Data Protection Bill (HL Bill 66)

Data Protection Bill, Page 190

Giving a penalty notice

4 (1) The Commissioner may not give a penalty notice before a time, or before the
end of a period, specified in the notice of intent for making oral or written
representations.

(2) When deciding whether to give a penalty notice to a person and determining
the amount of the penalty, the Commissioner must consider any oral or
written representations made by the person in accordance with the notice of
intent.

Contents of penalty notice

5 (1) A penalty notice must contain the following information—

(a) the name and address of the person to whom it is addressed;

(b) details of the notice of intent given to the person;

(c) whether the Commissioner received oral or written representations
in accordance with the notice of intent;

(d) the reasons why the Commissioner proposes to impose the penalty
(see sub-paragraph (2));

(e) the reasons for the amount of the penalty, including any aggravating
or mitigating factors that the Commissioner has taken into account;

(f) details of how the penalty is to be paid;

(g) details of the rights of appeal under section 154;

(h) details of the Commissioner’s enforcement powers under this
Schedule.

(2) The information required under sub-paragraph (1)(d) includes—

(a) a description of the circumstances of the failure, and

(b) where the notice is given in respect of a failure described in section
142(2), the nature of the personal data involved in the failure.

Period for payment of penalty

6 (1) A penalty must be paid to the Commissioner within the period specified in
the penalty notice.

(2) The period specified must be a period of not less than 28 days beginning
with the day after the day on which the penalty notice is given.

Variation of penalty

7 (1) The Commissioner may vary a penalty notice by giving written notice (a
“penalty variation notice”) to the person to whom it was given.

(2) A penalty variation notice must specify—

(a) the penalty notice concerned, and

(b) how it is varied.

(3) A penalty variation notice may not—

(a) reduce the period for payment of the penalty;

(b) increase the amount of the penalty;

(c) otherwise vary the penalty notice to the detriment of the person to
whom it was given.


(4) If—

(a) a penalty variation notice reduces the amount of the penalty, and

(b) when that notice is given, an amount has already been paid that
exceeds the amount of the reduced penalty,

the Commissioner must repay the excess.

Cancellation of penalty

8 (1) The Commissioner may cancel a penalty notice by giving written notice to
the person to whom it was given.

(2) If a penalty notice is cancelled, the Commissioner—

(a) may not take any further action under section 148 or this Schedule in
relation to the failure to which that notice relates, and

(b) must repay any amount that has been paid in accordance with that
notice.

Enforcement of payment

9 (1) The Commissioner must not take action to recover a penalty unless—

(a) the period specified in accordance with paragraph 6 has ended,

(b) any appeals against the penalty notice have been decided or
otherwise ended,

(c) if the penalty notice has been varied, any appeals against the penalty
variation notice have been decided or otherwise ended, and

(d) the period for the controller or processor to appeal against the
penalty, and any variation of it, has ended.

(2) In England and Wales, a penalty is recoverable—

(a) if the county court so orders, as if it were payable under an order of
that court;

(b) if the High Court so orders, as if it were payable under an order of
that court.

(3) In Scotland, a penalty may be enforced in the same manner as an extract
registered decree arbitral bearing a warrant for execution issued by the
sheriff court of any sheriffdom in Scotland.

(4) In Northern Ireland, a penalty is recoverable—

(a) if a county court so orders, as if it were payable under an order of that
court;

(b) if the High Court so orders, as if it were payable under an order of
that court.

Section 171

SCHEDULE 17 Relevant records

Relevant records

1 (1) In section 171, “relevant record” means—

(a) a health record,


(b) a relevant record relating to a conviction or caution (see paragraph
2), or

(c) a relevant record relating to statutory functions (see paragraph 3).

(2) A record is not a “relevant record” to the extent that it relates, or is to relate,
only to personal data which falls within section 19(2) (manual unstructured
personal data held by FOI public authorities).

Relevant records relating to a conviction or caution

2 (1) “Relevant record relating to a conviction or caution” means a record
which—

(a) has been or is to be obtained by a data subject in the exercise of a data
subject access right from a person listed in sub-paragraph (2), and

(b) contains information relating to a conviction or caution.

