Data Protection Bill (HL Bill 66)
SCHEDULE 8 continued
Data Protection BillPage 170
Other authorities
39 The Director of Public Prosecutions.
40 The Director of Public Prosecutions for Northern Ireland.
41 The Lord Advocate.
42 A Procurator Fiscal.
43 The Director of Service Prosecutions.
44 The Information Commissioner.
45 The Scottish Information Commissioner.
46 The Scottish Courts and Tribunal Service.
47 The Crown agent.
48 A court or tribunal.
Section 33(3)
SCHEDULE 8 Conditions for sensitive processing under Part 3
Judicial and statutory purposes
1 (1) This condition is met if the processing—
(a) is necessary for a purpose listed in sub-paragraph (2), and
(b) is necessary for reasons of substantial public interest.
(2) Those purposes are—
(a) the administration of justice;
(b) the exercise of a function conferred on a person by an enactment.
Protecting individual’s vital interests
2 This condition is met if the processing is necessary to protect the vital interests of the data subject or of another individual.
Personal data already in the public domain
3 This condition is met if the processing relates to personal data which is manifestly made public by the data subject.
Legal claims and judicial acts
4 This condition is met if the processing is necessary for the establishment, exercise or defence of a legal claim or whenever a court is acting in its judicial capacity.
Preventing fraud
5 (1) This condition is met if the processing—
(a) is necessary for the purposes of preventing fraud or a particular kind of fraud, and
(b) consists of—
(i) the disclosure of personal data by a competent authority as a member of an anti-fraud organisation,
(ii) the disclosure of personal data by a competent authority in accordance with arrangements made by an anti-fraud organisation, or
(iii) the processing of personal data disclosed as described in sub-paragraph (i) or (ii).
(2) In this paragraph, “anti-fraud organisation” has the same meaning as in section 68 of the Serious Crime Act 2007.
Archiving etc
6 This condition is met if the processing is necessary—
(a) for archiving purposes in the public interest,
(b) for scientific or historical research purposes, or
(c) for statistical purposes.
Section 84
SCHEDULE 9 Conditions for processing under Part 4
1 The data subject has given consent to the processing.
2 The processing is necessary—
(a) for the performance of a contract to which the data subject is a party, or
(b) in order to take steps at the request of the data subject prior to entering into a contract.
3 The processing is necessary for compliance with a legal obligation to which the controller is subject, other than an obligation imposed by contract.
4 The processing is necessary in order to protect the vital interests of the data subject or of another individual.
5 The processing is necessary—
(a) for the administration of justice,
(b) for the exercise of any functions of either House of Parliament,
(c) for the exercise of any functions conferred on a person by an enactment,
(d) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or
(e) for the exercise of any other functions of a public nature exercised in the public interest by a person.
6 (1) The processing is necessary for the purposes of legitimate interests pursued by—
(a) the controller, or
(b) the third party or parties to whom the data is disclosed.
(2) Sub-paragraph (1) does not apply where the processing is unwarranted in any particular case because of prejudice to the rights and freedoms or legitimate interests of the data subject.
(3) In this paragraph, “third party”, in relation to personal data, means a person other than the data subject, the controller or a processor or other person authorised to process personal data for the controller or processor.
Section 84
SCHEDULE 10 Conditions for sensitive processing under Part 4
Consent to particular processing
1 The data subject has given consent to the processing.
Right or obligation relating to employment
2 The processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by an enactment or rule of law on the controller in connection with employment.
Vital interests of a person
3 The processing is necessary—
(a) in order to protect the vital interests of the data subject or of another person, in a case where—
(i) consent cannot be given by or on behalf of the data subject, or
(ii) the controller cannot reasonably be expected to obtain the consent of the data subject, or
(b) in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.
Data already published by data subject
4 The information contained in the personal data has been made public as a result of steps deliberately taken by the data subject.
