Data Protection Bill (HL Bill 66)

Exemption from Article 15 of the GDPR: serious harm

19 Article 15(1) to (3) of the GDPR (confirmation of processing, access to data
and safeguards for third country transfers) does not apply to education data
to the extent that the serious harm test is met with respect to the data.

5Restriction of Article 15 of the GDPR: prior opinion of Principal Reporter

20 (1) This paragraph applies where—

(a) a question arises as to whether a controller who is an education
authority is obliged by Article 15(1) to (3) of the GDPR (confirmation
of processing, access to data and safeguards for third country
10transfers) to disclose education data, and

(b) the controller believes that the data—

(i) originated from or was supplied by or on behalf of the
Principal Reporter acting in pursuance of the Principal
Reporter’s statutory duties, and

(ii) 15is not data which the data subject is entitled to receive from
the Principal Reporter.

(2) The controller must inform the Principal Reporter of the fact that the
question has arisen before the end of the period of 14 days beginning with
the day on which the question arises.

(3) 20Article 15(1) to (3) of the GDPR (confirmation of processing, access to data
and safeguards for third country transfers) does not permit the controller to
disclose the data to the data subject unless the Principal Reporter has
informed the controller that, in the opinion of the Principal Reporter, the
serious harm test is not met with respect to the data.

25Part 5 Child abuse data

Exemption from Article 15 of the GDPR: child abuse data

21 (1) This paragraph applies where a request for child abuse data is made in
exercise of a power conferred by an enactment or rule of law and—

(a) 30the data subject is an individual aged under 18 and the person
making the request has parental responsibility for the data subject, or

(b) the data subject is incapable of managing his or her own affairs and
the person making the request has been appointed by a court to
manage those affairs.

(2) 35Article 15(1) to (3) of the GDPR (confirmation of processing, access to data
and safeguards for third country transfers) does not apply to child abuse
data to the extent that the application of that provision would not be in the
best interests of the data subject.

(3) “Child abuse data” is personal data consisting of information as to whether
40the data subject is or has been the subject of, or may be at risk of, child abuse.

(4) For this purpose, “child abuse” includes physical injury (other than
accidental injury) to, and physical and emotional neglect, ill-treatment and
sexual abuse of, an individual aged under 18.

(5) This paragraph does not apply in relation to Scotland.

Section 14

SCHEDULE 4 Exemptions etc from the GDPR: disclosure prohibited or restricted by an
enactment

5GDPR provisions to be restricted: “the listed GDPR provisions”

1 In this Schedule “the listed GDPR provisions” means the following
provisions of the GDPR (the rights and obligations in which may be
restricted by virtue of Article 23(1) of the GDPR)—

(a) Article 15(1) to (3) (confirmation of processing, access to data and
10safeguards for third country transfers);

(b) Article 5 (general principles) so far as its provisions correspond to the
rights and obligations provided for in Article 15(1) to (3).

Human fertilisation and embryology information

2 The listed GDPR provisions do not apply to personal data consisting of
15information the disclosure of which is prohibited or restricted by any of
sections 31, 31ZA to 31ZE and 33A to 33D of the Human Fertilisation and
Embryology Act 1990.

Adoption records and reports

3 (1) The listed GDPR provisions do not apply to personal data consisting of
20information the disclosure of which is prohibited or restricted by an
enactment listed in sub-paragraph (2), (3) or (4).

(2) The enactments extending to England and Wales are—

(a) regulation 14 of the Adoption Agencies Regulations 1983 (S.I. 1983/
1964);

(b) 25regulation 41 of the Adoption Agencies Regulations 2005 (S.I. 2005/
389);

(c) regulation 42 of the Adoption Agencies (Wales) Regulations 2005
(S.I. 2005/1313) (W.95);

(d) rules 5, 6, 9, 17, 18, 21, 22 and 53 of the Adoption Rules 1984 (S.I.
301984/265);

(e) rules 24, 29, 30, 65, 72, 73, 77, 78 and 83 of the Family Procedure
(Adoption) Rules 2005 (S.I. 2005/2795) (L.22);

(f) in the Family Procedure Rules 2010 (S.I. 2010/2955) (L.17): rules 14.6,
14.11, 14.12, 14.13, 14.14, 14.24, 16.20 (so far as it applies to a
35children’s guardian appointed in proceedings to which Part 14 of
those Rules applies), 16.32 and 16.33 (so far as it applies to a children
and family reporter in proceedings to which Part 14 of those Rules
applies).