(2) Those persons are—

(a) the chief constable of a police force maintained under section 2 of the
Police Act 1996;

(b) the Commissioner of Police of the Metropolis;

(c) the Commissioner of Police for the City of London;

(d) the Chief Constable of the Police Service of Northern Ireland;

(e) the chief constable of the Police Service of Scotland;

(f) the Director General of the National Crime Agency;

(g) the Secretary of State.

(3) In this paragraph—

  • “caution” means a caution given to a person in England and Wales or
    Northern Ireland in respect of an offence which, at the time when the
    caution is given, is admitted;

  • “conviction” has the same meaning as in the Rehabilitation of
    Offenders Act 1974 or the Rehabilitation of Offenders (Northern
    Ireland) Order 1978 (S.I. 1978/1908 (N.I 27)).

Relevant records relating to statutory functions

3 (1) “Relevant record relating to statutory functions” means a record which—

(a) has been or is to be obtained by a data subject in the exercise of a data
subject access right from a person listed in sub-paragraph (2), and

(b) contains information relating to a relevant function in relation to that
person.

(2) Those persons are—

(a) the Secretary of State;

(b) the Department for Communities in Northern Ireland;

(c) the Scottish Ministers;

(d) the Disclosure and Barring Service.

(3) In relation to the Secretary of State, the “relevant functions” are—

(a) the Secretary of State’s functions in relation to a person sentenced to
detention under—

(i) section 92 of the Powers of Criminal Courts (Sentencing) Act
2000,


(ii) section 205(2) or 208 of the Criminal Procedure (Scotland) Act
1995, or

(iii) section 73 of the Children and Young Persons Act (Northern
Ireland) 1968 (c. 34 (N.I.));

(b) the Secretary of State’s functions in relation to a person imprisoned
or detained under—

(i) the Prison Act 1952,

(ii) the Prisons (Scotland) Act 1989, or

(iii) the Prison Act (Northern Ireland) 1953 (c. 18 (N.I.));

(c) the Secretary of State’s functions under—

(i) the Social Security Contributions and Benefits Act 1992,

(ii) the Social Security Administration Act 1992,

(iii) the Jobseekers Act 1995,

(iv) Part 1 of the Welfare Reform Act 2007, or

(v) Part 1 of the Welfare Reform Act 2012.

(4) In relation to the Department for Communities in Northern Ireland, the
“relevant functions” are its functions under—

(a) the Social Security Contributions and Benefits (Northern Ireland)
Act 1992,

(b) the Social Security Administration (Northern Ireland) Act 1992,

(c) the Jobseekers (Northern Ireland) Order 1995 (S.I. 1995/2705
(N.I. 15)), or

(d) Part 1 of the Welfare Reform Act (Northern Ireland) 2007 (c. 2 (N.I.)).

(5) In relation to the Scottish Ministers, the “relevant functions” are their
functions under Parts 1 and 2 of the Protection of Vulnerable Groups
(Scotland) Act 2007 (asp 14).

(6) In relation to the Disclosure and Barring Service, the “relevant functions” are
its functions under—

(a) the Safeguarding Vulnerable Groups Act 2006, or

(b) the Safeguarding Vulnerable Groups (Northern Ireland) Order 2007
(S.I. 2007/1351 (N.I. 11)).

Data subject access right

4 In this Schedule, “data subject access right” means a right under—

(a) Article 15 of the GDPR (right of access by the data subject);

(b) Article 20 of the GDPR (right to data portability);

(c) section 43 of this Act (law enforcement processing: right of access by
the data subject);

(d) section 92 of this Act (intelligence services processing: right of access
by the data subject).

Records stating that personal data is not processed

5 For the purposes of this Schedule, a record which states that a controller is
not processing personal data relating to a particular matter is to be taken to
be a record containing information relating to that matter.


Power to amend

6 (1) The Secretary of State may by regulations amend this Schedule.

(2) Regulations under this paragraph are subject to the affirmative resolution
procedure.

