Data Protection Bill (HL Bill 66)

Data Protection Bill Page 200

(2) For paragraph (1) substitute—

(1) To the extent that the information requested includes personal data
of which the applicant is not the data subject, a public authority must
not disclose the personal data if—

(a) the first condition is satisfied, or

(b) the second or third condition is satisfied and, in all the
circumstances of the case, the public interest in not disclosing
the information outweighs the public interest in disclosing
it.”

(3) For paragraph (2) substitute—

(2A) The first condition is that the disclosure of the information to a
member of the public otherwise than under these Regulations—

(a) would contravene any of the data protection principles, or

(b) would do so if the exemption in section 22(1) of the Data
Protection Act 2017 (manual unstructured data held by
public authorities) were disregarded.

(2B) The second condition is that the disclosure of the information to a
member of the public otherwise than under these Regulations would
contravene—

(a) Article 21 of the GDPR (general processing: right to object to
processing), or

(b) section 97 of the Data Protection Act 2017 (intelligence
services processing: right to object to processing).”

(4) For paragraph (3) substitute—

(3A) The third condition is that—

(a) on a request under Article 15(1) of the GDPR (general
processing: right of access by the data subject) for access to
personal data, the information would be withheld in reliance
on provision made by or under section 14, 15 or 24 of, or
Schedule 2, 3 or 4 to, the Data Protection Act 2017,

(b) on a request under section 43(1)(b) of that Act (law
enforcement processing: right of access by the data subject),
the information would be withheld in reliance on subsection
(4) of that section, or

(c) on a request under section 92(1)(b) of that Act (intelligence
services processing: rights of access by the data subject), the
information would be withheld in reliance on a provision of
Chapter 6 of Part 4 of that Act.”

(5) Omit paragraph (4).

(6) For paragraph (5) substitute—

(5A) For the purposes of this regulation a public authority may respond
to a request by neither confirming nor denying whether such
information exists and is held by the public authority, whether or not
it holds such information, to the extent that—

(a) the condition in paragraph (5B)(a) is satisfied, or

(b) a condition in paragraphs (5B)(b) to (e) is satisfied and in all
the circumstances of the case, the public interest in not
confirming or denying whether the information exists
outweighs the public interest in doing so.

(5B) The conditions mentioned in paragraph (5A) are—

(a) giving a member of the public the confirmation or denial—

(i) would (apart from these Regulations) contravene any
of the data protection principles, or

(ii) would do so if the exemptions in section 22(1) of the
Data Protection Act 2017 (manual unstructured data
held by public authorities) were disregarded;

(b) giving a member of the public the confirmation or denial
would (apart from these Regulations) contravene Article 21
of the GDPR or section 97 of the Data Protection Act 2017
(right to object to processing);

(c) on a request under Article 15(1) of the GDPR (general
processing: right of access by the data subject) for
confirmation of whether personal data is being processed, the
information would be withheld in reliance on a provision
listed in paragraph (3A)(a);

(d) on a request under section 43(1)(a) of the Data Protection Act
2017 (law enforcement processing: right of access by the data
subject), the information would be withheld in reliance on
subsection (4) of that section;

(e) on a request under section 92(1)(a) of that Act (intelligence
services processing: rights of access by the data subject), the
information would be withheld in reliance on a provision of
Chapter 6 of Part 4 of that Act.”

(7) After that paragraph insert—

(6) In determining for the purposes of this regulation whether the
lawfulness principle in Article 5(1)(a) of the GDPR would be
contravened by the disclosure of information, Article 6(1) of the
GDPR (lawfulness) is to be read as if the second sub-paragraph
(disapplying the legitimate interests gateway in relation to public
authorities) were omitted.”

17 In regulation 14 (refusal to disclose information), in paragraph (3)(b), for
“regulations 13(2)(a)(ii) or 13(3)” substitute “regulation 13(1)(b) or (5A)”.

18 In regulation 18 (enforcement and appeal provisions), in paragraph (5), for
“regulation 13(5)” substitute “regulation 13(5A)”.

Environmental Information (Scotland) Regulations 2004 (S.S.I. 2004/520)

19 The Environmental Information (Scotland) Regulations 2004 (S.I. 2004/520)
are amended as follows.

20 (1) Regulation 2 (interpretation) is amended as follows.