(3) The enactments extending to Scotland are—

(a) 40regulation 23 of the Adoption Agencies (Scotland) Regulations 1996
(S.I. 1996/3266 (S.254);

(b) rule 67.3 of the Act of Sederunt (Rules of the Court of Session 1994)
1994 (S.I. 1994/1443) (S.69);

(c) rules 10.3, 17.2, 21, 25, 39, 43.3, 46.2, 47 of the Act of Sederunt (Sheriff
Court Rules Amendment) (Adoption and Children (Scotland) Act
52007) 2009 (S.S.I. 2009/284).

(d) regulation 28(1) of Adoption Support Services and Allowances
(Scotland) Regulations 2009 (S.S.I. 2009/152);

(e) sections 53 and 55 of the Adoption and Children (Scotland) Act 2007
(asp 4);

(f) 10regulation 28 of the Adoption Agencies (Scotland) Regulations 2009
(S.S.I. 2009/154);

(g) regulation 3 of the Adoption (Disclosure of Information and Medical
Information about Natural Parents) (Scotland) Regulations 2009
(S.S.I. 2009/268).

(4) 15The enactments extending to Northern Ireland are—

(a) Articles 50 and 54 of the Adoption (Northern Ireland) Order 1987
(S.I. 1987/2203) (N.I.22);

(b) rule 53 of Order 84 of the Rules of the Court of Judicature (Northern
Ireland) 1980 (S.R. 1980/346);

(c) 20rules 4A.4(5), 4A.5(1), 4A.6(6) and 4A.22(5), 4C.7 of Part IVA of the
Family Proceedings Rules (Northern Ireland) 1996 (S.R. 1996/322).

Statements of special educational needs

4 (1) The listed GDPR provisions do not apply to personal data consisting of
information the disclosure of which is prohibited or restricted by an
25enactment listed in sub-paragraph (2).

(2) The enactments are—

(a) regulation 17 of the Special Educational Needs and Disability
Regulations 2014 (S.I. 2014/1530);

(b) regulation 10 of the Additional Support for Learning (Co-ordinated
30Support Plan) (Scotland) Amendment Regulations 2005 (S.I. 2005/
518);

(c) regulation 22 of the Education (Special Educational Needs)
Regulations (Northern Ireland) 2005 (S.I. 2005/384).

Parental order records and reports

5 (1) 35The listed GDPR provisions do not apply to personal data consisting of
information the disclosure of which is prohibited or restricted by an
enactment listed in sub-paragraph (2), (3) or (4).

(2) The enactments extending to England and Wales are—

(a) sections 60, 77, 78 and 79 of the Adoption and Children Act 2002, as
40applied with modifications by regulation 2 of and Schedule 1 to the
Human Fertilisation and Embryology (Parental Orders) Regulations
2010 (S.I. 2010/985) in relation to parental orders made under—

(i) section 30 of the Human Fertilisation and Embryology Act
1990, or

(ii) 45section 54 of the Human Fertilisation and Embryology Act
2008;

(b) rules made under section 144 of the Magistrates’ Courts Act 1980 by
virtue of section 141(1) of the Adoption and Children Act 2002, as
applied with modifications by regulation 2 of and Schedule 1 to the
Human Fertilisation and Embryology (Parental Orders) Regulations
52010, so far as the rules relate to—

(i) the appointment and duties of the parental order reporter,
and

(ii) the keeping of registers and the custody, inspection and
disclosure of documents and information relating to parental
10order proceedings or related proceedings;

(c) rules made under section 75 of the Courts Act 2003 by virtue of
section 141(1) of the Adoption and Children Act 2002, as applied
with modifications by regulation 2 of Schedule 1 to the Human
Fertilisation and Embryology (Parental Orders) Regulations 2010, so
15far as the rules relate to—

(i) the appointment and duties of the parental order reporter,
and

(ii) the keeping of registers and the custody, inspection and
disclosure of documents and information relating to parental
20order proceedings or related proceedings.

