Data Protection Bill (HL Bill 66)

(a) Chapter 2 (the data protection principles), except section 84(1)(a) and
(2) and Schedules 9 and 10;

(b) Chapter 3 (rights of data subjects);

(c) in Chapter 4, section 106 (communication of a personal data breach to
5the Commissioner);

(d) in Part 5—

(i) section 117 (inspection in accordance with international
obligations);

(ii) in Schedule 13 (other general functions of the Commissioner),
10paragraphs 1(a) and (g) and 2;

(e) in Part 6—

(i) sections 137 to 147 and Schedule 15 (Commissioner’s notices
and powers of entry and inspection);

(ii) sections 161 to 163 (offences relating to personal data);

(iii) 15sections 164 to 166 (provision relating to the special purposes).

109 National security: certificate

(1) Subject to subsection (3), a certificate signed by a Minister of the Crown
certifying that exemption from all or any of the provisions mentioned in
section 108(2) is, or at any time was, required for the purpose of safeguarding
20national security in respect of any personal data is conclusive evidence of that
fact.

(2) A certificate under subsection (1)—

(a) may identify the personal data to which it applies by means of a general
description, and

(b) 25may be expressed to have prospective effect.

(3) Any person directly affected by the issuing of a certificate under subsection (1)
may appeal to the Tribunal against the certificate.

(4) If on an appeal under subsection (3), the Tribunal finds that, applying the
principles applied by a court on an application for judicial review, the Minister
30did not have reasonable grounds for issuing the certificate, the Tribunal may—

(a) allow the appeal, and

(b) quash the certificate.

(5) Where, in any proceedings under or by virtue of this Act, it is claimed by a
controller that a certificate under subsection (1) which identifies the personal
35data to which it applies by means of a general description applies to any
personal data, another party to the proceedings may appeal to the Tribunal on
the ground that the certificate does not apply to the personal data in question.

(6) But, subject to any determination under subsection (7), the certificate is to be
conclusively presumed so to apply.

(7) 40On an appeal under subsection (5), the Tribunal may determine that the
certificate does not so apply.

(8) A document purporting to be a certificate under subsection (1) is to be—

(a) received in evidence, and

(b) deemed to be such a certificate unless the contrary is proved.

(9) A document which purports to be certified by or on behalf of a Minister of the
Crown as a true copy of a certificate issued by that Minister under subsection
(1) is—

(a) in any legal proceedings, evidence of that certificate, and

(b) 5in any legal proceedings in Scotland, sufficient evidence of that
certificate.

(10) The power conferred by subsection (1) on a Minister of the Crown is
exercisable only by—

(a) a Minister who is a member of the Cabinet, or

(b) 10the Attorney General or the Advocate General for Scotland.

110 Other exemptions

Schedule 11 provides for further exemptions.

111 Power to make further exemptions

(1) Regulations made by the Secretary of State may provide for further exemptions
15from any provision of this Part.

(2) Regulations under this section may include provision amending or repealing
any provision of Schedule 11.

(3) Regulations under this section are subject to the affirmative resolution
procedure.

20Part 5 The Information Commissioner

The Commissioner

112 The Information Commissioner

(1) There is to continue to be an Information Commissioner.

(2) 25Schedule 12 makes provision about the Commissioner.

General functions

113 General functions under the GDPR and safeguards

(1) The Commissioner is to be the supervisory authority in the United Kingdom
for the purposes of Article 51 of the GDPR.

(2) 30General functions are conferred on the Commissioner by—

(a) Article 57 of the GDPR (tasks), and

(b) Article 58 of the GDPR (powers).

(3) The Commissioner’s functions in relation to the processing of personal data to
which the GDPR applies include—

(a) 35a duty to advise Parliament, the government and other institutions and
bodies on legislative and administrative measures relating to the

protection of individuals’ rights and freedoms with regard to the
processing of personal data, and

(b) a power to issue, on the Commissioner’s own initiative or on request,
opinions to Parliament, the government or other institutions and
5bodies as well as to the public on any issue related to the protection of
personal data.

