had known about the
obtaining, disclosing, procuring or retaining and the circumstances of
it.

(4) It is an offence for a person to sell personal data if the person obtained the data
30in circumstances in which an offence under subsection (1) was committed.

(5) It is an offence for a person to offer to sell personal data if the person—

(a) has obtained the data in circumstances in which an offence under
subsection (1) was committed, or

(b) subsequently obtains the data in such circumstances.

(6) 35For the purposes of subsection (5), an advertisement indicating that personal
data is or may be for sale is an offer to sell the data.

(7) In this section—

(a) references to the consent of a controller do not include the consent of a
person who is a controller by virtue of Article 28(10) of the GDPR or
40section 57(8) or 103(3) of this Act (processor to be treated as controller
in certain circumstances);

(b) where there is more than one controller, such references are references
to the consent of one or more of them.

Data Protection BillPage 91

162 Re-identification of de-identified personal data

(1) It is an offence for a person knowingly or recklessly to re-identify information
that is de-identified personal data without the consent of the controller
responsible for de-identifying the personal data.

(2) 5For the purposes of this section—

(a) personal data is “de-identified” if it has been processed in such a
manner that it can no longer be attributed, without more, to a specific
data subject;

(b) a person “re-identifies” information if the person takes steps which
10result in the information no longer being de-identified within the
meaning of paragraph (a).

(3) It is a defence for a person charged with an offence under subsection (1) to
prove that the re-identification—

(a) was necessary for the purposes of preventing or detecting crime,

(b) 15was required or authorised by an enactment, by a rule of law or by the
order of a court, or

(c) in the particular circumstances, was justified as being in the public
interest.

(4) It is also a defence for a person charged with an offence under subsection (1) to
20prove that the person acted in the reasonable belief that —

(a) the person—

(i) is the data subject to whom the information relates,

(ii) had the consent of that data subject, or

(iii) would have had such consent if the data subject had known
25about the re-identification and the circumstances of it, or

(b) the person—

(i) is the controller responsible for de-identifying the personal
data,

(ii) had the consent of that controller, or

(iii) 30would have had such consent if that controller had known
about the re-identification and the circumstances of it.

(5) It is an offence for a person knowingly or recklessly to process personal data
that is information that has been re-identified where the person does so—

(a) without the consent of the controller responsible for de-identifying the
35personal data, and

(b) in circumstances in which the re-identification was an offence under
subsection (1).

(6) It is a defence for a person charged with an offence under subsection (5) to
prove that the processing—

(a) 40was necessary for the purposes of preventing or detecting crime,

(b) was required or authorised by an enactment, by a rule of law or by the
order of a court, or

(c) in the particular circumstances, was justified as being in the public
interest.

(7) 45It is also a defence for a person charged with an offence under subsection (5) to
prove that the person acted in the reasonable belief that—

(a) the processing was lawful, or

Data Protection BillPage 92

(b) the person—

(i) had the consent of the controller responsible for de-identifying
the personal data, or

(ii) would have had such consent if that controller had known
5about the processing and the circumstances of it.

(8) In this section—

(a) references to the consent of a controller do not include the consent of a
person who is a controller by virtue of Article 28(10) of the GDPR or
section 57(8) or 103(3) of this Act (processor to be treated as controller
10in certain circumstances);

(b) where there is more than one controller, such references are references
to the consent of one or more of them.

163 Alteration etc of personal data to prevent disclosure

(1) Subsection (3) applies where—

(a) 15a request has been made in exercise of a data subject access right, and

(b) the person making the request would have been entitled to receive
information in response to that request.

(2) In this section, “data subject access right” means a right under—

(a) Article 15 of the GDPR (right of access by the data subject);

(b) 20Article 20 of the GDPR (right to data portability);

(c) section 43 of this Act (law enforcement processing: right of access by the
data subject);

(d) section 92 of this Act (intelligence services processing: right of access by
the data subject).

(3) 25It is an offence for a person listed in subsection (4) to alter, deface, block, erase,
destroy or conceal information with the intention of preventing disclosure of
all or part of the information that the person making the request would have
been entitled to receive.

(4) Those persons are—

(a) 30the controller, and

(b) a person who is employed by the controller, an officer of the controller
or subject to the direction of the controller.

(5) It is a defence for a person charged with an offence under subsection (3) to
prove that—

(a) 35the alteration, defacing, blocking, erasure, destruction or concealment
of the information would have occurred in the absence of a request
made in exercise of a data subject access right, or

(b) the person acted in the reasonable belief that the person making the
request was not entitled to receive the information in response to the
40request.

The special purposes

164 The special purposes

(1) In this Part, “the special purposes” means one or more of the following—

Data Protection BillPage 93

(a) the purposes of journalism;

(b) academic purposes;

(c) artistic purposes;

(d) literary purposes.

