some default text...

Data Protection Bill (HL Bill 66)

Data Protection BillPage 120

(5) For the purposes of sub-paragraph (3), a person who is an elected member
of the Common Council of the City of London and whose term of office
comes to an end at the end of the day preceding the annual Wardmotes is to
be treated as if he or she were such a member until the end of the fourth day
5after the day on which those Wardmotes are held.

Disclosure to elected representatives

19 (1) This condition is met if—

(a) the processing consists of the disclosure of personal data—

(i) to an elected representative or a person acting with the
10authority of such a representative, and

(ii) in response to a communication to the controller from that
representative or person which was made in response to a
request from an individual,

(b) the personal data is relevant to the subject matter of that
15communication, and

(c) the disclosure is necessary for the purpose of responding to that
communication,

subject to sub-paragraph (2).

(2) Where the request to the elected representative came from an individual
20other than the data subject, the condition in sub-paragraph (1) is met only if
the disclosure must be made without the consent of the data subject for one
of the following reasons—

(a) in the circumstances, consent to the processing cannot be given by
the data subject;

(b) 25in the circumstances, the elected representative cannot reasonably be
expected to obtain the consent of the data subject to the processing;

(c) obtaining the consent of the data subject would prejudice the action
taken by the elected representative;

(d) the processing is necessary in the interests of another individual and
30the data subject has withheld consent unreasonably.

(3) In this paragraph, “elected representative” has the same meaning as in
paragraph 18.

Informing elected representatives about prisoners

20 (1) This condition is met if—

(a) 35the processing consists of the processing of personal data about a
prisoner for the purpose of informing a member of the House of
Commons or a member of the Scottish Parliament about the prisoner,
and

(b) the member is under an obligation not to further disclose the
40personal data.

(2) The references in sub-paragraph (1) to personal data about, and to informing
someone about, a prisoner include personal data about, and informing
someone about, arrangements for the prisoner’s release.

(3) In this paragraph—

  • 45“prison” includes a young offender institution, a remand centre, a
    secure training centre or a secure college;

Data Protection BillPage 121

  • “prisoner” means a person detained in a prison.

Anti-doping in sport

21 (1) This condition is met if the processing is carried out—

(a) in connection with measures designed to eliminate doping which are
5undertaken by or under the supervision of a body with responsibility
for eliminating doping in a sport, at a sporting event or in sport
generally, or

(b) for the purposes of providing information about doping, or
suspected doping, to such a body.

(2) 10The reference in sub-paragraph (1)(a) to measures designed to eliminate
doping include measures designed to identify or prevent doping.

Part 3 Additional conditions relating to criminal convictions etc

Consent

22 15This condition is met if the data subject has given consent to the processing.

Protecting individual’s vital interests

23 This condition is met if—

(a) the processing is necessary to protect the vital interests of an
individual, and

(b) 20the data subject is physically or legally incapable of giving consent.

Processing by not-for-profit bodies

24 This condition is met if the processing is carried out—

(a) in the course of its legitimate activities with appropriate safeguards
by a foundation, association or other not-for-profit body with a
25political, philosophical, religious or trade union aim, and

(b) on condition that—

(i) the processing relates solely to the members or to former
members of the body or to persons who have regular contact
with it in connection with its purposes, and

(ii) 30the personal data is not disclosed outside that body without
the consent of the data subjects.

Personal data in the public domain

25 This condition is met if the processing relates to personal data which is
manifestly made public by the data subject.

35Legal claims and judicial acts

26 This condition is met if the processing is necessary for the establishment,
exercise or defence of a legal claim or whenever a court is acting in its
judicial capacity.

Data Protection BillPage 122

Administration of accounts used in commission of indecency offences involving children

27 (1) This condition is met if—

(a) the processing is of personal data about a conviction or caution for
an offence listed in sub-paragraph (2),

(b) 5the processing is necessary for the purpose of administering an
account relating to the payment card used in the commission of the
offence or cancelling that payment card, and

(c) when the processing is carried out, the controller has an appropriate
policy document in place (see paragraph 30 in Part 4 of this
10Schedule).

