Data Protection Bill (HL Bill 66)

10 In the Table in paragraph 9—

• “consumer protection enforcer” has the same meaning as “CPC
  20enforcer” in section 213(5A) of the Enterprise Act 2002;

• the “CPC Regulation” has the meaning given in section 235A of the
  Enterprise Act 2002;

• the “Financial Ombudsman” means the scheme operator within the
  meaning of Part 16 of the Financial Services and Markets Act 2000
  25(see section 225 of that Act);

• the “investigator of complaints against the financial regulators” means
  the person appointed under section 84(1)(b) of the Financial Services
  Act 2012;

• “relevant authority” has the same meaning as in section 5 of the Local
  30Government and Housing Act 1989, and “monitoring officer”, in
  relation to such an authority, means a person designated as such
  under that section;

• “relevant Welsh authority” has the same meaning as “relevant
  authority” in section 49(6) of the Local Government Act 2000, and
  35“monitoring officer”, in relation to such an authority, has the same
  meaning as in Part 3 of that Act.

Parliamentary privilege

11 The listed GDPR provisions do not apply to personal data where this is
required for the purpose of avoiding an infringement of the privileges of
40either House of Parliament.

Judicial appointments, judicial independence and judicial proceedings

12 (1) The listed GDPR provisions do not apply to personal data processed for the
purposes of assessing a person’s suitability for judicial office or the office of
Queen’s Counsel.

(2) 5The listed GDPR provisions do not apply to personal data processed by—

(a) an individual acting in a judicial capacity, or

(b) a court or tribunal acting in its judicial capacity.

(3) As regards personal data not falling within sub-paragraph (1) or (2), the
listed GDPR provisions do not apply to the extent that the application of
10those provisions would be likely to prejudice judicial independence or
judicial proceedings.

Crown honours, dignities and appointments

13 (1) The listed GDPR provisions do not apply to personal data processed for the
purposes of the conferring by the Crown of any honour or dignity.

(2) 15The listed GDPR provisions do not apply to personal data processed for the
purposes of assessing a person’s suitability for any of the following offices—

(a) archbishops and diocesan and suffragan bishops in the Church of
England;

(b) deans of cathedrals of the Church of England;

(c) 20deans and canons of the two Royal Peculiars;

(d) the First and Second Church Estates Commissioners;

(e) lord-lieutenants;

(f) Masters of Trinity College and Churchill College, Cambridge;

(g) the Provost of Eton;

(h) 25the Poet Laureate;

(i) the Astronomer Royal.

(3) The Secretary of State may by regulations amend the list in sub-paragraph
(2) to—

(a) remove an office, or

(b) 30add an office to which appointments are made by Her Majesty.

(4) Regulations under sub-paragraph (3) are subject to the affirmative
resolution procedure.

Part 3 Restriction based on Article 23(1): Protection of rights of others

35Protection of the rights of others: general

14 (1) Article 15(1) to (3) of the GDPR (confirmation of processing, access to data
and safeguards for third country transfers), and Article 5 of the GDPR so far
as its provisions correspond to the rights and obligations provided for in
Article 15(1) to (3), do not oblige a controller to disclose information to the
40data subject to the extent that doing so would involve disclosing information
relating to another individual who can be identified from the information.

(2) Sub-paragraph (1) does not remove the controller’s obligation where—

(a) the other individual has consented to the disclosure of the
information to the data subject, or

(b) it is reasonable to disclose the information to the data subject without
the consent of the other individual.

(3) 5In determining whether it is reasonable to disclose the information without
consent, the controller must have regard to all the relevant circumstances,
including—

(a) the type of information that would be disclosed,

(b) any duty of confidentiality owed to the other individual,

(c) 10any steps taken by the controller with a view to seeking the consent
of the other individual,

(d) whether the other individual is capable of giving consent, and

(e) any express refusal of consent by the other individual.

