Data Protection Bill (HL Bill 66)
PART 7 continued
Data Protection Bill Page 100
176 Prosecution
(1) In England and Wales, proceedings for an offence under this Act may be
instituted only—
(a) by the Commissioner, or
(b) by or with the consent of the Director of Public Prosecutions.
(2) In Northern Ireland, proceedings for an offence under this Act may be
instituted only—
(a) by the Commissioner, or
(b) by or with the consent of the Director of Public Prosecutions for
Northern Ireland.
(3) Subject to subsection (4), summary proceedings for an offence under section
163 (alteration etc of personal data to prevent disclosure) may be brought
within the period of 6 months beginning with the day on which the prosecutor
first knew of evidence that, in the prosecutor’s opinion, was sufficient to bring
the proceedings.
(4) Such proceedings may not be brought after the end of the period of 3 years
beginning with the day on which the offence was committed.
(5) A certificate signed by or on behalf of the prosecutor and stating the day on
which the 6 month period described in subsection (3) began is conclusive
evidence of that fact.
(6) A certificate purporting to be signed as described in subsection (5) is to be
treated as so signed unless the contrary is proved.
(7) In relation to proceedings in Scotland, section 136(3) of the Criminal Procedure
(Scotland) Act 1995 (deemed date of commencement of proceedings) applies
for the purposes of this section as it applies for the purposes of that section.
177 Liability of directors etc
(1) Subsection (2) applies where—
(a) an offence under this Act has been committed by a body corporate, and
(b) it is proved to have been committed with the consent or connivance of
or to be attributable to neglect on the part of—
(i) a director, manager, secretary or similar officer of the body
corporate, or
(ii) a person who was purporting to act in such a capacity.
(2) The director, manager, secretary, officer or person, as well as the body
corporate, is guilty of the offence and liable to be proceeded against and
punished accordingly.
(3) Where the affairs of a body corporate are managed by its members, subsections
(1) and (2) apply in relation to the acts and omissions of a member in
connection with the member’s management functions in relation to the body
as if the member were a director of the body corporate.
(4) Subsection (5) applies where—
(a) an offence under this Act has been committed by a Scottish partnership,
and
(b) the contravention in question is proved to have occurred with the
consent or connivance of, or to be attributable to any neglect on the part
of, a partner.
(5) The partner, as well as the partnership, is guilty of the offence and liable to be
proceeded against and punished accordingly.
178 Recordable offences
(1) The National Police Records (Recordable Offences) Regulations 2000
(S.I. 2000/1139) have effect as if the offences under the following provisions
were listed in the Schedule to the Regulations—
(a) section 117;
(b) section 127;
(c) section 139;
(d) section 161;
(e) section 162;
(f) section 163;
(g) section 171;
(h) paragraph 15 of Schedule 15.
(2) Regulations under section 27(4) of the Police and Criminal Evidence Act 1984
(recordable offences) may repeal subsection (1).
179 Guidance about PACE codes of practice
(1) The Commissioner must produce and publish guidance about how the
Commissioner proposes to perform the duty under section 67(9) of the Police
and Criminal Evidence Act 1984 (duty to have regard to codes of practice
under that Act when investigating offences and charging offenders) in
connection with offences under this Act.
(2) The Commissioner—
(a) may alter or replace the guidance, and
(b) must publish any altered or replacement guidance.
(3) The Commissioner must consult the Secretary of State before publishing
guidance under this section (including any altered or replacement guidance).
(4) The Commissioner must arrange for guidance under this section (including
any altered or replacement guidance) to be laid before Parliament.
The Tribunal
180 Disclosure of information to the Tribunal
(1) No enactment or rule of law prohibiting or restricting the disclosure of
information precludes a person from providing the First-tier Tribunal or the
Upper Tribunal with information necessary for the discharge of its functions
under—
(a) the data protection legislation, or
(b) the information regulations.
(2) In this section, “the information regulations” has the same meaning as in
section 126.
181 Proceedings in the First-tier Tribunal: contempt
(1) This section applies where—
(a) a person does something, or fails to do something, in relation to
proceedings before the First-tier Tribunal—
(i) on an appeal under section 25, 77, 109 or 154, or
(ii) for an order under section 157, and
(b) if those proceedings were proceedings before a court having power to
commit for contempt, the act or omission would constitute contempt of
court.
(2) The First-tier Tribunal may certify the offence to the Upper Tribunal.
(3) Where an offence is certified under subsection (2), the Upper Tribunal may—
(a) inquire into the matter, and
(b) deal with the person charged with the offence in any manner in which
it could deal with the person if the offence had been committed in
relation to the Upper Tribunal.
