Data Protection Bill (HL Bill 66)

Data Protection BillPage 110

189 Application to Parliament

(1) Parts 1, 2 and 5 to 7 of this Act apply to the processing of personal data by or
on behalf of either House of Parliament.

(2) Where the purposes for which and the manner in which personal data is, or is
to be, processed are determined by or on behalf of the House of Commons, the
controller in respect of that data for the purposes of the GDPR and this Act is
the Corporate Officer of that House.

(3) Where the purposes for which and the manner in which personal data is, or is
to be, processed are determined by or on behalf of the House of Lords, the
controller in respect of that data for the purposes of the GDPR and this Act is
the Corporate Officer of that House.

(4) Subsections (2) and (3) do not apply where the purposes for which and the
manner in which the personal data is, or is to be, processed are determined by
or on behalf of the Intelligence and Security Committee of Parliament.

(5) The following provisions apply to a person acting on behalf of either House as
they apply to any other person—

(a) section 161;

(b) section 162;

(c) section 163;

(d) paragraph 15 of Schedule 15.

(6) Subject to subsection (5), nothing in subsection (2) or (3) makes the Corporate
Officer of the House of Commons or the Corporate Officer of the House of
Lords liable to prosecution under the GDPR or this Act.

190 Minor and consequential amendments

(1) Schedule 18 contains minor and consequential amendments.

(2) The Secretary of State may by regulations make provision that is consequential
on any provision made by this Act.

(3) Regulations under subsection (2)

(a) may include transitional, transitory or saving provision;

(b) may amend, repeal or revoke an enactment.

(4) The reference to an enactment in subsection (3)(b) does not include an
enactment passed or made after the end of the Session in which this Act is
passed.

(5) Regulations under this section that amend, repeal or revoke primary
legislation are subject to the affirmative resolution procedure.

(6) Any other regulations under this section are subject to the negative resolution
procedure.

(7) In this section, “primary legislation” means—

(a) an Act;

(b) an Act of the Scottish Parliament;

(c) a Measure or Act of the National Assembly for Wales;

(d) Northern Ireland legislation.

Final

191 Commencement

(1) Except as provided by subsection (2), this Act comes into force on such day as
the Secretary of State may by regulations appoint.

(2) This section and the following provisions come into force on the day on which
this Act is passed—

(a) sections 1 and 2;

(b) section 169;

(c) sections 183, 184 and 185;

(d) sections 188 and 189;

(e) this section and sections 192, 193 and 194;

(f) any other provision of this Act so far as it confers power to make
regulations or Tribunal Procedure Rules or is otherwise necessary for
enabling the exercise of such a power on or after the day on which this
Act is passed.

192 Transitional provision

The Secretary of State may by regulations make transitional, transitory or
saving provision in connection with the coming into force of any provision of
this Act.

193 Extent

(1) This Act extends to England and Wales, Scotland and Northern Ireland, subject
to—

(a) subsections (2) and (3), and

(b) paragraph 12 of Schedule 12.

(2) Section 178 extends to England and Wales only.

(3) An amendment, repeal or revocation made by this Act has the same extent as
the enactment amended, repealed or revoked.

194 Short title

This Act may be cited as the Data Protection Act 2017.


SCHEDULES

Section 9

SCHEDULE 1 Special categories of personal data and criminal convictions etc data

Part 1 Conditions relating to employment, health and research etc

Employment, social security and social protection

1 (1) This condition is met if—

(a) the processing is necessary for the purposes of performing or
exercising obligations or rights of the controller or the data subject
under employment law, social security law or the law relating to
social protection, and

(b) when the processing is carried out, the controller has an appropriate
policy document in place (see paragraph 30 in Part 4 of this
Schedule).

(2) See also the additional safeguards in Part 4 of this Schedule.

(3) In this paragraph—

  • “social security law” includes the law relating to any of the branches of
    social security listed in Article 3(1) of Regulation (EC) No. 883/2004
    of the European Parliament and of the Council on the co-ordination
    of social security systems (as amended from time to time);

  • “social protection” includes an intervention described in Article 2(b) of
    Regulation (EC) 458/2007 of the European Parliament and of the
    Council of 25 April 2007 on the European system of integrated social
    protection statistics (ESSPROS) (as amended from time to time).

Health or social care purposes

2 (1) This condition is met if the processing is necessary for health or social care
purposes.

