Data Protection Bill (HL Bill 66)

Data Protection BillPage 140

  • Support Act 1995, or the Secretary of State’s functions
    in relation to social security or war pensions, or

    (iii)

    the controller is the Department for Communities in
    Northern Ireland and data is processed in connection
    5with the exercise of the functions conferred on the
    Department by or under the Child Support (Northern
    Ireland) Order 1991 (S.I. 1991/2628) and the Child
    Support (Northern Ireland) Order 1995 (S.I. 1995/
    2702);

  • 10“war pension” has the same meaning as in section 25 of the Social
    Security Act 1989 (establishment and functions of war pensions
    committees).

(2) For the purposes of this Part of this Schedule, the “serious harm test” is met
with respect to data concerning health if the application of Article 15 of the
15GDPR to the data would be likely to cause serious harm to the physical or
mental health of the data subject or another individual.

Exemption from the listed GDPR provisions: data processed by a court

3 (1) The listed GDPR provisions do not apply to data concerning health if—

(a) it is processed by a court,

(b) 20it consists of information supplied in a report or other evidence given
to the court in the course of proceedings to which rules listed in sub-
paragraph (2) apply, and

(c) in accordance with those rules, the data may be withheld by the court
in whole or in part from the data subject.

(2) 25Those rules are—

(a) the Magistrates’ Courts (Children and Young Persons) Rules
(Northern Ireland) 1969 (S.R. 1969 No. 221);

(b) the Magistrates’ Courts (Children and Young Persons) Rules 1992
(S.I. 1992/2071 (L. 17));

(c) 30the Family Proceedings Rules (Northern Ireland) 1996 (S.R. 1996 No.
322);

(d) the Magistrates’ Courts (Children (Northern Ireland) Order 1995)
Rules (Northern Ireland) 1996 (S.R. 1996 No.323);

(e) the Act of Sederunt (Child Care and Maintenance Rules) 1997 (S.I.
351997/291 (S. 19));

(f) the Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17));

(g) the Children’s Hearings (Scotland) Act 2011 (Rules of Procedure in
Children’s Hearings) Rules 2013 (S.S.I. 2013/194).

Exemption from the listed GDPR provisions: data subject’s expectations and wishes

4 (1) 40This paragraph applies where a request for data concerning health is made
in exercise of a power conferred by an enactment or rule of law and—

(a) in relation to England and Wales or Northern Ireland, the data
subject is an individual aged under 18 and the person making the
request has parental responsibility for the data subject,

(b) 45in relation to Scotland, the data subject is an individual aged under
16 and the person making the request has parental responsibilities
for the data subject, or

Data Protection BillPage 141

(c) the data subject is incapable of managing his or her own affairs and
the person making the request has been appointed by a court to
manage those affairs.

(2) The listed GDPR provisions do not apply to data concerning health to the
5extent that complying with the request would disclose information—

(a) which was provided by the data subject in the expectation that it
would not be disclosed to the person making the request,

(b) which was obtained as a result of any examination or investigation
to which the data subject consented in the expectation that the
10information would not be so disclosed, or

(c) which the data subject has expressly indicated should not be so
disclosed.

(3) The exemptions under sub-paragraph (2)(a) and (b) do not apply if the data
subject has expressly indicated that he or she no longer has the expectation
15mentioned there.

Exemption from Article 15 of the GDPR: serious harm

5 (1) Article 15(1) to (3) of the GDPR (confirmation of processing, access to data
and safeguards for third country transfers) does not apply to data
concerning health to the extent that the serious harm test is met with respect
20to the data.

(2) A controller who is not a health professional may not rely on sub-paragraph
(1) to withhold data concerning health unless the controller has obtained an
opinion from the person who appears to the controller to be the appropriate
health professional to the effect that the serious harm test is met with respect
25to the data.

(3) An opinion does not count for the purposes of sub-paragraph (2) if—

(a) it was obtained before the beginning of the relevant period, or

(b) it was obtained during that period but it is reasonable in all the
circumstances to re-consult the appropriate health professional.