(4) Before exercising the power under subsection (3)(b), the Upper Tribunal
must—
(a) hear any witness who may be produced against or on behalf of the
person charged with the offence, and
(b) hear any statement that may be offered in defence.
182 Tribunal Procedure Rules
(1) Tribunal Procedure Rules may make provision for regulating—
(a) the exercise of the rights of appeal conferred by section 25, 77, 109 or
154, and
(b) the exercise of the rights of data subjects under section 157, including
their exercise by a representative body.
(2) In relation to proceedings involving the exercise of those rights, Tribunal
Procedure Rules may make provision about—
(a) securing the production of material used for the processing of personal
data, and
(b) the inspection, examination, operation and testing of equipment or
material used in connection with the processing of personal data.
Definitions
183 Meaning of “health professional” and “social work professional”
(1) In this Act, “health professional” means any of the following—
(a) a registered medical practitioner;
(b) a registered nurse or midwife;
(c) a registered dentist within the meaning of the Dentists Act 1984 (see
section 53 of that Act);
(d) a registered dispensing optician or a registered optometrist within the
meaning of the Opticians Act 1989 (see section 36 of that Act);
(e) a registered osteopath within the meaning of the Osteopaths Act 1993
(see section 41 of that Act);
(f) a registered chiropractor within the meaning of the Chiropractors Act
1994 (see section 43 of that Act);
(g) a person registered as a member of a profession to which the Health
and Social Work Professions Order 2001 (S.I. 2002/254) for the time
being extends, other than the social work profession in England;
(h) a registered pharmacist or a registered pharmacy technician within the
meaning of the Pharmacy Order 2010 (S.I. 2010/231) (see Article 3 of
that Order);
(i) a registered person within the meaning of the Pharmacy (Northern
Ireland) Order 1976 (S.I. 1976/1213 (N.I. 22)) (see Article 2 of that
Order);
(j) a child psychotherapist;
(k) a scientist employed by a health service body as head of a department.
(2) In this Act, “social work professional” means any of the following—
(a) a person registered as a social worker in England in the register
maintained under the Health and Social Work Professions Order 2001
(S.I. 2002/254);
(b) a person registered as a social worker in the register maintained by
Social Care Wales under section 80 of the Regulation and Inspection of
Social Care (Wales) Act 2016 (anaw 2);
(c) a person registered as a social worker in the register maintained by the
Scottish Social Services Council under section 44 of the Regulation of
Care (Scotland) Act 2001 (2001 asp 8);
(d) a person registered as a social worker in the register maintained by the
Northern Ireland Social Care Council under section 3 of the Health and
Personal Social Services Act (Northern Ireland) 2001 (c. 3 (N.I.)).
(3) In subsection (1)(a) “registered medical practitioner” includes a person who is
provisionally registered under section 15 or 21 of the Medical Act 1983 and is
engaged in such employment as is mentioned in subsection (3) of that section.
(4) In subsection (1)(k) “health service body” means any of the following—
(a) the Secretary of State in relation to the exercise of functions under
section 2A or 2B of, or paragraph 7C, 8 or 12 of Schedule 1 to, the
National Health Service Act 2006;
(b) a local authority in relation to the exercise of functions under section 2B
or 111 of, or any of paragraphs 1 to 7B or 13 of Schedule 1 to, the
National Health Service Act 2006;
(c) a National Health Service trust first established under section 25 of the
National Health Service Act 2006;
(d) a Special Health Authority established under section 28 of the National
Health Service Act 2006;
(e) an NHS foundation trust;
(f) the National Institute for Health and Care Excellence;
(g) the Health and Social Care Information Centre;
(h) a National Health Service trust first established under section 5 of the
National Health Service and Community Care Act 1990;
(i) a Local Health Board established under section 11 of the National
Health Service (Wales) Act 2006;
(j) a National Health Service trust first established under section 18 of the
National Health Service (Wales) Act 2006;
(k) a Special Health Authority established under section 22 of the National
Health Service (Wales) Act 2006;
(l) a Health Board within the meaning of the National Health Service
(Scotland) Act 1978;
(m) a Special Health Board within the meaning of the National Health
Service (Scotland) Act 1978;
(n) a National Health Service trust first established under section 12A of
the National Health Service (Scotland) Act 1978;
(o) the managers of a State Hospital provided under section 102 of the
National Health Service (Scotland) Act 1978;
(p) the Regional Health and Social Care Board established under section 7
of the Health and Social Care (Reform) Act (Northern Ireland) 2009 (c. 1
(N.I));
(q) a special health and social care agency established under the Health
and Personal Social Services (Special Agencies) (Northern Ireland)
Order 1990 (S.I. 1990/247 (N.I. 3));
(r) a Health and Social Care trust established under Article 10 of the Health
and Personal Social Services (Northern Ireland) Order 1991 (S.I. 1991/194
(N.I. 1)).