(2) Those offences are an offence under—

(a) section 1 of the Protection of Children Act 1978 (indecent
photographs of children),

(b) Article 3 of the Protection of Children (Northern Ireland) Order 1978
15(S.I. 1978/1047 (N.I. 17)) (indecent photographs of children),

(c) section 52 of the Civic Government (Scotland) Act 1982 (indecent
photographs etc of children),

(d) section 160 of the Criminal Justice Act 1988 (possession of indecent
photograph of child),

(e) 20Article 15 of the Criminal Justice (Evidence etc) (Northern Ireland)
Order 1988 (S.I. 1988/1847 (N.I. 17)) (possession of indecent
photograph of child), or

(f) section 62 of the Coroners and Justice Act 2009 (possession of
prohibited images of children),

25or incitement to commit an offence under any of those provisions.

(3) See also the additional safeguards in Part 4 of this Schedule.

(4) In this paragraph—

  • “caution” means a caution given to a person in England and Wales or
    Northern Ireland in respect of an offence which, at the time when the
    30caution is given, is admitted;

  • “conviction” has the same meaning as in the Rehabilitation of
    Offenders Act 1974 or the Rehabilitation of Offenders (Northern
    Ireland) Order 1978 (S.I. 1978/1908 (N.I. 27));

  • “payment card” includes a credit card, a charge card and a debit card.

35Extension of certain conditions under Part 2 of this Schedule

28 (1) This condition is met if—

(a) the processing would meet a condition in Part 2 of this Schedule but
for an express requirement for the processing to be necessary for
reasons of substantial public interest, and

(b) 40when the processing is carried out, the controller has an appropriate
policy document in place (see paragraph 30 in Part 4 of this
Schedule).

(2) See also the additional safeguards in Part 4 of this Schedule.

Data Protection BillPage 123

Part 4 Appropriate policy document and additional safeguards

Application of this Part

29 This Part of this Schedule makes provision about the processing of personal
5data carried out in reliance on a condition in Part 1, 2 or 3 of this Schedule
which requires the controller to have an appropriate policy document in
place when the processing is carried out.

Requirement to have an appropriate policy document in place

30 The controller has an appropriate policy document in place in relation to the
10processing of personal data in reliance on a condition described in
paragraph 29 if the controller has produced a document which—

(a) explains the controller’s procedures for securing compliance with
the principles in Article 5 of the GDPR (principles relating to
processing of personal data) in connection with the processing of
15personal data in reliance on the condition in question, and

(b) explains the controller’s policies as regards the retention and erasure
of personal data processed in reliance on the condition, giving an
indication of how long such personal data is likely to be retained.

Additional safeguard: retention of appropriate policy document

31 (1) 20Where personal data is processed in reliance on a condition described in
paragraph 29, the controller must during the relevant period—

(a) retain the appropriate policy document,

(b) review and (if appropriate) update it from time to time, and

(c) make it available to the Commissioner, on request, without charge.

(2) 25“Relevant period”, in relation to the processing of personal data in reliance
on a condition described in paragraph 29, means a period which—

(a) begins when the controller starts to carry out processing of personal
data in reliance on that condition, and

(b) ends at the end of the period of 6 months beginning on the day the
30controller ceases to carry out such processing.

Additional safeguard: record of processing

32 A record maintained by the controller, or the controller’s representative,
under Article 30 of the GDPR in respect of the processing of personal data in
reliance on a condition described in paragraph 29 must include the
35following information—

(a) which condition is relied on,

(b) how the processing satisfies Article 6 of the GDPR (lawfulness of
processing), and

(c) whether the personal data is retained and erased in accordance with
40the policies described in paragraph 30(b) and, if it is not, the reasons
for not following those policies.