(4) 30In this paragraph, “the relevant period” means the period of 6 months
ending with the day on which the opinion would be relied on.

Restriction of Article 15 of the GDPR: prior opinion of appropriate health professional

6 (1) Article 15(1) to (3) of the GDPR (confirmation of processing, access to data
and safeguards for third country transfers) does not permit the disclosure of
35data concerning health by a controller who is not a health professional
unless the controller has obtained an opinion from the person who appears
to the controller to be the appropriate health professional to the effect that
the serious harm test is not met with respect to the data.

(2) Sub-paragraph (1) does not apply to the extent that the controller is satisfied
40that the data concerning health has already been seen by, or is within the
knowledge of, the data subject.

(3) An opinion does not count for the purposes of sub-paragraph (1) if—

(a) it was obtained before the beginning of the relevant period, or

(b) it was obtained during that period but it is reasonable in all the
45circumstances to re-consult the appropriate health professional.

Data Protection BillPage 142

(4) In this paragraph, “the relevant period” means the period of 6 months
ending with the day on which the opinion would be relied on.

Part 3 Social work data

5Definitions

7 (1) In this Part of this Schedule—

  • “education data” has the meaning given by paragraph 17 of this
    Schedule;

  • “Health and Social Care trust” means a Health and Social Care trust
    10established under the Health and Personal Social Services (Northern
    Ireland) Order 1991;

  • “Principal Reporter” means the Principal Reporter appointed under the
    Children’s Hearings (Scotland) Act 2011, or an officer of the Scottish
    Children’s Reporter Administration to whom there is delegated
    15under paragraph 10(1) of Schedule 3 to that Act any function of the
    Principal Reporter;

  • “social work data” means personal data which—

    (a)

    is data to which paragraph 8 applies, but

    (b)

    is not education data or data concerning health.

(2) 20For the purposes of this Part of this Schedule, the “serious harm test” is met
with respect to social work data if the application of Article 15 of the GDPR
to the data would be likely to prejudice the carrying out of social work,
because it would be likely to cause serious harm to the physical or mental
health of the data subject or another individual.

(3) 25In sub-paragraph (2), “the carrying out of social work” is to be taken to
include doing any of the following—

(a) the exercise of any functions mentioned in paragraph 8(1)(a), (d), (f)
to (j), (m), (p), (s), (t), (u), (v) or (w);

(b) the provision of any service mentioned in paragraph 8(1)(b), (c) or
30(k);

(c) the exercise of the functions of a body mentioned in paragraph
8(1)(e) or a person mentioned in paragraph 8(1)(q) or (r).

(4) In this Part of this Schedule, a reference to a local authority, in relation to
data processed or formerly processed by it, includes a reference to the
35Council of the Isles of Scilly, in relation to data processed or formerly
processed by the Council in connection with any functions mentioned in
paragraph 8(1)(a)(ii) which are or have been conferred on the Council by an
enactment.

8 (1) This paragraph applies to personal data falling within any of the following
40descriptions—

(a) data processed by a local authority—

(i) in connection with its social services functions within the
meaning of the Local Authority Social Services Act 1970 or
any functions exercised by local authorities under the Social
45Work (Scotland) Act 1968 or referred to in section 5(1B) of
that Act, or

Data Protection BillPage 143

(ii) in the exercise of other functions but obtained or consisting of
information obtained in connection with any of the functions
mentioned in sub-paragraph (i);

(b) data processed by the Regional Health and Social Care Board—

(i) 5in connection with the provision of social care within the
meaning of the Health and Personal Social Services
(Northern Ireland) Order 1972, or

(ii) in the exercise of other functions but obtained or consisting of
information obtained in connection with the provision of that
10care;

(c) data processed by a Health and Social Care trust—

(i) in connection with the provision of social care within the
meaning of the Health and Personal Social Services
(Northern Ireland) Order 1972 on behalf of the Regional
15Health and Social Care Board by virtue of an authorisation
made under Article 3(1) of the Health and Personal Social
Services (Northern Ireland) Order 1994, or

