Data Protection Bill (HL Bill 66)

(9) In this section—

• “certification provider” means a person who issues certification for the
  purposes of Article 42 of the GDPR;

• “the national accreditation body” means the national accreditation body
  5for the purposes of Article 4(1) of Regulation (EC) No 765/2008 of the
  European Parliament and of the Council of 9 July 2008 setting out the
  requirements for accreditation and market surveillance relating to the
  marketing of products and repealing Regulation (EEC) No 339/93.

Transfers of personal data to third countries etc

17 10Transfers of personal data to third countries etc

(1) The Secretary of State may by regulations specify, for the purposes of Article
49(1)(d) of the GDPR—

(a) circumstances in which a transfer of personal data to a third country or
international organisation is to be taken to be necessary for important
15reasons of public interest, and

(b) circumstances in which a transfer of personal data to a third country or
international organisation which is not required by an enactment is not
to be taken to be necessary for important reasons of public interest.

(2) The Secretary of State may by regulations restrict the transfer of a category of
20personal data to a third country or international organisation where—

(a) the transfer is not authorised by an adequacy decision under Article
45(3) of the GDPR, and

(b) the Secretary of State considers the restriction to be necessary for
important reasons of public interest.

(3) 25Regulations under this section are subject to the negative resolution procedure.

Specific processing situations

18 Processing for archiving, research and statistical purposes: safeguards

(1) This section makes provision about—

(a) processing that is necessary for archiving purposes in the public
30interest,

(b) processing that is necessary for scientific or historical research
purposes, and

(c) processing that is necessary for statistical purposes.

(2) Such processing does not satisfy the requirement in Article 89(1) of the GDPR
35for the processing to be subject to appropriate safeguards for the rights and
freedoms of the data subject if—

(a) it is carried out for the purposes of measures or decisions with respect
to a particular data subject, or

(b) it is likely to cause substantial damage or substantial distress to an
40individual.

CHAPTER 3 Other general processing

Scope

19 Processing to which this Chapter applies

(1) 5This Chapter applies to the automated or structured processing of personal
data in the course of —

(a) an activity which is outside the scope of European Union law, or

(b) an activity which falls within the scope of Article 2(2)(b) of the GDPR
(common foreign and security policy activities),

10provided that the processing is not processing to which Part 3 (law
enforcement processing) or Part 4 (intelligence services processing) applies.

(2) This Chapter also applies to the manual unstructured processing of personal
data held by an FOI public authority.

(3) This Chapter does not apply to the processing of personal data by an
15individual in the course of a purely personal or household activity.

(4) In this section—

• “automated or structured processing of personal data” means—

  (a)

  processing of personal data carried on wholly or partly by
  automated means, and

  (b)

  processing of personal data that forms part of a filing system or
  20is intended to form part of a filing system;

• “manual unstructured processing of personal data” means processing of
  personal data which is not automated or structured processing of
  personal data.

(5) 25In this Chapter, “FOI public authority” means—

(a) a public authority as defined in the Freedom of Information Act 2000, or

(b) a Scottish public authority as defined in the Freedom of Information
(Scotland) Act 2002 (asp 13)2002 (asp 13).

(6) References in this Chapter to personal data “held” by an FOI public authority
30are to be interpreted—

(a) in relation to England and Wales and Northern Ireland, in accordance
with section 3(2) of the Freedom of Information Act 2000, and

(b) in relation to Scotland, in accordance with section 3(2), (4) and (5) of the
Freedom of Information (Scotland) Act 2002 (asp 13),

35but such references do not include information held by an intelligence service
(as defined in section 80) on behalf of an FOI public authority.

(7) But personal data is not to be treated as “held” by an FOI public authority for
the purposes of this Chapter, where—

(a) section 7 of the Freedom of Information Act 2000 prevents Parts 1 to 5
40of that Act from applying to the personal data, or

(b) section 7(1) of the Freedom of Information (Scotland) Act 2002 (asp 130)
prevents that Act from applying to the personal data.

