Data Protection Bill (HL Bill 66)

Data Protection Bill, Page 40

(a) informing and advising the controller, any processor engaged by the
controller, and any employee of the controller who carries out
processing of personal data, of that person’s obligations under this
Part,

(b) providing advice on the carrying out of a data protection impact
assessment under section 62 and monitoring compliance with that
section,

(c) co-operating with the Commissioner,

(d) acting as the contact point for the Commissioner on issues relating to
processing, including in relation to the consultation mentioned in
section 63, and consulting with the Commissioner, where appropriate,
in relation to any other matter,

(e) monitoring compliance with policies of the controller in relation to the
protection of personal data, and

(f) monitoring compliance by the controller with this Part.

(2) In relation to the policies mentioned in subsection (1)(e), the data protection
officer’s tasks include—

(a) assigning responsibilities under those policies,

(b) raising awareness of those policies,

(c) training staff involved in processing operations, and

(d) conducting audits required under those policies.

(3) In performing the tasks set out in subsections (1) and (2), the data protection
officer must have regard to the risks associated with processing operations,
taking into account the nature, scope, context and purposes of processing.

CHAPTER 5 Transfers of personal data to third countries etc

Overview and interpretation

70 Overview and interpretation

(1) This Chapter deals with the transfer of personal data to third countries or
international organisations, as follows—

(a) sections 71 to 74 set out the general conditions that apply;

(b) section 75 sets out the special conditions that apply where the intended
recipient of personal data is not a relevant authority in a third country
or an international organisation;

(c) section 76 makes special provision about subsequent transfers of
personal data.

(2) In this Chapter, “relevant authority”, in relation to a third country, means any
person based in a third country that has (in that country) functions comparable
to those of a competent authority.


General principles for transfers

71 General principles for transfers of personal data

(1) A controller may not transfer personal data to a third country or to an
international organisation unless—

(a) the three conditions set out in subsections (2) to (4) are met, and

(b) in a case where the personal data was originally transmitted or
otherwise made available to the controller or another competent
authority by a member State other than the United Kingdom, that
member State, or any person based in that member State which is a
competent authority for the purposes of the Law Enforcement
Directive, has authorised the transfer in accordance with the law of the
member State.

(2) Condition 1 is that the transfer is necessary for any of the law enforcement
purposes.

(3) Condition 2 is that the transfer—

(a) is based on an adequacy decision (see section 72),

(b) if not based on an adequacy decision, is based on there being
appropriate safeguards (see section 73), or

(c) if not based on an adequacy decision or on there being appropriate
safeguards, is based on special circumstances (see section 74).

(4) Condition 3 is that—

(a) the intended recipient is a relevant authority in a third country or an
international organisation that is a relevant international organisation,
or

(b) in a case where the controller is a competent authority specified in any
of paragraphs 4 to 16, 20 to 43, 46 and 48 of Schedule 7—

(i) the intended recipient is a person in a third country other than
a relevant authority, and

(ii) the additional conditions in section 75 are met.

(5) Authorisation is not required as mentioned in subsection (1)(b) if—

(a) the transfer is necessary for the prevention of an immediate and serious
threat either to the public security of a member State or a third country
or to the essential interests of a member State, and

(b) the authorisation cannot be obtained in good time.

(6) Where a transfer is made without the authorisation mentioned in subsection
(1)(b), the authority in the member State which would have been responsible
for deciding whether to authorise the transfer must be informed without delay.

(7) In this section, “relevant international organisation” means an international
organisation that carries out functions for any of the law enforcement
purposes.

72 Transfers on the basis of an adequacy decision

A transfer of personal data to a third country or an international organisation
is based on an adequacy decision where—

(a) the European Commission has decided, in accordance with Article 36
of the Law Enforcement Directive, that—


(i) the third country or a territory or one or more specified sectors
within that third country, or

(ii) (as the case may be) the international organisation,

ensures an adequate level of protection of personal data, and

(b) that decision has not been repealed or suspended, or amended in a way
that demonstrates that the Commission no longer considers there to be
an adequate level of protection of personal data.

73 Transfers on the basis of appropriate safeguards

(1) A transfer of personal data to a third country or an international organisation
is based on there being appropriate safeguards where—

(a) a legal instrument containing appropriate safeguards for the protection
of personal data binds the intended recipient of the data, or

(b) the controller, having assessed all the circumstances surrounding
transfers of that type of personal data to the third country or
international organisation, concludes that appropriate safeguards exist
to protect the data.

(2) The controller must inform the Commissioner about the categories of data
transfers that take place in reliance on subsection (1)(b).