(4) For the purposes of this paragraph—

(a) 15“information relating to another individual” includes information
identifying the other individual as the source of information;

(b) an individual can be identified from information to be provided to a
data subject by a controller if the individual can be identified from—

(i) that information, or

(ii) 20that information and any other information that the
controller reasonably believes the data subject is likely to
possess or obtain.

Assumption of reasonableness for health workers, social workers and education workers

15 (1) For the purposes of paragraph 14(2)(b), it is to be considered reasonable for
25a controller to disclose information to a data subject without the consent of
the other individual where—

(a) the health data test is met,

(b) the social work data test is met, or

(c) the education data test is met.

(2) 30The health data test is met if—

(a) the information in question is contained in a health record, and

(b) the other individual is a health professional who has compiled or
contributed to the health record or who, in his or her capacity as a
health professional, has been involved in the diagnosis, care or
35treatment of the data subject.

(3) The social work data test is met if—

(a) the other individual is—

(i) a children’s court officer,

(ii) a person who is or has been employed by a person or body
40referred to in paragraph 8 of Schedule 3 in connection with
functions exercised in relation to the information, or

(iii) a person who has provided for reward a service that is similar
to a service provided in the exercise of any relevant social
services functions, and

(b) 45the information relates to the other individual in an official capacity
or the other individual supplied the information—

(i) in an official capacity, or

(ii) in a case within paragraph (a)(iii), in connection with
providing the service mentioned in paragraph (a)(iii).

(4) The education data test is met if—

(a) the other individual is an education-related worker, or

(b) 5the other individual is employed by an education authority (within
the meaning of the Education (Scotland) Act 1980) in pursuance of its
functions relating to education and—

(i) the information relates to the other individual in his or her
capacity as such an employee, or

(ii) 10the other individual supplied the information in his or her
capacity as such an employee.

(5) In this paragraph—

• “children’s court officer” means a person referred to in paragraph
  8(1)(q), (r), (s), (t) or (u) of Schedule 3;

• 15“education-related worker” means a person referred to in paragraph
  14(4)(a) or (b) or 16(4)(a) or (b) of Schedule 3 (educational records);

• “relevant social services functions” means functions specified in
  paragraph 8(1)(a), (b), (c) or (d) of Schedule 3.

Part 4 20Restrictions based on Article 23(1): Restrictions of rules in Articles 13 to 15

GDPR provisions to be restricted: “the listed GDPR provisions”

16 In this Part “the listed GDPR provisions” means the following provisions of
the GDPR (the rights and obligations in which may be restricted by virtue of
Article 23(1) of the GDPR)—

(a) 25Article 13(1) to (3) (personal data collected from data subject:
information to be provided);

(b) Article 14(1) to (4) (personal data collected other than from data
subject: information to be provided);

(c) Article 15(1) to (3) (confirmation of processing, access to data and
30safeguards for third country transfers);

(d) Article 5 (general principles) so far as its provisions correspond to the
rights and obligations provided for in the provisions mentioned in
sub-paragraphs (a) to (c).

Legal professional privilege

17 35The listed GDPR provisions do not apply to personal data that consists of
information in respect of which a claim to legal professional privilege or, in
Scotland, confidentiality of communications, could be maintained in legal
proceedings.

Self incrimination

18 (1) 40A person need not comply with the listed GDPR provisions to the extent that
compliance would, by revealing evidence of the commission of an offence,
expose the person to proceedings for that offence.

(2) The reference to an offence in sub-paragraph (1) does not include an offence
under—

(a) this Act,

(b) section 5 of the Perjury Act 1911 (false statements made otherwise
5than on oath),

(c) section 44(2) of the Criminal Law (Consolidation) (Scotland) Act
1995 (false statements made otherwise than on oath), or

(d) Article 10 of the Perjury (Northern Ireland) Order 1979 (S.I. 1979/
1714 (N.I. 19)) (false statutory declarations and other false unsworn
10statements).

(3) Information disclosed by any person in compliance with Article 15 of the
GDPR is not admissible against the person in proceedings for an offence
under this Act.