Data Protection BillPage 124

Section 14

SCHEDULE 2 Exemptions etc from the GDPR

Part 1 Adaptations and restrictions based on Articles 6(3) and 23(1)

5GDPR provisions to be adapted or restricted: “the listed GDPR provisions”

1 In this Part “the listed GDPR provisions” means—

(a) the following provisions of the GDPR (the rights and obligations in
which may be restricted by virtue of Article 23(1) of the GDPR)—

(i) Article 13(1) to (3) (personal data collected from data subject:
10information to be provided);

(ii) Article 14(1) to (4) (personal data collected other than from
data subject: information to be provided);

(iii) Article 15(1) to (3) (confirmation of processing, access to data
and safeguards for third country transfers);

(iv) 15Article 16 (right to rectification);

(v) Article 17(1) and (2) (right to erasure);

(vi) Article 18(1) (restriction of processing);

(vii) Article 20(1) and (2) (right to data portability);

(viii) Article 21(1) (objections to processing);

(ix) 20Article 5 (general principles) so far as its provisions
correspond to the rights and obligations provided for in the
provisions mentioned in sub-paragraphs (i) to (viii); and

(b) the following provisions of the GDPR (the application of which may
be adapted by virtue of Article 6(3) of the GDPR)—

(i) 25Article 5(1)(a) (lawful, fair and transparent processing), other
than the lawfulness requirements set out in Article 6;

(ii) Article 5(1)(b) (purpose limitation).

Crime and taxation: general

2 (1) The listed GDPR provisions do not apply to personal data processed for any
30of the following purposes—

(a) the prevention or detection of crime,

(b) the apprehension or prosecution of offenders, or

(c) the assessment or collection of a tax or duty or an imposition of a
similar nature,

35to the extent that the application of those provisions would be likely to
prejudice any of the matters mentioned in paragraphs (a) to (c).

(2) Sub-paragraph (3) applies where—

(a) personal data is processed by a person (“Controller 1”) for any of the
purposes mentioned in sub-paragraph (1)(a) to (c), and

(b) 40another person (“Controller 2”) obtains the data from Controller 1 for
the purpose of discharging statutory functions and processes it for
the purpose of discharging statutory functions.

(3) Controller 2 is exempt from the obligations in the following provisions of the
GDPR—

Data Protection BillPage 125

(a) Article 13(1) to (3) (personal data collected from data subject:
information to be provided),

(b) Article 14(1) to (4) (personal data collected other than from data
subject: information to be provided),

(c) 5Article 15(1) to (3) (confirmation of processing, access to data and
safeguards for third country transfers), and

(d) Article 5 (general principles) so far as its provisions correspond to the
rights and obligations provided for in the provisions mentioned in
paragraphs (a) to (c),

10to the same extent that Controller 1 is exempt from those obligations by
virtue of sub-paragraph (1).

Crime and taxation: risk assessment systems

3 (1) The GDPR provisions listed in sub-paragraph (3) do not apply to personal
data which consists of a classification applied to the data subject as part of a
15risk assessment system falling within sub-paragraph (2) to the extent that the
application of those provisions would prevent the system from operating
effectively.

(2) A risk assessment system falls within this sub-paragraph if—

(a) it is operated by a government department, a local authority or
20another authority administering housing benefit, and

(b) it is operated for the purposes of—

(i) the assessment or collection of a tax or duty or an imposition
of a similar nature, or

(ii) the prevention or detection of crime or apprehension or
25prosecution of offenders, where the offence concerned
involves the unlawful use of public money or an unlawful
claim for payment out of public money.

(3) The GDPR provisions referred to in sub-paragraph (1) are the following
provisions of the GDPR (the rights and obligations in which may be
30restricted by virtue of Article 23(1) of the GDPR)—

(a) Article 13(1) to (3) (personal data collected from data subject:
information to be provided);

(b) Article 14(1) to (4) (personal data collected other than from data
subject: information to be provided);

(c) 35Article 15(1) to (3) (confirmation of processing, access to data and
safeguards for third country transfers);

(d) Article 5 (general principles) so far as its provisions correspond to the
rights and obligations provided for in the provisions mentioned in
paragraphs (a) to (c).