Section 190

SCHEDULE 18 Minor and consequential amendments

Consumer Credit Act 1974 (c. 39)

1 (1) The Consumer Credit Act 1974 is amended as follows.

(2) In section 157 (duty to disclose name etc of agency)—

(a) in subsection (2A)(a), for “the Data Protection Act 1998” substitute
“the GDPR”;

(b) in subsection (2A)(b), after “any” insert “other”;

(c) after subsection (4) insert—

“(5) In this section “the GDPR” has the same meaning as in Parts
5 to 7 of the Data Protection Act 2017 (see section 2(14) of that
Act).”

(3) In section 159 (correction of wrong information)—

(a) in subsection (1)(a), for “section 7 of the Data Protection Act 1998”
substitute “Article 15(1) to (3) of the GDPR (confirmation of
processing, access to data and safeguards for third country
transfers)”;

(b) after subsection (8) insert—

“(9) In this section “the GDPR” has the same meaning as in Parts
5 to 7 of the Data Protection Act 2017 (see section 2(14) of that
Act).”

Data Protection Act 1998 (c. 29)

2 The Data Protection Act 1998 is repealed.

Immigration and Asylum Act 1999 (c. 33)

3 (1) Section 13 of the Immigration and Asylum Act 1999 (proof of identity of
persons to be removed or deported) is amended as follows.

(2) For subsection (4) substitute—

“(4) For the purposes of Article 49(1)(d) of the GDPR, the provision under
this section of identification data is a transfer of personal data which
is necessary for important reasons of public interest.”

(3) After subsection (4) insert—

“(4A) “The GDPR” has the same meaning as in Parts 5 to 7 of the Data
Protection Act 2017 (see section 2(14) of that Act).”


Freedom of Information Act 2000 (c. 36)

4 The Freedom of Information Act 2000 is amended as follows.

5 In section 2(3) (absolute exemptions), for paragraph (f) substitute—

“(f) section 40(1),

(fa) section 40(2) so far as relating to cases where the first
condition referred to in that subsection is satisfied,”.

6 (1) Section 40 (personal information) is amended as follows.

(2) In subsection (2)—

(a) in paragraph (a), for “do” substitute “does”, and

(b) in paragraph (b), for “either the first or the second” substitute “the
first, second or third”.

(3) For subsection (3) substitute—

“(3A) The first condition is that the disclosure of the information to a
member of the public otherwise than under this Act—

(a) would contravene any of the data protection principles, or

(b) would do so if the exemption in section 22(1) of the Data
Protection Act 2017 (manual unstructured data held by
public authorities) were disregarded.

(3B) The second condition is that the disclosure of the information to a
member of the public otherwise than under this Act would
contravene Article 21 of the GDPR (general processing: right to
object to processing).”

(4) For subsection (4) substitute—

“(4A) The third condition is that—

(a) on a request under Article 15(1) of the GDPR (general
processing: right of access by the data subject) for access to
personal data, the information would be withheld in reliance
on provision made by or under section 14, 15 or 24 of, or
Schedule 2, 3 or 4 to, the Data Protection Act 2017, or

(b) on a request under section 43(1)(b) of that Act (law
enforcement processing: right of access by the data subject),
the information would be withheld in reliance on subsection
(4) of that section.”

(5) For subsection (5) substitute—

“(5A) The duty to confirm or deny does not arise in relation to information
which is (or if it were held by the public authority would be) exempt
information by virtue of subsection (1).

(5B) The duty to confirm or deny does not arise in relation to other
information if or to the extent that any of the following applies—

(a) giving a member of the public the confirmation or denial that
would have to be given to comply with section 1(1)(a)—

(i) would (apart from this Act) contravene any of the
data protection principles, or


(ii) would do so if the exemptions in section 22(1) of the
Data Protection Act 2017 (manual unstructured data
held by public authorities) were disregarded;

(b) giving a member of the public the confirmation or denial that
would have to be given to comply with section 1(1)(a) would
(apart from this Act) contravene Article 21 of the GDPR
(general processing: right to object to processing);

(c) on a request under Article 15(1) of the GDPR (general
processing: right of access by the data subject) for
confirmation of whether personal data is being processed, the
information would be withheld in reliance on a provision
listed in subsection (4A)(a);

(d) on a request under section 43(1)(a) of the Data Protection Act
2017 (law enforcement processing: right of access by the data
subject), the information would be withheld in reliance on
subsection (4) of that section.”