(2) In this paragraph “health or social care purposes” means the purposes of—

(a) preventive or occupational medicine,

(b) the assessment of the working capacity of an employee,

(c) medical diagnosis,

(d) the provision of health care or treatment,

(e) the provision of social care, or

(f) the management of health care systems or services or social care
systems or services.

(3) See also the conditions and safeguards in Article 9(3) of the GDPR
(obligations of secrecy) and section 10(1).

Public health

3 This condition is met if the processing—

(a) is necessary for reasons of public interest in the area of public health,
and

(b) is carried out—

(i) by or under the supervision of a health professional, or

(ii) by another person who in the circumstances owes a duty of
confidentiality under an enactment or rule of law.

Research etc

4 This condition is met if the processing—

(a) is necessary for archiving purposes, scientific or historical research
purposes or statistical purposes,

(b) is carried out in accordance with Article 89(1) of the GDPR (as
supplemented by section 18), and

(c) is in the public interest.

Part 2 Substantial public interest conditions

Requirement for an appropriate policy document when relying on conditions in this Part

5 (1) A condition in this Part of this Schedule is met only if, when the processing
is carried out, the controller has an appropriate policy document in place
(see paragraph 30 in Part 4 of this Schedule).

(2) See also the additional safeguards in Part 4 of this Schedule.

Parliamentary, statutory and government purposes

6 (1) This condition is met if the processing—

(a) is necessary for a purpose listed in sub-paragraph (2), and

(b) is necessary for reasons of substantial public interest.

(2) Those purposes are—

(a) the administration of justice;

(b) the exercise of a function of either House of Parliament;

(c) the exercise of a function conferred on a person by an enactment;

(d) the exercise of a function of the Crown, a Minister of the Crown or a
government department.

Equality of opportunity or treatment

7 (1) This condition is met if the processing—

(a) is of a specified category of personal data, and

(b) is necessary for the purposes of identifying or keeping under review
the existence or absence of equality of opportunity or treatment
between groups of people specified in relation to that category with
a view to enabling such equality to be promoted or maintained,

subject to the exceptions in sub-paragraphs (3) to (5).

(2) In sub-paragraph (1), “specified” means specified in the following table—

| Category of personal data | Groups of people (in relation to a category of personal data) |
| --- | --- |
| Personal data revealing racial or ethnic origin | People of different racial or ethnic origins |
| Personal data revealing religious or philosophical beliefs | People holding different religious or philosophical beliefs |
| Data concerning health | People with different states of physical or mental health |
| Personal data concerning an individual’s sexual orientation | People of different sexual orientation |

(3) Processing does not meet the condition in sub-paragraph (1) if—

(a) it is carried out for the purposes of measures or decisions with
respect to a particular data subject, and

(b) it is carried out without that data subject’s consent.

(4) Processing does not meet the condition in sub-paragraph (1) if it is likely to
cause substantial damage or substantial distress to an individual.

(5) Processing does not meet the condition in sub-paragraph (1) if—

(a) an individual who is the data subject (or one of the data subjects) has
given notice in writing to the controller requiring the controller not
to process personal data in respect of which the individual is the data
subject (and has not given notice in writing withdrawing that
requirement),

(b) the notice gave the controller a reasonable period in which to stop
processing such data, and

(c) that period has ended.

Preventing or detecting unlawful acts

8 (1) This condition is met if the processing—

(a) is necessary for the purposes of the prevention or detection of an
unlawful act,

(b) must be carried out without the consent of the data subject so as not
to prejudice those purposes, and

(c) is necessary for reasons of substantial public interest.

(2) In this paragraph, “act” includes a failure to act.

Protecting the public against dishonesty etc

9 (1) This condition is met if the processing—

(a) is necessary for the exercise of a protective function,

(b) must be carried out without the consent of the data subject so as not
to prejudice the exercise of that function, and

(c) is necessary for reasons of substantial public interest.

(2) In this paragraph, “protective function” means a function which is intended
to protect members of the public against—

(a) dishonesty, malpractice or other seriously improper conduct,

(b) unfitness or incompetence,

(c) mismanagement in the administration of a body or association, or

(d) failures in services provided by a body or association.

Journalism etc in connection with unlawful acts and dishonesty etc

10 (1) This condition is met if—

(a) the processing consists of the disclosure of personal data for the
special purposes,

(b) it is carried out in connection with a matter described in sub-
paragraph (2),

(c) it is necessary for reasons of substantial public interest,

(d) it is carried out with a view to the publication of the personal data by
any person, and

(e) the controller reasonably believes that publication of the personal
data would be in the public interest.