Application of the GDPR

20 Application of the GDPR to processing to which this Chapter applies

(1) The GDPR applies to the processing of personal data to which this Chapter
applies but as if its Articles were part of an Act extending to England and
5Wales, Scotland and Northern Ireland.

(2) Chapter 2 of this Part applies for the purposes of the applied GDPR as it applies
for the purposes of the GDPR.

(3) In this Chapter, “the applied Chapter 2” means Chapter 2 of this Part as applied
by this Chapter.

(4) 10Schedule 6 contains provision modifying—

(a) the GDPR as it applies by virtue of subsection (1) (see Part 1);

(b) Chapter 2 of this Part as it applies by virtue of subsection (2) (see Part 2).

(5) A question as to the meaning or effect of a provision of the applied GDPR, or
the applied Chapter 2, is to be determined consistently with the interpretation
15of the equivalent provision of the GDPR, or Chapter 2 of this Part, as it applies
otherwise than by virtue of this Chapter, except so far as Schedule 6 requires a
different interpretation.

21 Power to make provision in consequence of regulations related to the GDPR

(1) The Secretary of State may by regulations make provision in connection with
20the processing of personal data to which this Chapter applies which is
equivalent to that made by GDPR regulations, subject to such modifications as
the Secretary of State considers appropriate.

(2) In this section, “GDPR regulations” means regulations made under section 2(2)
of the European Communities Act 1972 which make provision relating to the
25GDPR.

(3) Regulations under subsection (1) may apply a provision of GDPR regulations,
with or without modification.

(4) Regulations under subsection (1) may amend or repeal a provision of—

(a) the applied GDPR;

(b) 30this Chapter;

(c) Parts 5 to 7, in so far as they apply in relation to the applied GDPR.

(5) Regulations under this section are subject to the affirmative resolution
procedure.

Exemptions etc

22 35Manual unstructured data held by FOI public authorities

(1) The provisions of the applied GDPR and this Act listed in subsection (2) do not
apply to personal data to which this Chapter applies by virtue of section 19(2)
(manual unstructured personal data held by FOI public authorities).

(2) Those provisions are—

(a) 40in Chapter II of the applied GDPR (principles)—

(i) Articles 5(1)(a) to (c), (e) and (f) (principles relating to
processing, other than the accuracy principle),

(ii) Article 6 (lawfulness),

(iii) Article 7 (conditions for consent),

(iv) 5Article 8(1) and (2) (child’s consent),

(v) Article 9 (processing of special categories of personal data),

(vi) Article 10 (data relating to criminal convictions etc), and

(vii) Article 11(2) (processing not requiring identification);

(b) in Chapter III of the applied GDPR (rights of the data subject)—

(i) 10Article 13(1) to (3) (personal data collected from data subject:
information to be provided),

(ii) Article 14(1) to (4) (personal data collected other than from data
subject: information to be provided),

(iii) Article 20 (right to data portability), and

(iv) 15Article 21(1) (objections to processing);

(c) in Chapter V of the applied GDPR, Articles 44 to 49 (transfers of
personal data to third countries or international organisations);

(d) sections 161 and 162 of this Act;

(see also paragraph 1(2) of Schedule 17).

(3) 20In addition, the provisions of the applied GDPR listed in subsection (4) do not
apply to personal data to which this Chapter applies by virtue of section 19(2)
where the personal data relates to appointments, removals, pay, discipline,
superannuation or other personnel matters in relation to—

(a) service in any of the armed forces of the Crown;

(b) 25service in any office or employment under the Crown or under any
public authority;

(c) service in any office or employment, or under any contract for services,
in respect of which power to take action, or to determine or approve the
action taken, in such matters is vested in—

(i) 30Her Majesty,

(ii) a Minister of the Crown,

(iii) the National Assembly for Wales,

(iv) the Welsh Ministers,

(v) a Northern Ireland Minister (within the meaning of the
35Freedom of Information Act 2000), or

(vi) an FOI public authority.

(4) Those provisions are—

(a) the remaining provisions of Chapters II and III (principles and rights of
the data subject);

(b) 40Chapter IV (controller and processor);

(c) Chapter IX (specific processing situations).