(3) The enactments extending to Scotland are—

(a) sections 53 and 55 of the Adoption and Children (Scotland) Act 2007,
as applied with modifications by regulation 4 of and Schedule 3 to
the Human Fertilisation and Embryology (Parental Orders)
25Regulations 2010 in relation to parental orders made under—

(i) section 30 of the Human Fertilisation and Embryology Act
1990, or

(ii) section 54 of the Human Fertilisation and Embryology Act
2008;

(b) 30rules 2.47 and 2.59 of the Act of Sederunt (Child Care and
Maintenance Rules) 1997 (S.I. 1997/291), or rules with equivalent
effect replacing those rules;

(c) rules 21 and 25 of the Sheriff Court Adoption Rules 2009.

(4) The enactments extending to Northern Ireland are—

(a) 35Articles 50 and 54 of the Adoption (Northern Ireland) Order 1987, as
applied with modifications by regulation 3 of and Schedule 2 to the
Human Fertilisation and Embryology (Parental Orders) Regulations
2010 in respect of parental orders made under—

(i) section 30 of the Human Fertilisation and Embryology Act
401990, or

(ii) section 54 of the Human Fertilisation and Embryology Act
2008;

(b) rules 4, 5 and 16 of Order 84A of the Rules of the Court of Judicature
(Northern Ireland) 1980, or rules with equivalent effect replacing
45those rules;

(c) rules 3, 4 and 15 of Order 50A of the County Court Rules (Northern
Ireland) 1981 (S.I. 1981/225), or rules with equivalent effect replacing
those rules.

Information provided by Principal Reporter for children’s hearing

6 The listed GDPR provisions do not apply to personal data consisting of
information the disclosure of which is prohibited or restricted by any of the
following enactments—

(a) 5section 178 of the Children’s Hearings (Scotland) Act 2011 (asp 1);

(b) the Children’s Hearings (Scotland) Act 2011 (Rules of Procedure in
Children’s Hearings) Rules 2013 (S.S.I. 2013/194).

Section 16

SCHEDULE 5 Accreditation of certification providers: reviews and appeals

10Introduction

1 (1) This Schedule applies where—

(a) a person (“the applicant”) applies to an accreditation authority for
accreditation as a certification provider, and

(b) is dissatisfied with the decision on that application.

(2) 15In this Schedule—

• “accreditation authority” means—

  (a)

  the Commissioner, or

  (b)

  the national accreditation body;

• “certification provider” and “national accreditation body” have the
  20same meaning as in section 16.

Review

2 (1) The applicant may ask the accreditation authority to review the decision.

(2) The request must be made in writing before the end of the period of 28 days
beginning with the day on which the person receives written notice of the
25accreditation authority’s decision.

(3) The request must specify—

(a) the decision to be reviewed, and

(b) the reasons for asking for the review.

(4) The request may be accompanied by additional documents which the
30applicant wants the accreditation authority to take into account for the
purposes of the review.

(5) If the applicant makes a request in accordance with sub-paragraphs (1) to
(4), the accreditation authority must—

(a) review the decision, and

(b) 35inform the applicant of the outcome of the review in writing before
the end of the period of 28 days beginning with the day on which the
request for a review is received.

Right to appeal

3 (1) If the applicant is dissatisfied with the decision on the review under
paragraph 2, the applicant may ask the accreditation authority to refer the
decision to an appeal panel constituted in accordance with paragraph 4.

(2) 5The request must be made in writing before the end of the period of 3
months beginning with the day on which the person receives written notice
of the decision on the review.

(3) A request must specify—

(a) the decision to be referred to the appeal panel, and

(b) 10the reasons for asking for it to be referred.

(4) The request may be accompanied by additional documents which the
applicant wants the appeal panel to take into account.

(5) The applicant may discontinue an appeal at any time by giving notice in
writing to the accreditation authority.

15Appeal panel

4 (1) If the applicant makes a request in accordance with paragraph 3, an appeal
panel must be established in accordance with this paragraph.

(2) An appeal panel must consist of a chair and at least two other members.

(3) Where the request relates to a decision of the Commissioner—

(a) 20the Secretary of State may appoint one person to be a member of the
appeal panel other than the chair, and

(b) subject to paragraph (a), the Commissioner must appoint the
members of the appeal panel.

(4) Where the request relates to a decision of the national accreditation body—

(a) 25the Secretary of State—

(i) may appoint one person to be a member of the appeal panel
other than the chair, or

(ii) may direct the Commissioner to appoint one person to be a
member of the appeal panel other than the chair, and

(b) 30subject to paragraph (a), the chair of the national accreditation body
must appoint the members of the appeal panel.