(ii) in the exercise of other functions but obtained or consisting of
information obtained in connection with the provision of that
20care;

(d) data processed by a council in the exercise of its functions under Part
2 of Schedule 9 to the Health and Social Services and Social Security
Adjudications Act 1983;

(e) data processed by—

(i) 25a probation trust established under section 5 of the Offender
Management Act 2007, or

(ii) the Probation Board for Northern Ireland established by the
Probation Board (Northern Ireland) Order 1982;

(f) data processed by a local authority in the exercise of its functions
30under section 36 of the Children Act 1989 or Chapter 2 of Part 6 of the
Education Act 1996, so far as those functions relate to ensuring that
children of compulsory school age (within the meaning of section 8
of the Education Act 1996) receive suitable education whether by
attendance at school or otherwise;

(g) 35data processed by the Education Authority in the exercise of its
functions under Article 55 of the Children (Northern Ireland) Order
1995 or Article 45 of, and Schedule 13 to, the Education and Libraries
(Northern Ireland) Order 1986, so far as those functions relate to
ensuring that children of compulsory school age (within the
40meaning of Article 46 of the Education and Libraries (Northern
Ireland) Order 1986) receive efficient full-time education suitable to
their age, ability and aptitude and to any special educational needs
they may have, either by regular attendance at school or otherwise;

(h) data processed by an education authority in the exercise of its
45functions under sections 35 to 42 of the Education (Scotland) Act
1980 so far as those functions relate to ensuring that children of
school age (within the meaning of section 31 of the Education
(Scotland) Act 1980) receive efficient education suitable to their age,
ability and aptitude, whether by attendance at school or otherwise;

(i) 50data relating to persons detained in a hospital at which high security
psychiatric services are provided under section 4 of the National
Health Service Act 2006 and processed by a Special Health Authority

Data Protection BillPage 144

established under section 28 of that Act in the exercise of any
functions similar to any social services functions of a local authority;

(j) data relating to persons detained in special accommodation
provided under Article 110 of the Mental Health (Northern Ireland)
5Order 1986 and processed by a Health and Social Care trust in the
exercise of any functions similar to any social services functions of a
local authority;

(k) data which—

(i) is processed by the National Society for the Prevention of
10Cruelty to Children, or by any other voluntary organisation
or other body designated under this paragraph by the
Secretary of State or the Department of Health in Northern
Ireland, and

(ii) appears to the Secretary of State or the Department, as the
15case may be, to be processed for the purposes of the provision
of any service similar to a service provided in the exercise of
any functions specified in paragraph (a), (b), (c) or (d);

(l) data processed by a body mentioned in sub-paragraph (2)

(i) which was obtained, or consists of information which was
20obtained, from an authority or body mentioned in any of
paragraphs (a) to (k) or from a government department, and

(ii) in the case of data obtained, or consisting of information
obtained, from an authority or body mentioned in any of
paragraphs (a) to (k), fell within any of those paragraphs
25while processed by the authority or body;

(m) data processed by a National Health Service trust first established
under section 25 of the National Health Service Act 2006, section 18
of the National Health Service (Wales) Act 2006 or section 5 of the
National Health Service and Community Care Act 1990 in the
30exercise of any functions similar to any social services functions of a
local authority;

(n) data processed by an NHS foundation trust in the exercise of any
functions similar to any social services functions of a local authority;

(o) data processed by a government department—

(i) 35which was obtained, or consists of information which was
obtained, from an authority or body mentioned in any of
paragraphs (a) to (n), and

(ii) which fell within any of those paragraphs while processed by
that authority or body;

(p) 40data processed for the purposes of the functions of the Secretary of
State pursuant to section 82(5) of the Children Act 1989;

(q) data processed by—

(i) a children’s guardian appointed under Part 16 of the Family
Procedure Rules 2010 (S.I. 2010/2955),

(ii) 45a guardian ad litem appointed under Article 60 of the
Children (Northern Ireland) Order 1995 (S.I. 1995/755) or
Article 66 of the Adoption (Northern Ireland) Order 1987 (S.I.
1997/2203), or