(4) The Commissioner’s functions under Article 58 of the GDPR are subject to the
safeguards in subsections (5) to (9).

(5) The Commissioner’s power under Article 58(1)(a) of the GDPR (power to
10require a controller or processor to provide information that the Commissioner
requires for the performance of the Commissioner’s tasks under the GDPR) is
exercisable only by giving an information notice under section 137.

(6) The Commissioner’s power under Article 58(1)(b) of the GDPR (power to carry
out data protection audits) is exercisable only in accordance with section 140.

(7) 15The Commissioner’s powers under Article 58(1)(e) and (f) of the GDPR (power
to obtain information from controllers and processors and access to their
premises) are exercisable only—

(a) in accordance with Schedule 15 (see section 147), or

(b) to the extent that they are exercised in conjunction with the power
20under Article 58(1)(b) of the GDPR, in accordance with section 140.

(8) The following powers are exercisable only by giving an enforcement notice
under section 142—

(a) the Commissioner’s powers under Article 58(2)(c) to (g) and (j) of the
GDPR (certain corrective powers);

(b) 25the Commissioner’s powers under Article 58(2)(h) to order a
certification body to withdraw, or not to issue, a certification under
Articles 42 and 43 of the GDPR.

(9) The Commissioner’s powers under Articles 58(2)(i) and 83 of the GDPR
(administrative fines) are exercisable only by giving a penalty notice under
30section 148.

(10) This section is without prejudice to other functions conferred on the
Commissioner, whether by the GDPR, this Act or otherwise.

114 Other general functions

(1) The Commissioner—

(a) 35is to be the supervisory authority in the United Kingdom for the
purposes of Article 41 of the Law Enforcement Directive, and

(b) is to continue to be the designated authority in the United Kingdom for
the purposes of Article 13 of the Data Protection Convention.

(2) Schedule 13 confers general functions on the Commissioner in connection with
40processing to which the GDPR does not apply.

(3) This section and Schedule 13 are without prejudice to other functions conferred
on the Commissioner, whether by this Act or otherwise.

115 Competence in relation to courts etc

Nothing in this Act permits or requires the Commissioner to exercise functions
in relation to the processing of personal data by—

(a) an individual acting in a judicial capacity, or

(b) 5a court or tribunal acting in its judicial capacity,

(and see also Article 55(3) of the GDPR).

International role

116 Co-operation and mutual assistance

(1) Articles 60 to 62 of the GDPR confer functions on the Commissioner in relation
10to co-operation and mutual assistance between, and joint operations of,
supervisory authorities under the GDPR.

(2) References to the GDPR in subsection (1) do not include the applied GDPR.

(3) Article 61 of the applied GDPR confers functions on the Commissioner in
relation to co-operation with other supervisory authorities (as defined in
15Article 4(21) of the applied GDPR).

(4) Part 1 of Schedule 14 makes provision as to the functions to be carried out by
the Commissioner for the purposes of Article 50 of the Law Enforcement
Directive (mutual assistance).

(5) Part 2 of Schedule 14 makes provision as to the functions to be carried out by
20the Commissioner for the purposes of Article 13 of the Data Protection
Convention (co-operation between parties).

117 Inspection of personal data in accordance with international obligations

(1) The Commissioner may inspect personal data where the inspection is
necessary in order to discharge an international obligation of the United
25Kingdom, subject to the restriction in subsection (2).

(2) The power is exercisable only if the personal data—

(a) is processed wholly or partly by automated means, or

(b) is processed otherwise than by automated means and forms part of a
filing system or is intended to form part of a filing system.

(3) 30The power under subsection (1) includes power to inspect, operate and test
equipment which is used for the processing of personal data.

(4) Before exercising the power under subsection (1), the Commissioner must by
written notice inform the controller and any processor that the Commissioner
intends to do so.

(5) 35Subsection (4) does not apply if the Commissioner considers that the case is
urgent.