(5) A person may not be a member of an appeal panel if the person—

(a) has a commercial interest in the decision referred to the panel,

(b) has had any prior involvement in any matters relating to the
35decision, or

(c) is an employee or officer of the accreditation authority.

(6) The Commissioner may not be a member of an appeal panel to which a
decision of the Commissioner is referred.

(7) The applicant may object to all or any of the members of the appeal panel.

(8) 40If the applicant objects to a member of the appeal panel under sub-
paragraph (7), the person who appointed that member must appoint a
replacement.

(9) The applicant may not object to a member of the appeal panel appointed
under sub-paragraph (7).

Hearing

5 (1) If the appeal panel considers it necessary, a hearing must be held at which
5both the applicant and the accreditation authority may be represented.

(2) Any additional documents which the applicant or the accreditation
authority want the appeal panel to take into account must be submitted to
the chair of the appeal panel at least 5 working days before the hearing.

(3) The appeal panel may allow experts and witnesses to give evidence at a
10hearing.

Decision following referral to appeal panel

6 (1) The appeal panel must, before the end of the period of 28 days beginning
with the day on which the appeal panel is established in accordance with
paragraph 4—

(a) 15make a reasoned recommendation in writing to the accreditation
authority, and

(b) give a copy of the recommendation to the applicant.

(2) For the purposes of sub-paragraph (1), where there is an objection under
paragraph 4(7), an appeal panel is not to be taken to be established in
20accordance with paragraph 4 until the replacement member is appointed
(or, if there is more than one objection, until the last replacement member is
appointed).

(3) The accreditation authority must, before the end of the period of 3 working
days beginning with the day on which the authority receives the
25recommendation—

(a) make a reasoned final decision in writing, and

(b) give a copy of the decision to the applicant.

(4) Where the accreditation authority is the national accreditation body, the
recommendation must be given to, and the final decision must be made by,
30the chief executive of that body.

(5) In this paragraph, “working day” means any day other than—

(a) Saturday or Sunday,

(b) Christmas Day or Good Friday, or

(c) a day which is a bank holiday under the Banking and Financial
35Dealings Act 1971 in any part of the United Kingdom.

Section 20

SCHEDULE 6 The applied GDPR and the applied Chapter 2

Part 1 Modifications to the GDPR

5Introductory

1 In its application by virtue of section 20(1), the GDPR has effect as if it were
modified as follows.

References to the GDPR and its provisions

2 References to “this Regulation” and to provisions of the GDPR have effect as
10references to the applied GDPR and to the provisions of the applied GDPR,
except—

(a) in the provisions modified by paragraphs 9(f), 15(b), 16(a)(ii), 35,
36(a) and (e)(ii), 38(a), 46 and 47;

(b) in Article 61(2) inserted by paragraph 49.

15References to Union law and Member State law

3 (1) References to “Union law”, “Member State law”, “the law of a Member State”
and “Union or Member State law” have effect as references to domestic law.

(2) Sub-paragraph (1) is subject to the specific modifications made in this Part
of this Schedule.

(3) 20For the purposes of this Part of this Schedule, “domestic law” means the law
of the United Kingdom, or of a part of the United Kingdom, and includes
law in the form of an enactment, an instrument made under Her Majesty’s
prerogative or a rule of law.

References to the Union and to Member States

4 (1) 25References to “the Union”, “a Member State” and “Member States” have
effect as references to the United Kingdom.

(2) Sub-paragraph (1) is subject to the specific modifications made in this Part
of this Schedule.

References to supervisory authorities

5 (1) 30References to a “supervisory authority”, a “competent supervisory
authority” or “supervisory authorities”, however expressed, have effect as
references to the Commissioner.

(2) Sub-paragraph (1) does not apply to the references in—

(a) Article 4(21) as modified by paragraph 9(f);

(b) 35Article 57(1)(h);

(c) Article 61(1) inserted by paragraph 49.

(3) Sub-paragraph (1) is also subject to the specific modifications made in this
Part of this Schedule.

References to the national parliament

6 References to “the national Parliament” have effect as references to both
Houses of Parliament.

Chapter I of the GDPR (general provisions)

7 5For Article 2 (material scope) substitute—

“2 This Regulation applies to the processing of personal data to
which Chapter 3 of Part 2 of the 2017 Act applies (see section 19 of
that Act).”