(6) Omit subsection (6).

(7) For subsection (7) substitute—

“(7) In this section—

  • “the data protection principles” means the principles set out
    in—

    (a) Article 5(1) of the GDPR, and

    (b) section 32(1) of the Data Protection Act 2017;

  • “data subject” has the same meaning as in the Data Protection
    Act 2017 (see section 2(5) of that Act);

  • “the GDPR”, “personal data” and “processing” have the same
    meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see
    section 2(14) of that Act).

(8) In determining for the purposes of this section whether the
lawfulness principle in Article 5(1)(a) of the GDPR would be
contravened by the disclosure of information, Article 6(1) of the
GDPR (lawfulness) is to be read as if the second sub-paragraph
(disapplying the legitimate interests gateway in relation to public
authorities) were omitted.”

7 Omit section 49 (reports to be laid before Parliament).

8 For section 61 (appeal proceedings) substitute—

“61 Appeal proceedings

(1) Tribunal Procedure Rules may make provision for regulating the
exercise of rights of appeal conferred by sections 57(1) and (2) and
60(1) and (4).

(2) In relation to appeals under those provisions, Tribunal Procedure
Rules may make provision about—

(a) securing the production of material used for the processing of
personal data, and

(b) the inspection, examination, operation and testing of
equipment or material used in connection with the
processing of personal data.


(3) Subsection (4) applies where—

(a) a person does something, or fails to do something, in relation
to proceedings before the First-tier Tribunal on an appeal
under those provisions, and

(b) if those proceedings were proceedings before a court having
power to commit for contempt, the act or omission would
constitute contempt of court.

(4) The First-tier Tribunal may certify the offence to the Upper Tribunal.

(5) Where an offence is certified under subsection (4), the Upper Tribunal
may—

(a) inquire into the matter, and

(b) deal with the person charged with the offence in any manner
in which it could deal with the person if the offence had been
committed in relation to the Upper Tribunal.

(6) Before exercising the power under subsection (5)(b), the court
must—

(a) hear any witness who may be produced against or on behalf
of the person charged with the offence, and

(b) hear any statement that may be offered in defence.”

9 After section 76A insert—

“76B Disclosure of information to Commissioner or Tribunal

No enactment or rule of law prohibiting or restricting the disclosure
of information precludes a person from providing the
Commissioner, the First-tier Tribunal or the Upper Tribunal with
information necessary for the discharge of their functions under this
Act.

76C Confidentiality of information provided to Commissioner

(1) It is an offence for a person who is or has been the Commissioner, or
a member of the Commissioner’s staff or an agent of the
Commissioner, knowingly or recklessly to disclose information
which—

(a) has been obtained by, or provided to, the Commissioner
under or for the purposes of this Act,

(b) relates to an identified or identifiable living individual or
business, and

(c) is not available to the public from other sources at the time of
the disclosure and has not previously been available to the
public from other sources,

unless the disclosure is made with lawful authority.

(2) For the purposes of subsection (1), a disclosure is made with lawful
authority only if and to the extent that—

(a) the disclosure was made with the consent of the individual or
of the person for the time being carrying on the business,

(b) the information was provided for the purpose of its being
made available to the public (in whatever manner) under a
provision of this Act or the data protection legislation,


(c) the disclosure was made for the purposes of, and is necessary
for, the discharge of a function under this Act or the data
protection legislation,

(d) the disclosure was made for the purposes of, and is necessary
for, the discharge of an EU obligation,

(e) the disclosure was made for the purposes of criminal or civil
proceedings, however arising, or

(f) having regard to the rights, freedoms and legitimate interests
of any person, the disclosure was necessary in the public
interest.