(3) Where a transfer of data takes place in reliance on subsection (1)—

(a) the transfer must be documented,

(b) the documentation must be provided to the Commissioner on request,
and

(c) the documentation must include, in particular—

(i) the date and time of the transfer,

(ii) the name of and any other pertinent information about the
recipient,

(iii) the justification for the transfer, and

(iv) a description of the personal data transferred.

74 Transfers on the basis of special circumstances

(1) A transfer of personal data to a third country or international organisation is
based on special circumstances where the transfer is necessary—

(a) to protect the vital interests of the data subject or another person,

(b) to safeguard the legitimate interests of the data subject,

(c) for the prevention of an immediate and serious threat to the public
security of a member State or a third country,

(d) in individual cases for any of the law enforcement purposes, or

(e) in individual cases for a legal purpose.

(2) But subsection (1)(d) and (e) do not apply if the controller determines that
fundamental rights and freedoms of the data subject override the public
interest in the transfer.

(3) Where a transfer of data takes place in reliance on subsection (1)—

(a) the transfer must be documented,

(b) the documentation must be provided to the Commissioner on request,
and

(c) the documentation must include, in particular—


(i) the date and time of the transfer,

(ii) the name of and any other pertinent information about the
recipient,

(iii) the justification for the transfer, and

(iv) a description of the personal data transferred.

(4) For the purposes of this section, a transfer is necessary for a legal purpose if—

(a) it is necessary for the purpose of, or in connection with, any legal
proceedings (including prospective legal proceedings) relating to any
of the law enforcement purposes,

(b) it is necessary for the purpose of obtaining legal advice in relation to
any of the law enforcement purposes, or

(c) it is otherwise necessary for the purposes of establishing, exercising or
defending legal rights in relation to any of the law enforcement
purposes.

Transfers to particular recipients

75 Transfers of personal data to persons other than relevant authorities

(1) The additional conditions referred to in section 71(4)(b)(ii) are the following
four conditions.

(2) Condition 1 is that the transfer is strictly necessary in a specific case for the
performance of a task of the transferring controller as provided by law for any
of the law enforcement purposes.

(3) Condition 2 is that the transferring controller has determined that there are no
fundamental rights and freedoms of the data subject concerned that override
the public interest necessitating the transfer.

(4) Condition 3 is that the transferring controller considers that the transfer of the
personal data to a relevant authority in the third country would be ineffective
or inappropriate (for example, where the transfer could not be made in
sufficient time to enable its purpose to be fulfilled).

(5) Condition 4 is that the transferring controller informs the intended recipient of
the specific purpose or purposes for which the personal data may, so far as
necessary, be processed.

(6) Where personal data is transferred to a person in a third country other than a
relevant authority, the transferring controller must inform a relevant authority
in that third country without undue delay of the transfer, unless this would be
ineffective or inappropriate.

(7) The transferring controller must—

(a) document any transfer to a recipient in a third country other than a
relevant authority, and

(b) inform the Commissioner about the transfer.

(8) This section does not affect the operation of any international agreement in
force between member States and third countries in the field of judicial
co-operation in criminal matters and police co-operation.


Subsequent transfers

76 Subsequent transfers

(1) Where personal data is transferred in accordance with section 71, the
transferring controller must make it a condition of the transfer that the data is
not to be further transferred to a third country or international organisation
without the authorisation of the transferring controller or another competent
authority.

(2) A competent authority may give an authorisation under subsection (1) only
where the further transfer is necessary for a law enforcement purpose.

(3) In deciding whether to give the authorisation, the competent authority must
take into account (among any other relevant factors)—

(a) the seriousness of the circumstances leading to the request for
authorisation,

(b) the purpose for which the personal data was originally transferred, and

(c) the standards for the protection of personal data that apply in the third
country or international organisation to which the personal data would
be transferred.

(4) In a case where the personal data was originally transmitted or otherwise made
available to the transferring controller or another competent authority by a
member State other than the United Kingdom, an authorisation may not be
given under subsection (1) unless that member State, or any person based in
that member State which is a competent authority for the purposes of the Law
Enforcement Directive, has authorised the transfer in accordance with the law
of the member State.

(5) Authorisation is not required as mentioned in subsection (4) if—

(a) the transfer is necessary for the prevention of an immediate and serious
threat either to the public security of a member State or a third country
or to the essential interests of a member State, and

(b) the authorisation cannot be obtained in good time.

(6) Where a transfer is made without the authorisation mentioned in subsection
(4), the authority in the member State which would have been responsible for
deciding whether to authorise the transfer must be informed without delay.

CHAPTER 6 Supplementary

77 National security: certificates by the Minister

(1) A Minister of the Crown may issue a certificate certifying, for the purposes of
section 42(4), 43(4), 46(3) or 66(7), that a restriction is a necessary and
proportionate measure to protect national security.