(iii) a safeguarder appointed under section 30(2) or 31(3) of the
50Children’s Hearings (Scotland) Act 2011 (asp 1);

(r) data processed by the Principal Reporter;

Data Protection BillPage 145

(s) data processed by an officer of the Children and Family Court
Advisory and Support Service for the purpose of the officer’s
functions under section 7 of the Children Act 1989 or Part 16 of the
Family Procedure Rules 2010;

(t) 5data processed by the Welsh family proceedings officer for the
purposes of the functions under section 7 of the Children Act 1989 or
Part 16 of the Family Procedure Rules 2010;

(u) data processed by an officer of the service appointed as guardian ad
litem under Part 16 of the Family Procedure Rules 2010;

(v) 10data processed by the Children and Family Court Advisory and
Support Service for the purpose of its functions under section 12(1)
and (2) and section 13(1), (2) and (4) of the Criminal Justice and Court
Services Act 2000;

(w) data processed by the Welsh Ministers for the purposes of their
15functions under section 35(1) and (2) and section 36(1), (2), (4), (5)
and (6) of the Children Act 2004;

(x) data processed for the purposes of the functions of the appropriate
Minister pursuant to section 12 of the Adoption and Children Act
2002 (independent review of determinations).

(2) 20The bodies referred to in sub-paragraph (1)(l) are—

(a) a National Health Service trust first established under section 25 of
the National Health Service Act 2006 or section 18 of the National
Health Service (Wales) Act 2006;

(b) a National Health Service trust first established under section 5 of the
25National Health Service and Community Care Act 1990;

(c) an NHS foundation trust;

(d) a clinical commissioning group established under section 14D of the
National Health Service Act 2006;

(e) the National Health Service Commissioning Board;

(f) 30a Local Health Board established under section 11 of the National
Health Service (Wales) Act 2006;

(g) a Health Board established under section 2 of the National Health
Service (Scotland) Act 1978.

Exemption from the listed GDPR provisions: data processed by a court

9 (1) 35The listed GDPR provisions do not apply to data that is not education data
or data concerning health if—

(a) it is processed by a court,

(b) it consists of information supplied in a report or other evidence given
to the court in the course of proceedings to which rules listed in sub-
40paragraph (2) apply, and

(c) in accordance with any of those rules, the data may be withheld by
the court in whole or in part from the data subject.

(2) Those rules are—

(a) the Magistrates’ Courts (Children and Young Persons) Rules
45(Northern Ireland) 1969 (S.R. 1969 No. 221);

(b) the Magistrates’ Courts (Children and Young Persons) Rules 1992
(S.I. 1992/2071 (L. 17));

(c) the Family Proceedings Rules (Northern Ireland) 1996 (S.R. 1996 No.
322);

Data Protection BillPage 146

(d) the Magistrates’ Courts (Children (Northern Ireland) Order 1995)
Rules (Northern Ireland) 1996 (S.R. 1996 No.323);

(e) the Act of Sederunt (Child Care and Maintenance Rules) 1997 (S.I.
1997/291 (S. 19));

(f) 5the Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17));

(g) the Children’s Hearings (Scotland) Act 2011 (Rules of Procedure in
Children’s Hearings) Rules 2013 (S.S.I. 2013/194).

Exemption from the listed GDPR provisions: data subject’s expectations and wishes

10 (1) This paragraph applies where a request for social work data is made in
10exercise of a power conferred by an enactment or rule of law and—

(a) in relation to England and Wales or Northern Ireland, the data
subject is an individual aged under 18 and the person making the
request has parental responsibility for the data subject,

(b) in relation to Scotland, the data subject is an individual aged under
1516 and the person making the request has parental responsibilities
for the data subject, or

(c) the data subject is incapable of managing his or her own affairs and
the person making the request has been appointed by a court to
manage those affairs.