8 For Article 3 substitute—

10“Article 3

Territorial application

Section 186 of the 2017 Act has effect for the purposes of this
Regulation as it has effect for the purposes of that Act but as if it
were modified as follows—

(a) 15references to “this Act” have effect as references to this
Regulation;

(b) in subsection (1), omit “, subject to subsection (3)”;

(c) in subsection (2), omit “, subject to subsection (4)”;

(d) omit subsections (3) to (5);

(e) 20in subsection (7), omit “or section 57(8) or 103(3) of this Act
(processor to be treated as controller in certain
circumstances).”

9 In Article 4 (definitions)—

(a) in paragraph (7) (meaning of “controller”), for “; where the purposes
25and means of such processing are determined by Union or Member
State law, the controller or the specific criteria for its nomination may
be provided for by Union or Member State law” substitute “, subject
to section 5 of the 2017 Act (meaning of “controller”)”;

(b) after paragraph (7), insert—

“(7A) 30“the 2017 Act” means the Data Protection Act 2017 as applied
by section 20 of that Act and further modified by section 2 of
that Act.”

(c) omit paragraph (16) (meaning of “main establishment”);

(d) omit paragraph (17) (meaning of “representative”);

(e) 35in paragraph (20) (meaning of “binding corporate rules”), for “on the
territory of a Member State” substitute “in the United Kingdom”;

(f) in paragraph (21) (meaning of “supervisory authority”), after “a
Member State” insert “(other than the United Kingdom);

(g) after paragraph (21) insert—

“(21A) 40“the Commissioner” means the Information
Commissioner (see section 112 of the 2017 Act);”;

(h) omit paragraph (22) (meaning of “supervisory authority concerned”;

(i) omit paragraph (23) (meaning of “cross-border processing”);

(j) omit paragraph (24) (meaning of “relevant and reasoned objection”);

(k) after paragraph (26), insert—

“(27) “the GDPR” has the meaning given in section 2(10) of the
2017 Act.”

Chapter II of the GDPR (principles)

10 5In Article 6 (lawfulness of processing)—

(a) omit paragraph 2;

(b) in paragraph 3, for the first subparagraph, substitute—

“In addition to the provision made in section 14 of and Part
1 of Schedule 2 to the 2017 Act, a legal basis for the
10processing referred to in point (c) and (e) of paragraph 1
may be laid down by the Secretary of State in regulations
(see section 15 of the 2017 Act).”

(c) in paragraph 3, in the second subparagraph, for “The Union or
Member State law shall” substitute “The regulations must”

11 15In Article 8 (conditions applicable to child’s consent in relation to
information society services)—

(a) in paragraph 1, for the second subparagraph, substitute—

“This paragraph is subject to section 8 of the 2017 Act.”;

(b) in paragraph 3, for “general contract law of Member States”
20substitute “the general law of contract as it operates in domestic
law”.

12 In Article 9 (processing of special categories of personal data)—

(a) in paragraph 2(a), omit “, except where Union or Member State law
provide that the prohibition referred to in paragraph 1 may not be
25lifted by the data subject”;

(b) in paragraph 2(b), for “Union or Member State law” substitute
“domestic law (see section 9 of the 2017 Act)”;

(c) in paragraph 2, for point (g), substitute—

“(g) processing is necessary for reasons of substantial
30public interest and is authorised by domestic law
(see section 9 of the 2017 Act);”;

(d) in paragraph 2(h), for “Union or Member State law” substitute
“domestic law (see section 9)”;

(e) in paragraph 2(i), for “Union or Member State law” insert “domestic
35law (see section 9 of the 2017 Act);”;

(f) in paragraph 2, for point (j) substitute—

“(j) processing is necessary for archiving purposes in
the public interest, scientific or historical research
purposes or statistical purposes in accordance with
40Article 89(1) (as supplemented by section 18 of the
2017 Act) and is authorised by domestic law (see
section 9 of that Act).”;

(g) in paragraph 3, for “national competent bodies”, in both places,
substitute “a national competent body of the United Kingdom”;

(h) 45omit paragraph 4.

13 In Article 10 (processing of personal data relating to criminal convictions
and offences), in the first sentence, for “Union or Member State law