(6) It is an offence—

(a) intentionally to obstruct a person exercising the power under
subsection (1), or

(b) 40to fail without reasonable excuse to give a person exercising that power
any assistance the person may reasonably require.

118 Further international role

(1) The Commissioner must, in relation to third countries and international
organisations, take appropriate steps to—

(a) develop international co-operation mechanisms to facilitate the
5effective enforcement of legislation for the protection of personal data;

(b) provide international mutual assistance in the enforcement of
legislation for the protection of personal data, subject to appropriate
safeguards for the protection of personal data and other fundamental
rights and freedoms;

(c) 10engage relevant stakeholders in discussion and activities aimed at
furthering international co-operation in the enforcement of legislation
for the protection of personal data;

(d) promote the exchange and documentation of legislation and practice
for the protection of personal data, including legislation and practice
15relating to jurisdictional conflicts with third countries.

(2) Subsection (1) applies only in connection with the processing of personal data
to which the GDPR does not apply; for the equivalent duty in connection with
the processing of personal data to which the GDPR applies, see Article 50 of the
GDPR (international co-operation for the protection of personal data).

(3) 20The Commissioner must carry out data protection functions which the
Secretary of State directs the Commissioner to carry out for the purpose of
enabling Her Majesty’s Government in the United Kingdom to give effect to an
international obligation of the United Kingdom.

(4) The Commissioner may provide an authority carrying out data protection
25functions under the law of a British overseas territory with assistance in
carrying out those functions.

(5) The Secretary of State may direct that assistance under subsection (4) is to be
provided on terms, including terms as to payment, specified or approved by
the Secretary of State.

(6) 30In this section—

• “data protection functions” means functions relating to the protection of
  individuals with respect to the processing of personal data;

• “mutual assistance in the enforcement of legislation for the protection of
  personal data” includes assistance in the form of notification, complaint
  35referral, investigative assistance and information exchange;

• “third country” means a country or territory that is not a member State.

Codes of practice

119 Data-sharing code

(1) The Commissioner must prepare a code of practice which contains—

(a) 40practical guidance in relation to the sharing of personal data in
accordance with the requirements of the data protection legislation,
and

(b) such other guidance as the Commissioner considers appropriate to
promote good practice in the sharing of personal data.

(2) Where a code under this section is in force, the Commissioner may prepare
amendments of the code or a replacement code.

(3) Before preparing a code or amendments under this section, the Commissioner
must consult the Secretary of State and such of the following as the
5Commissioner considers appropriate—

(a) trade associations;

(b) data subjects;

(c) persons who appear to the Commissioner to represent the interests of
data subjects.

(4) 10A code under this section may include transitional provision or savings.

(5) In this section—

• “good practice in the sharing of personal data” means such practice in the
  sharing of personal data as appears to the Commissioner to be desirable
  having regard to the interests of data subjects and others, including
  15compliance with the requirements of the data protection legislation;

• “the sharing of personal data” means the disclosure of personal data by
  transmission, dissemination or otherwise making it available;

• “trade association” includes a body representing controllers or
  processors.

120 20Direct marketing code

(1) The Commissioner must prepare a code of practice which contains—

(a) practical guidance in relation to the carrying out of direct marketing in
accordance with the requirements of the data protection legislation and
the Privacy and Electronic Communications (EC Directive) Regulations
252003 (S.I. 2003/2426), and

(b) such other guidance as the Commissioner considers appropriate to
promote good practice in direct marketing.

(2) Where a code under this section is in force, the Commissioner may prepare
amendments of the code or a replacement code.

(3) 30Before preparing a code or amendments under this section, the Commissioner
must consult the Secretary of State and such of the following as the
Commissioner considers appropriate—

(a) trade associations;

(b) data subjects;

(c) 35persons who appear to the Commissioner to represent the interests of
data subjects.

(4) A code under this section may include transitional provision or savings.