Legal proceedings etc
5 The processing—
(a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),
(b) is necessary for the purpose of obtaining legal advice, or
(c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.
State functions
6 The processing is necessary—
(a) for the administration of justice,
(b) for the exercise of any functions of either House of Parliament,
(c) for the exercise of any functions conferred on any person by an enactment, or
(d) for the exercise of any functions of the Crown, a Minister of the Crown or a government department.
Medical purposes
7 (1) The processing is necessary for medical purposes and is undertaken by—
(a) a health professional, or
(b) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.
(2) In this paragraph, “medical purposes” includes the purposes of preventative medicine, medical diagnosis, medical research, the provision of care and treatment and the management of healthcare services.
Equality
8 (1) The processing—
(a) is of sensitive personal data consisting of information as to racial or ethnic origin,
(b) is necessary for the purpose of identifying or keeping under review the existence or absence of equality of opportunity or treatment between persons of different racial or ethnic origins, with a view to enabling such equality to be promoted or maintained, and
(c) is carried out with appropriate safeguards for the rights and freedoms of data subjects.
(2) In this paragraph, “sensitive personal data” means personal data the processing of which constitutes sensitive processing (see section 84(7)).
Section 110
SCHEDULE 11 Other exemptions under Part 4
Preliminary
1 In this Schedule, “the listed provisions” means—
(a) Chapter 2 (the data protection principles), except section 84(1)(a) and (2) and Schedules 9 and 10;
(b) Chapter 3 (rights of data subjects);
(c) in Chapter 4, section 106 (communication of personal data breach to the Commissioner).
Crime
2 The listed provisions do not apply to personal data processed for any of the following purposes—
(a) the prevention and detection of crime, or
(b) the apprehension and prosecution of offenders,
to the extent that the application of the listed provisions would be likely to prejudice any of the matters mentioned in paragraph (a) or (b).
Information required to be disclosed by law etc or in connection with legal proceedings
3 (1) The listed provisions do not apply to personal data consisting of information that the controller is obliged by an enactment to make available to the public, to the extent that the application of the listed provisions would prevent the controller from complying with that obligation.
(2) The listed provisions do not apply to personal data where disclosure of the data is required by an enactment, a rule of law or the order of a court, to the extent that the application of the listed provisions would prevent the controller from making the disclosure.
(3) The listed provisions do not apply to personal data where disclosure of the data is necessary—
(a) for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings), or
(b) for the purpose of obtaining legal advice or otherwise establishing, exercising or defending legal rights,
to the extent that the application of the listed provisions would prevent the controller from making the disclosure.
Parliamentary privilege
4 The listed provisions do not apply to personal data where this is required for the purpose of avoiding an infringement of the privileges of either House of Parliament.
Judicial proceedings
5 The listed provisions do not apply to personal data to the extent that the application of the listed provisions would be likely to prejudice judicial proceedings.
Crown honours and dignities
6 The listed provisions do not apply to personal data processed for the purposes of the conferring by the Crown of any honour or dignity.
Armed forces
7 The listed provisions do not apply to personal data to the extent that the application of the listed provisions would be likely to prejudice the combat effectiveness of any of the armed forces of the Crown.
Economic well-being
8 The listed provisions do not apply to personal data to the extent that the application of the listed provisions would be likely to prejudice the economic well-being of the United Kingdom.
Legal professional privilege
9 The listed provisions do not apply to personal data that consists of information in respect of which a claim to legal professional privilege or, in Scotland, confidentiality of communications, could be maintained in legal proceedings.
Negotiations
10 The listed provisions do not apply to personal data that consists of records of the intentions of the controller in relation to any negotiations with the data subject to the extent that the application of the listed provisions would be likely to prejudice the negotiations.
Confidential references given by the controller
11 The listed provisions do not apply to personal data consisting of a reference given (or to be given) in confidence by the controller for the purposes of—
(a) the education, training or employment (or prospective education, training or employment) of the data subject,
(b) the appointment (or prospective appointment) of the data subject to any office, or
(c) the provision (or prospective provision) by the data subject of any service.
