Data Protection Bill (HL Bill 66)
PART 3 continued CHAPTER 2 continued
Data Protection Bill, page 20
(3) In addition, where the processing for any of the law enforcement purposes is
sensitive processing, the processing is permitted only in the two cases set out
in subsections (4) and (5).
(4) The first case is where—
(a) the data subject has given consent to the processing for the law
enforcement purpose as mentioned in subsection (2)(a), and
(b) at the time when the processing is carried out, the controller has an
appropriate policy document in place (see section 40).
(5) The second case is where—
(a) the processing is strictly necessary for the law enforcement purpose,
(b) the processing meets at least one of the conditions in Schedule 8, and
(c) at the time when the processing is carried out, the controller has an
appropriate policy document in place (see section 40).
(6) The Secretary of State may by regulations amend Schedule 8 by adding,
varying or omitting conditions.
(7) Regulations under subsection (6) are subject to the affirmative resolution
procedure.
(8) In this section, “sensitive processing” means—
(a) the processing of personal data revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs or trade union
membership;
(b) the processing of genetic data, or of biometric data, for the purpose of
uniquely identifying an individual;
(c) the processing of data concerning health;
(d) the processing of data concerning an individual’s sex life or sexual
orientation.
34 The second data protection principle
(1) The second data protection principle is that—
(a) the law enforcement purpose for which personal data is collected on
any occasion must be specified, explicit and legitimate, and
(b) personal data so collected must not be processed in a manner that is
incompatible with the purpose for which it was collected.
(2) Paragraph (b) of the second data protection principle is subject to
subsections (3) and (4).
(3) Personal data collected for a law enforcement purpose may be processed for
any other law enforcement purpose (whether by the controller that collected
the data or by another controller) provided that—
(a) the controller is authorised by law to process the data for the other
purpose, and
(b) the processing is necessary and proportionate to that other purpose.
(4) Personal data collected for any of the law enforcement purposes may not be
processed for a purpose that is not a law enforcement purpose unless the
processing is authorised by law.
35 The third data protection principle
The third data protection principle is that personal data processed for any of
the law enforcement purposes must be adequate, relevant and not excessive in
relation to the purpose for which it is processed.
36 The fourth data protection principle
(1) The fourth data protection principle is that—
(a) personal data processed for any of the law enforcement purposes must
be accurate and, where necessary, kept up to date, and
(b) every reasonable step must be taken to ensure that personal data that is
inaccurate, having regard to the law enforcement purpose for which it
is processed, is erased or rectified without delay.
(2) In processing personal data for any of the law enforcement purposes, personal
data based on facts must, so far as possible, be distinguished from personal
data based on personal assessments.
(3) In processing personal data for any of the law enforcement purposes, a clear
distinction must, where relevant and as far as possible, be made between
personal data relating to different categories of data subject, such as—
(a) persons suspected of having committed or being about to commit a
criminal offence;
(b) persons convicted of a criminal offence;
(c) persons who are or may be victims of a criminal offence;
(d) witnesses or other persons with information about offences.
(4) All reasonable steps must be taken to ensure that personal data which is
inaccurate, incomplete or no longer up to date is not transmitted or made
available for any of the law enforcement purposes.
(5) For that purpose—
(a) the quality of personal data must be verified before it is transmitted or
made available,
(b) in all transmissions of personal data, the necessary information
enabling the recipient to assess the degree of accuracy, completeness
and reliability of the data and the extent to which it is up to date must
be included, and
(c) if, after personal data has been transmitted, it emerges that the data was
incorrect or that the transmission was unlawful, the recipient must be
notified without delay.
37 The fifth data protection principle
(1) The fifth data protection principle is that personal data processed for any of the
law enforcement purposes must be kept for no longer than is necessary for the
purpose for which it is processed.
(2) Appropriate time limits must be established for the periodic review of the need
for the continued storage of personal data for any of the law enforcement
purposes.
