Data Protection Bill (HL Bill 66)

A

BILL

TO

Make provision for the regulation of the processing of information relating to
individuals; to make provision in connection with the Information
Commissioner’s functions under certain regulations relating to information; to
make provision for a direct marketing code of conduct; and for connected
purposes.

Be it enacted by the Queen’s most Excellent Majesty, by and with the advice and
consent of the Lords Spiritual and Temporal, and Commons, in this present
Parliament assembled, and by the authority of the same, as follows:—

Part 1 Preliminary

1 Overview

(1) This Act makes provision about the processing of personal data.

(2) Most processing of personal data is subject to the GDPR.

(3) Part 2 supplements the GDPR (see Chapter 2) and applies a broadly equivalent
regime to certain types of processing to which the GDPR does not apply (see
Chapter 3).

(4) Part 3 makes provision about the processing of personal data by competent
authorities for law enforcement purposes and implements the Law
Enforcement Directive.

(5) Part 4 makes provision about the processing of personal data by the
intelligence services.

(6) Part 5 makes provision about the Information Commissioner.

(7) Part 6 makes provision about the enforcement of the data protection
legislation.

(8) Part 7 makes supplementary provision, including provision about the
application of this Act to the Crown and to Parliament.

Data Protection Bill, Page 2

2 Terms relating to the processing of personal data

(1) This section defines some terms used in this Act.

(2) “Personal data” means any information relating to an identified or identifiable
living individual (subject to subsection (14)(b)).

(3) “Identifiable living individual” means a living individual who can be
identified, directly or indirectly, in particular by reference to—

(a) an identifier such as a name, an identification number, location data or
an online identifier, or

(b) one or more factors specific to the physical, physiological, genetic,
mental, economic, cultural or social identity of the individual.

(4) “Processing”, in relation to personal data, means an operation or set of
operations which is performed on personal data, or on sets of personal data,
such as—

(a) collection, recording, organisation, structuring or storage,

(b) adaptation or alteration,

(c) retrieval, consultation or use,

(d) disclosure by transmission, dissemination or otherwise making
available,

(e) alignment or combination, or

(f) restriction, erasure or destruction,

(subject to subsection (14)(b) and sections 4(7), 27(2) and 80(3), which make
provision about references to processing in the different Parts of this Act).

(5) “Data subject” means the identified or identifiable living individual to whom
personal data relates.

(6) “Controller” and “processor”, in relation to the processing of personal data to
which Chapter 2 or 3 of Part 2, Part 3 or Part 4 applies, have the same meaning
as in that Chapter or Part (see sections 4, 5, 30 and 81).

(7) “Filing system” means any structured set of personal data which is accessible
according to specific criteria, whether held by automated means or manually
and whether centralised, decentralised or dispersed on a functional or
geographical basis.

(8) “The Commissioner” means the Information Commissioner (see section 112).

(9) “The data protection legislation” means—

(a) the GDPR,

(b) the applied GDPR,

(c) this Act,

(d) regulations made under this Act, and

(e) regulations made under section 2(2) of the European Communities Act
1972 which relate to the GDPR or the Law Enforcement Directive.

(10) “The GDPR” means Regulation (EU) 2016/679 of the European Parliament and
of the Council of 27 April 2016 on the protection of natural persons with regard
to the processing of personal data and on the free movement of such data
(General Data Protection Regulation).

(11) “The applied GDPR” means the GDPR as applied by Chapter 3 of Part 2.
(12) “The Law Enforcement Directive” means Directive (EU) 2016/680 of the
European Parliament and of the Council of 27 April 2016 on the protection of
natural persons with regard to the processing of personal data by competent
authorities for the purposes of the prevention, investigation, detection or
prosecution of criminal offences or the execution of criminal penalties, and on
the free movement of such data, and repealing Council Framework Decision
2008/977/JHA.

(13) “The Data Protection Convention” means the Convention for the Protection of
Individuals with regard to Automatic Processing of Personal Data which was
opened for signature on 28 January 1981, as amended up to the day on which
this Act is passed.

(14) In Parts 5 to 7, except where otherwise provided—

(a) references to the GDPR are to the GDPR read with Chapter 2 of Part 2
and include the applied GDPR read with Chapter 3 of Part 2;

(b) references to processing and personal data are to processing and
personal data to which Chapter 2 or 3 of Part 2, Part 3 or Part 4 applies.

(15) There is an index of defined expressions in section 185.

Part 2 General processing

CHAPTER 1 Scope and definitions

3 Processing to which this Part applies

(1) This Part is relevant to most processing of personal data.