(2) The matters mentioned in sub-paragraph (1)(b) are any of the following
(whether alleged or established)—

(a) the commission of an unlawful act by a person;

(b) dishonesty, malpractice or other seriously improper conduct of a
person;

(c) unfitness or incompetence of a person;

(d) mismanagement in the administration of a body or association;

(e) a failure in services provided by a body or association.

(3) In this paragraph—

  • “act” includes a failure to act;

  • “the special purposes” means—

    (a) the purposes of journalism;

    (b) academic purposes;

    (c) artistic purposes;

    (d) literary purposes.

Preventing fraud

11 (1) This condition is met if the processing—

(a) is necessary for the purposes of preventing fraud or a particular kind
of fraud, and

(b) consists of—

(i) the disclosure of personal data by a person as a member of an
anti-fraud organisation,

(ii) the disclosure of personal data in accordance with
arrangements made by an anti-fraud organisation, or

(iii) the processing of personal data disclosed as described in sub-
paragraph (i) or (ii).

(2) In this paragraph, “anti-fraud organisation” has the same meaning as in
section 68 of the Serious Crime Act 2007.

Suspicion of terrorist financing or money laundering

12 This condition is met if the processing is necessary for the purposes of
making a disclosure in good faith under either of the following—

(a) section 21CA of the Terrorism Act 2000 (disclosures between certain
entities within regulated sector in relation to suspicion of
commission of terrorist financing offence or for purposes of
identifying terrorist property);

(b) section 339ZB of the Proceeds of Crime Act 2002 (disclosures within
regulated sector in relation to suspicion of money laundering).

Counselling etc

13 (1) This condition is met if the processing—

(a) is necessary for the provision of confidential counselling, advice or
support or of another similar service provided confidentially,

(b) is carried out without the consent of the data subject for a reason
listed in sub-paragraph (2), and

(c) is necessary for reasons of substantial public interest.

(2) The reasons mentioned in sub-paragraph (1)(b) are—

(a) in the circumstances, consent to the processing cannot be given by
the data subject;

(b) in the circumstances, the controller cannot reasonably be expected to
obtain the consent of the data subject to the processing;

(c) the processing must be carried out without the consent of the data
subject because obtaining the consent of the data subject would
prejudice the provision of the service mentioned in sub-paragraph
(1)(a).

Insurance

14 (1) This condition is met if the processing—

(a) is necessary for the purpose of carrying on insurance business,

(b) is of data concerning health which relates to a data subject who is the
parent, grandparent, great-grandparent or sibling of an insured
person,

(c) is not carried out for the purposes of measures or decisions with
respect to the data subject, and

(d) can reasonably be carried out without the consent of the data subject.

(2) For the purposes of sub-paragraph (1)(d), processing can reasonably be
carried out without the consent of the data subject only where—

(a) the controller cannot reasonably be expected to obtain the consent of
the data subject, and

(b) the controller is not aware of the data subject withholding consent.

(3) In this paragraph—

  • “insurance business” means business which consists of effecting or
    carrying out contracts for the following types of insurance—

    (a) life and annuity;

    (b) linked long term;

    (c) permanent health;

    (d) accident;

    (e) sickness;

  • “insured person” includes an individual who is seeking to become an
    insured person.

(4) Terms used in the definition of “insurance business” in sub-paragraph (3)
and also in an order made under section 22 of the Financial Services and
Markets Act 2000 (regulated markets) have the same meaning in that sub-
paragraph as they have in that order.

Third party data processing for group insurance policies and insurance on the life of another

15 (1) This condition is met if the processing—

(a) is necessary for the purpose of carrying on business which consists
of effecting or carrying out a contract described in sub-paragraph (2),

(b) is of personal data which relates to a data subject who is not a party
to the contract or seeking to become a party to the contract, and

(c) can reasonably be carried out without the consent of the data subject.

(2) The contracts mentioned in sub-paragraph (1)(a) are—

(a) a contract which satisfies section 7(1)(a) to (c) of the Consumer
Insurance (Disclosure and Representations) Act 2012 (group
insurance contracts);

(b) a contract to which section 8 of that Act applies (consumer insurance
contract for life insurance on the life of another).

(3) For the purposes of sub-paragraph (1)(c), processing can reasonably be
carried out without the consent of the data subject only where—

(a) the controller cannot reasonably be expected to obtain the consent of
the data subject, and

(b) the controller is not aware of the data subject withholding consent.