(2) 5In this Part, “special purposes proceedings” means legal proceedings against a
controller or processor under section 158 (including proceedings on an
application under Article 79 of the GDPR) which relate, wholly or partly, to
personal data processed for the special purposes.

(3) The Commissioner may make a written determination, in relation to the
10processing of personal data, that—

(a) the personal data is not being processed only for the special purposes;

(b) the personal data is not being processed with a view to the publication
by a person of journalistic, academic, artistic or literary material which
has not previously been published by the controller;

(c) 15carrying out the processing in compliance with a provision of the data
protection legislation specified in the determination, is not
incompatible with the special purposes.

(4) The Commissioner must give written notice of the determination to the
controller and the processor.

(5) 20The notice must provide information about the rights of appeal under section
154.

(6) The determination does not take effect until one of the following conditions is
satisfied—

(a) the period for the controller or the processor to appeal against the
25determination has ended without an appeal having been brought, or

(b) an appeal has been brought against the determination and—

(i) the appeal and any further appeal in relation to the
determination has been decided or has otherwise ended, and

(ii) the time for appealing against the result of the appeal or further
30appeal has ended without another appeal having been brought.

165 Provision of assistance in special purposes proceedings

(1) An individual who is a party, or prospective party, to special purposes
proceedings may apply to the Commissioner for assistance in those
proceedings.

(2) 35As soon as practicable after receiving an application under subsection (1), the
Commissioner must decide whether, and to what extent, to grant it.

(3) The Commissioner must not grant the application unless, in the
Commissioner’s opinion, the case involves a matter of substantial public
importance.

(4) 40If the Commissioner decides not to provide assistance, the Commissioner
must, as soon as reasonably practicable, notify the applicant of the decision,
giving reasons for the decision.

(5) If the Commissioner decides to provide assistance, the Commissioner must—

(a) as soon as reasonably practicable, notify the applicant of the decision,
45stating the extent of the assistance to be provided, and

Data Protection BillPage 94

(b) secure that the person against whom the proceedings are, or are to be,
brought is informed that the Commissioner is providing assistance.

(6) The assistance that may be provided by the Commissioner includes—

(a) paying costs in connection with the proceedings, and

(b) 5indemnifying the applicant in respect of liability to pay costs, expenses
or damages in connection with the proceedings.

(7) In England and Wales or Northern Ireland, the recovery of expenses incurred
by the Commissioner in providing an applicant with assistance under this
section (as taxed or assessed in accordance with rules of court) is to constitute
10a first charge for the benefit of the Commissioner—

(a) on any costs which, by virtue of any judgment or order of the court, are
payable to the applicant by any other person in respect of the matter in
connection with which the assistance is provided, and

(b) on any sum payable to the applicant under a compromise or settlement
15arrived at in connection with that matter to avoid, or bring to an end,
any proceedings.

(8) In Scotland, the recovery of such expenses (as taxed or assessed in accordance
with rules of court) is to be paid to the Commissioner, in priority to other
debts—

(a) 20out of any expenses which, by virtue of any judgment or order of the
court, are payable to the applicant by any other person in respect of the
matter in connection with which the assistance is provided, and

(b) out of any sum payable to the applicant under a compromise or
settlement arrived at in connection with that matter to avoid, or bring
25to an end, any proceedings.

166 Staying special purposes proceedings

(1) In any special purposes proceedings before a court or tribunal, if the controller
or processor claims, or it appears to the court or tribunal, that any personal data
to which the proceedings relate—

(a) 30is being processed only for the special purposes,

(b) is being processed with a view to the publication by any person of
journalistic, academic, literary or artistic material, and

(c) has not previously been published by the controller,

the court or tribunal must stay the proceedings.

(2) 35In considering, for the purposes of subsection (1)(c), whether material has
previously been published, publication in the immediately preceding 24 hours
is to be ignored.

(3) Under subsection (1), the court or tribunal must stay the proceedings until
either of the following conditions is met—

(a) 40a determination of the Commissioner under section 164 with respect to
the personal data or the processing takes effect;

(b) where the proceedings were stayed on the making of a claim, the claim
is withdrawn.

Data Protection BillPage 95

Jurisdiction of courts

167 Jurisdiction

(1) The jurisdiction conferred on a court by the provisions listed in subsection (2)
is exercisable—

(a) 5in England and Wales, by the High Court or the county court,

(b) in Northern Ireland, by the High Court or a county court, and

(c) in Scotland, by the Court of Session or the sheriff,

subject to subsection (3).

(2) Those provisions are—

(a) 10section 145 (enforcement notices and processing for the special
purposes);

(b) section 149 (penalty notices and processing for the special purposes);

(c) section 158 and Article 79 of the GDPR (compliance orders);

(d) sections 159 and 160 and Article 82 of the GDPR (compensation).