Exam scripts and marks
12 (1) The listed provisions do not apply to personal data consisting of information recorded by candidates during an exam.
(2) Where personal data consists of marks or other information processed by a controller—
(a) for the purposes of determining the results of an exam, or
(b) in consequence of the determination of the results of an exam,
section 92 has effect subject to sub-paragraph (3).
(3) Where the relevant day falls before the day on which the results of the exam are announced, the period mentioned in section 92(10)(b) is extended until the earlier of—
(a) the end of the period of five months beginning with the relevant day, and
(b) the end of the period of 40 days beginning with the date of the announcement of the results.
(4) In this paragraph—
“exam” means an academic, professional or other examination used for determining the knowledge, intelligence, skill or ability of a candidate and may include an exam consisting of an assessment of the candidate’s performance while undertaking work or any other activity;
“relevant day” has the same meaning as in section 92.
(5) For the purposes of this paragraph, the results of an exam are treated as announced when they are first published or, if not published, first communicated to the candidate.
Research and statistics
13 (1) The listed provisions do not apply to personal data processed for—
(a) scientific or historical research purposes, or
(b) statistical purposes,
to the extent that the application of those provisions would prevent or seriously impair the achievement of the purposes in question.
(2) The exemption in sub-paragraph (1) is available only where—
(a) the personal data is processed subject to appropriate safeguards for the rights and freedoms of data subjects, and
(b) the results of the research or any resulting statistics are not made available in a form which identifies a data subject.
Archiving in the public interest
14 (1) The listed provisions do not apply to personal data processed for archiving purposes in the public interest to the extent that the application of those provisions would prevent or seriously impair the achievement of those purposes.
(2) The exemption in sub-paragraph (1) is available only where the personal data is processed subject to appropriate safeguards for the rights and freedoms of data subjects.
Section 112
SCHEDULE 12 The Information Commissioner
Status and capacity
1 (1) The Commissioner is to continue to be a corporation sole.
(2) The Commissioner and the Commissioner’s officers and staff are not to be regarded as servants or agents of the Crown.
Appointment
2 (1) The Commissioner is to be appointed by Her Majesty by Letters Patent.
(2) No recommendation may be made to Her Majesty for the appointment of a person as the Commissioner unless the person concerned has been selected on merit on the basis of fair and open competition.
(3) The Commissioner is to hold office for such term not exceeding 7 years as may be determined at the time of the Commissioner’s appointment, subject to paragraph 3.
(4) A person cannot be appointed as the Commissioner more than once.
Resignation and removal
3 (1) The Commissioner may be relieved of office by Her Majesty at the Commissioner’s own request.
(2) The Commissioner may be removed from office by Her Majesty on an Address from both Houses of Parliament.
(3) No motion is to be made in either House of Parliament for such an Address unless a Minister of the Crown has presented a report to that House stating that the Minister is satisfied that one or both of the following grounds is made out—
(a) the Commissioner is guilty of serious misconduct;
(b) the Commissioner no longer fulfils the conditions required for the performance of the Commissioner’s functions.
Salary etc
4 (1) The Commissioner is to be paid such salary as may be specified by a resolution of the House of Commons.
(2) There is to be paid in respect of the Commissioner such pension as may be specified by a resolution of the House of Commons.
(3) A resolution for the purposes of this paragraph may—
(a) specify the salary or pension,
(b) specify the salary or pension and provide for it to be increased by reference to such variables as may be specified in the resolution, or
(c) provide that the salary or pension is to be the same as, or calculated on the same basis as, that payable to, or in respect of, a person employed in a specified office under, or in a specified capacity in the service of, the Crown.
(4) A resolution for the purposes of this paragraph may take effect from—
(a) the date on which it is passed, or
(b) from an earlier date or later date specified in the resolution.