(2) The certificate may—

(a) relate to a specific restriction (described in the certificate) which a
controller has imposed or is proposing to impose under section 42(4),
43(4), 46(3) or 66(7), or


(b) identify any restriction to which it relates by means of a general
description.

(3) Subject to subsection (6), a certificate issued under subsection (1) is conclusive
evidence that the specific restriction or (as the case may be) any restriction
falling within the general description is, or at any time was, a necessary and
proportionate measure to protect national security.

(4) A certificate issued under subsection (1) may be expressed to have prospective
effect.

(5) Any person directly affected by the issuing of a certificate under subsection (1)
may appeal to the Tribunal against the certificate.

(6) If, on an appeal under subsection (5), the Tribunal finds that, applying the
principles applied by a court on an application for judicial review, the Minister
did not have reasonable grounds for issuing the certificate, the Tribunal may—

(a) allow the appeal, and

(b) quash the certificate.

(7) Where in any proceedings under or by virtue of this Act, it is claimed by a
controller that a restriction falls within a general description in a certificate
issued under subsection (1), any other party to the proceedings may appeal to
the Tribunal on the ground that the restriction does not fall within that
description.

(8) But, subject to any determination under subsection (9), the restriction is to be
conclusively presumed to fall within the general description.

(9) On an appeal under subsection (7), the Tribunal may determine that the
certificate does not so apply.

(10) A document purporting to be a certificate under subsection (1) is to be—

(a) received in evidence, and

(b) deemed to be such a certificate unless the contrary is proved.

(11) A document which purports to be certified by or on behalf of a Minister of the
Crown as a true copy of a certificate issued by that Minister under subsection
(1) is—

(a) in any legal proceedings, evidence of that certificate, and

(b) in any legal proceedings in Scotland, sufficient evidence of that
certificate.

(12) The power conferred by subsection (1) on a Minister of the Crown is
exercisable only by—

(a) a Minister who is a member of the Cabinet, or

(b) the Attorney General or the Advocate General for Scotland.

(13) No power conferred by any provision of Part 6 may be exercised in relation to
the imposition of—

(a) a specific restriction in a certificate under subsection (1), or

(b) a restriction falling within a general description in such a certificate.


78 Special processing restrictions

(1) Subsections (3) and (4) apply where, for a law enforcement purpose, a
controller transmits or otherwise makes available personal data to an EU
recipient or a non-EU recipient.

(2) In this section—

“EU recipient” means—

(a) a recipient in a member State other than the United Kingdom, or

(b) an agency, office or body established pursuant to Chapters 4
and 5 of Title V of the Treaty on the Functioning of the European
Union;

“non-EU recipient” means—

(a) a recipient in a third country, or

(b) an international organisation.

(3) The controller must consider whether, if the personal data had instead been
transmitted or otherwise made available within the United Kingdom to
another competent authority, processing of the data by the other competent
authority would have been subject to any restrictions by virtue of any
enactment or rule of law.

(4) Where that would be the case, the controller must inform the EU recipient or
non-EU recipient that the data is transmitted or otherwise made available
subject to compliance by that person with the same restrictions (which must be
set out in the information given to that person).

(5) Except as provided by subsection (4), the controller may not impose
restrictions on the processing of personal data transmitted or otherwise made
available by the controller to an EU recipient.

(6) Subsection (7) applies where—

(a) a competent authority for the purposes of the Law Enforcement
Directive in a member State other than the United Kingdom transmits
or otherwise makes available personal data to a controller for a law
enforcement purpose, and

(b) the competent authority in the other member State informs the
controller, in accordance with any law of that member State which
implements Article 9(3) and (4) of the Law Enforcement Directive, that
the data is transmitted or otherwise made available subject to
compliance by the controller with restrictions set out by the competent
authority.

(7) The controller must comply with the restrictions.

79 Reporting of infringements

(1) Each controller must implement effective mechanisms to encourage the
reporting of an infringement of this Part.

(2) The mechanisms implemented under subsection (1) must provide that an
infringement may be reported to any of the following persons—

(a) the controller;

(b) the Commissioner.

(3) The mechanisms implemented under subsection (1) must include—


(a) raising awareness of the protections provided by Part 4A of the
Employment Rights Act 1996 and Part 5A of the Employment Rights
(Northern Ireland) Order 1996 (S.I. 1996/1919 (N.I. 16)), and

(b) such other protections for a person who reports an infringement of this
Part as the controller considers appropriate.

(4) A person who reports an infringement of this Part does not breach—

(a) an obligation of confidence owed by the person, or

(b) any other restriction on the disclosure of information (however
imposed).