38 The sixth data protection principle
The sixth data protection principle is that personal data processed for any of
the law enforcement purposes must be so processed in a manner that ensures
appropriate security of the personal data, using appropriate technical or
organisational measures (and, in this principle, “appropriate security” includes
protection against unauthorised or unlawful processing and against accidental
loss, destruction or damage).
39 Safeguards: archiving
(1) This section applies in relation to the processing of personal data for a law
enforcement purpose where the processing is necessary—
(a) for archiving purposes in the public interest,
(b) for scientific or historical research purposes, or
(c) for statistical purposes.
(2) The processing is not permitted if—
(a) it is carried out for the purposes of, or in connection with, measures or
decisions with respect to a particular data subject, or
(b) it is likely to cause substantial damage or substantial distress to an
individual.
40 Safeguards: sensitive processing
(1) This section applies for the purposes of section 33(4) and (5) (which require a
controller to have an appropriate policy document in place when carrying out
sensitive processing in reliance on the consent of the data subject or, as the case
may be, in reliance on a condition specified in Schedule 8).
(2) The controller has an appropriate policy document in place in relation to the
sensitive processing if the controller has produced a document which—
(a) explains the controller’s procedures for securing compliance with the
data protection principles (see section 32(1)) in connection with
sensitive processing in reliance on the consent of the data subject or (as
the case may be) in reliance on the condition in question, and
(b) explains the controller’s policies as regards the retention and erasure of
personal data processed in reliance on the consent of the data subject or
(as the case may be) in reliance on the condition in question, giving an
indication of how long such personal data is likely to be retained.
(3) Where personal data is processed on the basis that an appropriate policy
document is in place, the controller must during the relevant period—
(a) retain the appropriate policy document,
(b) review and (if appropriate) update it from time to time, and
(c) make it available to the Commissioner, on request, without charge.
(4) The record maintained by the controller under section 59(1) and, where the
sensitive processing is carried out by a processor on behalf of the controller, the
record maintained by the processor under section 59(3) must include the
following information—
(a) whether the sensitive processing is carried out in reliance on the
consent of the data subject or, if not, which condition in Schedule 8 is
relied on,
(b) how the processing satisfies section 33 (lawfulness of processing), and
(c) whether the personal data is retained and erased in accordance with the
policies described in subsection (2)(b) and, if it is not, the reasons for not
following those policies.
(5) In this section, “relevant period”, in relation to sensitive processing in reliance
on the consent of the data subject or in reliance on a condition specified in
Schedule 8, means a period which—
(a) begins when the controller starts to carry out the sensitive processing in
reliance on the data subject’s consent or (as the case may be) in reliance
on that condition, and
(b) ends at the end of the period of 6 months beginning with the day the
controller ceases to carry out the processing.
CHAPTER 3 Rights of the data subject
Overview and scope
41 Overview and scope
(1) This Chapter—
(a) imposes general duties on the controller to make information available
(see section 42);
(b) confers a right of access by the data subject (see section 43);
(c) confers rights on the data subject with respect to the rectification of
personal data and the erasure of personal data or the restriction of its
processing (see sections 44 to 46);
(d) regulates automated decision-making (see sections 47 and 48);
(e) makes supplementary provision (see sections 49 to 52).
(2) This Chapter applies only in relation to the processing of personal data for a
law enforcement purpose.
(3) But sections 42 to 46 do not apply in relation to the processing of relevant
personal data in the course of a criminal investigation or criminal proceedings,
including proceedings for the purpose of executing a criminal penalty.
(4) In subsection (3), “relevant personal data” means personal data contained in a
judicial decision or in other documents relating to the investigation or
proceedings which are created by or on behalf of a court or other judicial
authority.
(5) In this Chapter, “the controller”, in relation to a data subject, means the
controller in relation to personal data relating to the data subject.