(2) Chapter 2 of this Part—

(a) applies to the types of processing of personal data to which the GDPR
applies by virtue of Article 2 of the GDPR, and

(b) supplements, and must be read with, the GDPR.

(3) Chapter 3 of this Part—

(a) applies to certain types of processing of personal data to which the
GDPR does not apply (see section 19), and

(b) makes provision for a regime broadly equivalent to the GDPR to apply
to such processing.

4 Definitions

(1) Terms used in Chapter 2 and in the GDPR have the same meaning in Chapter
2 as they have in the GDPR.

(2) In subsection (1), the reference to a term’s meaning in the GDPR is to its
meaning in the GDPR read with any provision of Chapter 2 which modifies the
term’s meaning for the purposes of the GDPR.

(3) Subsection (1) is subject to any provision in Chapter 2 which provides
expressly for the term to have a different meaning.
(4) Terms used in Chapter 3 and in the applied GDPR have the same meaning in
Chapter 3 as they have in the applied GDPR.

(5) In subsection (4), the reference to a term’s meaning in the applied GDPR is to
its meaning in the GDPR read with any provision of Chapter 2 (as applied by
Chapter 3) or Chapter 3 which modifies the term’s meaning for the purposes
of the applied GDPR.

(6) Subsection (4) is subject to any provision in Chapter 2 (as applied by Chapter
3) or Chapter 3 which provides expressly for the term to have a different
meaning.

(7) A reference in Chapter 2 or Chapter 3 to the processing of personal data is to
processing to which the Chapter applies.

(8) Sections 2 and 184 include definitions of other expressions used in this Part.

CHAPTER 2 The GDPR

Meaning of certain terms used in the GDPR

5 Meaning of “controller”

(1) The definition of “controller” in Article 4(7) of the GDPR has effect subject to—

(a) subsection (2),

(b) section 188, and

(c) section 189.

(2) For the purposes of the GDPR, where personal data is processed only—

(a) for purposes for which it is required by an enactment to be processed,
and

(b) by means by which it is required by an enactment to be processed,

the person on whom the obligation to process the data is imposed by the
enactment (or, if different, one of the enactments) is the controller.

6 Meaning of “public authority” and “public body”

(1) For the purposes of the GDPR, the following (and only the following) are
“public authorities” and “public bodies” under the law of the United
Kingdom—

(a) a public authority as defined by the Freedom of Information Act 2000,
subject to subsection (2),

(b) a Scottish public authority as defined by the Freedom of Information
(Scotland) Act 2002 (asp 13), subject to subsection (2), and

(c) an authority or a body specified by the Secretary of State in regulations.

(2) The Secretary of State may by regulations provide that a person specified in the
regulations that is a public authority described in subsection (1)(a) or (b) is not
a “public authority” or “public body” for the purposes of the GDPR.

(3) Regulations under this section are subject to the affirmative resolution
procedure.

Lawfulness of processing

7 Lawfulness of processing: public interest etc

In Article 6(1) of the GDPR (lawfulness of processing), the reference in point (e)
to processing of personal data that is necessary for the performance of a task
carried out in the public interest or in the exercise of the controller’s official
authority includes processing of personal data that is necessary for—

(a) the administration of justice,

(b) the exercise of a function of either House of Parliament,

(c) the exercise of a function conferred on a person by an enactment, or

(d) the exercise of a function of the Crown, a Minister of the Crown or a
government department.

8 Child’s consent in relation to information society services

In Article 8(1) of the GDPR (conditions applicable to child’s consent in relation
to information society services)—

(a) references to “16 years” are to be read as references to “13 years”, and

(b) the reference to “information society services” does not include
preventive or counselling services.

Special categories of personal data

9 Special categories of personal data and criminal convictions etc data

(1) Subsections (2) and (3) make provision about the processing of personal data
described in Article 9(1) of the GDPR (prohibition on processing of special
categories of personal data) in reliance on an exception in one of the following
points of Article 9(2)—

(a) point (b) (employment, social security and social protection);

(b) point (g) (substantial public interest);

(c) point (h) (health and social care);

(d) point (i) (public health);

(e) point (j) (archiving, research and statistics).

(2) The processing meets the requirement in point (b), (h), (i) or (j) of Article 9(2)
of the GDPR for authorisation by, or a basis in, the law of the United Kingdom
or a part of the United Kingdom only if it meets a condition in Part 1 of
Schedule 1.

(3) The processing meets the requirement in point (g) of Article 9(2) of the GDPR
for a basis in the law of the United Kingdom or a part of the United Kingdom
only if it meets a condition in Part 2 of Schedule 1.

