Data Protection Bill (HL Bill 74)

EXPLANATORY NOTES

Explanatory notes to the Bill, prepared by the Department for Digital, Culture, Media and Sport and the Home Office, are published separately as HL Bill 66—EN.

EUROPEAN CONVENTION ON HUMAN RIGHTS

Lord Ashton of Hyde has made the following statement under section 19(1)(a) of the Human Rights Act 1998:

In my view the provisions of the Data Protection Bill [HL] are compatible with the Convention rights.

Contents

  1. Part 1

    Preliminary

    1. 1. Overview

    2. 2. Terms relating to the processing of personal data

  2. Part 2

    General processing

    1. Chapter 1

      Scope and definitions

      1. 3. Processing to which this Part applies

      2. 4. Definitions

    2. Chapter 2

      The GDPR

      1. Meaning of certain terms used in the GDPR

        1. 5. Meaning of “controller”

        2. 6. Meaning of “public authority” and “public body”

      2. Lawfulness of processing

        1. 7. Lawfulness of processing: public interest etc

        2. 8. Child’s consent in relation to information society services

      3. Special categories of personal data

        1. 9. Special categories of personal data and criminal convictions etc data

        2. 10. Special categories of personal data etc: supplementary

      4. Rights of the data subject

        1. 11. Limits on fees that may be charged by controllers

        2. 12. Obligations of credit reference agencies

        3. 13. Automated decision-making authorised by law: safeguards

      5. Restrictions on data subject's rights

        1. 14. Exemptions etc

        2. 15. Power to make further exemptions etc by regulations

      6. Accreditation of certification providers

        1. 16. Accreditation of certification providers

      7. Transfers of personal data to third countries etc

        1. 17. Transfers of personal data to third countries etc

      8. Specific processing situations

        1. 18. Processing for archiving, research and statistical purposes: safeguards

    3. Chapter 3

      Other general processing

      1. Scope

        1. 19. Processing to which this Chapter applies

      2. Application of the GDPR

        1. 20. Application of the GDPR to processing to which this Chapter applies

        2. 21. Power to make provision in consequence of regulations related to the GDPR

      3. Exemptions etc

        1. 22. Manual unstructured data held by FOI public authorities

        2. 23. Manual unstructured data used in longstanding historical research

        3. 24. National security and defence exemption

        4. 25. National security: certificate

        5. 26. National security and defence: modifications to Articles 9 and 32 of the
          applied GDPR

  3. Part 3

    Law enforcement processing

    1. Chapter 1

      Scope and definitions

      1. Scope

        1. 27. Processing to which this Part applies

      2. Definitions

        1. 28. Meaning of “competent authority”

        2. 29. “The law enforcement purposes”

        3. 30. Meaning of “controller” and “processor”

        4. 31. Other definitions

    2. Chapter 2

      Principles

      1. 32. Overview and general duty of controller

      2. 33. The first data protection principle

      3. 34. The second data protection principle

      4. 35. The third data protection principle

      5. 36. The fourth data protection principle

      6. 37. The fifth data protection principle

      7. 38. The sixth data protection principle

      8. 39. Safeguards: archiving

      9. 40. Safeguards: sensitive processing

    3. Chapter 3

      Rights of the data subject

      1. Overview and scope

        1. 41. Overview and scope

      2. Information: controller's general duties

        1. 42. Information: controller’s general duties

      3. Data subject's right of access

        1. 43. Right of access by the data subject

      4. Data subject's rights to rectification or erasure etc

        1. 44. Right to rectification

        2. 45. Right to erasure or restriction of processing

        3. 46. Rights under section 44 or 45: supplementary

      5. Automated individual decision-making

        1. 47. Right not to be subject to automated decision-making

        2. 48. Automated decision-making authorised by law: safeguards

      6. Supplementary

        1. 49. Exercise of rights through the Commissioner

        2. 50. Form of provision of information etc

        3. 51. Manifestly unfounded or excessive requests by the data subject

        4. 52. Meaning of “applicable time period”

