Data Protection Bill (HL Bill 66)

Data Protection BillPage 50

85 The second data protection principle

(1) The second data protection principle is that—

(a) the purpose for which personal data is collected on any occasion must
be specified, explicit and legitimate, and

(b) personal data so collected must not be processed in a manner that is
incompatible with the purpose for which it is collected.

(2) Paragraph (b) of the second data protection principle is subject to subsections
(3) and (4).

(3) Personal data collected by a controller for one purpose may be processed for
any other purpose of the controller that collected the data or any purpose of
another controller provided that—

(a) the controller is authorised by law to process the data for that purpose,
and

(b) the processing is necessary and proportionate to that other purpose.

(4) Processing of personal data is to be regarded as compatible with the purpose
for which it is collected if the processing—

(a) consists of—

(i) processing for archiving purposes in the public interest,

(ii) processing for the purposes of scientific or historical research,
or

(iii) processing for statistical purposes, and

(b) is subject to appropriate safeguards for the rights and freedoms of the
data subject.

86 The third data protection principle

The third data protection principle is that personal data must be adequate,
relevant and not excessive in relation to the purpose for which it is processed.

87 The fourth data protection principle

The fourth data protection principle is that personal data undergoing
processing must be accurate and, where necessary, kept up to date.

88 The fifth data protection principle

The fifth data protection principle is that personal data must be kept for no
longer than is necessary for the purpose for which it is processed.

89 The sixth data protection principle

(1) The sixth data protection principle is that personal data must be processed in a
manner that includes taking appropriate security measures as regards risks
that arise from processing personal data.

(2) The risks referred to in subsection (1) include (but are not limited to) accidental
or unauthorised access to, or destruction, loss, use, modification or disclosure
of, personal data.


CHAPTER 3 Rights of the data subject

Overview

90 Overview

(1) This Chapter sets out the rights of the data subject as follows—

(a) section 91 deals with the information to be made available to the data
subject;

(b) sections 92 and 93 deal with the right of access by the data subject;

(c) sections 94 to 96 deal with rights in relation to automated processing;

(d) section 97 deals with the right to object to processing;

(e) section 98 deals with rights to rectification and erasure of personal data.

(2) In this Chapter, “the controller”, in relation to a data subject, means the
controller in relation to personal data relating to the data subject.

Rights

91 Right to information

(1) The controller must give a data subject the following information—

(a) the identity and the contact details of the controller;

(b) the legal basis on which, and the purposes for which, the controller
processes personal data;

(c) the categories of personal data relating to the data subject that are being
processed;

(d) the recipients or the categories of recipients of the personal data (if
applicable);

(e) the right to lodge a complaint with the Commissioner and the contact
details of the Commissioner;

(f) how to exercise rights under this Chapter;

(g) any other information needed to secure that the personal data is
processed fairly and transparently.

(2) The controller may comply with subsection (1) by making information
generally available, where the controller considers it appropriate to do so.

(3) The controller is not required under subsection (1) to give a data subject
information that the data subject already has.

(4) Where personal data relating to a data subject is collected by or on behalf of the
controller from a person other than the data subject, the requirement in
subsection (1) has effect, in relation to the personal data so collected, with the
following exceptions—

(a) the requirement does not apply in relation to processing that is
authorised by an enactment;

(b) the requirement does not apply in relation to the data subject if giving
the information to the data subject would be impossible or involve
disproportionate effort.


92 Right of access

(1) An individual is entitled to obtain from a controller—

(a) confirmation as to whether or not personal data concerning the
individual is being processed, and

(b) where that is the case—

(i) communication, in intelligible form, of the personal data of
which that individual is the data subject, and

(ii) the information set out in subsection (2).

(2) That information is—

(a) the purposes of and legal basis for the processing;

(b) the categories of personal data concerned;

(c) the recipients or categories of recipients to whom the personal data has
been disclosed;

(d) the period for which the personal data is to be preserved;

(e) the existence of a data subject’s rights to rectification and erasure of
personal data (see section 98);

(f) the right to lodge a complaint with the Commissioner and the contact
details of the Commissioner;

(g) any information about the origin of the personal data concerned.

(3) A controller is not obliged to provide information under this section unless the
controller has received such reasonable fee as the controller may require,
subject to subsection (4).

(4) The Secretary of State may by regulations—

(a) specify cases in which a controller may not charge a fee;

(b) specify the maximum amount of a fee.