Information: controller's general duties
42 Information: controller’s general duties
(1) The controller must make available to data subjects the following information
(whether by making the information generally available to the public or in any
other way)—
(a) the identity and the contact details of the controller;
(b) where applicable, the contact details of the data protection officer (see
sections 67 to 69);
(c) the purposes for which the controller processes personal data;
(d) the existence of the rights of data subjects to request from the
controller—
(i) access to personal data (see section 43),
(ii) rectification of personal data (see section 44), and
(iii) erasure of personal data or the restriction of its processing (see
section 45);
(e) the existence of the right to lodge a complaint with the Commissioner
and the contact details of the Commissioner.
(2) The controller must also, in specific cases for the purpose of enabling the
exercise of a data subject’s rights under this Part, give the data subject the
following—
(a) information about the legal basis for the processing;
(b) information about the period for which the personal data will be stored
or, where that is not possible, about the criteria used to determine that
period;
(c) where applicable, information about the categories of recipients of the
personal data (including recipients in third countries or international
organisations);
(d) such further information as is necessary to enable the exercise of the
data subject’s rights under this Part.
(3) An example of where further information may be necessary as mentioned in
subsection (2)(d) is where the personal data being processed was collected
without the knowledge of the data subject.
(4) The controller may restrict, wholly or partly, the provision of information to
the data subject under subsection (2) to the extent that and for so long as the
restriction is, having regard to the fundamental rights and legitimate interests
of the data subject, a necessary and proportionate measure to—
(a) avoid obstructing an official or legal inquiry, investigation or
procedure;
(b) avoid prejudicing the prevention, detection, investigation or
prosecution of criminal offences or the execution of criminal penalties;
(c) protect public security;
(d) protect national security;
(e) protect the rights and freedoms of others.
(5) Where the provision of information to a data subject under subsection (2) is
restricted, wholly or partly, the controller must inform the data subject in
writing without undue delay—
(a) that the provision of information has been restricted,
(b) of the reasons for the restriction,
(c) of the data subject’s right to make a request to the Commissioner under
section 49,
(d) of the data subject’s right to lodge a complaint with the Commissioner,
and
(e) of the data subject’s right to apply to a court under section 158.
(6) Subsection (5)(a) and (b) do not apply to the extent that complying with them
would undermine the purpose of the restriction.
(7) The controller must—
(a) record the reasons for a decision to restrict (whether wholly or partly)
the provision of information to a data subject under subsection (2), and
(b) if requested to do so by the Commissioner, make the record available
to the Commissioner.
Data subject's right of access
43 Right of access by the data subject
(1) A data subject is entitled to obtain from the controller—
(a) confirmation as to whether or not personal data concerning him or her
is being processed, and
(b) where that is the case, access to the personal data and the information
set out in subsection (2).
(2) That information is—
(a) the purposes of and legal basis for the processing;
(b) the categories of personal data concerned;
(c) the recipients or categories of recipients to whom the personal data has
been disclosed (including recipients or categories of recipients in third
countries or international organisations);
(d) the period for which it is envisaged that the personal data will be stored
or, where that is not possible, the criteria used to determine that period;
(e) the existence of the data subject’s rights to request from the controller—
(i) rectification of personal data (see section 44), and
(ii) erasure of personal data or the restriction of its processing (see
section 45);
(f) the existence of the data subject’s right to lodge a complaint with the
Commissioner and the contact details of the Commissioner;
(g) communication of the personal data undergoing processing and of any
available information as to its origin.
(3) Where a data subject makes a request under subsection (1), the information to
which the data subject is entitled must be provided in writing—
(a) without undue delay, and
(b) in any event, before the end of the applicable time period (as to which
see section 52).
(4) The controller may restrict, wholly or partly, the rights conferred by
subsection (1) to the extent that and for so long as the restriction is, having regard to the
fundamental rights and legitimate interests of the data subject, a necessary and
proportionate measure to—
(a) avoid obstructing an official or legal inquiry, investigation or
procedure;
(b) avoid prejudicing the prevention, detection, investigation or
prosecution of criminal offences or the execution of criminal penalties;
(c) protect public security;
(d) protect national security;
(e) protect the rights and freedoms of others.