184 Other definitions
In this Act—
- “biometric data” means personal data resulting from specific technical
processing relating to the physical, physiological or behavioural
characteristics of an individual, which allows or confirms the unique
identification of that individual, such as facial images or dactyloscopic
data;
- “data concerning health” means personal data relating to the physical or
mental health of an individual, including the provision of health care
services, which reveals information about his or her health status;
- “enactment” includes—
(a) an enactment passed or made after this Act,
(b) an enactment comprised in subordinate legislation,
(c) an enactment comprised in, or in an instrument made under, a
Measure or Act of the National Assembly for Wales,
(d) an enactment comprised in, or in an instrument made under, an
Act of the Scottish Parliament, and
(e) an enactment comprised in, or in an instrument made under,
Northern Ireland legislation;
- “genetic data” means personal data relating to the inherited or acquired
genetic characteristics of an individual which gives unique information
about the physiology or the health of that individual and which results,
in particular, from an analysis of a biological sample from the
individual in question;
- “government department” includes—
(a) a part of the Scottish Administration;
(b) a Northern Ireland department;
(c) the Welsh Government;
(d) a body or authority exercising statutory functions on behalf of
the Crown;
- “health record” means a record which—
(a) consists of data concerning health, and
(b) has been made by or on behalf of a health professional in
connection with the diagnosis, care or treatment of the
individual to whom the data relates;
- “inaccurate”, in relation to personal data, means incorrect or misleading
as to any matter of fact;
- “international obligation of the United Kingdom” includes—
(a) an EU obligation, and
(b) an obligation that arises under an international agreement or
arrangement to which the United Kingdom is a party;
- “international organisation” means an organisation and its subordinate
bodies governed by international law, or any other body which is set up
by, or on the basis of, an agreement between two or more countries;
- “Minister of the Crown” has the same meaning as in the Ministers of the
Crown Act 1975;
- “publish” means make available to the public or a section of the public;
- “subordinate legislation” has the meaning given in the Interpretation Act
1978;
- “tribunal” means any tribunal in which legal proceedings may be
brought;
- “the Tribunal”, in relation to an application or appeal under this Act,
means—
(a) the Upper Tribunal, in any case where it is determined by or
under Tribunal Procedure Rules that the Upper Tribunal is to
hear the application or appeal, or
(b) the First-tier Tribunal, in any other case.
185 Index of defined expressions
The Table below lists provisions which define or otherwise explain terms
defined for this Act, for a Part of this Act or for Chapter 2 or 3 of Part 2 of this
Act.
the affirmative resolution procedure | section 169 |
the applied Chapter 2 (in Chapter 3 of Part 2) | section 20 |
the applied GDPR | section 2 |
assessment notice (in Part 6) | section 168 |
biometric data | section 184 |
certification provider (in Part 6) | section 168 |
the Commissioner | section 2 |
competent authority (in Part 3) | section 28 |
consent (in Part 4) | section 82 |
controller | section 2 |
data concerning health | section 184 |
the Data Protection Convention | section 2 |
the data protection legislation | section 2 |
the data protection principles (in Part 6) | section 168 |
data subject | section 2 |
employee (in Parts 3 and 4) | sections 31 and 82 |
enactment | section 184 |
enforcement notice (in Part 6) | section 168 |
filing system | section 2 |
FOI public authority (in Chapter 3 of Part 2) | section 19 |
the GDPR | section 2 |
genetic data | section 184 |
government department | section 184 |
health professional | section 183 |
health record | section 184 |
identifiable living individual | section 2 |
inaccurate | section 184 |
information notice (in Part 6) | section 168 |
intelligence service (in Part 4) | section 80 |
international obligation of the United Kingdom | section 184 |
international organisation | section 184 |
the Law Enforcement Directive | section 2 |
the law enforcement purposes (in Part 3) | section 29 |
Minister of the Crown | section 184 |
the negative resolution procedure | section 169 |
penalty notice (in Part 6) | section 168 |
penalty variation notice (in Part 6) | section 168 |
personal data | section 2 |
personal data breach (in Parts 3 and 4) | sections 31 and 82 |
processing | section 2 |
processor | section 2 |
profiling (in Part 3) | section 31 |
public authority (in the GDPR and Part 2) | section 6 |
public body (in the GDPR and Part 2) | section 6 |
publish | section 184 |
recipient (in Parts 3 and 4) | sections 31 and 82 |
representative (in Part 6) | section 168 |
representative body (in relation to a right of a data subject) | section 173 |
restriction of processing (in Parts 3 and 4) | sections 31 and 82 |
social work professional | section 183 |
the special purposes (in Part 6) | section 164 |
special purposes proceedings (in Part 6) | section 164 |
subordinate legislation | section 184 |
third country (in Part 3) | section 31 |
tribunal | section 184 |
the Tribunal | section 184 |
Territorial application
186 Territorial application of this Act
(1) This Act applies to a controller in respect of the processing of personal data
only if the controller is established in the United Kingdom and the personal
data is processed in the context of the activities of that establishment, subject to
subsection (3).