(5) A resolution for the purposes of this paragraph may make different provision in relation to the pension payable to, or in respect of, different holders of the office of Commissioner.
(6) A salary or pension payable under this paragraph is to be charged on and issued out of the Consolidated Fund.
(7) In this paragraph, “pension” includes an allowance or gratuity and a reference to the payment of a pension includes a reference to the making of payments towards the provision of a pension.
Officers and staff
5 (1) The Commissioner—
(a) must appoint one or more deputy commissioners, and
(b) may appoint other officers and staff.
(2) The Commissioner is to determine the remuneration and other conditions of service of people appointed under this paragraph.
(3) The Commissioner may pay pensions, allowances or gratuities to, or in respect of, people appointed under this paragraph, including pensions, allowances or gratuities paid by way of compensation in respect of loss of office or employment.
(4) The references in sub-paragraph (3) to paying pensions, allowances or gratuities includes making payments towards the provision of pensions, allowances or gratuities.
(5) In making appointments under this paragraph, the Commissioner must have regard to the principle of selection on merit on the basis of fair and open competition.
(6) The Employers’ Liability (Compulsory Insurance) Act 1969 does not require insurance to be effected by the Commissioner.
Carrying out of the Commissioner’s functions by officers and staff
6 (1) The functions of the Commissioner are to be carried out by the deputy commissioner or deputy commissioners if—
(a) there is a vacancy in the office of the Commissioner, or
(b) the Commissioner is for any reason unable to act.
(2) When the Commissioner appoints a second or subsequent deputy commissioner, the Commissioner must specify which deputy commissioner is to carry out which of the Commissioner’s functions in the circumstances referred to in sub-paragraph (1).
(3) A function of the Commissioner may, to the extent authorised by the Commissioner, be carried out by any of the Commissioner’s officers or staff.
Authentication of the seal of the Commissioner
7 The application of the seal of the Commissioner is to be authenticated by—
(a) the Commissioner’s signature, or
(b) the signature of another person authorised for the purpose.
Presumption of authenticity of documents issued by the Commissioner
8 A document purporting to be an instrument issued by the Commissioner and to be—
(a) duly executed under the Commissioner’s seal, or
(b) signed by or on behalf of the Commissioner,
is to be received in evidence and is to be deemed to be such an instrument unless the contrary is shown.
Money
9 The Secretary of State may make payments to the Commissioner out of money provided by Parliament.
Fees and other sums
10 (1) All fees and other sums received by the Commissioner in carrying out the Commissioner’s functions are to be paid by the Commissioner to the Secretary of State.
(2) Sub-paragraph (1) does not apply where the Secretary of State, with the consent of the Treasury, otherwise directs.
(3) Any sums received by the Secretary of State under sub-paragraph (1) are to be paid into the Consolidated Fund.
Accounts
11 (1) The Commissioner must—
(a) keep proper accounts and other records in relation to the accounts, and
(b) prepare in respect of each financial year a statement of account in such form as the Secretary of State may direct.
(2) The Commissioner must send a copy of the statement to the Comptroller and Auditor General—
(a) on or before 31 August next following the end of the year to which the statement relates, or
(b) on or before such earlier date after the end of that year as the Treasury may direct.
(3) The Comptroller and Auditor General must examine, certify and report on the statement.
(4) The Commissioner must arrange for copies of the statement and the Comptroller and Auditor General’s report to be laid before Parliament.
(5) In this paragraph, “financial year” means a period of 12 months beginning with 1 April.
Scotland
12 Paragraphs 1(1), 7 and 8 do not extend to Scotland.
Section 114
SCHEDULE 13 Other general functions of the Commissioner
General tasks
1 The Commissioner must—
(a) monitor and enforce Parts 3 and 4 of this Act;
(b) promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing of personal data to which those Parts apply;
(c) advise Parliament, the government and other institutions and bodies on legislative and administrative measures relating to the protection