(5) A controller is not obliged to comply with Article 15(1) to (3) of the applied
GDPR (right of access by the data subject) in relation to personal data to which
this Chapter applies by virtue of section 19(2) if—

(a) 45the request under that Article does not contain a description of the
personal data, or

(b) the controller estimates that the cost of complying with the request so
far as relating to the personal data would exceed the appropriate
maximum.

(6) Subsection (5)(b) does not remove the controller’s obligation to confirm
5whether or not personal data concerning the data subject is being processed
unless the estimated cost of complying with that obligation alone in relation to
the personal data would exceed the appropriate maximum.

(7) An estimate for the purposes of this section must be made in accordance with
regulations under section 12(5) of the Freedom of Information Act 2000.

(8) 10In subsections (5) and (6), “the appropriate maximum” means the maximum
amount specified by the Secretary of State by regulations.

(9) Regulations under subsection (8) are subject to the negative resolution
procedure.

23 Manual unstructured data used in longstanding historical research

(1) 15The provisions of the applied GDPR listed in subsection (2) do not apply to
personal data to which this Chapter applies by virtue of section 19(2) (manual
unstructured personal data held by FOI public authorities) at any time when—

(a) the personal data—

(i) is subject to processing which was already underway
20immediately before 24 October 1998, and

(ii) is processed only for the purposes of historical research, and

(b) the processing is not carried out—

(i) for the purposes of measures or decisions with respect to a
particular individual, or

(ii) 25in a way that causes, or is likely to cause, substantial damage or
substantial distress to a data subject.

(2) Those provisions are—

(a) in Chapter II of the applied GDPR (principles), Article 5(1)(d) (the
accuracy principle), and

(b) 30in Chapter III of the applied GDPR (rights of the data subject)—

(i) Article 16 (right to rectification), and

(ii) Article 17(1) and (2) (right to erasure).

(3) The exemptions in this section apply in addition to the exemptions in section
22.

24 35National security and defence exemption

(1) A provision of the applied GDPR or the Act mentioned in subsection (2) does
not apply to personal data to which this Chapter applies if exemption from the
provision is required for—

(a) the purpose of safeguarding national security, or

(b) 40defence purposes.

(2) The provisions are—

(a) Chapter II of the applied GDPR (principles) except for—

(i) Article 5(1)(a) (lawful, fair and transparent processing), so far as
it requires processing of personal data to be lawful;

(ii) Article 6 (lawfulness of processing);

(iii) Article 9 (processing of special categories of personal data);

(b) Chapter III of the applied GDPR (rights of data subjects);

(c) in Chapter IV of the applied GDPR—

(i) 5Article 33 (notification of personal data breach to the
Commissioner);

(ii) Article 34 (communication of personal data breach to the data
subject);

(d) Chapter V of the applied GDPR (transfers of personal data to third
10countries or international organisations);

(e) in Chapter VI of the applied GDPR—

(i) Article 57(1)(a) and (h) (Commissioner’s duties to monitor and
enforce the applied GDPR and to conduct investigations);

(ii) Article 58 (investigative, corrective, authorisation and advisory
15powers of Commissioner);

(f) Chapter VIII of the applied GDPR (remedies, liabilities and penalties)
except for—

(i) Article 83 (general conditions for imposing administrative
fines);

(ii) 20Article 84 (penalties);

(g) in Part 5 of this Act—

(i) in section 113 (general functions of the Commissioner),
subsections (3) and (8);

(ii) in section 113, subsection (9), so far as it relates to Article 58(2)(i)
25of the applied GDPR;

(iii) section 117 (inspection in accordance with international
obligations);

(h) in Part 6 of this Act—

(i) sections 137 to 147 and Schedule 15 (Commissioner’s notices
30and powers of entry and inspection);

(ii) sections 161 to 163 (offences relating to personal data);

(i) in Part 7 of this Act, section 173 (representation of data subjects).

25 National security: certificate

(1) Subject to subsection (3), a certificate signed by a Minister of the Crown
35certifying that exemption from all or any of the provisions listed in section
24(2) is, or at any time was, required in relation to any personal data for the
purpose of safeguarding national security is conclusive evidence of that fact.

