Data Protection Bill (HL Bill 66)
Data Protection Bill Page 180
of individuals’ rights and freedoms with regard to processing of
personal data to which those Parts apply;
(d)
promote the awareness of controllers and processors of their
obligations under Parts 3 and 4 of this Act;
(e)
on request, provide information to a data subject concerning the
exercise of the data subject’s rights under Parts 3 and 4 of this Act
and, if appropriate, co-operate with LED supervisory authorities and
foreign designated authorities to provide such information;
(f)
co-operate with LED supervisory authorities and foreign designated
authorities with a view to ensuring the consistency of application
and enforcement of the Law Enforcement Directive and the Data
Protection Convention, including by sharing information and
providing mutual assistance;
(g)
conduct investigations on the application of Parts 3 and 4 of this Act,
including on the basis of information received from an LED
supervisory authority, a foreign designated authority or another
public authority;
(h)
monitor relevant developments to the extent that they have an
impact on the protection of personal data, including the
development of information and communication technologies;
(i)
contribute to the activities of the European Data Protection Board
established by the GDPR in connection with the processing of
personal data to which the Law Enforcement Directive applies.
General powers
2
The Commissioner has the following investigative, corrective, authorisation
and advisory powers in relation to processing of personal data to which Part
3 or 4 of this Act applies—
(a)
to notify the controller or the processor of an alleged infringement of
Part 3 or 4 of this Act;
(b)
to issue warnings to a controller or processor that intended
processing operations are likely to infringe provisions of Part 3 or 4
of this Act;
(c)
to issue reprimands to a controller or processor where processing
operations have infringed provisions of Part 3 or 4 of this Act;
(d)
to issue, on the Commissioner’s own initiative or on request,
opinions to Parliament, the government or other institutions and
bodies as well as to the public on any issue related to the protection
of personal data.
Definitions
3 In this Schedule—
“foreign designated authority” means an authority designated for the
purposes of Article 13 of the Data Protection Convention by a party,
other than the United Kingdom, which is bound by that Convention;
“LED supervisory authority” means a supervisory authority for the
purposes of Article 41 of the Law Enforcement Directive in a member
State other than the United Kingdom.
Section 116
SCHEDULE 14 Co-operation and mutual assistance
Part 1 Law Enforcement Directive
Co-operation
1
(1)
The Commissioner may provide information or assistance to an LED
supervisory authority to the extent that, in the opinion of the Commissioner,
providing that information or assistance is necessary for the performance of
the recipient’s data protection functions.
(2)
The Commissioner may ask an LED supervisory authority to provide
information or assistance which the Commissioner requires for the
performance of the Commissioner’s data protection functions.
(3)
In this paragraph, “data protection functions” means functions relating to
the protection of individuals with respect to the processing of personal data.
Requests for information and assistance from LED supervisory authorities
2
(1)
This paragraph applies where the Commissioner receives a request from an
LED supervisory authority for information or assistance referred to in
Article 41 of the Law Enforcement Directive and the request—
(a) explains the purpose of and reasons for the request, and
(b)
contains all other information necessary to enable the Commissioner
to respond.
(2) The Commissioner must—
(a)
take all appropriate measures required to reply to the request
without undue delay and, in any event, before the end of the period
of 1 month beginning with receipt of the request, and
(b)
inform the LED supervisory authority of the results or, as the case
may be, of the progress of the measures taken in order to respond to
the request.
(3) The Commissioner must not refuse to comply with the request unless—
(a) the Commissioner does not have power to do what is requested, or
(b)
complying with the request would infringe the Law Enforcement
Directive, EU legislation or the law of the United Kingdom or a part
of the United Kingdom.
(4)
If the Commissioner refuses to comply with a request from an LED
supervisory authority, the Commissioner must inform the authority of the
reasons for the refusal.
(5)
As a general rule, the Commissioner must provide information requested by
LED supervisory authorities by electronic means using a standardised
format.
Fees
3
(1)
Subject to sub-paragraph (2), any information or assistance that is required
to be provided by this Part of this Schedule must be provided free of charge.
(2)
The Commissioner may enter into agreements with other LED supervisory
authorities for the Commissioner and other authorities to indemnify each
other for expenditure arising from the provision of assistance in exceptional
circumstances.
Restrictions on use of information
4
Where the Commissioner receives information from an LED supervisory
authority as a result of a request under paragraph 1(2), the Commissioner
may use the information only for the purposes specified in the request.
LED supervisory authority
5
In this Part of this Schedule, “LED supervisory authority” means a
supervisory authority for the purposes of Article 41 of the Law Enforcement
Directive in a member State other than the United Kingdom.