Occupational pensions

16 (1) This condition is met if the processing—

(a) is necessary for the purpose of making a determination in connection
with eligibility for, or benefits payable under, an occupational
pension scheme,

(b) is not carried out for the purposes of measures or decisions with
respect to the data subject, and

(c) can reasonably be carried out without the consent of the data subject.

(2) For the purposes of sub-paragraph (1)(c), processing can reasonably be
carried out without the consent of the data subject only where—

(a) the controller cannot reasonably be expected to obtain the consent of
the data subject, and

(b) the controller is not aware of the data subject withholding consent.

(3) In this paragraph—

  • “occupational pension scheme” has the meaning given in section 1 of
    the Pension Schemes Act 1993;

  • “member”, in relation to a scheme, includes an individual who is
    seeking to become a member of the scheme.

Political parties

17 (1) This condition is met if the processing—

(a) is of personal data revealing political opinions,

(b) is carried out by a person or organisation included in the register
maintained under section 23 of the Political Parties, Elections and
Referendums Act 2000, and

(c) is necessary for the purposes of the person’s or organisation’s
political activities,

subject to the exceptions in sub-paragraphs (2) and (3).

(2) Processing does not meet the condition in sub-paragraph (1) if it is likely to
cause substantial damage or substantial distress to a person.

(3) Processing does not meet the condition in sub-paragraph (1) if—

(a) an individual who is the data subject (or one of the data subjects) has
given notice in writing to the controller requiring the controller not
to process personal data in respect of which the individual is the data
subject (and has not given notice in writing withdrawing that
requirement),

(b) the notice gave the controller a reasonable period in which to stop
processing such data, and

(c) that period has ended.

(4) In this paragraph, “political activities” include campaigning, fund-raising,
political surveys and case-work.

Elected representatives responding to requests

18 (1) This condition is met if—

(a) the processing is carried out—

(i) by an elected representative or a person acting with the
authority of such a representative,

(ii) in connection with the discharge of the elected
representative’s functions, and

(iii) in response to a request by an individual that the elected
representative take action on behalf of the individual, and

(b) the processing is necessary for the purposes of, or in connection with,
the action reasonably taken by the elected representative in response
to that request,

subject to sub-paragraph (2).

(2) Where the request is made by an individual other than the data subject, the
condition in sub-paragraph (1) is met only if the processing must be carried
out without the consent of the data subject for one of the following reasons—

(a) in the circumstances, consent to the processing cannot be given by
the data subject;

(b) in the circumstances, the elected representative cannot reasonably be
expected to obtain the consent of the data subject to the processing;

(c) obtaining the consent of the data subject would prejudice the action
taken by the elected representative;

(d) the processing is necessary in the interests of another individual and
the data subject has withheld consent unreasonably.

(3) In this paragraph—

  • “elected representative” means—

    (a) a member of the House of Commons;

    (b) a member of the National Assembly for Wales;

    (c) a member of the Scottish Parliament;

    (d) a member of the Northern Ireland Assembly;

    (e) a member of the European Parliament elected in the United
    Kingdom;

    (f) an elected member of a local authority within the meaning of
    section 270(1) of the Local Government Act 1972, namely—

        (i) in England, a county council, a district council, a
        London borough council or a parish council;

        (ii) in Wales, a county council, a county borough council
        or a community council;

    (g) an elected mayor of a local authority within the meaning of
    Part 1A or 2 of the Local Government Act 2000;

    (h) the Mayor of London or an elected member of the London
    Assembly;

    (i) an elected member of—

        (i) the Common Council of the City of London, or

        (ii) the Council of the Isles of Scilly;

    (j) an elected member of a council constituted under section 2 of
    the Local Government etc (Scotland) Act 1994;

    (k) an elected member of a district council within the meaning of
    the Local Government Act (Northern Ireland) 1972.

(4) For the purposes of sub-paragraph (3), a person who is—

(a) a Member of the House of Commons immediately before Parliament
is dissolved,

(b) a Member of the Scottish Parliament immediately before that
Parliament is dissolved,

(c) a Member of the Northern Ireland Assembly immediately before that
Assembly is dissolved, or

(d) a Member of the National Assembly for Wales immediately before
that Assembly is dissolved,

is to be treated as if the person were such a member until the end of the
fourth day after the day on which the subsequent general election in relation
to that Parliament or Assembly is held.