Corporate finance

19 (1) 15The listed GDPR provisions do not apply to personal data processed for the
purposes of or in connection with a corporate finance service provided by a
relevant person to the extent that either Condition A or Condition B is met.

(2) Condition A is that the application of the listed GDPR provisions would be
likely to affect the price of an instrument.

(3) 20Condition B is that—

(a) the relevant person reasonably believes that the application of the
listed GDPR provisions to the personal data in question could affect
a decision of a person—

(i) whether to deal in, subscribe for or issue an instrument, or

(ii) 25whether to act in a way likely to have an effect on a business
activity (such as an effect on the industrial strategy of a
person, the capital structure of an undertaking or the legal or
beneficial ownership of a business or asset), and

(b) the application of the listed GDPR provisions to that personal data
30would have a prejudicial effect on the orderly functioning of
financial markets or the efficient allocation of capital within the
economy.

(4) In this paragraph—

• “corporate finance service” means a service consisting in—

  (a)

  35underwriting in respect of issues of, or the placing of issues
  of, any instrument,

  (b)

  services relating to such underwriting, or

  (c)

  advice to undertakings on capital structure, industrial
  strategy and related matters and advice and service relating
  40to mergers and the purchase of undertakings;

• “instrument” means an instrument listed in section C of Annex 1 to
  Directive 2004/39/EC of the European Parliament and of the
  Council of 21 April 2004 on markets in financial instruments, and
  references to an instrument include an instrument not yet in
  45existence but which is to be or may be created;

• “price” includes value;

• “relevant person” means—

• (a)

  a person who, by reason of a permission under Part 4A of the
  Financial Services and Markets Act 2000, is able to carry on a
  corporate finance service without contravening the general
  prohibition;

  (b)

  5an EEA firm of the kind mentioned in paragraph 5(a) or (b) of
  Schedule 3 to that Act which has qualified for authorisation
  under paragraph 12 of that Schedule, and may lawfully carry
  on a corporate finance service;

  (c)

  a person who is exempt from the general prohibition in
  10respect of any corporate finance service—

  (i)

  as a result of an exemption order made under section
  38(1) of that Act, or

  (ii)

  by reason of section 39(1) of that Act (appointed
  representatives);

  (d)

  15a person, not falling within paragraph (a), (b) or (c), who may
  lawfully carry on a corporate finance service without
  contravening the general prohibition;

  (e)

  a person who, in the course of employment, provides to their
  employer a service falling within paragraph (b) or (c) of the
  20definition of “corporate finance service”;

  (f)

  a partner who provides to other partners in the partnership a
  service falling within either of those paragraphs.

(5) In the definition of “relevant person” in sub-paragraph (4), references to “the
general prohibition” are to the general prohibition within the meaning of
25section 19 of the Financial Services and Markets Act 2000.

Management forecasts

20 The listed GDPR provisions do not apply to personal data processed for the
purposes of management forecasting or management planning in relation to
a business or other activity, to the extent that the application of those
30provisions would be likely to prejudice the conduct of the business or
activity concerned.

Negotiations

21 The listed GDPR provisions do not apply to personal data that consists of
records of the intentions of the controller in relation to any negotiations with
35the data subject to the extent that the application of those provisions would
be likely to prejudice those negotiations.

Confidential references

22 The listed GDPR provisions do not apply to personal data consisting of a
reference given (or to be given) in confidence by the controller for the
40purposes of—

(a) the education, training or employment (or prospective education,
training or employment) of the data subject,

(b) the appointment (or prospective appointment) of the data subject to
any office, or

(c) 45the provision (or prospective provision) by the data subject of any
service.

Exam scripts and exam marks

23 (1) The listed GDPR provisions do not apply to personal data consisting of
information recorded by candidates during an exam.