Part 2 Data Protection Convention
Co-operation between the Commissioner and foreign designated authorities
6 (1) The Commissioner must, at the request of a foreign designated authority—
(a)
provide that authority with such information referred to in Article
13(3)(a) of the Data Protection Convention (information on law and
administrative practice in the field of data protection) as is the
subject of the request, and
(b)
take appropriate measures in accordance with Article 13(3)(b) of the
Data Protection Convention for providing that authority with
information relating to the processing of personal data in the United
Kingdom.
(2) The Commissioner may ask a foreign designated authority—
(a)
to provide the Commissioner with information referred to in Article
13(3) of the Data Protection Convention, or
(b) to take appropriate measures to provide such information.
Assisting persons resident outside the UK with requests under Article 14 of the Convention
7
(1)
This paragraph applies where a request for assistance in exercising any of
the rights referred to in Article 8 of the Data Protection Convention in the
United Kingdom is made by a person resident outside the United Kingdom,
including where the request is forwarded to the Commissioner through the
Secretary of State or a foreign designated authority.
(2)
The Commissioner must take appropriate measures to assist the person to
exercise those rights.
Assisting UK residents with requests under Article 8 of the Convention
8
(1)
This paragraph applies where a request for assistance in exercising any of
the rights referred to in Article 8 of the Data Protection Convention in a
country or territory (other than the United Kingdom) specified in the request
is—
(a) made by a person resident in the United Kingdom, and
(b)
submitted through the Commissioner under Article 14(2) of the
Convention.
(2)
If the Commissioner is satisfied that the request contains all necessary
particulars referred to in Article 14(3) of the Data Protection Convention, the
Commissioner must send the request to the foreign designated authority in
the specified country or territory.
(3)
Otherwise, the Commissioner must, where practicable, notify the person
making the request of the reasons why the Commissioner is not required to
assist.
Restrictions on use of information
9
Where the Commissioner receives information from a foreign designated
authority as a result of—
(a) a request made by the Commissioner under paragraph 6(2), or
(b) a request received by the Commissioner under paragraph 6(1) or 7,
the Commissioner may use the information only for the purposes specified
in the request.
Foreign designated authority
10
In this Part of this Schedule, “foreign designated authority” means an
authority designated for the purposes of Article 13 of the Data Protection
Convention by a party, other than the United Kingdom, which is bound by
that Data Protection Convention.
Section 147
SCHEDULE 15 Powers of entry and inspection
Issue of warrants in connection with non-compliance and offences
1
(1)
This paragraph applies if a circuit judge or a District Judge (Magistrates’
Courts) is satisfied by information on oath supplied by the Commissioner
that—
(a) there are reasonable grounds for suspecting that—
(i)
a controller or processor has failed or is failing as described
in section 142(2), or
(ii) an offence under this Act has been or is being committed, and
(b)
there are reasonable grounds for suspecting that evidence of the
failure or of the commission of the offence is to be found on premises
specified in the information.
(2) The judge may grant a warrant to the Commissioner.
Issue of warrants in connection with assessment notices
2
(1)
This paragraph applies if a circuit judge or a District Judge (Magistrates’
Courts) is satisfied by information on oath supplied by the Commissioner
that a controller or processor has failed to comply with a requirement
imposed by an assessment notice.
(2)
The judge may, for the purpose of enabling the Commissioner to determine
whether the controller or processor has complied or is complying with the
data protection legislation, grant a warrant to the Commissioner in relation
to premises that were specified in the assessment notice.
Restrictions on issuing warrants: processing for the special purposes
3
A judge must not issue a warrant under this Schedule in respect of personal
data processed for the special purposes unless a determination under
section 164 with respect to the data or the processing has taken effect.
Restrictions on issuing warrants: procedural requirements
4 (1) A judge must not issue a warrant under this Schedule unless satisfied that—
(a) the conditions in sub-paragraphs (2) to (4) are met,
(b)
compliance with those conditions would defeat the object of entry to
the premises in question, or
(c)
the Commissioner requires access to the premises in question
urgently.
(2)
The first condition is that the Commissioner has given 7 days’ notice in
writing to the occupier of the premises in question demanding access to the
premises.
(3) The second condition is that—
(a)
access to the premises was demanded at a reasonable hour and was
unreasonably refused, or
(b)
entry to the premises was granted but the occupier unreasonably
refused to comply with a request by the Commissioner or the
Commissioner’s officers or staff to be allowed to do any of the things
referred to in paragraph 5.
(4) The third condition is that, since the refusal, the occupier of the premises—
(a)
has been notified by the Commissioner of the application for the
warrant, and
(b)
has had an opportunity to be heard by the judge on the question of
whether or not the warrant should be issued.