(2) 20The listed GDPR provisions do not apply to social work data to the extent
that complying with the request would disclose information—

(a) which was provided by the data subject in the expectation that it
would not be disclosed to the person making the request,

(b) which was obtained as a result of any examination or investigation
25to which the data subject consented in the expectation that the
information would not be so disclosed, or

(c) which the data subject has expressly indicated should not be so
disclosed.

(3) The exemptions under sub-paragraph (2)(a) and (b) do not apply if the data
30subject has expressly indicated that he or she no longer has the expectation
mentioned there.

Exemption from Article 15 of the GDPR: serious harm

11 Article 15(1) to (3) of the GDPR (confirmation of processing, access to data
and safeguards for third country transfers) does not apply to social work
35data to the extent that the serious harm test is met with respect to the data.

Restriction of Article 15 of the GDPR: prior opinion of Principal Reporter

12 (1) This paragraph applies where—

(a) a question arises as to whether a controller who is a social work
authority is obliged Article 15(1) to (3) of the GDPR (confirmation of
40processing, access to data and safeguards for third country transfers)
to disclose social work data, and

(b) the data—

(i) originated from or was supplied by the Principal Reporter
acting in pursuance of the Principal Reporter’s statutory
45duties, and

Data Protection BillPage 147

(ii) is not data which the data subject is entitled to receive from
the Principal Reporter.

(2) The controller must inform the Principal Reporter of the fact that the
question has arisen before the end of the period of 14 days beginning with
5the day on which the question arises.

(3) Article 15(1) to (3) of the GDPR (confirmation of processing, access to data
and safeguards for third country transfers) does not permit the controller to
disclose the data to the data subject unless the Principal Reporter has
informed the controller that, in the opinion of the Principal Reporter, the
10serious harm test is not met with respect to the data.

(4) In this paragraph “social work authority” means a local authority for the
purposes of the Social Work (Scotland) Act 1968.

Part 4 Education data

15Educational records

13 In this Part of this Schedule “educational record” means a record to which
paragraph 14, 15 or 16 applies.

14 (1) This paragraph applies to a record of information which—

(a) is processed by or on behalf of the governing body of, or a teacher at,
20a school in England and Wales specified in sub-paragraph (3),

(b) relates to an individual who is or has been a pupil at the school, and

(c) originated from, or was supplied by or on behalf of, any of the
persons specified in sub-paragraph (4).

(2) But this paragraph does not apply to information which is processed by a
25teacher solely for the teacher’s own use.

(3) The schools referred to in sub-paragraph (1)(a) are—

(a) a school maintained by a local authority;

(b) a special school (as defined in section 337 of the Education Act 1996)
that is not maintained by a local authority.

(4) 30The persons referred to in sub-paragraph (1)(c) are—

(a) an employee of the local authority which maintains the school;

(b) in the case of—

(i) a voluntary aided, foundation or foundation special school
(within the meaning of the School Standards and Framework
35Act 1998), or

(ii) a special school that is not maintained by a local authority,

a teacher or other employee at the school (including an educational
psychologist engaged by the governing body under a contract for
services);

(c) 40the pupil to whom the record relates;

(d) a parent, as defined by section 576(1) of the Education Act 1996, of
that pupil.

(5) In this paragraph “local authority” has the meaning given by section 579(1)
of the Education Act 1996.

Data Protection BillPage 148

15 (1) This paragraph applies to a record of information which is processed—

(a) by an education authority in Scotland, and

(b) for the purpose of the relevant function of the authority.

(2) But this paragraph does not apply to information which is processed by a
5teacher solely for the teacher’s own use.

(3) For the purposes of this paragraph, information processed by an education
authority is processed for the purpose of the relevant function of the
authority if the processing relates to the discharge of that function in respect
of a person—

(a) 10who is or has been a pupil in a school provided by the authority, or

(b) who receives, or has received, further education provided by the
authority.

(4) In this paragraph “the relevant function” means, in relation to each
education authority, its function under section 1 of the Education (Scotland)
15Act 1980 and section 7(1) of the Self-Governing Schools etc. (Scotland) Act
1989.