(5) Where a controller—

(a) reasonably requires further information—

(i) in order that the controller be satisfied as to the identity of the
individual making a request under subsection (1), or

(ii) to locate the information which that individual seeks, and

(b) has informed that individual of that requirement,

the controller is not obliged to comply with the request unless the controller is
supplied with that further information.

(6) Where a controller cannot comply with the request without disclosing
information relating to another individual who can be identified from that
information, the controller is not obliged to comply with the request unless—

(a) the other individual has consented to the disclosure of the information
to the individual making the request, or

(b) it is reasonable in all the circumstances to comply with the request
without the consent of the other individual.

(7) In subsection (6), the reference to information relating to another individual
includes a reference to information identifying that individual as the source of
the information sought by the request.

(8) Subsection (6) is not to be construed as excusing a controller from
communicating so much of the information sought by the request as can be
communicated without disclosing the identity of the other individual
concerned, whether by the omission of names or other identifying particulars
or otherwise.

(9) In determining for the purposes of subsection (6)(b) whether it is reasonable in
all the circumstances to comply with the request without the consent of the
other individual concerned, regard must be had, in particular, to—

(a) any duty of confidentiality owed to the other individual,

(b) any steps taken by the controller with a view to seeking the consent of
the other individual,

(c) whether the other individual is capable of giving consent, and

(d) any express refusal of consent by the other individual.

(10) Subject to subsection (6), a controller must comply with a request under
subsection (1)—

(a) promptly, and

(b) in any event before the end of the applicable time period.

(11) If a court is satisfied on the application of an individual who has made a
request under subsection (1) that the controller in question has failed to comply
with the request in contravention of this section, the court may order the
controller to comply with the request.

(12) The jurisdiction conferred on a court by this section is exercisable by the High
Court or, in Scotland, by the Court of Session.

(13) In this section—

“the applicable time period” means the period of—

(a) one month, or

(b) such longer period, not exceeding three months, as may be
specified in regulations made by the Secretary of State,

beginning with the relevant day;

“the relevant day”, in relation to a request under subsection (1), means the
latest of the following days—

(a) the day on which the controller receives the request,

(b) the day on which the fee (if any) is paid, and

(c) the day on which the controller receives the information (if any)
required under subsection (5) in connection with the request.

(14) Regulations under this section are subject to the negative resolution procedure.

93 Right of access: supplementary

(1) The controller must comply with the obligation imposed by section 92(1)(b)(i)
by supplying the data subject with a copy of the information in writing
unless—

(a) the supply of such a copy is not possible or would involve
disproportionate effort, or

(b) the data subject agrees otherwise;

and where any of the information referred to in section 92(1)(b)(i) is expressed
in terms which are not intelligible without explanation the copy must be
accompanied by an explanation of those terms.

(2) Where a controller has previously complied with a request made under section
92 by an individual, the controller is not obliged to comply with a subsequent
identical or similar request under that section by that individual unless a
reasonable interval has elapsed between compliance with the previous request
and the making of the current request.

(3) In determining for the purposes of subsection (2) whether requests under
section 92 are made at reasonable intervals, regard must be had to—

(a) the nature of the data,

(b) the purpose for which the data is processed, and

(c) the frequency with which the data is altered.

(4) The information to be supplied pursuant to a request under section 92 must be
supplied by reference to the data in question at the time when the request is
received, except that it may take account of any amendment or deletion made
between that time and the time when the information is supplied, being an
amendment or deletion that would have been made regardless of the receipt of
the request.

(5) For the purposes of section 92(6) to (8), an individual can be identified from
information to be disclosed to a data subject by a controller if the individual can
be identified from—

(a) that information, or

(b) that and any other information that the controller reasonably believes
the data subject making the request is likely to possess or obtain.

94 Right not to be subject to automated decision-making

(1) The controller may not take a decision significantly affecting a data subject that
is based solely on automated processing of personal data relating to the data
subject.

(2) Subsection (1) does not prevent such a decision being made on that basis if—

(a) the decision is required or authorised by law,

(b) the data subject has given consent to the decision being made on that
basis, or

(c) the decision is a decision taken in the course of steps taken—

(i) for the purpose of considering whether to enter into a contract
with the data subject,

(ii) with a view to entering into such a contract, or

(iii) in the course of performing such a contract.

(3) For the purposes of this section, a decision that has legal effects as regards an
individual is to be regarded as significantly affecting the individual.

95 Right to intervene in automated decision-making

(1) This section applies where—

(a) the controller takes a decision significantly affecting a data subject that
is based solely on automated processing of personal data relating to the
data subject, and

(b) the decision is required or authorised by law.