(5)
In determining whether the first condition is met, an assessment notice
given to the occupier is to be disregarded.
Content of warrants
5
(1)
A warrant issued under this Schedule must authorise the Commissioner or
any of the Commissioner’s officers or staff—
(a) to enter the premises,
(b) to search the premises, and
(c)
to inspect, examine, operate and test any equipment found on the
premises which is used or intended to be used for the processing of
personal data.
(2)
A warrant issued under paragraph 1 must authorise the Commissioner or
any of the Commissioner’s officers or staff—
(a)
to inspect and seize any documents or other material found on the
premises which may be evidence of the failure or offence mentioned
in that paragraph,
(b)
to require any person on the premises to provide an explanation of
any document or other material found on the premises, and
(c)
to require any person on the premises to provide such other
information as may reasonably be required for the purpose of
determining whether the controller or processor has failed or is
failing as described in section 142(2).
(3)
A warrant issued under paragraph 2 must authorise the Commissioner or
any of the Commissioner’s officers or staff—
(a)
to inspect and seize any documents or other material found on the
premises which may enable the Commissioner to determine whether
the controller or processor has complied or is complying with the
data protection legislation,
(b)
to require any person on the premises to provide an explanation of
any document or other material found on the premises, and
(c)
to require any person on the premises to provide such other
information as may reasonably be required for the purpose of
determining whether the controller or processor has complied or is
complying with the data protection legislation.
(4)
A warrant issued under this Schedule must authorise the Commissioner or
any of the Commissioner’s officers or staff to do the things described in
sub-paragraphs (1) to (3) at any time in the period of 7 days beginning with the
day on which the warrant is issued.
Copies of warrants
6 A judge who issues a warrant under this Schedule must—
(a) issue two copies of it, and
(b) certify them clearly as copies.
Execution of warrants: reasonable force
7
A person executing a warrant issued under this Schedule may use such
reasonable force as may be necessary.
Execution of warrants: time when executed
8
A warrant issued under this Schedule may be executed only at a reasonable
hour, unless it appears to the person executing it that there are grounds for
suspecting that exercising it at a reasonable hour would defeat the object of
the warrant.
Execution of warrants: occupier of premises
9
(1)
If an occupier of the premises in respect of which a warrant is issued under
this Schedule is present when the warrant is executed, the person executing
the warrant must—
(a) show the occupier the warrant, and
(b) give the occupier a copy of it.
(2)
Otherwise, a copy of the warrant must be left in a prominent place on the
premises.
Execution of warrants: seizure of documents etc
10
(1)
This paragraph applies where a person executing a warrant under this
Schedule seizes something.
(2) The person must, on request—
(a) give a receipt for it, and
(b) give an occupier of the premises a copy of it.
(3)
Sub-paragraph (2)(b) does not apply if the person executing the warrant
considers that providing a copy would result in undue delay.
(4)
Anything seized may be retained for so long as is necessary in all the
circumstances.
Matters exempt from inspection and seizure: privileged communications
11
(1)
The powers of inspection and seizure conferred by a warrant issued under
this Schedule are not exercisable in respect of a communication which is
made—
(a) between a professional legal adviser and the adviser’s client, and
(b)
in connection with the giving of legal advice to the client with respect
to obligations, liabilities or rights under the data protection
legislation.
(2)
The powers of inspection and seizure conferred by a warrant issued under
this Schedule are not exercisable in respect of a communication which is
made—
(a)
between a professional legal adviser and the adviser’s client or
between such an adviser or client and another person,
(b)
in connection with or in contemplation of proceedings under or
arising out of the data protection legislation, and
(c) for the purposes of such proceedings.
(3)
Sub-paragraphs (1) and (2) do not prevent the exercise of powers conferred
by a warrant issued under this Schedule in respect of—
(a)
anything in the possession of a person other than the professional
legal adviser or the adviser’s client, or
(b) anything held with the intention of furthering a criminal purpose.
(4) The references to a communication in sub-paragraphs (1) and (2) include—
(a) a copy or other record of the communication, and
(b)
anything enclosed with or referred to in the communication if made
as described in sub-paragraph (1)(b) or in sub-paragraph (2)(b) and
(c).
(5)
In sub-paragraphs (1) to (3), the references to the client of a professional legal
adviser include a person acting on behalf of such a client.
Matters exempt from inspection and seizure: Parliamentary privilege
12
The powers of inspection and seizure conferred by a warrant issued under
this Schedule are not exercisable where their exercise would involve an
infringement of the privileges of either House of Parliament.