40Immigration

4 (1) The listed GDPR provisions do not apply to personal data processed for any
of the following purposes—

(a) the maintenance of effective immigration control, or

(b) the investigation or detection of activities that would undermine the
45maintenance of effective immigration control,

to the extent that the application of those provisions would be likely to
prejudice any of the matters mentioned in paragraphs (a) and (b).


Data Protection BillPage 126

(2) Sub-paragraph (3) applies where—

(a) personal data is processed by a person (“Controller 1”), and

(b) another person (“Controller 2”) obtains the data from Controller 1 for
any of the purposes mentioned in sub-paragraph (1)(a) and (b) and
5processes it for any of those purposes.

(3) Controller 1 is exempt from the obligations in the following provisions of the
GDPR—

(a) Article 13(1) to (3) (personal data collected from data subject:
information to be provided),

(b) 10Article 14(1) to (4) (personal data collected other than from data
subject: information to be provided),

(c) Article 15(1) to (3) (confirmation of processing, access to data and
safeguards for third country transfers), and

(d) Article 5 (general principles) so far as its provisions correspond to the
15rights and obligations provided for in the provisions mentioned in
paragraphs (a) to (c),

to the same extent that Controller 2 is exempt from those obligations by
virtue of sub-paragraph (1).

Information required to be disclosed by law etc or in connection with legal proceedings

5 (1) 20The listed GDPR provisions do not apply to personal data consisting of
information that the controller is obliged by an enactment to make available
to the public, to the extent that the application of those provisions would
prevent the controller from complying with that obligation.

(2) The listed GDPR provisions do not apply to personal data where disclosure
25of the data is required by an enactment, a rule of law or an order of a court,
to the extent that the application of those provisions would prevent the
controller from making the disclosure.

(3) The listed GDPR provisions do not apply to personal data where disclosure
of the data is necessary—

(a) 30for the purpose of, or in connection with, legal proceedings
(including prospective legal proceedings), or

(b) for the purpose of obtaining legal advice or otherwise establishing,
exercising or defending legal rights,

to the extent that the application of those provisions would prevent the
35controller from making the disclosure.

Part 2 Restrictions based on Article 23(1): Restrictions of rules in Articles 13 to 21

GDPR provisions to be restricted: “the listed GDPR provisions”

6 In this Part “the listed GDPR provisions” means the following provisions of
40the GDPR (the rights and obligations in which may be restricted by virtue of
Article 23(1) of the GDPR)—

(a) Article 13(1) to (3) (personal data collected from data subject:
information to be provided);

(b) Article 14(1) to (4) (personal data collected other than from data
45subject: information to be provided);

Data Protection BillPage 127

(c) Article 15(1) to (3) (confirmation of processing, access to data and
safeguards for third country transfers);

(d) Article 16 (right to rectification);

(e) Article 17(1) and (2) (right to erasure);

(f) 5Article 18(1) (restriction of processing);

(g) Article 20(1) and (2) (right to data portability);

(h) Article 21(1) (objections to processing);

(i) Article 5 (general principles) so far as its provisions correspond to the
rights and obligations provided for in the provisions mentioned in
10sub-paragraphs (a) to (h).

Functions designed to protect the public etc

7 The listed GDPR provisions do not apply to personal data processed for the
purposes of discharging a function that—

(a) is designed as described in column 1 of the Table, and

(b) 15meets the condition relating to the function specified in column 2 of
the Table,

to the extent that the application of those provisions would be likely to
prejudice the proper discharge of the function.