(5) Where the rights of a data subject under subsection (1) are restricted, wholly or
partly, the controller must inform the data subject in writing without undue
delay—
(a) that the rights of the data subject have been restricted,
(b) of the reasons for the restriction,
(c) of the data subject’s right to make a request to the Commissioner under
section 49,
(d) of the data subject’s right to lodge a complaint with the Commissioner,
and
(e) of the data subject’s right to apply to a court under section 158.
(6) Subsection (5)(a) and (b) do not apply to the extent that the provision of the
information would undermine the purpose of the restriction.
(7) The controller must—
(a) record the reasons for a decision to restrict (whether wholly or partly)
the rights of a data subject under subsection (1), and
(b) if requested to do so by the Commissioner, make the record available
to the Commissioner.
Data subject's rights to rectification or erasure etc
44 Right to rectification
(1) The controller must, if so requested by a data subject, rectify without undue
delay inaccurate personal data relating to the data subject.
(2) Where personal data is inaccurate because it is incomplete, the controller must,
if so requested by a data subject, complete it.
(3) The duty under subsection (2) may, in appropriate cases, be fulfilled by the
provision of a supplementary statement.
(4) Where the controller would be required to rectify personal data under this
section but the personal data must be maintained for the purposes of evidence,
the controller must (instead of rectifying the personal data) restrict its
processing.
45 Right to erasure or restriction of processing
(1) The controller must erase personal data without undue delay where—
(a) the processing of the personal data would infringe section 33,
34(1) to (3), 35, 36(1), 37(1), 38, 39 or 40, or
(b) the controller has a legal obligation to erase the data.
(2) Where the controller would be required to erase personal data under
subsection (1) but the personal data must be maintained for the purposes of
evidence, the controller must (instead of erasing the personal data) restrict its
processing.
(3) Where a data subject contests the accuracy of personal data (whether in making
a request under this section or section 44 or in any other way), but it is not
possible to ascertain whether it is accurate or not, the controller must restrict
its processing.
(4) A data subject may request the data controller to erase personal data or to
restrict its processing (but the duties of the controller under this section apply
whether or not such a request is made).
46 Rights under section 44 or 45: supplementary
(1) Where a data subject requests the rectification or erasure of personal data or the
restriction of its processing, the controller must inform the data subject in
writing—
(a) whether the request has been granted, and
(b) if it has been refused—
(i) of the reasons for the refusal,
(ii) of the data subject’s right to make a request to the
Commissioner under section 49,
(iii) of the data subject’s right to lodge a complaint with the
Commissioner, and
(iv) of the data subject’s right to apply to a court under section 158.
(2) The controller must comply with the duty under subsection (1)—
(a) without undue delay, and
(b) in any event, before the end of the applicable time period (see section
52).
(3) The controller may restrict, wholly or partly, the provision of information to
the data subject under subsection (1)(b)(i) to the extent that and for so long as
the restriction is, having regard to the fundamental rights and legitimate
interests of the data subject, a necessary and proportionate measure to—
(a) avoid obstructing an official or legal inquiry, investigation or
procedure;
(b) avoid prejudicing the prevention, detection, investigation or
prosecution of criminal offences or the execution of criminal penalties;
(c) protect public security;
(d) protect national security;
(e) protect the rights and freedoms of others.
(4) Where the rights of a data subject under subsection (1) are restricted, wholly or
partly, the controller must inform the data subject in writing without undue
delay—
(a) that the rights of the data subject have been restricted,
(b) of the reasons for the restriction,
(c) of the data subject’s right to lodge a complaint with the Commissioner,
and
(d) of the data subject’s right to apply to a court under section 158.
(5) Subsection (4)(a) and (b) do not apply to the extent that the provision of the
information would undermine the purpose of the restriction.
(6) The controller must—
(a) record the reasons for a decision to restrict (whether wholly or partly)
the provision of information to a data subject under subsection (4), and
(b) if requested to do so by the Commissioner, make the record available
to the Commissioner.