(3) 15In relation to the processing of personal data to which Part 4 applies, the
jurisdiction is exercisable only by the High Court or, in Scotland, the Court of
Session.

Definitions

168 Interpretation of Part 6

20In this Part—

  • “assessment notice” has the meaning given in section 140;

  • “certification provider” has the meaning given in section 16;

  • “the data protection principles” means the principles listed in—

    (a)

    Article 5(1) of the GDPR,

    (b)

    25section 32(1) of this Act, and

    (c)

    section 83(1) of this Act;

  • “enforcement notice” has the meaning given in section 142;

  • “information notice” has the meaning given in section 137;

  • “penalty notice” has the meaning given in section 148;

  • 30“penalty variation notice” has the meaning given in Schedule 16;

  • “representative”, in relation to a controller or processor, means a person
    designated by the controller or processor under Article 27 of the GDPR
    to represent the controller or processor with regard to the controller’s
    or processor’s obligations under the GDPR.

35Part 7 Supplementary and final provision

Regulations under this Act

169 Regulations and consultation

(1) Regulations under this Act are to be made by statutory instrument.

Data Protection BillPage 96

(2) The Secretary of State must consult the Commissioner before making
regulations under this Act, other than regulations made under—

(a) section 21;

(b) section 28;

(c) 5section 190;

(d) section 191;

(e) section 192;

(f) paragraph 13 or 24 of Schedule 2.

(3) Regulations under this Act may—

(a) 10make different provision for different purposes;

(b) include consequential, supplementary, incidental, transitional,
transitory or saving provision.

(4) Where regulations under this Act are subject to “the affirmative resolution
procedure” the regulations may not be made unless a draft of the statutory
15instrument containing them has been laid before Parliament and approved by
a resolution of each House of Parliament.

(5) Where regulations under this Act are subject to “the negative resolution
procedure” the statutory instrument containing the regulations is subject to
annulment in pursuance of a resolution of either House of Parliament.

(6) 20Any provision that may be included in regulations under this Act subject to the
negative resolution procedure may be made by regulations subject to the
affirmative resolution procedure.

(7) A requirement under a provision of this Act to consult may be satisfied by
consultation before, as well as by consultation after, the provision comes into
25force.

Changes to the Data Protection Convention

170 Power to reflect changes to the Data Protection Convention

(1) The Secretary of State may by regulations make such provision as the Secretary
of State considers necessary or appropriate in connection with an amendment
30of, or an instrument replacing, the Data Protection Convention which has
effect, or is expected to have effect, in the United Kingdom,

(2) The power under subsection (1) includes power—

(a) to add to or otherwise amend the Commissioner’s functions, and

(b) to amend this Act.

(3) 35Regulations under this section are subject to the affirmative resolution
procedure.

Rights of the data subject

171 Prohibition of requirement to produce relevant records

(1) It is an offence for a person (“P1”) to require another person to provide P1 with,
40or give P1 access to, a relevant record in connection with—

(a) the recruitment of an employee by P1,

Data Protection BillPage 97

(b) the continued employment of a person by P1, or

(c) a contract for the provision of services to P1.

(2) It is an offence for a person (“P2”) to require another person to provide P2 with,
or give P2 access to, a relevant record if—

(a) 5P2 is involved in the provision of goods, facilities or services to the
public or a section of the public, and

(b) the requirement is a condition of providing or offering to provide
goods, facilities or services to the other person or to a third party.

(3) It is a defence for a person charged with an offence under subsection (1) or (2)
10to prove that imposing the requirement—

(a) was required or authorised by an enactment, by a rule of law or by the
order of a court, or

(b) in the particular circumstances, was justified as being in the public
interest.

(4) 15The imposition of the requirement referred to in subsection (1) or (2) is not to
be regarded as justified as being in the public interest on the ground that it
would assist in the prevention or detection of crime, given Part 5 of the Police
Act 1997 (certificates of criminal records etc).

(5) In subsections (1) and (2), the references to a person who requires another
20person to provide or give access to a relevant record include a person who asks
another person to do so—

(a) knowing that, in the circumstances, it would be reasonable for the other
person to feel obliged to comply with the request, or

(b) being reckless as to whether, in the circumstances, it would be
25reasonable for the other person to feel obliged to comply with the
request,

and the references to a “requirement” in subsections (3) and (4) are to be
interpreted accordingly.

(6) In this section—

  • 30“employment” means any employment, including—

    (a)

    work under a contract for services or as an office-holder,

    (b)

    work under an apprenticeship,

    (c)

    work experience as part of a training course or in the course of
    training for employment, and

    (d)

    35voluntary work,

    and “employee” is to be interpreted accordingly;

  • “relevant record” has the meaning given in Schedule 17 and references to
    a relevant record include—

    (a)

    a part of such a record, and

    (b)

    40a copy of, or of part of, such a record.