(4) Subsection (5) makes provision about the processing of personal data relating
to criminal convictions and offences or related security measures that is not
carried out under the control of official authority.

(5) The processing meets the requirement in Article 10 of the GDPR for
authorisation by the law of the United Kingdom or a part of the United
Kingdom only if it meets a condition in Part 1, 2 or 3 of Schedule 1.

(6) The Secretary of State may by regulations—
(a) amend Schedule 1 by adding, varying or omitting conditions or
safeguards, and

(b) make consequential amendments of this section.

(7) Regulations under this section are subject to the affirmative resolution
procedure.

10 Special categories of personal data etc: supplementary

(1) For the purposes of Article 9(2)(h) of the GDPR (processing for health or social
care purposes etc), the circumstances in which the processing of personal data
is carried out subject to the conditions and safeguards referred to in Article 9(3)
of the GDPR (obligation of secrecy) include circumstances in which it is carried
out—

(a) by or under the supervision of a health professional or a social work
professional, or

(b) by another person who in the circumstances owes a duty of
confidentiality under an enactment or rule of law.

(2) In Article 10 of the GDPR and this section, references to personal data relating
to criminal convictions and offences or related security measures include
personal data relating to—

(a) the alleged commission of offences by the data subject, or

(b) proceedings for an offence committed or alleged to have been
committed by the data subject or the disposal of such proceedings,
including sentencing.

Rights of the data subject

11 Limits on fees that may be charged by controllers

(1) The Secretary of State may by regulations specify limits on the fees that a
controller may charge in reliance on—

(a) Article 12(5) of the GDPR (reasonable fees when responding to
manifestly unfounded or excessive requests), or

(b) Article 15(3) of the GDPR (reasonable fees for provision of further
copies).

(2) The Secretary of State may by regulations—

(a) require controllers of a description specified in the regulations to
produce and publish guidance about the fees that they charge in
reliance on those provisions, and

(b) specify what the guidance must include.

(3) Regulations under this section are subject to the negative resolution procedure.

12 Obligations of credit reference agencies

(1) This section applies where a controller is a credit reference agency (within the
meaning of section 145(8) of the Consumer Credit Act 1974).

(2) The controller’s obligations under Article 15(1) to (3) of the GDPR
(confirmation of processing, access to data and safeguards for third country
transfers) are taken to apply only to personal data relating to the data subject’s
financial standing, unless the data subject has indicated a contrary intention.

(3) Where the controller discloses personal data in pursuance of Article 15(1) to (3)
of the GDPR, the disclosure must be accompanied by a statement informing the
data subject of the data subject’s rights under section 159 of the Consumer
Credit Act 1974 (correction of wrong information).

13 Automated decision-making authorised by law: safeguards

(1) This section makes provision for the purposes of Article 22(2)(b) of the GDPR
(exception from prohibition on taking significant decisions based solely on
automated processing for decisions that are authorised by law and subject to
safeguards for the data subject’s rights, freedoms and legitimate interests).

(2) A decision is a “significant decision” for the purposes of this section if, in
relation to a data subject, it—

(a) produces legal effects concerning the data subject, or

(b) significantly affects the data subject.

(3) A decision is a “qualifying significant decision” for the purposes of this section
if—

(a) it is a significant decision in relation to a data subject,

(b) it is required or authorised by law, and

(c) it does not fall within Article 22(2)(a) or (c) of the GDPR (decisions
necessary to a contract or made with the data subject’s consent).

(4) Where a controller takes a qualifying significant decision in relation to a data
subject based solely on automated processing—

(a) the controller must, as soon as reasonably practicable, notify the data
subject in writing that a decision has been taken based solely on
automated processing, and

(b) the data subject may, before the end of the period of 21 days beginning
with receipt of the notification, request the controller to—

(i) reconsider the decision, or

(ii) take a new decision that is not based solely on automated
processing.

(5) If a request is made to a controller under subsection (4), the controller must,
before the end of the period of 21 days beginning with receipt of the request—

(a) consider the request, including any information provided by the data
subject that is relevant to it,

(b) comply with the request, and

(c) by notice in writing inform the data subject of—

(i) the steps taken to comply with the request, and

(ii) the outcome of complying with the request.

(6) The Secretary of State may by regulations make such further provision as the
Secretary of State considers appropriate to provide suitable measures to
safeguard a data subject’s rights, freedoms and legitimate interests in
connection with the taking of qualifying significant decisions based solely on
automated processing.