Partially exempt material
13
(1)
This paragraph applies if a person in occupation of premises in respect of
which a warrant is issued under this Schedule objects to the inspection or
seizure of any material under the warrant on the grounds that it consists
partly of matters in respect of which those powers are not exercisable.
(2)
The person must, if the person executing the warrant so requests, provide
that person with a copy of so much of the material as is not exempt from
those powers.
Return of warrants
14 (1) Where a warrant issued under this Schedule is executed—
(a)
it must be returned to the court from which it was issued after being
executed, and
(b)
the person by whom it is executed must write on the warrant a
statement of the powers that have been exercised under the warrant.
(2)
Where a warrant issued under this Schedule is not executed, it must be
returned to the court from which it was issued within the time authorised
for its execution.
Offences
15 (1) It is an offence for a person—
(a)
intentionally to obstruct a person in the execution of a warrant issued
under this Schedule, or
(b)
to fail without reasonable excuse to give a person executing such a
warrant such assistance as the person may reasonably require for the
execution of the warrant.
(2) It is an offence for a person—
(a)
to make a statement in response to a requirement under paragraph
5(2)(b) or (c) or (3)(b) or (c) which the person knows to be false in a
material respect, or
(b)
recklessly to make a statement in response to such a requirement
which is false in a material respect.
Self-incrimination
16
(1)
An explanation given, or information provided, by a person in response to a
requirement under paragraph 5(2)(b) or (c) or (3)(b) or (c) may only be used
in evidence against that person—
(a)
on a prosecution for an offence under a provision listed in
sub-paragraph (2), or
(b) on a prosecution for any other offence where—
(i)
in giving evidence that person makes a statement
inconsistent with that explanation or information, and
(ii)
evidence relating to that explanation or information is
adduced, or a question relating to it is asked, by that person
or on that person’s behalf.
(2) Those provisions are—
(a) paragraph 15,
(b)
section 5 of the Perjury Act 1911 (false statements made otherwise
than on oath),
(c)
section 44(2) of the Criminal Law (Consolidation) (Scotland) Act
1995 (false statements made otherwise than on oath), or
(d)
Article 10 of the Perjury (Northern Ireland) Order 1979 (false
statutory declarations and other false unsworn statements).
Vessels, vehicles etc
17 In this Schedule—
(a)
“premises” includes a vehicle, vessel or other means of transport,
and
(b)
references to the occupier of premises include the person in charge of
a vehicle, vessel or other means of transport.
Scotland
18 In the application of this Schedule to Scotland—
(a)
references to a circuit judge have effect as if they were references to
the sheriff or the summary sheriff,
(b)
references to information on oath have effect as if they were
references to evidence on oath, and
(c)
references to the court from which the warrant was issued have
effect as if they were references to the sheriff clerk.
Northern Ireland
19 In the application of this Schedule to Northern Ireland—
(a)
references to a circuit judge have effect as if they were references to
a county court judge, and
(b)
references to information on oath have effect as if they were
references to a complaint on oath.
Section 148
SCHEDULE 16 Penalties
Meaning of “penalty”
1 In this Schedule, “penalty” means a penalty imposed by a penalty notice.
Notice of intent to impose penalty
2
(1)
Before giving a person a penalty notice, the Commissioner must, by written
notice (a “notice of intent”) inform the person that the Commissioner intends
to give a penalty notice.
(2)
The Commissioner may not give a penalty notice in reliance on a notice of
intent after the end of the period of 6 months beginning with the day after
the notice of intent is given.
Contents of notice of intent
3 (1) A notice of intent must contain the following information—
(a)
the name and address of the person to whom the Commissioner
proposes to give a penalty notice;
(b)
the reasons why the Commissioner proposes to give a penalty notice
(see sub-paragraph (2));
(c)
an indication of the amount of the penalty the Commissioner
proposes to impose, including any aggravating or mitigating factors
that the Commissioner proposes to take into account;
(d)
the date on which the Commissioner proposes to give the penalty
notice.
(2) The information required under sub-paragraph (1)(b) includes—
(a) a description of the circumstances of the failure, and
(b)
where the notice is given in respect of a failure described in section
142(2), the nature of the personal data involved in the failure.
(3) A notice of intent must also—
(a)
state that the person may make written representations about the
Commissioner’s intention to give a penalty notice, and
(b) specify the period within which such representations may be made.
(4)
The period specified for making written representations must be a period of
not less than 21 days beginning with the day on which the notice of intent is
given.
(5)
If the Commissioner considers that it is appropriate for the person to have
an opportunity to make oral representations about the Commissioner’s
intention to give a penalty notice, the notice of intent must also—
(a) state that the person may make such representations, and
(b)
specify the arrangements for making such representations and the
time at which, or the period within which, they may be made.