(2) This Act applies to a processor in respect of the processing of personal data
only if—
(a) the controller on whose behalf the processor acts is established in the
United Kingdom and the personal data is processed in the context of
the activities of that establishment, or
(b) the processor is established in the United Kingdom and the personal
data is processed in the context of the activities of that establishment,
subject to subsection (4).
(3) This Act also applies to a controller in respect of the processing of personal data
to which Chapter 2 of Part 2 (the GDPR) applies where—
(a) the controller is established in a country or territory other than the
United Kingdom and the personal data is processed in the context of
the activities of that establishment,
(b) the personal data relates to an individual who is in the United Kingdom
when the processing takes place, and
(c) the purpose of the processing is—
(i) to offer goods or services to individuals in the United Kingdom,
whether or not for payment, or
(ii) to monitor individuals’ behaviour in the United Kingdom.
(4) This Act also applies to a processor in respect of the processing of personal data
to which Chapter 2 of Part 2 (the GDPR) applies where—
(a) the controller on whose behalf the processor acts is established in a
country or territory other than the United Kingdom and the personal
data is processed in the context of the activities of that establishment, or
(b) the processor is established in a country or territory other than the
United Kingdom and the personal data is processed in the context of
the activities of that establishment,
and the conditions in subsection (3)(b) and (c) are satisfied.
(5) Subsections (1) to (4) have effect subject to any provision made under section
118 providing for the Commissioner to carry out functions in relation to other
controllers or processors.
(6) In this section, references to a person established in the United Kingdom
include the following—
(a) an individual who is ordinarily resident in the United Kingdom,
(b) a body incorporated under the law of the United Kingdom or a part of
the United Kingdom,
(c) a partnership or other unincorporated association formed under the
law of the United Kingdom or a part of the United Kingdom, and
(d) a person not within paragraph (a), (b) or (c) who maintains, and carries
on activities through, an office, branch or agency or other stable
arrangements in the United Kingdom,
and references to establishment in another country or territory have a
corresponding meaning.
(7) For the purposes of this section—
(a) a person who is treated as a controller by virtue of Article 28(10) of the
GDPR or section 57(8) or 103(3) of this Act (processor to be treated as
controller in certain circumstances) is to be treated as a processor;
(b) where there is more than one controller, the references in subsections
(2)(a) and (4)(a) to the controller are to one or more of them.
General
187 Children in Scotland
(1) Subsections (2) and (3) apply where a question falls to be determined in
Scotland as to the legal capacity of a person aged under 16 to—
(a) exercise a right conferred by the data protection legislation, or
(b) give consent for the purposes of the data protection legislation.
(2) The person is to be taken to have that capacity where the person has a general
understanding of what it means to exercise the right or give such consent.
(3) A person aged 12 or over is to be presumed to be of sufficient age and maturity
to have such understanding, unless the contrary is shown.
188 Application to the Crown
(1) This Act binds the Crown.
(2) For the purposes of this Act, each government department is to be treated as a
person separate from the other government departments.
(3) Where the purposes for which and the manner in which personal data is, or is
to be, processed are determined by a person acting on behalf of the Royal
Household, the Duchy of Lancaster or the Duchy of Cornwall, the controller in
respect of that data for the purposes of the GDPR and this Act is—
(a) in relation to the Royal Household, the Keeper of the Privy Purse,
(b) in relation to the Duchy of Lancaster, such person as the Chancellor of
the Duchy appoints, and
(c) in relation to the Duchy of Cornwall, such person as the Duke of
Cornwall, or the possessor for the time being of the Duchy of Cornwall,
appoints.
(4) Different persons may be appointed under subsection (3)(b) or (c) for different
purposes.
(5) The following provisions apply to a person in the service of the Crown as they
apply to any other person—
(a) section 117;
(b) section 161;
(c) section 162;
(d) section 163;
(e) paragraph 15 of Schedule 15.
(6) Subject to subsection (5), neither a government department nor a person who
is a controller under subsection (3) is liable to prosecution under the GDPR or
this Act.