(2) A certificate under subsection (1)—

(a) may identify the personal data to which it applies by means of a general
40description, and

(b) may be expressed to have prospective effect.

(3) Any person directly affected by a certificate under subsection (1) may appeal
to the Tribunal against the certificate.

(4) If, on an appeal under subsection (3), the Tribunal finds that, applying the
45principles applied by a court on an application for judicial review, the Minister
did not have reasonable grounds for issuing a certificate, the Tribunal may—

(a) allow the appeal, and

(b) quash the certificate.

(5) Where, in any proceedings under or by virtue of the applied GDPR or this Act,
it is claimed by a controller that a certificate under subsection (1) which
identifies the personal data to which it applies by means of a general
5description applies to any personal data, another party to the proceedings may
appeal to the Tribunal on the ground that the certificate does not apply to the
personal data in question.

(6) But, subject to any determination under subsection (7), the certificate is to be
conclusively presumed so to apply.

(7) 10On an appeal under subsection (5), the Tribunal may determine that the
certificate does not so apply.

(8) A document purporting to be a certificate under subsection (1) is to be—

(a) received in evidence, and

(b) deemed to be such a certificate unless the contrary is proved.

(9) 15A document which purports to be certified by or on behalf of a Minister of the
Crown as a true copy of a certificate issued by that Minister under subsection
(1) is—

(a) in any legal proceedings, evidence of that certificate;

(b) in any legal proceedings in Scotland, sufficient evidence of that
20certificate.

(10) The power conferred by subsection (1) on a Minister of the Crown is
exercisable only by—

(a) a Minister who is a member of the Cabinet, or

(b) the Attorney General or the Advocate General for Scotland.

26 25National security and defence: modifications to Articles 9 and 32 of the
applied GDPR

(1) Article 9(1) of the applied GDPR (prohibition on processing of special
categories of personal data) does not prohibit the processing of personal data
to which this Chapter applies to the extent that the processing is carried out—

(a) 30for the purpose of safeguarding national security or for defence
purposes, and

(b) with appropriate safeguards for the rights and freedoms of data
subjects.

(2) Article 32 of the applied GDPR (security of processing) does not apply to a
35controller or processor to the extent that the controller or the processor (as the
case may be) is processing personal data to which this Chapter applies for—

(a) the purpose of safeguarding national security, or

(b) defence purposes.

(3) Where Article 32 of the applied GDPR does not apply, the controller or the
40processor must implement security measures appropriate to the risks arising
from the processing of the personal data.

(4) For the purposes of subsection (3), where the processing of personal data is
carried out wholly or partly by automated means, the controller or the
processor must, following an evaluation of the risks, implement measures
45designed to—

(a) prevent unauthorised processing or unauthorised interference with the
systems used in connection with the processing,

(b) ensure that it is possible to establish the precise details of any
processing that takes place,

(c) 5ensure that any systems used in connection with the processing
function properly and may, in the case of interruption, be restored, and

(d) ensure that stored personal data cannot be corrupted if a system used
in connection with the processing malfunctions.

Part 3 10Law enforcement processing

CHAPTER 1 Scope and definitions

Scope

27 Processing to which this Part applies

(1) 15This Part applies to—

(a) the processing by a competent authority of personal data wholly or
partly by automated means, and

(b) the processing by a competent authority otherwise than by automated
means of personal data which forms part of a filing system or is
20intended to form part of a filing system.

(2) Any reference in this Part to the processing of personal data is to processing to
which this Part applies.

(3) For the meaning of “competent authority”, see section 28.

Definitions

28 25Meaning of “competent authority”

(1) In this Part, “competent authority” means—

(a) a person specified in Schedule 7, and

(b) any other person if and to the extent that the person has statutory
functions for any of the law enforcement purposes.

(2) 30But an intelligence service is not a competent authority within the meaning of
this Part.

(3) The Secretary of State may by regulations amend Schedule 7—

(a) so as to add a person to, or remove a person from, the Schedule;

(b) so as to reflect any change in the name of a person specified in the
35Schedule.