(5) In this section—

• “direct marketing” means the communication (by whatever means) of
  40advertising or marketing material which is directed to particular
  individuals;

• “good practice in direct marketing” means such practice in direct
  marketing as appears to the Commissioner to be desirable having
  regard to the interests of data subjects and others, including compliance
  45with the requirements mentioned in subsection (1)(a);

• “trade association” includes a body representing controllers or
  processors.

121 Approval of data-sharing and direct marketing codes

(1) When a code is prepared under section 119 or 120—

(a) 5the Commissioner must submit the final version to the Secretary of
State, and

(b) the Secretary of State must lay the code before Parliament.

(2) If, within the 40-day period, either House of Parliament resolves not to
approve the code, the Commissioner must not issue the code.

(3) 10If no such resolution is made within that period—

(a) the Commissioner must issue the code, and

(b) the code comes into force at the end of the period of 21 days beginning
with the day on which it is issued.

(4) If, as a result of subsection (2), there is no code in force under section 119 or 120,
15the Commissioner must prepare another version of the code.

(5) Nothing in subsection (2) prevents another version of the code being laid
before Parliament.

(6) In this section, “the 40-day period” means—

(a) if the code is laid before both Houses of Parliament on the same day, the
20period of 40 days beginning with that day, or

(b) if the code is laid before the Houses of Parliament on different days, the
period of 40 days beginning with the later of those days.

(7) In calculating the 40-day period, no account is to be taken of any period during
which Parliament is dissolved or prorogued or during which both Houses of
25Parliament are adjourned for more than 4 days.

(8) This section, other than subsection (4), applies in relation to amendments
prepared under sections 119 and 120 as it applies in relation to codes prepared
under those sections.

122 Publication and review of data-sharing and direct marketing codes

(1) 30The Commissioner must publish a code issued under section 121(3).

(2) Where an amendment of a code is issued under section 121(3), the
Commissioner must publish—

(a) the amendment, or

(b) the code as amended by it.

(3) 35The Commissioner must keep under review each code issued under section
121(3) for the time being in force.

(4) Where the Commissioner becomes aware that the terms of such a code could
result in a breach of an international obligation of the United Kingdom, the
Commissioner must exercise the power under section 119(2) or 120(2) with a
40view to remedying the situation.

123 Effect of data-sharing and direct marketing codes

(1) A failure by a person to act in accordance with a provision of a code issued
under section 121(3) does not of itself make that person liable to legal
proceedings in a court or tribunal.

(2) 5A code issued under section 121(3), including an amendment or replacement
code, is admissible in evidence in legal proceedings.

(3) In any proceedings before a court or tribunal, the court or tribunal must take
into account a provision of a code issued under section 121(3) in determining a
question arising in the proceedings if—

(a) 10the question relates to a time when the provision was in force, and

(b) the provision appears to the court or tribunal to be relevant to the
question.

(4) Where the Commissioner is carrying out a function described in subsection (5),
the Commissioner must take into account a provision of a code issued under
15section 121(3) in determining a question arising in connection with the carrying
out of the function if—

(a) the question relates to a time when the provision was in force, and

(b) the provision appears to the Commissioner to be relevant to the
question.

(5) 20Those functions are functions under—

(a) the data protection legislation, or

(b) the Privacy and Electronic Communications (EC Directive) Regulations
2003 (S.I. 2003/2426).

124 Other codes of practice

(1) 25The Secretary of State may by regulations require the Commissioner—

(a) to prepare appropriate codes of practice giving guidance as to good
practice in the processing of personal data, and

(b) to make them available to such persons as the Commissioner considers
appropriate.

(2) 30Before preparing such codes, the Commissioner must consult such of the
following as the Commissioner considers appropriate—

(a) trade associations;

(b) data subjects;

(c) persons who appear to the Commissioner to represent the interests of
35data subjects.

(3) Regulations under this section—

(a) must describe the personal data or processing to which the code of
practice is to relate, and

(b) may describe the persons or classes of person to whom it is to relate.

(4) 40Regulations under this section are subject to the negative resolution procedure.