(7) Where the controller rectifies personal data, it must notify the competent
authority (if any) from which the inaccurate personal data originated.
(8) In subsection (7), the reference to a competent authority includes (in addition
to a competent authority within the meaning of this Part) any person that is a
competent authority for the purposes of the Law Enforcement Directive in a
member State other than the United Kingdom.
(9) Where the controller rectifies, erases or restricts the processing of personal data
which has been disclosed by the controller—
(a) the controller must notify the recipients, and
(b) the recipients must similarly rectify, erase or restrict the processing of
the personal data (so far as they retain responsibility for it).
(10) Where processing is restricted in accordance with section 45(3), the controller
must inform the data subject before lifting the restriction.
Automated individual decision-making
47 Right not to be subject to automated decision-making
(1) A controller may not take a significant decision based solely on automated
processing unless that decision is required or authorised by law.
(2) A decision is a “significant decision” for the purpose of this section if, in
relation to a data subject, it—
(a) produces an adverse legal effect concerning the data subject, or
(b) significantly affects the data subject.
48 Automated decision-making authorised by law: safeguards
(1) A decision is a “qualifying significant decision” for the purposes of this section
if—
(a) it is a significant decision in relation to a data subject, and
(b) it is required or authorised by law.
(2) Where a controller takes a qualifying significant decision in relation to a data
subject based solely on automated processing—
(a) the controller must, as soon as reasonably practicable, notify the data
subject in writing that a decision has been taken based solely on
automated processing, and
(b) the data subject may, before the end of the period of 21 days beginning
with receipt of the notification, request the controller to—
(i) reconsider the decision, or
(ii) take a new decision that is not based solely on automated
processing.
(3) If a request is made to a controller under subsection (2), the controller must,
before the end of the period of 21 days beginning with receipt of the request—
(a) consider the request, including any information provided by the data
subject that is relevant to it,
(b) comply with the request, and
(c) by notice in writing inform the data subject of—
(i) the steps taken to comply with the request, and
(ii) the outcome of complying with the request.
(4) The Secretary of State may by regulations make such further provision as the
Secretary of State considers appropriate to provide suitable measures to
safeguard a data subject’s rights, freedoms and legitimate interests in
connection with the taking of qualifying significant decisions based solely on
automated processing.
(5) Regulations under subsection (4)—
(a) may amend this section, and
(b) are subject to the affirmative resolution procedure.
(6) In this section “significant decision” has the meaning given by section 47(2).
Supplementary
49 Exercise of rights through the Commissioner
(1) This section applies where a controller—
(a) restricts under section 42(4) the information provided to the data
subject under section 42(2) (duty of the data controller to give the data
subject additional information),
(b) restricts under section 43(4) the data subject’s rights under section 43(1)
(right of access), or
(c) refuses a request by the data subject for rectification under section 44 or
for erasure or restriction of processing under section 45.
(2) The data subject may—
(a) where subsection (1)(a) or (b) applies, request the Commissioner to
check that the processing of personal data relating to the data subject
complies with this Part;
(b) where subsection (1)(c) applies, request the Commissioner to check that
the refusal of the data subject’s request was lawful.
(3) The Commissioner must take such steps as appear to the Commissioner to be
appropriate to respond to a request under subsection (2) (which may include
the exercise of any of the powers conferred by sections 137 and 140).
(4) After taking those steps, the Commissioner must inform the data subject—
(a) where subsection (1)(a) or (b) applies, whether the Commissioner is
satisfied that the processing by the controller of personal data relating
to the data subject complies with this Part;
(b) where subsection (1)(c) applies, whether the Commissioner is satisfied
that the controller’s refusal of the data subject’s request was lawful.
(5) The Commissioner must also inform the data subject of the data subject’s right
to apply to a court under section 158.
(6) Where the Commissioner is not satisfied as mentioned in subsection (4)(a)
or (b), the Commissioner may also inform the data subject of any further steps
that the Commissioner is considering taking under Part 6