(2) Where personal data consists of marks or other information processed by a
5controller—

(a) for the purposes of determining the results of an exam, or

(b) in consequence of the determination of the results of an exam,

the duty in Article 12(3) or (4) of the GDPR for the controller to provide
information requested by the data subject within a certain time period, as it
10applies to Article 15 of the GDPR (confirmation of processing, access to data
and safeguards for third country transfers), is modified as set out in sub-
paragraph (3).

(3) Where a question arises as to whether the controller is obliged by Article 15
of the GDPR to disclose personal data, and the question arises before the day
15on which the exam results are announced, the controller must provide the
information mentioned in Article 12(3) or (4)—

(a) before the end of the period of five months beginning with the date
on which the question arises, or

(b) if earlier, before the end of the period of 40 days beginning with the
20date of the announcement of the results.

(4) In this paragraph, “exam” means an academic, professional or other
examination used for determining the knowledge, intelligence, skill or
ability of a candidate and may include an exam consisting of an assessment
of the candidate’s performance while undertaking work or any other
25activity.

(5) For the purposes of this paragraph, the results of an exam are treated as
announced when they are first published or, if not published, first
communicated to the candidate.

Part 5 30Exemptions etc based on Article 85(2) for reasons of freedom of expression and
information

Journalistic, academic, artistic and literary purposes

24 (1) In this paragraph, “the special purposes” means one or more of the
following—

(a) 35the purposes of journalism;

(b) academic purposes;

(c) artistic purposes;

(d) literary purposes.

(2) The listed GDPR provisions do not apply to personal data that is being
40processed only for the special purposes to the extent that—

(a) the personal data is being processed with a view to the publication
by a person of journalistic, academic, artistic or literary material,

(b) the controller reasonably believes that the publication of the material
would be in the public interest, and

(c) the controller reasonably believes that the application of any one or
more of the listed GDPR provisions would be incompatible with the
special purposes.

(3) In determining whether publication would be in the public interest the
5controller must take into account the special importance of the public
interest in the freedom of expression and information.

(4) In determining whether it is reasonable to believe that publication would be
in the public interest, the controller must have regard to any of the codes of
practice or guidelines listed in sub-paragraph (5) that is relevant to the
10publication in question.

(5) The codes of practice and guidelines are—

(a) BBC Editorial Guidelines;

(b) Ofcom Broadcasting Code;

(c) IPSO Editors’ Code of Practice.

(6) 15The Secretary of State may by regulations amend the list in sub-paragraph
(5).

(7) Regulations under sub-paragraph (6) are subject to the affirmative
resolution procedure.

(8) For the purposes of this paragraph, the listed GDPR provisions are the
20following provisions of the GDPR (which may be exempted or derogated
from by virtue of Article 85(2) of the GDPR)—

(a) in Chapter II of the GDPR (principles)—

(i) Article 5(1)(a) to (e) (principles relating to processing);

(ii) Article 6 (lawfulness);

(iii) 25Article 7 (conditions for consent);

(iv) Article 8(1) and (2) (child’s consent);

(v) Article 9 (processing of special categories of data);

(vi) Article 10 (data relating to criminal convictions etc);

(vii) Article 11(2) (processing not requiring identification);

(b) 30in Chapter III of the GDPR (rights of the data subject)—

(i) Article 13(1) to (3) (personal data collected from data subject:
information to be provided);

(ii) Article 14(1) to (4) (personal data collected other than from
data subject: information to be provided);

(iii) 35Article 15(1) to (3) (confirmation of processing, access to data
and safeguards for third country transfers);

(iv) Article 16 (right to rectification);

(v) Article 17(1) and (2) (right to erasure);

(vi) Article 18(1)(a), (b) and (d) (restriction of processing);

(vii) 40Article 20(1) and (2) (right to data portability);

(viii) Article 21(1) (objections to processing);

(c) in Chapter VII of the GDPR (co-operation and consistency)—

(i) Articles 60 to 62 (co-operation);

(ii) Articles 63 to 67 (consistency).