    4. Chapter 4

      Controller and processor

      1. Overview and scope

        1. 53. Overview and scope

      2. General obligations

        1. 54. General obligations of the controller

        2. 55. Data protection by design and default

        3. 56. Joint controllers

        4. 57. Processors

        5. 58. Processing under the authority of the controller or processor

        6. 59. Records of processing activities

        7. 60. Logging

        8. 61. Co-operation with the Commissioner

        9. 62. Data protection impact assessment

        10. 63. Prior consultation with the Commissioner

      3. Obligations relating to security

        1. 64. Security of processing

        2. 65. Notification of a personal data breach to the Commissioner

      4. Obligations relating to personal data breaches

        1. 66. Communication of a personal data breach to the data subject

      5. Data protection officers

        1. 67. Designation of a data protection officer

        2. 68. Position of data protection officer

        3. 69. Tasks of data protection officer

    5. Chapter 5

      Transfers of personal data to third countries etc

      1. Overview and interpretation

        1. 70. Overview and interpretation

      2. General principles for transfers

        1. 71. General principles for transfers of personal data

        2. 72. Transfers on the basis of an adequacy decision

        3. 73. Transfers on the basis of appropriate safeguards

        4. 74. Transfers on the basis of special circumstances

      3. Transfers to particular recipients

        1. 75. Transfers of personal data to persons other than relevant authorities

      4. Subsequent transfers

        1. 76. Subsequent transfers

    6. Chapter 6

      Supplementary

      1. 77. National security: certificates by the Minister

      2. 78. Special processing restrictions

      3. 79. Reporting of infringements

  4. Part 4

    Intelligence services processing

    1. Chapter 1

      Scope and definitions

      1. Scope

        1. 80. Processing to which this Part applies

      2. Definitions

        1. 81. Meaning of “controller” and “processor”