(2) This section does not apply to such a decision if—

(a) the data subject has given consent to the decision being made on that
basis, or


(b) the decision is a decision taken in the course of steps taken—

(i) for the purpose of considering whether to enter into a contract
with the data subject,

(ii) with a view to entering into such a contract, or

(iii) in the course of performing such a contract.

(3) The controller must as soon as reasonably practicable notify the data subject
that such a decision has been made.

(4) The data subject may, before the end of the period of 21 days beginning with
receipt of the notification, request the controller—

(a) to reconsider the decision, or

(b) to take a new decision that is not based solely on automated processing.

(5) If a request is made to the controller under subsection (4), the controller must,
before the end of the period of 21 days beginning with receipt of the request—

(a) consider the request, including any information provided by the data
subject that is relevant to it, and

(b) by notice in writing inform the data subject of the outcome of that
consideration.

(6) For the purposes of this section, a decision that has legal effects as regards an
individual is to be regarded as significantly affecting the individual.

96 Right to information about decision-making

(1) Where—

(a) the controller processes personal data relating to a data subject, and

(b) results produced by the processing are applied to the data subject,

the data subject is entitled to obtain from the controller, on request, knowledge
of the reasoning underlying the processing.

(2) Where the data subject makes a request under subsection (1), the controller
must comply with the request without undue delay.

97 Right to object to processing

(1) A data subject is entitled at any time, by notice given to the controller, to
require the controller—

(a) not to process personal data relating to the data subject, or

(b) not to process such data for a specified purpose or in a specified
manner,

on the ground that, for specified reasons relating to the situation of the data
subject, the processing in question is an unwarranted interference with the
interests or rights of the data subject.

(2) Where the controller—

(a) reasonably requires further information—

(i) in order that the controller be satisfied as to the identity of the
individual giving notice under subsection (1), or

(ii) to locate the data to which the notice relates, and

(b) has informed that individual of that requirement,

the controller is not obliged to comply with the notice unless the controller is
supplied with that further information.


(3) The controller must, before the end of 21 days beginning with the relevant day,
give a notice to the data subject—

(a) stating that the controller has complied or intends to comply with the
notice under subsection (1), or

(b) stating the controller’s reasons for not complying with the notice to any
extent and the extent (if any) to which the controller has complied or
intends to comply with the notice under subsection (1).

(4) If the controller does not comply with a notice under subsection (1) to any
extent, the data subject may apply to a court for an order that the controller take
steps for complying with the notice.

(5) If the court is satisfied that the controller should comply with the notice (or
should comply to any extent), the court may order the controller to take such
steps for complying with the notice (or for complying with it to that extent) as
the court thinks fit.

(6) The jurisdiction conferred on a court by this section is exercisable by the High
Court or, in Scotland, by the Court of Session.

(7) In this section, “the relevant day”, in relation to a notice under subsection (1),
means—

(a) the day on which the controller receives the notice, or

(b) if later, the day on which the controller receives the information (if any)
required under subsection (2) in connection with the notice.

98 Rights to rectification and erasure

(1) If a court is satisfied on the application of a data subject that personal data
relating to the data subject is inaccurate, the court may order the controller to
rectify that data without undue delay.

(2) If a court is satisfied on the application of a data subject that the processing of
personal data relating to the data subject would infringe any of sections 84 to
89, the court may order the controller to erase that data without undue delay.

(3) If personal data relating to the data subject must be maintained for the
purposes of evidence, the court may (instead of ordering the controller to
rectify or erase the personal data) order the controller to restrict its processing
without undue delay.

(4) If—

(a) the data subject contests the accuracy of personal data, and

(b) the court is satisfied that the controller is not able to ascertain whether
the data is accurate or not,

the court may (instead of ordering the controller to rectify or erase the personal
data) order the controller to restrict its processing without undue delay.

(5) The jurisdiction conferred on a court by this section is exercisable by the High
Court or, in Scotland, by the Court of Session.


CHAPTER 4 Controller and processor

Overview

99 Overview

This Chapter sets out—

(a) the general obligations of controllers and processors (see sections 100 to
104);

(b) specific obligations of controllers and processors with respect to
security (see section 105);

(c) specific obligations of controllers and processors with respect to
personal data breaches (see section 106).

General obligations

100 General obligations of the controller

Each controller must implement appropriate measures—

(a) to ensure, and

(b) to be able to demonstrate, in particular to the Commissioner,

that the processing of personal data complies with the requirements of this
Part.