(9) 45For the purposes of this paragraph “publish”, in relation to journalistic,
academic, artistic or literary material, means make available to the public or
a section of the public.

Part 6 Derogations etc based on Article 89 for research, statistics and archiving

Research and statistics

25 (1) The listed GDPR provisions do not apply to personal data processed for—

(a) 5scientific or historical research purposes, or

(b) statistical purposes,

to the extent that the application of those provisions would prevent or
seriously impair the achievement of the purposes in question.

This is subject to sub-paragraph (3).

(2) 10The listed GDPR provisions are the following provisions of the GDPR (the
rights in which may be derogated from by virtue of Article 89(2) of the
GDPR)—

(a) Article 15(1) to (3) (confirmation of processing, access to data and
safeguards for third country transfers);

(b) 15Article 16 (right to rectification);

(c) Article 18(1) (restriction of processing);

(d) Article 21(1) (objections to processing).

(3) The exemption in sub-paragraph (1) is available only where—

(a) the personal data is processed in accordance with Article 89(1) of the
20GDPR (as supplemented by section 18), and

(b) as regards the disapplication of Article 15(1) to (3), the results of the
research or any resulting statistics are not made available in a form
which identifies a data subject.

Archiving in the public interest

26 (1) 25The listed GDPR provisions do not apply to personal data processed for
archiving purposes in the public interest to the extent that the application of
those provisions would prevent or seriously impair the achievement of
those purposes.

This is subject to sub-paragraph (3).

(2) 30The listed GDPR provisions are the following provisions of the GDPR (the
rights in which may be derogated from by virtue of Article 89(3) of the
GDPR)—

(a) Article 15(1) to (3) (confirmation of processing, access to data and
safeguards for third country transfers);

(b) 35Article 16 (right to rectification);

(c) Article 18(1) (restriction of processing);

(d) Article 19 (notification obligations);

(e) Article 20(1) (right to data portability);

(f) Article 21(1) (objections to processing).

(3) 40The exemption in sub-paragraph (1) is available only where the personal
data is processed in accordance with Article 89(1) of the GDPR (as
supplemented by section 18).

Section 14

SCHEDULE 3 Exemptions etc from the GDPR: health, social work, education and child abuse
data

Part 1 5GDPR provisions to be restricted: “the listed GDPR provisions”

1 In this Schedule “the listed GDPR provisions” means the following
provisions of the GDPR (the rights and obligations in which may be
restricted by virtue of Article 23(1) of the GDPR)—

(a) Article 13(1) to (3) (personal data collected from data subject:
10information to be provided);

(b) Article 14(1) to (4) (personal data collected other than from data
subject: information to be provided);

(c) Article 15(1) to (3) (confirmation of processing, access to data and
safeguards for third country transfers);

(d) 15Article 16 (right to rectification);

(e) Article 17(1) and (2) (right to erasure);

(f) Article 18(1) (restriction of processing);

(g) Article 20(1) and (2) (right to data portability);

(h) Article 21(1) (objections to processing);

(i) 20Article 5 (general principles) so far as its provisions correspond to the
rights and obligations provided for in the provisions mentioned in
sub-paragraphs (a) to (h).

Part 2 Health data

25Definitions

2 (1) In this Part of this Schedule—

• “the appropriate health professional”, in relation to a question as to
  whether the serious harm test is met with respect to data concerning
  health, means—

  (a)

  30the health professional who is currently or was most recently
  responsible for the diagnosis, care or treatment of the data
  subject in connection with the matters to which the data
  relates,

  (b)

  where there is more than one such health professional, the
  35health professional who is the most suitable to provide an
  opinion on the question, or

  (c)

  a health professional who has the necessary experience and
  qualifications to provide an opinion on the question, where—

  (i)

  there is no health professional available falling within
  40paragraph (a) or (b), or

  (ii)

  the controller is the Secretary of State and data is
  processed in connection with the exercise of the
  functions conferred on the Secretary of State by or
  under the Child Support Act 1991 and the Child