        2. 82. Other definitions

    2. Chapter 2

      Principles

      1. Overview

        1. 83. Overview

      2. The data protection principles

        1. 84. The first data protection principle

        2. 85. The second data protection principle

        3. 86. The third data protection principle

        4. 87. The fourth data protection principle

        5. 88. The fifth data protection principle

        6. 89. The sixth data protection principle

    3. Chapter 3

      Rights of the data subject

      1. Overview

        1. 90. Overview

      2. Rights

        1. 91. Right to information

        2. 92. Right of access

        3. 93. Right of access: supplementary

        4. 94. Right not to be subject to automated decision-making

        5. 95. Right to intervene in automated decision-making

        6. 96. Right to information about decision-making

        7. 97. Right to object to processing

        8. 98. Rights to rectification and erasure

    4. Chapter 4

      Controller and processor

      1. Overview

        1. 99. Overview

      2. General obligations

        1. 100. General obligations of the controller

        2. 101. Data protection by design

        3. 102. Joint controllers

        4. 103. Processors

        5. 104. Processing under the authority of the controller or processor

      3. Obligations relating to security

        1. 105. Security of processing

      4. Obligations relating to personal data breaches

        1. 106. Communication of a personal data breach

    5. Chapter 5

      Transfers of personal data outside the United Kingdom

      1. 107. Transfers of personal data outside the United Kingdom

    6. Chapter 6

      Exemptions

      1. 108. National security

      2. 109. National security: certificate

      3. 110. Other exemptions

      4. 111. Power to make further exemptions

  5. Part 5

    The Information Commissioner

    1. The Commissioner

      1. 112. The Information Commissioner

    2. General functions

      1. 113. General functions under the GDPR and safeguards

      2. 114. Other general functions

      3. 115. Competence in relation to courts etc

    3. International role

      1. 116. Co-operation and mutual assistance

      2. 117. Inspection of personal data in accordance with international obligations

      3. 118. Further international role

    4. Codes of practice

      1. 119. Data-sharing code

      2. 120. Direct marketing code

      3. 121. Approval of data-sharing and direct marketing codes

      4. 122. Publication and review of data-sharing and direct marketing codes

      5. 123. Effect of data-sharing and direct marketing codes

      6. 124. Other codes of practice

    5. Consensual audits

      1. 125. Consensual audits

    6. Information provided to the Commissioner

      1. 126. Disclosure of information to the Commissioner

      2. 127. Confidentiality of information

      3. 128. Guidance about privileged communications

    7. Fees

      1. 129. Fees for services

      2. 130. Manifestly unfounded or excessive requests by data subjects etc

      3. 131. Guidance about fees

    8. Charges

      1. 132. Charges payable to the Commissioner by controllers

      2. 133. Regulations under section 132: supplementary

    9. Reports etc

      1. 134. Reporting to Parliament

      2. 135. Publication by the Commissioner

      3. 136. Notices from the Commissioner

  6. Part 6

    Enforcement

    1. Information notices

      1. 137. Information notices

      2. 138. Information notices: restrictions

      3. 139. False statements made in response to an information notice

    2. Assessment notices

      1. 140. Assessment notices

      2. 141. Assessment notices: restrictions

    3. Enforcement notices

      1. 142. Enforcement notices

      2. 143. Enforcement notices: supplementary

      3. 144. Enforcement notices: rectification and erasure of personal data etc

      4. 145. Enforcement notices: restrictions

      5. 146. Enforcement notices: cancellation and variation

    4. Powers of entry and inspection

      1. 147. Powers of entry and inspection

    5. Penalties

      1. 148. Penalty notices

      2. 149. Penalty notices: restrictions

      3. 150. Maximum amount of penalty

      4. 151. Fixed penalties for non-compliance with charges regulations

      5. 152. Amount of penalties: supplementary

    6. Guidance

      1. 153. Guidance about regulatory action

    7. Appeals

      1. 154. Rights of appeal

      2. 155. Determination of appeals

    8. Complaints

      1. 156. Complaints by data subjects

      2. 157. Orders to progress complaints

    9. Remedies in the court

      1. 158. Compliance orders

      2. 159. Compensation for contravention of the GDPR

      3. 160. Compensation for contravention of other data protection legislation

    10. Offences relating to personal data

      1. 161. Unlawful obtaining etc of personal data

      2. 162. Re-identification of de-identified personal data

      3. 163. Alteration etc of personal data to prevent disclosure

    11. The special purposes

      1. 164. The special purposes

      2. 165. Provision of assistance in special purposes proceedings

      3. 166. Staying special purposes proceedings

    12. Jurisdiction of courts

      1. 167. Jurisdiction

    13. Definitions

      1. 168. Interpretation of Part 6

  7. Part 7

    Supplementary and final provision

    1. Regulations under this Act

      1. 169. Regulations and consultation

    2. Changes to the Data Protection Convention

      1. 170. Power to reflect changes to the Data Protection Convention

    3. Rights of the data subject

      1. 171. Prohibition of requirement to produce relevant records

      2. 172. Avoidance of certain contractual terms relating to health records

      3. 173. Representation of data subjects

      4. 174. Data subject’s rights and other prohibitions and restrictions

    4. Framework for Data Processing by Government

      1. 175. Framework for Data Processing by Government

      2. 176. Approval of the Framework

      3. 177. Publication and review of the Framework

      4. 178. Effect of the Framework

    5. Offences

      1. 179. Penalties for offences

      2. 180. Prosecution

      3. 181. Liability of directors etc

      4. 182. Recordable offences

      5. 183. Guidance about PACE codes of practice

    6. The Tribunal

      1. 184. Disclosure of information to the Tribunal

      2. 185. Proceedings in the First-tier Tribunal: contempt

      3. 186. Tribunal Procedure Rules

    7. Definitions

      1. 187. Meaning of “health professional” and “social work professional”

      2. 188. Other definitions

      3. 189. Index of defined expressions

    8. Territorial application

      1. 190. Territorial application of this Act

    9. General

      1. 191. Children in Scotland

      2. 192. Application to the Crown

      3. 193. Application to Parliament

      4. 194. Minor and consequential amendments

    10. Final

      1. 195. Commencement

      2. 196. Transitional provision

      3. 197. Extent

      4. 198. Short title

    1. Schedule 1

      Special categories of personal data and criminal convictions
      etc data

      1. Part 1

        Conditions relating to employment, health and research etc

      2. Part 2

        Substantial public interest conditions

      3. Part 3

        Additional conditions relating to criminal convictions etc

      4. Part 4

        Appropriate policy document and additional safeguards

    2. Schedule 2

      Exemptions etc from the GDPR

      1. Part 1

        Adaptations and restrictions based on Articles 6(3) and 23(1)

      2. Part 2

        Restrictions based on Article 23(1): Restrictions of rules in
        Articles 13 to 21

      3. Part 3

        Restriction based on Article 23(1): Protection of rights of others

      4. Part 4

        Restrictions based on Article 23(1): Restrictions of rules in
        Articles 13 to 15

      5. Part 5

        Exemptions etc based on Article 85(2) for reasons of freedom
        of expression and information

      6. Part 6

        Derogations etc based on Article 89 for research, statistics and
        archiving

    3. Schedule 3

      Exemptions etc from the GDPR: health, social work, education
      and child abuse data

      1. Part 1

        GDPR provisions to be restricted: “the listed GDPR
        provisions”

      2. Part 2

        Health data

      3. Part 3

        Social work data

      4. Part 4

        Education data

      5. Part 5

        Child abuse data

    4. Schedule 4

      Exemptions etc from the GDPR: disclosure prohibited or
      restricted by an enactment

    5. Schedule 5

      Accreditation of certification providers: reviews and appeals

    6. Schedule 6

      The applied GDPR and the applied Chapter 2

      1. Part 1

        Modifications to the GDPR

      2. Part 2

        Modifications to Chapter 2 of Part 2

    7. Schedule 7

      Competent authorities

    8. Schedule 8

      Conditions for sensitive processing under Part 3

    9. Schedule 9

      Conditions for processing under Part 4

    10. Schedule 10

      Conditions for sensitive processing under Part 4

    11. Schedule 11

      Other exemptions under Part 4

    12. Schedule 12

      The Information Commissioner

    13. Schedule 13

      Other general functions of the Commissioner

    14. Schedule 14

      Co-operation and mutual assistance

      1. Part 1

        Law Enforcement Directive

      2. Part 2

        Data Protection Convention

    15. Schedule 15

      Powers of entry and inspection

    16. Schedule 16

      Penalties

    17. Schedule 17

      Relevant records

    18. Schedule 18

      Minor and consequential amendments

      1. Part 1

        Acts and Measures

      2. Part 2

        Subordinate legislation