(3) In this section, “the data protection legislation” and “identifiable
living individual” have the same meaning as in the Data Protection
Act 2017 (see section 2 of that Act).”

10 In section 77(1)(b) (offence of altering etc records with intent to prevent
disclosure), omit “or section 7 of the Data Protection Act 1998,”.

Freedom of Information (Scotland) Act 2002 (asp 13)

11 The Freedom of Information (Scotland) Act 2002 is amended as follows.

12 In section 2(2)(e)(ii) (absolute exemptions), omit “by virtue of subsection
(2)(a)(i) or (b) of that section”.

13 (1) Section 38 (personal information) is amended as follows.

(2) In subsection (1), for paragraph (b) substitute—

“(b) personal data and the first, second or third condition is
satisfied (see subsections (2A) to (3A));”.

(3) For subsection (2) substitute—

“(2A) The first condition is that the disclosure of the information to a
member of the public otherwise than under this Act—

(a) would contravene any of the data protection principles, or

(b) would do so if the exemptions in section 22(1) of the Data
Protection Act 2017 (manual unstructured data held by
public authorities) were disregarded.

(2B) The second condition is that the disclosure of the information to a
member of the public otherwise than under this Act would
contravene Article 21 of the GDPR (general processing: right to
object to processing).”

(4) For subsection (3) substitute—

“(3A) The third condition is that—

(a) on a request under Article 15(1) of the GDPR (general
processing: right of access by the data subject) for access to
personal data, the information would be withheld in reliance
on provision made by or under section 14, 15 or 24 of, or
Schedule 2, 3 or 4 to, the Data Protection Act 2017, or

(b) on a request under section 43(1)(b) of that Act (law
enforcement processing: right of access by the data subject),
the information would be withheld in reliance on subsection
(4) of that section.”


(5) Omit subsection (4).

(6) In subsection (5), for the definitions of “the data protection principles” and
of “data subject” and “personal data” substitute—

  • ““the data protection principles” means the principles set out
    in—

    (a) Article 5(1) of the GDPR, and

    (b) section 32(1) of the Data Protection Act 2017;

  • “data subject” has the same meaning as in the Data Protection
    Act 2017 (see section 2(5) of that Act);

  • “the GDPR”, “personal data” and “processing” have the same
    meaning as in Parts 5 to 7 of the Data Protection Act 2017 (see
    section 2(14) of that Act);”.

(7) After that subsection insert—

(5A) In determining for the purposes of this section whether the
lawfulness principle in Article 5(1)(a) of the GDPR would be
contravened by the disclosure of information, Article 6(1) of the
GDPR (lawfulness) is to be read as if the second sub-paragraph
(disapplying the legitimate interests gateway in relation to public
authorities) were omitted.”

Environmental Information Regulations 2004 (S.I. 2004/3391)

14 The Environmental Information Regulations 2004 (S.I. 2004/3391) are
amended as follows.

15 (1) Regulation 2 (interpretation) is amended as follows.

(2) In paragraph (1), at the appropriate places, insert—

  • ““the data protection principles” means the principles set out
    in—

    (a) Article 5(1) of the GDPR,

    (b) section 32(1) of the Data Protection Act 2017, and

    (c) section 83(1) of that Act;”;

  • ““data subject” has the same meaning as in the Data Protection
    Act 2017 (see section 2(5) of that Act);”;

  • ““the GDPR” has the same meaning as in Parts 5 to 7 of the Data
    Protection Act 2017 (see section 2(14) of that Act);”;

  • ““personal data” has the same meaning as in Parts 5 to 7 of the
    Data Protection Act 2017 (see section 2(14) of that Act);”.

(3) For paragraph (4) substitute—

“(4A) In these Regulations, references to the Data Protection Act 2017 have
effect as if in Chapter 3 of Part 2 of that Act (other general
processing)—

(a) the references to an FOI public authority were references to a
public authority as defined in these Regulations, and

(b) the references to personal data held by such an authority
were to be interpreted in accordance with regulation 3(2).”

16 (1) Regulation 13 (personal data) is amended as follows.