101 Data protection by design

(1) Where a controller proposes that a particular type of processing of personal
data be carried out by or on behalf of the controller, the controller must, prior
to the processing, consider the impact of the proposed processing on the rights
and freedoms of data subjects.

(2) A controller must implement appropriate technical and organisational
measures which are designed to ensure that—

(a) the data protection principles are implemented, and

(b) risks to the rights and freedoms of data subjects are minimised.

102 Joint controllers

(1) Where two or more intelligence services jointly determine the purposes and
means of processing personal data, they are joint controllers for the purposes
of this Part.

(2) Joint controllers must, in a transparent manner, determine their respective
responsibilities for compliance with this Part by means of an arrangement
between them, except to the extent that those responsibilities are determined
under or by virtue of an enactment.

(3) The arrangement must designate the controller which is to be the contact point
for data subjects.


103 Processors

(1) This section applies to the use by a controller of a processor to carry out
processing of personal data on behalf of the controller.

(2) The controller may use only a processor who undertakes—

(a) to implement appropriate measures that are sufficient to secure that the
processing complies with this Part;

(b) to provide to the controller such information as is necessary for
demonstrating that the processing complies with this Part.

(3) If a processor determines, in breach of this Part, the purposes and means of
processing, the processor is to be treated for the purposes of this Part as a
controller in respect of that processing.

104 Processing under the authority of the controller or processor

A processor, and any person acting under the authority of a controller or
processor, who has access to personal data may not process the data except—

(a) on instructions from the controller, or

(b) to comply with a legal obligation.

Obligations relating to security

105 Security of processing

(1) Each controller and each processor must implement security measures
appropriate to the risks arising from the processing of personal data.

(2) In the case of automated processing, each controller and each processor must,
following an evaluation of the risks, implement measures designed to—

(a) prevent unauthorised processing or unauthorised interference with the
systems used in connection with it,

(b) ensure that it is possible to establish the precise details of any
processing that takes place,

(c) ensure that any systems used in connection with the processing
function properly and may, in the case of interruption, be restored, and

(d) ensure that stored personal data cannot be corrupted if a system used
in connection with the processing malfunctions.

Obligations relating to personal data breaches

106 Communication of a personal data breach

(1) If a controller becomes aware of a serious personal data breach in relation to
personal data for which the controller is responsible, the controller must notify
the Commissioner of the breach without undue delay.

(2) Where the notification to the Commissioner is not made within 72 hours, the
notification must be accompanied by reasons for the delay.

(3) Subject to subsection (4), the notification must include—

(a) a description of the nature of the personal data breach including, where
possible, the categories and approximate number of data subjects
concerned and the categories and approximate number of personal
data records concerned;

(b) the name and contact details of the contact point from whom more
information can be obtained;

(c) a description of the likely consequences of the personal data breach;

(d) a description of the measures taken or proposed to be taken by the
controller to address the personal data breach, including, where
appropriate, measures to mitigate its possible adverse effects.

(4) Where and to the extent that it is not possible to provide all the information
mentioned in subsection (3) at the same time, the information may be provided
in phases without undue further delay.

(5) If a processor becomes aware of a personal data breach (in relation to data
processed by the processor), the processor must notify the controller without
undue delay.

(6) Subsection (1) does not apply in relation to a personal data breach if the breach
also constitutes a relevant error within the meaning given by section 231(9) of
the Investigatory Powers Act 2016.

(7) For the purposes of this section, a personal data breach is serious if the breach
seriously interferes with the rights and freedoms of a data subject.

CHAPTER 5 Transfers of personal data outside the United Kingdom

107 Transfers of personal data outside the United Kingdom

(1) A controller may not transfer personal data to—

(a) a country or territory outside the United Kingdom, or

(b) an international organisation,

unless the transfer falls within subsection (2).

(2) A transfer of personal data falls within this subsection if the transfer is a
necessary and proportionate measure carried out—

(a) for the purposes of the controller’s statutory functions, or

(b) for other purposes provided for, in relation to the controller, in section
2(2)(a) of the Security Service Act 1989 or section 2(2)(a) or 4(2)(a) of the
Intelligence Services Act 1994.

CHAPTER 6 Exemptions

108 National security

(1) A provision mentioned in subsection (2) does not apply to personal data to
which this Part applies if exemption from the provision is required for the
purpose of safeguarding national security.

(2) The provisions are—