172 Avoidance of certain contractual terms relating to health records

(1) A term or condition of a contract is void in so far as it purports to require an
individual to supply another person with a record which—

(a) consists of the information contained in a health record, and

(b) 45has been or is to be obtained by a data subject in the exercise of a data
subject access right.

Data Protection BillPage 98

(2) A term or condition of a contract is also void in so far as it purports to require
an individual to produce such a record to another person.

(3) The references in subsections (1) and (2) to a record include a part of a record
and a copy of all or part of a record.

(4) 5In this section, “data subject access right” means a right under—

(a) Article 15 of the GDPR (right of access by the data subject);

(b) Article 20 of the GDPR (right to data portability);

(c) section 43 of this Act (law enforcement processing: right of access by the
data subject);

(d) 10section 92 of this Act (intelligence services processing: right of access by
the data subject).

173 Representation of data subjects

(1) In relation to the processing of personal data to which the GDPR applies—

(a) Article 80 of the GDPR (representation of data subjects) enables a data
15subject to authorise a body or other organisation which meets the
conditions set out in that Article to exercise certain rights on the data
subject’s behalf, and

(b) a data subject may also authorise such a body or organisation to
exercise the data subject’s rights under Article 82 (right to
20compensation).

(2) In relation to the processing of personal data to which the GDPR does not
apply, a body or other organisation which meets the conditions in subsections
(3) and (4), if authorised to do so by a data subject, may exercise some or all of
the following rights under the following provisions on the data subject’s
25behalf—

(a) section 156(2), (4)(d) and (6)(c) (complaints to the Commissioner);

(b) section 157(2) (orders for the Commissioner to progress complaints);

(c) section 158(1) (compliance orders);

(d) the right to bring judicial review proceedings against the
30Commissioner.

(3) The first condition is that the body or organisation, by virtue of its constitution
or an enactment—

(a) is required (after payment of outgoings) to apply the whole of its
income and any capital it expends for charitable or public purposes,

(b) 35is prohibited from directly or indirectly distributing amongst its
members any part of its assets (otherwise than for charitable or public
purposes), and

(c) has objectives which are in the public interest.

(4) The second condition is that the body or organisation is active in the field of
40protection of data subjects’ rights and freedoms with regard to the protection
of their personal data.

(5) In this Act, references to a “representative body”, in relation to a right of a data
subject, are to a body or other organisation authorised to exercise the right on
the data subject’s behalf under Article 80 of the GDPR or this section.

Data Protection BillPage 99

174 Data subject’s rights and other prohibitions and restrictions

(1) An enactment or rule of law prohibiting or restricting the disclosure of
information, or authorising the withholding of information, does not remove
or restrict the obligations and rights provided for in the provisions listed in
5subsection (2), except as provided by or under the provisions listed in
subsection (3).

(2) The provisions providing obligations and rights are—

(a) Chapter III of the GDPR (rights of the data subject),

(b) Chapter 3 of Part 3 of this Act (law enforcement processing: rights of the
10data subject), and

(c) Chapter 3 of Part 4 of this Act (intelligence services processing: rights
of the data subject).

(3) The provisions providing exceptions are—

(a) in Chapter 2 of Part 2 of this Act (including as applied by Chapter 3 of
15that Part), sections 14 and 15 and Schedules 2, 3 and 4,

(b) in Chapter 3 of Part 2 of this Act, sections 21, 22, 23 and 24,

(c) in Part 3 of this Act, sections 42(4), 43(4) and 46(3), and

(d) in Part 4 of this Act, Chapter 6.

Offences

175 20Penalties for offences

(1) A person who commits an offence under section 117 or 163 or paragraph 15 of
Schedule 15 is liable—

(a) on summary conviction in England and Wales, to a fine;

(b) on summary conviction in Scotland or Northern Ireland, to a fine not
25exceeding level 5 on the standard scale.

(2) A person who commits an offence under section 127, 139, 161, 162 or 171 is
liable—

(a) on summary conviction in England and Wales, to a fine;

(b) on summary conviction in Scotland or Northern Ireland, to a fine not
30exceeding the statutory maximum;

(c) on conviction on indictment, to a fine.

(3) Subsections (4) and (5) apply where a person is convicted of an offence under
section 161 or 171.

(4) The court by or before which the person is convicted may order a document or
35other material to be forfeited, destroyed or erased if—

(a) it has been used in connection with the processing of personal data, and

(b) it appears to the court to be connected with the commission of the
offence,

subject to subsection (5).

(5) 40If a person, other than the offender, who claims to be the owner of the material,
or to be otherwise interested in the material, applies to be heard by the court,
the court must not make an order under subsection (4) without giving the
person an opportunity to show why the order should not be made.