(5) Subsection (4) does not apply if or to the extent that the report includes a
disclosure which is prohibited by any of Parts 1 to 7 or Chapter 1 of Part 9 of
the Investigatory Powers Act 2016.

Part 4 Intelligence services processing

CHAPTER 1 Scope and definitions

Scope

80 Processing to which this Part applies

(1) This Part applies to—

(a) the processing by an intelligence service of personal data wholly or
partly by automated means, and

(b) the processing by an intelligence service otherwise than by automated
means of personal data which forms part of a filing system or is
intended to form part of a filing system.

(2) In this Part “intelligence service” means—

(a) the Security Service;

(b) the Secret Intelligence Service;

(c) the Government Communications Headquarters.

(3) A reference in this Part to the processing of personal data is to processing to
which this Part applies.

Definitions

81 Meaning of “controller” and “processor”

(1) In this Part, “controller” means the intelligence service which, alone or jointly
with others—

(a) determines the purposes and means of the processing of personal data,
or

(b) is the controller by virtue of subsection (2).

(2) Where personal data is processed only—


(a) for purposes for which it is required by an enactment to be processed,
and

(b) by means by which it is required by an enactment to be processed,

the intelligence service on which the obligation to process the data is imposed
by the enactment (or, if different, one of the enactments) is the controller.

(3) In this Part, “processor” means any person who processes personal data on
behalf of the controller (other than a person who is an employee of the
controller).

82 Other definitions

(1) This section defines other expressions used in this Part.

(2) “Consent”, in relation to the processing of personal data relating to an
individual, means a freely given, specific, informed and unambiguous
indication of the individual’s wishes by which the individual, by a statement
or by a clear affirmative action, signifies agreement to the processing of the
personal data.

(3) “Employee”, in relation to any person, includes an individual who holds a
position (whether paid or unpaid) under the direction and control of that
person.

(4) “Personal data breach” means a breach of security leading to the accidental or
unlawful destruction, loss, alteration, unauthorised disclosure of, or access to,
personal data transmitted, stored or otherwise processed.

(5) “Recipient”, in relation to any personal data, means any person to whom the
data is disclosed, whether a third party or not, but it does not include a person
to whom disclosure is or may be made in the framework of a particular inquiry
in accordance with the law.

(6) “Restriction of processing” means the marking of stored personal data with the
aim of limiting its processing for the future.

(7) Sections 2 and 184 include definitions of other expressions used in this Part.

CHAPTER 2 Principles

Overview

83 Overview

(1) This Chapter sets out the six data protection principles as follows—

(a) section 84 sets out the first data protection principle (requirement that
processing be lawful, fair and transparent);

(b) section 85 sets out the second data protection principle (requirement
that the purposes of processing be specified, explicit and legitimate);

(c) section 86 sets out the third data protection principle (requirement that
personal data be adequate, relevant and not excessive);

(d) section 87 sets out the fourth data protection principle (requirement
that personal data be accurate and kept up to date);


(e) section 88 sets out the fifth data protection principle (requirement that
personal data be kept for no longer than is necessary);

(f) section 89 sets out the sixth data protection principle (requirement that
personal data be processed in a secure manner).

(2) Each of sections 84, 85 and 89 makes provision to supplement the principle to
which it relates.

The data protection principles

84 The first data protection principle

(1) The first data protection principle is that the processing of personal data must
be—

(a) lawful, and

(b) fair and transparent.

(2) The processing of personal data is lawful only if and to the extent that—

(a) at least one of the conditions in Schedule 9 is met, and

(b) in the case of sensitive processing, at least one of the conditions in
Schedule 10 is also met.

(3) The Secretary of State may by regulations amend Schedule 10 by adding,
varying or omitting conditions.

(4) Regulations under subsection (3) are subject to the affirmative resolution
procedure.

(5) In determining whether the processing of personal data is fair and transparent,
regard is to be had to the method by which it is obtained.

(6) For the purposes of subsection (5), data is to be treated as obtained fairly and
transparently if it consists of information obtained from a person who—

(a) is authorised by an enactment to supply it, or

(b) is required to supply it by an enactment or by an international
obligation of the United Kingdom.

(7) In this section, “sensitive processing” means—

(a) the processing of personal data revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs or trade union
membership;

(b) the processing of genetic data for the purpose of uniquely identifying
an individual;

(c) the processing of biometric data for the purpose of uniquely identifying
an individual;

(d) the processing of data concerning health;

(e) the processing of data concerning an individual’s sex life or sexual
orientation;

(f) the processing of personal data as to—

(i) the commission or alleged commission of an offence by an
individual, or

(ii) proceedings for an offence committed or alleged to have been
committed by an individual, the disposal of such proceedings
or the sentence of a court in such proceedings.