16 (1) This paragraph applies to a record of information which—

(a) is processed by or on behalf of the Board of Governors of, or a teacher
at, a grant-aided school in Northern Ireland,

(b) 20relates to an individual who is or has been a pupil at the school, and

(c) originated from, or was supplied by or on behalf of, any of the
persons specified in sub-paragraph (4).

(2) But this paragraph does not apply to information which is processed by a
teacher solely for the teacher’s own use.

(3) 25In this paragraph “grant-aided school” has the same meaning as in the
Education and Libraries (Northern Ireland) Order 1986 (S.I. 1986/594 (N.I.
3).

(4) The persons referred to in sub-paragraph (1)(c) are—

(a) a teacher at the school;

(b) 30an employee of the Education Authority, other than a teacher at the
school;

(c) the pupil to whom the record relates;

(d) a parent, as defined by Article 2(2) of the Education and Libraries
(Northern Ireland) Order 1986.

35Other definitions

17 (1) In this Part of this Schedule—

  • “education authority” and “further education” have the same meaning
    as in the Education (Scotland) Act 1980;

  • “education data” means personal data consisting of information
    40which—

    (a)

    constitutes an educational record, but

    (b)

    is not data concerning health;

  • “Principal Reporter” means the Principal Reporter appointed under the
    Children’s Hearings (Scotland) Act 2011, or an officer of the Scottish
    45Children’s Reporter Administration to whom there is delegated

Data Protection BillPage 149

  • under paragraph 10(1) of Schedule 3 to that Act any function of the
    Principal Reporter;

  • “pupil” means—

    (a)

    in relation to a school in England and Wales, a registered
    5pupil within the meaning of the Education Act 1996,

    (b)

    in relation to a school in Scotland, a pupil within the meaning
    of the Education (Scotland) Act 1980, and

    (c)

    in relation to a school in Northern Ireland, a registered pupil
    within the meaning of the Education and Libraries (Northern
    10Ireland) Order 1986;

  • “school”—

    (a)

    in relation to England and Wales, has the same meaning as in
    the Education Act 1996,

    (b)

    in relation to Scotland, has the same meaning as in the
    15Education (Scotland) Act 1980, and

    (c)

    in relation to Northern Ireland, has the same meaning as in
    the Education and Libraries (Northern Ireland) Order 1986;

  • “teacher” includes—

    (a)

    in Great Britain, head teacher, and

    (b)

    20in Northern Ireland, the principal of a school.

(2) For the purposes of this Part of this Schedule, the “serious harm test” is met
with respect to education data if the application of Article 15 of the GDPR to
the data would be likely to cause serious harm to the physical or mental
health of the data subject or another individual.

25Exemption from the listed GDPR provisions: data processed by a court

18 (1) The listed GDPR provisions do not apply to education data if—

(a) it is processed by a court,

(b) it consists of information supplied in a report or other evidence given
to the court in the course of proceedings to which rules listed in sub-
30paragraph (2) apply, and

(c) in accordance with those rules, the data may be withheld by the court
in whole or in part from the data subject.

(2) Those rules are—

(a) the Magistrates’ Courts (Children and Young Persons) Rules
35(Northern Ireland) 1969 (S.R. 1969 No. 221);

(b) the Magistrates’ Courts (Children and Young Persons) Rules 1992
(S.I. 1992/2071 (L. 17));

(c) the Family Proceedings Rules (Northern Ireland) 1996 (S.R. 1996 No.
322);

(d) 40the Magistrates’ Courts (Children (Northern Ireland) Order 1995)
Rules (Northern Ireland) 1996 (S.R. 1996 No.323);

(e) the Act of Sederunt (Child Care and Maintenance Rules) 1997 (S.I.
1997/291 (S. 19));

(f) the Family Procedure Rules 2010 (S.I. 2010/2955 (L. 17));

(g) 45the Children’s Hearings (Scotland) Act 2011 (Rules of Procedure in
Children’s Hearings) Rules 2013 (S.S.I. 2013/194).