(5) In this section—

• “good practice in the processing of personal data” means such practice in
  the processing of personal data as appears to the Commissioner to be
  desirable having regard to the interests of data subjects and others,

• including compliance with the requirements of the data protection
  legislation;

• “trade association” includes a body representing controllers or
  processors.

5Consensual audits

125 Consensual audits

(1) The Commissioner’s functions under Article 58(1) of the GDPR and paragraph
1 of Schedule 13 include power, with the consent of a controller or processor,
to carry out an assessment of whether the controller or processor is complying
10with good practice in the processing of personal data.

(2) The Commissioner must inform the controller or processor of the results of
such an assessment.

(3) In this section, “good practice in the processing of personal data” has the same
meaning as in section 124.

15Information provided to the Commissioner

126 Disclosure of information to the Commissioner

(1) No enactment or rule of law prohibiting or restricting the disclosure of
information precludes a person from providing the Commissioner with
information necessary for the discharge of the Commissioner’s functions
20under—

(a) the data protection legislation, or

(b) the information regulations.

(2) The “information regulations” means—

(a) the Privacy and Electronic Communications (EC Directive) Regulations
252003 (S.I. 2003/2426);

(b) the Environmental Information Regulations 2004 (S.I. 2004/3391);

(c) the INSPIRE Regulations 2009 (S.I. 2009/3157);

(d) the Re-use of Public Sector Information Regulations 2015 (S.I. 2015/
1415).

127 30Confidentiality of information

(1) It is an offence for a person who is or has been the Commissioner, or a member
of the Commissioner’s staff or an agent of the Commissioner, knowingly or
recklessly to disclose information which—

(a) has been obtained by, or provided to, the Commissioner under or for
35the purposes of the data protection legislation or the information
regulations,

(b) relates to an identified or identifiable living individual or business, and

(c) is not available to the public from other sources at the time of the
disclosure and has not previously been available to the public from
40other sources,

unless the disclosure is made with lawful authority.

(2) For the purposes of subsection (1), a disclosure is made with lawful authority
only if and to the extent that—

(a) the disclosure was made with the consent of the individual or of the
person for the time being carrying on the business,

(b) 5the information was provided for the purpose of its being made
available to the public (in whatever manner) under a provision of the
data protection legislation, the information regulations or the Freedom
of Information Act 2000,

(c) the disclosure was made for the purposes of, and is necessary for, the
10discharge of a function under the data protection legislation, the
information regulations or the Freedom of Information Act 2000,

(d) the disclosure was made for the purposes of, and is necessary for, the
discharge of an EU obligation,

(e) the disclosure was made for the purposes of criminal or civil
15proceedings, however arising, or

(f) having regard to the rights, freedoms and legitimate interests of any
person, the disclosure was necessary in the public interest.

(3) In this section, “the information regulations” has the same meaning as in
section 126.

128 20Guidance about privileged communications

(1) The Commissioner must produce and publish guidance about—

(a) how the Commissioner proposes to secure that privileged
communications which the Commissioner obtains or has access to in
the course of carrying out the Commissioner’s functions are used or
25disclosed only so far as necessary for carrying out those functions, and

(b) how the Commissioner proposes to comply with restrictions and
prohibitions on obtaining or having access to privileged
communications which are imposed by an enactment.

(2) The Commissioner—

(a) 30may alter or replace the guidance, and

(b) must publish any altered or replacement guidance.

(3) The Commissioner must consult the Secretary of State before publishing
guidance under this section (including altered or replacement guidance).

(4) The Commissioner must arrange for guidance under this section (including
35altered or replacement guidance) to be laid before Parliament.

(5) In this section, “privileged communications” means—

(a) communications made—

(i) between a professional legal adviser and the adviser’s client,
and

(ii) 40in connection with the giving of legal advice to the client with
respect to legal obligations, liabilities or rights, and

(b) communications made—

(i) between a professional legal adviser and the adviser’s client or
between such an adviser or client and another person,

(ii) 45in connection with or in contemplation of legal proceedings,
and

(iii) for the purposes of such proceedings.