(4) Regulations under subsection (3) which make provision of the kind described
in subsection (3)(a) may also make consequential amendments of section
71(4)(b).

(5) Regulations under subsection (3) which make provision of the kind described
in subsection (3)(a), or which make provision of that kind and of the kind
described in subsection (3)(b), are subject to the affirmative resolution
procedure.

(6) 5Regulations under subsection (3) which make provision only of the kind
described in subsection (3)(b) are subject to the negative resolution procedure.

(7) In this section—

• “intelligence service” means—

  (a)

  the Security Service;

  (b)

  10the Secret Intelligence Service;

  (c)

  the Government Communications Headquarters;

• “statutory function” means a function under or by virtue of an enactment.

29 “The law enforcement purposes”

For the purposes of this Part, “the law enforcement purposes” are the purposes
15of the prevention, investigation, detection or prosecution of criminal offences
or the execution of criminal penalties, including the safeguarding against and
the prevention of threats to public security.

30 Meaning of “controller” and “processor”

(1) In this Part, “controller” means the competent authority which, alone or jointly
20with others—

(a) determines the purposes and means of the processing of personal data,
or

(b) is the controller by virtue of subsection (2).

(2) Where personal data is processed only—

(a) 25for purposes for which it is required by an enactment to be processed,
and

(b) by means by which it is required by an enactment to be processed,

the competent authority on which the obligation to process the data is imposed
by the enactment (or, if different, one of the enactments) is the controller.

(3) 30In this Part, “processor” means any person who processes personal data on
behalf of the controller (other than a person who is an employee of the
controller).

31 Other definitions

(1) This section defines certain other expressions used in this Part.

(2) 35“Employee”, in relation to any person, includes an individual who holds a
position (whether paid or unpaid) under the direction and control of that
person.

(3) “Personal data breach” means a breach of security leading to the accidental or
unlawful destruction, loss, alteration, unauthorised disclosure of, or access to,
40personal data transmitted, stored or otherwise processed.

(4) “Profiling” means any form of automated processing of personal data
consisting of the use of personal data to evaluate certain personal aspects

relating to an individual, in particular to analyse or predict aspects concerning
that individual’s performance at work, economic situation, health, personal
preferences, interests, reliability, behaviour, location or movements.

(5) “Recipient”, in relation to any personal data, means any person to whom the
5data is disclosed, whether a third party or not, but it does not include a public
authority to whom disclosure is or may be made in the framework of a
particular inquiry in accordance with the law.

(6) “Restriction of processing” means the marking of stored personal data with the
aim of limiting its processing for the future.

(7) 10“Third country” means a country or territory other than a member State.

(8) Sections 2 and 184 include definitions of other expressions used in this Part.

CHAPTER 2 Principles

32 Overview and general duty of controller

(1) 15This Chapter sets out the six data protection principles as follows—

(a) section 33(1) sets out the first data protection principle (requirement
that processing be lawful and fair);

(b) section 34(1) sets out the second data protection principle (requirement
that purposes of processing be specified, explicit and legitimate);

(c) 20section 35 sets out the third data protection principle (requirement that
personal data be adequate, relevant and not excessive);

(d) section 36(1) sets out the fourth data protection principle (requirement
that personal data be accurate and kept up to date);

(e) section 37(1) sets out the fifth data protection principle (requirement
25that personal data be kept for no longer than is necessary);

(f) section 38 sets out the sixth data protection principle (requirement that
personal data be processed in a secure manner).

(2) In addition—

(a) each of sections 33, 34, 36 and 37 makes provision to supplement the
30principle to which it relates, and

(b) sections 39 and 40 make provision about the safeguards that apply in
relation to certain types of processing.

(3) The controller in relation to personal data is responsible for, and must be able
to demonstrate, compliance with this Chapter.

33 35The first data protection principle

(1) The first data protection principle is that the processing of personal data for
any of the law enforcement purposes must be lawful and fair.

(2) The processing of personal data for any of the law enforcement purposes is
lawful only if and to the extent that it is based on law and either—

(a) 40the data subject has given consent to the processing for that purpose, or

(b) the processing is necessary for the performance of a task carried out for
that purpose by a competent authority.