(7) Regulations under subsection (6)—

(a) may amend this section, and

(b) are subject to the affirmative resolution procedure.

Restrictions on data subject’s rights

14 Exemptions etc

(1) Schedules 2, 3 and 4 make provision for exemptions from, and restrictions and
adaptations of the application of, rules of the GDPR.

(2) In Schedule 2—

(a) Part 1 makes provision adapting or restricting the application of rules
contained in Articles 13 to 21 of the GDPR in specified circumstances,
as allowed for by Article 6(3) and Article 23(1) of the GDPR;

(b) Part 2 makes provision restricting the application of rules contained in
Articles 13 to 21 of the GDPR in specified circumstances, as allowed for
by Article 23(1) of the GDPR;

(c) Part 3 makes provision restricting the application of Article 15 of the
GDPR where this is necessary to protect the rights of others, as allowed
for by Article 23(1) of the GDPR;

(d) Part 4 makes provision restricting the application of rules contained in
Articles 13 to 15 of the GDPR in specified circumstances, as allowed for
by Article 23(1) of the GDPR;

(e) Part 5 makes provision containing exemptions or derogations from
Chapters II, III and VII of the GDPR for reasons relating to freedom of
expression, as allowed for by Article 85(2) of the GDPR;

(f) Part 6 makes provision containing derogations from rights contained in
Articles 15, 16, 18, 19, 20 and 21 of the GDPR for scientific or historical
research purposes, statistical purposes and archiving purposes, as
allowed for by Article 89(2) and (3) of the GDPR.

(3) Schedule 3 makes provision restricting the application of rules contained in
Articles 13 to 21 of the GDPR to health, social work, education and child abuse
data, as allowed for by Article 23(1) of the GDPR.

(4) Schedule 4 makes provision restricting the application of rules contained in
Articles 13 to 21 of the GDPR to information the disclosure of which is
prohibited or restricted by an enactment, as allowed for by Article 23(1) of the
GDPR.

(5) In connection with the safeguarding of national security and with defence, see
Chapter 3 of this Part and the exemption in section 24.

15 Power to make further exemptions etc by regulations

(1) The following powers to make provision altering the application of the GDPR
may be exercised by way of regulations made by the Secretary of State under
this section—

(a) the power in Article 6(3) for Member State law to lay down a legal basis
containing specific provisions to adapt the application of rules of the
GDPR where processing is necessary for compliance with a legal
obligation, for the performance of a task in the public interest or in the
exercise of official authority;

(b) the power in Article 23(1) to make a legislative measure restricting the
scope of the obligations and rights mentioned in that Article where
necessary and proportionate to safeguard certain objectives of general
public interest;

(c) the power in Article 85(2) to provide for exemptions or derogations
from certain Chapters of the GDPR where necessary to reconcile the
protection of personal data with the freedom of expression and
information;

(d) the powers in Article 89 for Member State law to provide for
derogations from the rights mentioned in paragraphs (2) and (3) of that
Article where necessary for scientific or historical research purposes,
statistical purposes or archiving purposes.

(2) Regulations under this section may include provision amending or repealing
any provision of section 14 and Schedules 2 to 4.

(3) Regulations under this section are subject to the affirmative resolution
procedure.

Accreditation of certification providers

16 Accreditation of certification providers

(1) Accreditation of a person as a certification provider is only valid when carried
out by—

(a) the Commissioner, or

(b) the national accreditation body.

(2) The Commissioner may only accredit a person as a certification provider
where the Commissioner—

(a) has published a statement that the Commissioner will carry out such
accreditation, and

(b) has not published a notice withdrawing that statement.

(3) The national accreditation body may only accredit a person as a certification
provider where the Commissioner—

(a) has published a statement that the body may carry out such
accreditation, and

(b) has not published a notice withdrawing that statement.

(4) The Commissioner may only publish a statement under subsection (3)(a) if
satisfied that the national accreditation body meets any additional
requirements established by the Commissioner under Article 43(1)(b) of the
GDPR.

(5) The publication of a notice under subsection (2)(b) or (3)(b) does not affect the
validity of any accreditation carried out before its publication.

(6) Schedule 5 makes provision about reviews of, and appeals from, a decision
relating to accreditation of a person as a certification provider.

(7) The national accreditation body may charge a reasonable fee in connection
with, or incidental to, the carrying out of the body’s functions under this
section, Schedule 5 and Article 43 of the GDPR.

(8) The national accreditation authority must provide the Secretary of State with
such information relating to its functions under this section, Schedule 5 and
Article 43 of the GDPR as the Secretary of State may reasonably require.