TABLE
Description of function design 20Condition

1. The function is designed to protect
members of the public against—

(a)  financial loss due to dishonesty,
malpractice or other seriously
25improper conduct by, or the
unfitness or incompetence of,
persons concerned in the provision
of banking, insurance, investment
or other financial services or in the
30management of bodies corporate,

(b)  financial loss due to the conduct of
discharged or undischarged
bankrupts, or

(c)  dishonesty, malpractice or other
35seriously improper conduct by, or
the unfitness or incompetence of,
persons authorised to carry on any
profession or other activity.

The function is—

(a)  conferred on a person by an
enactment,

(b) a function of the Crown, a
Minister of the Crown or a
government department, or

(c) of a public nature, and is
exercised in the public
interest.

Data Protection BillPage 128

Description of function design Condition

2. The function is designed—

(a)  to protect charities or community
interest companies against
5misconduct or mismanagement
(whether by trustees, directors or
other persons) in their
administration,

(b) to protect the property of charities
10or community interest companies
from loss or misapplication, or

(c) to recover the property of charities
or community interest companies.

The function is—

(a)  conferred on a person by an
enactment,

(b) a function of the Crown, a
Minister of the Crown or a
government department, or

(c) of a public nature, and is
exercised in the public
interest.

3. The function is designed—

(a)  15to secure the health, safety and
welfare of persons at work, or

(b) to protect persons other than those
at work against risk to health or
safety arising out of or in
20connection with the action of
persons at work.

The function is—

(a)  conferred on a person by an
enactment,

(b) a function of the Crown, a
Minister of the Crown or a
government department, or

(c) of a public nature, and is
exercised in the public
interest.

4. The function is designed to protect
members of the public against—

(a)  25maladministration by public
bodies,

(b) failures in services provided by
public bodies, or

(c) a failure of a public body to provide
30a service which it is a function of
the body to provide.

The function is conferred by any
enactment on—

(a)  the Parliamentary
Commissioner for
Administration,

(b) the Commissioner for Local
Administration in England,

(c) the Health Service
Commissioner for England,

(d) the Public Services
Ombudsman for Wales,

(e) the Northern Ireland Public
35Services Ombudsman, or

(f) the Scottish Public Services
Ombudsman.

Data Protection BillPage 129

Description of function design Condition

5. The function is designed—

(a)  to protect members of the public
against conduct which may
5adversely affect their interests by
persons carrying on a business,

(b) to regulate agreements or conduct
which have as their object or effect
the prevention, restriction or
10distortion of competition in
connection with any commercial
activity, or

(c) to regulate conduct on the part of
one or more undertakings which
15amounts to the abuse of a dominant
position in a market.

The function is conferred on the
Competition and Markets
Authority by an enactment.

Regulatory functions relating to legal services, the health service and children’s services

8 (1) The listed GDPR provisions do not apply to personal data processed for the
purposes of discharging a function listed in sub-paragraph (2) to the extent
20that the application of those provisions would be likely to prejudice the
proper discharge of the function.

(2) The functions are—

(a) a function of the Legal Services Board;

(b) the function of considering a complaint under the scheme
25established under Part 6 of the Legal Services Act 2007 (legal
complaints);

(c) the function of considering a complaint under—

(i) section 14 of the NHS Redress Act 2006,

(ii) section 113(1) or (2) or section 114(1) or (3) of the Health and
30Social Care (Community Health and Standards) Act 2003,

(iii) section 24D or 26 of the Children Act 1989, or

(iv) Part 2A of the Public Services Ombudsman (Wales) Act 2005;

(d) the function of considering a complaint or representations under
Chapter 1 of Part 10 of the Social Services and Well-being (Wales) Act
352014 (anaw 4).

Functions of certain other regulatory bodies

9 The listed GDPR provisions do not apply to personal data processed for the
purposes of discharging a function that—

(a) is a function of a body described in column 1 of the Table, and

(b) 40is conferred on that body as described in column 2 of the Table,

to the extent that the application of those provisions would be likely to
prejudice the proper discharge of the function.