(2) In paragraph (1), at the appropriate places, insert—

  • ““the data protection principles” means the principles set out
    in—

    (a) Article 5(1) of the GDPR, and

    (b) section 32(1) of the Data Protection Act 2017;”;

  • ““data subject” has the same meaning as in the Data Protection
    Act 2017 (see section 2(5) of that Act);”;

  • ““the GDPR” has the same meaning as in Parts 5 to 7 of the Data
    Protection Act 2017 (see section 2(14) of that Act);”;

  • ““personal data” has the same meaning as in Parts 5 to 7 of the
    Data Protection Act 2017 (see section 2(14) of that Act);”.

(3) For paragraph (3) substitute—

(3A) In these Regulations, references to the Data Protection Act 2017 have
effect as if in Chapter 3 of Part 2 of that Act (other general
processing)—

(a) the references to an FOI public authority were references to a
Scottish public authority as defined in these Regulations, and

(b) the references to personal data held by such an authority
were to be interpreted in accordance with paragraph (2) of
this regulation.”

21 (1) Regulation 11 (personal data) is amended as follows.

(2) For paragraph (2) substitute—

(2) To the extent that environmental information requested includes
personal data of which the applicant is not the data subject, a Scottish
public authority must not make the personal data available if—

(a) the first condition set out in paragraph (3A) is satisfied, or

(b) the second or third condition set out in paragraph (3B) or
(4A) is satisfied and, in all the circumstances of the case, the
public interest in making the information available is
outweighed by that in not doing so.”

(3) For paragraph (3) substitute—

(3A) The first condition is that the disclosure of the information to a
member of the public otherwise than under these Regulations—

(a) would contravene any of the data protection principles, or

(b) would do so if the exemption in section 22(1) of the Data
Protection Act 2017 (manual unstructured data held by
public authorities) were disregarded.

(3B) The second condition is that the disclosure of the information to a
member of the public otherwise than under these Regulations would
contravene Article 21 of the GDPR (general processing: right to
object to processing).”

(4) For paragraph (4) substitute—

(4A) The third condition is that any of the following applies to the
information—

(a) it is exempt from the obligation under Article 15(1) of the
GDPR (general processing: right of access by the data subject)
to provide access to, and information about, personal data by
virtue of provision made by or under section 14, 15 or 24 of,
or Schedule 2, 3 or 4 to, the Data Protection Act 2017, or

(b) on a request under section 43(1)(b) of that Act (law
enforcement processing: right of access by the data subject),
the information would be withheld in reliance on subsection
(4) of that section.

(5) Omit paragraph (5).

(6) After paragraph (6) insert—

(7) In determining, for the purposes of this regulation, whether the
lawfulness principle in Article 5(1)(a) of the GDPR would be
contravened by the disclosure of information, Article 6(1) of the
GDPR (lawfulness) is to be read as if the second sub-paragraph
(disapplying the legitimate interests gateway in relation to public
authorities) were omitted.”

Criminal Justice and Immigration Act 2008 (c. 4)

22 In the Criminal Justice and Immigration Act 2008, omit—

(a) section 77 (power to alter penalty for unlawfully obtaining etc
personal data);

(b) section 78 (new defence for obtaining etc for journalism and other
special purposes).

Criminal Justice and Data Protection (Protocol No. 36) Regulations 2014 (S.I. 2014/3141)

23 In the Criminal Justice and Data Protection (Protocol No. 36) Regulations
2014, omit Part 4 (data protection in relation to police and judicial
co-operation in criminal matters).

Small Business, Enterprise and Employment Act 2015 (c. 26)

24 (1) Section 6 of the Small Business, Enterprise and Employment Act 2015
(application of listed provisions to designated credit reference agencies) is
amended as follows.

(2) In subsection (7)—

(a) for paragraph (b) substitute—

(b) Article 15(1) to (3) of the GDPR (confirmation of
processing, access to data and safeguards for third
country transfers);”;

(b) omit paragraph (c).

(3) After subsection (7) insert—

(7A) In subsection (7) “the GDPR” has the same meaning as in Parts 5 to 7
of the Data Protection Act 2017 (see section 2(14) of that Act).”

Digital Economy Act 2017 (c. 30)

25 In the Digital Economy Act 2017, omit sections 108 to 110 (charges payable
to the Information Commissioner).

Provision inserted in subordinate legislation by this Schedule

26 Provision inserted into subordinate legislation by this Schedule may be
amended or revoked as if it had been inserted using the power under which
the subordinate legislation was originally made.